Facilities for x86 debugging Introduction to Pentium features that can assist programmers in their debugging of software.

Slides:

Advertisements

Similar presentations

CPU Structure and Function

Advertisements

Microprocessors General Features To be Examined For Each Chip Jan 24 th, 2002.

Assembly 01. Outline Binary vs. Text Files Compiler vs. Assembler Mnemonic Assembly Process Development Process Debugging Example 1 this analogy will.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

Computer Organization and Architecture

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

Microprocessor system architectures– IA32 debugging and performance monitoring Jakub Yaghob.

Facilities for x86 debugging

The ‘system-call’ interface We see how an application program can invoke privileged kernel services.

Facilities for x86 debugging Introduction to x86 CPU features that can assist programmers in the debugging of their software.

Processor Exceptions A survey of the x86 exceptions and mechanism for handling faults, traps, and aborts.

Interrupts What is an interrupt? What does an interrupt do to the “flow of control” Interrupts used to overlap computation & I/O – Examples would be console.

Exceptions and Interrupts How does Linux handle service- requests from the cpu and from the peripheral devices?

What Linux does with IDE? Introduction to Pentium features for trapping reads/writes to memory-locations and i/o-ports.

Deferred segment-loading An exercise on implementing the concept of ‘load-on-demand’ for the program-segments in an ELF executable file.

Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.

X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

The i/o-sensitive instructions An introduction to the software emulation of i/o-sensitive instructions in Virtual-8086 mode.

Introduction to Interrupts

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, Stack Operations Runtime Stack PUSH Operation POP.

8086 emulation Using Virtual-8086 mode to execute real-mode procedures in a protected-mode environment.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

1 CSC 2405: Computer Systems II Spring 2012 Dr. Tom Way.

Micro-Computer Applications: Procedures & Interrupts Dr. Eng. Amr T. Abdel-Hamid ELECT 707 Fall 2011.

Practical Malware Analysis Ch 8: Debugging Rev

Interrupts. What Are Interrupts? Interrupts alter a program’s flow of control  Behavior is similar to a procedure call »Some significant differences.

Intel MP (32-bit microprocessor) Designed to overcome the limits of its predecessor while maintaining the software compatibility with the.

Multitasking Mr. Mahendra B. Salunke Asst. Prof. Dept. of Computer Engg., STES SITS, Narhe, Pune-41 STES Sinhgad Institute of Tech. & Science Dept. of.

The Functions of Operating Systems Interrupts. Learning Objectives Explain how interrupts are used to obtain processor time. Explain how processing of.

Lecture 4 ( Assembly Language).

System Address Registers/Memory Management Registers Four memory management registers are used to specify the locations of data structures which control.

Assembly תרגול 5 תכנות באסמבלי. Assembly vs. Higher level languages There are NO variables’ type definitions.  All kinds of data are stored in the same.

Accessing I/O Devices Processor Memory BUS I/O Device 1 I/O Device 2.

CSNB374: Microprocessor Systems Chapter 5: Procedures and Interrupts.

1 ICS 51 Introductory Computer Organization Fall 2009.

Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.

Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.

Dec Hex Bin 14 E ORG ; FOURTEEN Interrupts In x86 PC.

80386DX. Programming Model The basic programming model consists of the following aspects: – Registers – Instruction Set – Addressing Modes – Data Types.

Functions/Methods in Assembly

Interrupt driven I/O Computer Organization and Assembly Language: Module 12.

10. Epilogue ENGI 3655 Lab Sessions.  We took control of the computer as early as possible, right after the end of the BIOS  Our multi-stage bootloader.

Information Security - 2. Other Registers EFLAGS – 32 Bit Register CFPFAFZFSFTFIFDFOFIO PL IO PL NTRFVM Bits 1,3,5,15,22-31 are RESERVED. 18: AC, 19:VIF,

Introduction to Intel IA-32 and IA-64 Instruction Set Architectures.

Computer Organization 1

Information Security - 2. CISC Vs RISC X86 is CISC while ARM is RISC CISC is Compiler’s heaven while RISC is Architecture’s heaven Orthogonal ISA in RISC.

Introduction to Exceptions 1 Introduction to Exceptions ARM Advanced RISC Machines.

Chapter 6 Limited Direct Execution Chien-Chung Shen CIS/UD

Introduction to assembly language programming and Computer Architecture By Anand George SourceLens.org Copyright. All rights reserved. Content Owner -

Stack Operations Dr. Hadi AL Saadi.

CS 3214 Computer Systems Lecture 9 Godmar Back.

MICROPROCESSOR BASED SYSTEM DESIGN

Microprocessor and Assembly Language

Microprocessor Systems Design I

Anton Burtsev February, 2017

Basic Microprocessor Architecture

x86 segmentation, page tables, and interrupts

Computer Architecture “Bomb Lab Hints”

Introduction to Intel IA-32 and IA-64 Instruction Set Architectures

Assembly Language Programming II: C Compiler Calling Sequences

MIPS Procedure Calls CSE 378 – Section 3.

Low-Level Thread Dispatching on the x86

Chapter 11 Processor Structure and function

Computer Architecture and System Programming Laboratory

Presentation transcript:

Facilities for x86 debugging Introduction to Pentium features that can assist programmers in their debugging of software

TF-bit in EFLAGS Our ‘trydebug.s’ demo showed how to use the TF-bit to perform ‘single-stepping’ of a Linux application program (e.g., ‘hello’) The ‘popfd’ instruction was used to set TF But single-stepping starts only AFTER the immediately following instruction executes An exception-handler for INT-1 can display information about the state of the task

Using ‘objdump’ output You can generate an assembler ‘listing’ of the instructions in our ‘hello’ application You can then use the listing to follow along with the ‘single-stepping’ through that code Here’s how to do it: $ objdump –d hello > hello.u (The ‘-d’ option stands for ‘disassembly’)

A slight ‘flaw’ We cannot single-step the execution of an ‘int-0x80’ instruction (Linux’s system-calls) Our exception-handler’s ‘iretd’ instruction will restore the TF-bit to EFLAGS, but the single-step ‘trap’ doesn’t take effect until after the immediately following instruction This means we ‘skip’ seeing a display of the registers immediately after ‘int-0x80’

Fixing the ‘flaw’ The Pentium offers a way to overcome the problem of a delayed effect when TF is set We can use the Debug Registers to set an instruction ‘breakpoint’ which will interrupt the CPU at a specific instruction-address There are six Debug Registers: DR0, DR1, DR2, DR3(breakpoints) DR6 (the Debug Status register) DR7*the Debug Control register)

Breakpoint Address Registers DR0 DR1 DR2 DR3

Special ‘MOV’ instructions Use ‘mov DRn, genreg’ to write into DRn Use ‘mov genreg, DRn’ to read from DRn These instructions are ‘privileged’ (i.e., can only be executed by code running in ring0)

Debug Control Register (DR7) 00 GDGD 001 GEGE LELE G3G3 L3L3 G2G2 L2L2 G1G1 L1L1 G0G0 L0L0 LEN 3 R/W 3 LEN 2 R/W 2 LEN 1 R/W 1 LEN 0 R/W Least significant word Most significant word

What kinds of breakpoints? LENR/W LEN 00 = one byte 01 = two bytes 10 = undefined 11 = four bytes R/W 00 = break on instruction fetch only 01 = break on data writes only 10 = undefined (unless DE set in CR4) 11 = break on data reads or writes (but not on instruction fetches)

Control Register 4 The Pentium uses Control Register 4 to activate certain extended features of the processor, while still allowing for backward compatibility of software written for earlier Intel x86 processors An example: Debug Extensions (DE-bit) other feature bits CR4 DEDE

Debug Status Register (DR6) BDBD B3B3 B2B2 B1B1 unused ( all bits here are set to 1 ) Least significant word Most significant word BSBS B T 1 B0B0

Where to set a breakpoint Suppose you want to trigger a ‘debug’ fault at the instruction immediately following the software Linux ‘int-0x80’ system-call Your debug exception-handler can use the saved CS:EIP values on its stack to check that ‘int-0x80’ has caused an exception Machine-code is: 0xCD, 0x80 (2 bytes) So set a ‘breakpoint’ at address EIP+2

How to set this breakpoint isrDBG:push ebp mov ebp, esp pushad ; put breakpoint-address in DR0 mov eax, 4[ebp] add eax, #2 mov dr0, eax

Setting a breakpoint (continued) ; enable local breakpoint for DR0 mov eax, DR7 bts eax, #0; set LE0 mov DR7, eax … popad pop ebp iretd

Detecting a ‘breakpoint’ Your debug exception-handler reads DR6 to check for occurrences of breakpoints mov eax, DR6; get debug status bt eax, #0; breakpoint #0? jnc notBP0; no, another cause bts 12[ebp], #16 ; set the RF-bit ; or disable breakpoint0 in register DR7 notBP0:

In-Class Exercise #1 Modify the debug exception-handler in our ‘trydebug.s’ demo-program (on website) so that it will ‘single-step’ past ‘int-0x80’ But don’t forget to disable any breakpoints that might still be in effect when you enter the ‘do_exit’ procedure (to terminate your ‘hello’ application), by writing a zero value into the Debug Control Register DR7

In-class exercise #2 After you have completed exercise #1, you can try this further exercise: use a different Debug Register (i.e.,, DR1, DR2, or DR3) to set an instruction-breakpoint at the entry to your ‘int-0x80’ service-routine This will allow you to do single-stepping of your system-call handlers (e.g., ‘do_write’) (A problem arises with ‘do_read’ though)