How to disassemble code dump
ABC edited this page Oct 21, 2015
How to disassemble a code dump — practical example. In the oops `Code:` line the byte in angle brackets (`<48>` below) is the one at RIP, i.e. the start of the faulting instruction, and the brackets are stripped before the bytes are fed to `xxd`; to map the dump back to source the module must be disassembled from the same build that was loaded on the crashed machine (here the register names in the two listings differ, e.g. `%r8d` vs `%r15d`, which suggests a different build of ipt_NETFLOW.ko was used for the second step):
Oct 31 11:26:07 servername kernel: [56560.220012] Hardware name: Dell Inc. PowerEdge 1950/0TT740, BIOS 2.6.1 04/20/2009
Oct 31 11:26:07 servername kernel: [56560.220012] task: ffff8801294a5dc0 ti: ffff8801294ae000 task.ti: ffff8801294ae000
Oct 31 11:26:07 servername kernel: [56560.220012] RIP: 0010:[<ffffffffa029f71e>] [<ffffffffa029f71e>] netflow_target+0xcbe/0x1124 [ipt_NETFLOW]
Oct 31 11:26:07 servername kernel: [56560.220012] RSP: 0018:ffff8801294af930 EFLAGS: 00000202
Oct 31 11:26:07 servername kernel: [56560.220012] RAX: ffff88006d7b2376 RBX: 0000000000394d98 RCX: 0000000000000000
Oct 31 11:26:07 servername kernel: [56560.220012] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000006c
Oct 31 11:26:07 servername kernel: [56560.220012] RBP: ffff8801294afa30 R08: 000000000000000c R09: 0000000000000001
Oct 31 11:26:07 servername kernel: [56560.220012] R10: 0000000000000020 R11: 00000000c8fe9f4f R12: ffff8801294af938
Oct 31 11:26:07 servername kernel: [56560.220012] R13: ffff8801294af930 R14: 000000000e000000 R15: 00000000000000e0
Oct 31 11:26:07 servername kernel: [56560.220012] FS: 0000000000000000(0000) GS:ffff88012fd80000(0000) knlGS:0000000000000000
Oct 31 11:26:07 servername kernel: [56560.220012] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Oct 31 11:26:07 servername kernel: [56560.220012] CR2: 00007fb04e59fc60 CR3: 00000001271dd000 CR4: 00000000000007e0
Oct 31 11:26:07 servername kernel: [56560.220012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Oct 31 11:26:07 servername kernel: [56560.220012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Oct 31 11:26:07 servername kernel: [56560.220012] Stack:
Oct 31 11:26:07 servername kernel: [56560.220012] ffff880100000000 ffff880125ba0000 ffff88006c844dc0 ffff88010000000c
Oct 31 11:26:07 servername kernel: [56560.220012] 0000000000000000 00000000300001a2 00000000000005ae ffff880127de1e10
Oct 31 11:26:07 servername kernel: [56560.220012] 00000000294afa08 ffff8801294af940 0000000000000034 ffff8801294af9b8
...
Oct 31 11:26:07 servername kernel: [56560.220012] Code: 09 da 40 84 ff 75 19 89 95 2c ff ff ff 48 c7 c3 20 40 01 00 48 8b a5 48 ff ff ff e9 97 f4 ff ff 41 39 f0 76 e2 40 80 ff 01 74 ac <48> 63 ce 0f b6 0c 08 8d 74 0e ff eb 9f c7 85 2c ff ff ff 00 00
# echo 09 da 40 84 ff 75 19 89 95 2c ff ff ff 48 c7 c3 20 40 01 00 48 8b a5 48 ff ff ff e9 97 f4 ff ff 41 39 f0 76 e2 40 80 ff 01 74 ac 48 63 ce 0f b6 0c 08 8d 74 0e ff eb 9f c7 85 2c ff ff ff 00 00 | xxd -r -ps > code
# objdump -D -b binary -mi386:x86-64 code
code: file format binary
Disassembly of section .data:
0000000000000000 <.data>:
0: 09 da or %ebx,%edx
2: 40 84 ff test %dil,%dil
5: 75 19 jne 0x20
7: 89 95 2c ff ff ff mov %edx,-0xd4(%rbp)
d: 48 c7 c3 20 40 01 00 mov $0x14020,%rbx
14: 48 8b a5 48 ff ff ff mov -0xb8(%rbp),%rsp
1b: e9 97 f4 ff ff jmpq 0xfffffffffffff4b7
20: 41 39 f0 cmp %esi,%r8d
23: 76 e2 jbe 0x7
25: 40 80 ff 01 cmp $0x1,%dil
29: 74 ac je 0xffffffffffffffd7
2b: 48 63 ce movslq %esi,%rcx
2e: 0f b6 0c 08 movzbl (%rax,%rcx,1),%ecx
32: 8d 74 0e ff lea -0x1(%rsi,%rcx,1),%esi
36: eb 9f jmp 0xffffffffffffffd7
38: c7 .byte 0xc7
39: 85 2c ff test %ebp,(%rdi,%rdi,8)
3c: ff (bad)
3d: ff 00 incl (%rax)
...
# objdump -S ipt_NETFLOW.ko|less
/40 80 ff 01
3f1b: 00 00
options |= observed_hdrs(currenthdr);
3f1d: 09 85 04 ff ff ff or %eax,-0xfc(%rbp)
3f23: e9 67 f4 ff ff jmpq 338f <netflow_target+0x12f>
* Set proper bit for htonl later. */
ret |= 1 << (32 - ip4_opt_table[op]);
}
if (likely(i >= optsize || op == 0))
3f28: 41 39 f7 cmp %esi,%r15d
3f2b: 0f 8e b9 fd ff ff jle 3cea <netflow_target+0xa8a>
return ret;
else if (unlikely(op == 1))
3f31: <40 80 ff 01> cmp $0x1,%dil
3f35: 74 09 je 3f40 <netflow_target+0xce0>
continue;
i += p[i] - 1;
3f37: 48 63 f6 movslq %esi,%rsi
3f3a: 0f b6 34 30 movzbl (%rax,%rsi,1),%esi
3f3e: 01 d6 add %edx,%esi
3f40: 89 f2 mov %esi,%edx
3f42: e9 68 fd ff ff jmpq 3caf <netflow_target+0xa4f>
hdrlen = ipv6_optlen(hp);
}
currenthdr = hp->nexthdr;
ptr += hdrlen;
}
tuple.protocol = currenthdr;
3f47: 41 80 ff 88 cmp $0x88,%r15b