Linux /proc/<pid>/stat 中的 'eip' 字段似乎没有更新
根据这个线程,/proc/<pid>/stat 的第30个值(从1开始计数)应该显示进程的“eip”值,但当我打印bash进程的第30个值时,它一直返回相同的地址:Linux /proc/<pid>/stat 中的 'eip' 字段似乎没有更新,linux,bash,proc,Linux,Bash,Proc,根据这个线程,/proc/<pid>/stat 的第30个值(从1开始计数)应该显示进程的“eip”值,但当我打印bash进程的第30个值时,它一直返回相同的地址: root@graphics:/proc# ps | grep bash 3032 pts/21 00:00:00 bash root@graphics:/proc# cd 3032 root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
root@graphics:/proc# ps | grep bash
3032 pts/21 00:00:00 bash
root@graphics:/proc# cd 3032
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
同样的情况也发生在chrome上。我原以为“eip”值在执行过程中会不断变化。为什么它总是返回相同的地址?
好的,在读了明杰的答案后,我决定以极高的频率反复检查它,看看这个值是否真的会改变。目标进程是chrome,其pid为1834。下面是我用来检查该值的bash脚本:
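#!/bin/bash
# eiptest — poll /proc/<pid>/stat and report whenever the kstkeip field
# (field 30 when counting from 1) changes.
#
# Usage:   ./eiptest [pid]        (pid defaults to 1834, the chrome pid from
#                                  the run shown above)
# Outputs: "eip changed! (eip: 0x... )" on stdout each time the value differs
#          from the previous sample; every sample is appended to "$0.dump".
# Exits:   1 if /proc/<pid>/stat cannot be read (bad pid, or process gone).
#
# NOTE: proc(5) marks kstkesp/kstkeip as subject to a ptrace access-mode
# check; when the reader is not allowed to ptrace the target the kernel
# reports the field as 0, so "0x0" on every sample means "not permitted",
# not "never moves".  Recent kernels may also report 0 for these fields
# regardless of permission — check proc(5) for the kernel in use.
set -euo pipefail

pid=${1:-1834}
stat_file=/proc/$pid/stat
dump_file=$0.dump

#######################################
# Print the current kstkeip of $stat_file as 0x-prefixed hex.
# Globals:   stat_file (read)
# Outputs:   "0x<hex>" on stdout
# Returns:   0 on success, 1 if the file is unreadable or too short
#######################################
read_eip() {
  local line rest
  local -a fields
  IFS= read -r line <"$stat_file" || return 1
  # Field 2 (comm) is parenthesised and may itself contain spaces, which
  # would shift a naive `awk '{print $30}'`.  Drop everything up to the
  # last ") " and count from field 3: field 30 of the line is then the
  # 28th word of the remainder, i.e. array index 27.
  rest=${line##*) }
  read -ra fields <<<"$rest"
  (( ${#fields[@]} >= 28 )) || return 1
  printf '0x%x' "${fields[27]}"
}

[[ -r $stat_file ]] || {
  printf '%s: cannot read %s\n' "${0##*/}" "$stat_file" >&2
  exit 1
}

eip=
# Deliberately a tight loop: the point of the experiment is to sample as
# often as possible so that short-lived changes are not missed.
while true; do
  new_eip=$(read_eip) || {
    printf '%s: %s vanished or became unreadable\n' "${0##*/}" "$stat_file" >&2
    exit 1
  }
  if [[ $new_eip != "$eip" ]]; then
    printf 'eip changed! (eip: %s )\n' "$new_eip"
  fi
  eip=$new_eip
  printf '%s\n' "$eip" >>"$dump_file"
done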
脚本的设计是:如果本次捕获的值与上一次捕获的值不同,就打印“eip changed!”消息。当我运行这个脚本时,该值确实在变化:
root@graphics:/home/gwangmu/Documents# ./eiptest
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868ce0d )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868ce0d )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868cbfa )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868ce0d )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868d23d )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868d23d )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94e868ce0d )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94ee983c7a )
eip changed! (eip: 0x7f94e711e8dd )
eip changed! (eip: 0x7f94ee7a1190 )
eip changed! (eip: 0x7f94e711e8dd )
我希望这对其他人有点帮助。谢谢明杰。
当bash运行一个程序时,它会等待子进程退出,因此eip指向waitpid调用的返回地址(即syscall指令之后的那条指令):
/proc/9919$ cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f037e3a831c
您可以用gdb来验证这一点:
% gdb
(gdb) attach 9919
Attaching to process 9919
Reading symbols from /bin/bash...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
0x00007f037e3ca5e0 in read () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) disassemble 0x7f037e3a831c
Dump of assembler code for function waitpid:
0x00007f037e3a8300 <+0>: mov 0x2f14cd(%rip),%r9d # 0x7f037e6997d4
0x00007f037e3a8307 <+7>: test %r9d,%r9d
0x00007f037e3a830a <+10>: jne 0x7f037e3a8336 <waitpid+54>
0x00007f037e3a830c <+12>: xor %r10d,%r10d
0x00007f037e3a830f <+15>: movslq %edx,%rdx
0x00007f037e3a8312 <+18>: movslq %edi,%rdi
0x00007f037e3a8315 <+21>: mov $0x3d,%eax
0x00007f037e3a831a <+26>: syscall
0x00007f037e3a831c <+28>: cmp $0xfffffffffffff000,%rax
0x00007f037e3a8322 <+34>: ja 0x7f037e3a8325 <waitpid+37>
0x00007f037e3a8324 <+36>: retq
0x00007f037e3a8325 <+37>: mov 0x2ebb3c(%rip),%rdx # 0x7f037e693e68
0x00007f037e3a832c <+44>: neg %eax
0x00007f037e3a832e <+46>: mov %eax,%fs:(%rdx)
0x00007f037e3a8331 <+49>: or $0xffffffffffffffff,%rax
0x00007f037e3a8335 <+53>: retq
0x00007f037e3a8336 <+54>: push %rbx
0x00007f037e3a8337 <+55>: sub $0x10,%rsp
0x00007f037e3a833b <+59>: mov %edx,0xc(%rsp)
0x00007f037e3a833f <+63>: mov %rsi,(%rsp)
0x00007f037e3a8343 <+67>: mov %edi,0x8(%rsp)
0x00007f037e3a8347 <+71>: callq 0x7f037e3e3620
0x00007f037e3a834c <+76>: mov $0x3d,%ecx
0x00007f037e3a8351 <+81>: mov %eax,%r8d
0x00007f037e3a8354 <+84>: xor %r10d,%r10d
0x00007f037e3a8357 <+87>: movslq 0xc(%rsp),%rdx
0x00007f037e3a835c <+92>: mov (%rsp),%rsi
0x00007f037e3a8360 <+96>: mov %ecx,%eax
0x00007f037e3a8362 <+98>: movslq 0x8(%rsp),%rdi
0x00007f037e3a8367 <+103>: syscall
0x00007f037e3a8369 <+105>: cmp $0xfffffffffffff000,%rax
0x00007f037e3a836f <+111>: mov %rax,%rbx
0x00007f037e3a8372 <+114>: ja 0x7f037e3a8384 <waitpid+132>
0x00007f037e3a8374 <+116>: mov %r8d,%edi
0x00007f037e3a8377 <+119>: callq 0x7f037e3e3680
0x00007f037e3a837c <+124>: add $0x10,%rsp
0x00007f037e3a8380 <+128>: mov %ebx,%eax
0x00007f037e3a8382 <+130>: pop %rbx
0x00007f037e3a8383 <+131>: retq
0x00007f037e3a8384 <+132>: mov 0x2ebadd(%rip),%rax # 0x7f037e693e68
0x00007f037e3a838b <+139>: neg %ebx
0x00007f037e3a838d <+141>: mov %ebx,%fs:(%rax)
0x00007f037e3a8390 <+144>: or $0xffffffffffffffff,%rbx
0x00007f037e3a8394 <+148>: jmp 0x7f037e3a8374 <waitpid+116>
End of assembler dump.
%gdb
(gdb) attach 9919
附加到进程9919
正在从/bin/bash…读取符号(未找到调试符号)…已完成。
正在从/lib/x86_64-linux-gnu/libncurses.so.5读取符号…(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libtinfo.so.5读取符号…(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libdl.so.2读取符号…(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libc.so.6读取符号…(未找到调试符号)…完成。
正在从/lib64/ld-linux-x86-64.so.2…读取符号(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libnss_compat.so.2读取符号…(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libnsl.so.1读取符号…(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libnss_nis.so.2读取符号…(未找到调试符号)…完成。
正在从/lib/x86_64-linux-gnu/libnss_files.so.2读取符号…(未找到调试符号)…完成。
0x00007f037e3ca5e0 位于 /lib/x86_64-linux-gnu/libc.so.6 的 read () 中
(gdb) disassemble 0x7f037e3a831c
函数waitpid的汇编程序代码转储:
0x00007f037e3a8300 <+0>: mov 0x2f14cd(%rip),%r9d # 0x7f037e6997d4
0x00007f037e3a8307 <+7>: test %r9d,%r9d
0x00007f037e3a830a <+10>: jne 0x7f037e3a8336 <waitpid+54>
0x00007f037e3a830c <+12>: xor %r10d,%r10d
0x00007f037e3a830f <+15>: movslq %edx,%rdx
0x00007f037e3a8312 <+18>: movslq %edi,%rdi
0x00007f037e3a8315 <+21>: mov $0x3d,%eax
0x00007f037e3a831a <+26>: syscall
0x00007f037e3a831c <+28>: cmp $0xfffffffffffff000,%rax
0x00007f037e3a8322 <+34>: ja 0x7f037e3a8325 <waitpid+37>
0x00007f037e3a8324 <+36>: retq
0x00007f037e3a8325 <+37>: mov 0x2ebb3c(%rip),%rdx # 0x7f037e693e68
0x00007f037e3a832c <+44>: neg %eax
0x00007f037e3a832e <+46>: mov %eax,%fs:(%rdx)
0x00007f037e3a8331 <+49>: or $0xffffffffffffffff,%rax
0x00007f037e3a8335 <+53>: retq
0x00007f037e3a8336 <+54>: push %rbx
0x00007f037e3a8337 <+55>: sub $0x10,%rsp
0x00007f037e3a833b <+59>: mov %edx,0xc(%rsp)
0x00007f037e3a833f <+63>: mov %rsi,(%rsp)
0x00007f037e3a8343 <+67>: mov %edi,0x8(%rsp)
0x00007f037e3a8347 <+71>: callq 0x7f037e3e3620
0x00007f037e3a834c <+76>: mov $0x3d,%ecx
0x00007f037e3a8351 <+81>: mov %eax,%r8d
0x00007f037e3a8354 <+84>: xor %r10d,%r10d
0x00007f037e3a8357 <+87>: movslq 0xc(%rsp),%rdx
0x00007f037e3a835c <+92>: mov (%rsp),%rsi
0x00007f037e3a8360 <+96>: mov %ecx,%eax
0x00007f037e3a8362 <+98>: movslq 0x8(%rsp),%rdi
0x00007f037e3a8367 <+103>: syscall
0x00007f037e3a8369 <+105>: cmp $0xfffffffffffff000,%rax
0x00007f037e3a836f <+111>: mov %rax,%rbx
0x00007f037e3a8372 <+114>: ja 0x7f037e3a8384 <waitpid+132>
0x00007f037e3a8374 <+116>: mov %r8d,%edi
0x00007f037e3a8377 <+119>: callq 0x7f037e3e3680
0x00007f037e3a837c <+124>: add $0x10,%rsp
0x00007f037e3a8380 <+128>: mov %ebx,%eax
0x00007f037e3a8382 <+130>: pop %rbx
0x00007f037e3a8383 <+131>: retq
0x00007f037e3a8384 <+132>: mov 0x2ebadd(%rip),%rax # 0x7f037e693e68
0x00007f037e3a838b <+139>: neg %ebx
0x00007f037e3a838d <+141>: mov %ebx,%fs:(%rax)
0x00007f037e3a8390 <+144>: or $0xffffffffffffffff,%rbx
0x00007f037e3a8394 <+148>: jmp 0x7f037e3a8374 <waitpid+116>
汇编程序转储结束。
0x7f037e3a831c 位于函数waitpid中的系统调用(syscall)指令之后。
那个回答说它是第29个字段。另一方面,你用的是什么架构?它有可读取的eip吗?
我在x86-64机器上测试了它。因为那个回答是从0开始编号的,所以我认为在awk中用$30是对的。
谢谢你的回答,但对于任何其他进程,比如chrome,似乎也是这样。我忘了提到这一点:(
为了节省CPU,通常所有进程都应该在某个地方阻塞,否则它将消耗100%的CPU。因此它的eip指向阻塞系统调用的下一条指令。