Right now I've been using GDB to disassemble a binary file and check out different registers and whatnot. Is there an easy command to examine everything on the stack? Can this be limited to everything in a function?
- 3This should be of some help to you : cs.nyu.edu/courses/spring07/V22.0474-001/misc/gdb-refcard.pdf. You can always use "frame" command to jump between the frames.dicaprio– dicaprio2010-05-05 05:58:38 +00:00Commented May 5, 2010 at 5:58
- 1The link requires login now. Here's an archived link: web.archive.org/web/20141222091304/http://cs.nyu.edu/courses/…thyu– thyu2022-12-06 04:49:33 +00:00Commented Dec 6, 2022 at 4:49
5 Answers
You can view the contents of the stack with x/10x $sp
This will print the top 10 elements of the stack.
4 Comments
$sp and the 9 elements after it, that is (if the stack grows downwards like for example in x86) 9 elements that are not actually used by the program yet. Right?For the current stack frame:
- info frame lists general info about the frame (where things start in memory, etc.)
- info args lists arguments to the function
- info locals lists local variables stored in the frame
2 Comments
info frame is always going to tell you about the frame. If you want info about a variable you'd have to use other subcommands like info locals <name>, or other commands entirely like printbt(orbacktrace) will give you a call stack.frame <args>will select a frame on the call stack for inspectioninfo frame <args>will give you information about a specific frame from the stack. When called without arguments it will display the currently selected frameinfo localscan give you information about any local variables on the stack.
1 Comment
info frame <addr> is used to examine the frame without selecting it- just try
bt full, and you will get all frames and locals - input
frame x, to enter the x frame
by the way, you should know about process address space and what it is composed: linux virtual address space, this will help you understand how the frame is used.
1 Comment
Personally, I usually examine RBP (in an x86_64 system). I go behind RBP 32 bytes i.e. RBP-32 and then I print out 10 hexes i.e. 4 bytes each. From that point I can be able to see the local arguments, the padding(if any) as well as the function arguments because I am examining RBP- and RBP+ side.
Basically I like to see the stackframe in the structure below:
**************************************************************************** * RBP - 32 = 0x00007fffffffd910 * RBP - 24 = 0x00005555555554b7 * RBP - 16 = 0x0000000000000000 * RBP - 8 = 0x00005555555592a0 local var *Q * RBP(0x7fffffffd910) = 0x00000001 the value of RBP before we jumped to the Queue() function. rbp was popped and is now back to 0x00007fffffffda50 from the previous 0x00007fffffffda30. * RBP + 8 = 0x00007ffff7da9d90 0x00005555555554b7 return address to <main+22> * RBP + 16 = 0x0000000000000000 * RBP + 24 = 0x00005555555554a1 The very first line of the main function * RBP + 32 = 0x0000000100000000 * RBP + 40 = 0x00007fffffffda28 ****************************************************************************** To do that, I use the command below which basically says, "move from the address of RBP into it's negative addresses 32 bytes and then from there, fetch me 20 4 byte hexes"
(gdb) x/20x ($rbp-32) Here is a snippet for how the output looks in gdb. please note that you have to use the big endian/small endian notation to combine addresses because addresses in a 64 bit system are 8 bytes, but we are examining memory in 4bytes. So combining them i.e. 0x00007fff and 0xffffd910 give use the full address at RBP-32 which is 0x00007fffffffd910 as captured in my stack frame illustration above.
See snippet from GDB on my command line.
