Experimental Purpose:
Use gdb to trace how the kernel handles the execve system call (kernel entry point sys_execve), analyse the system-call processing behind the exec* family of library functions, and understand how the Linux kernel loads and starts an executable program.
Experimental steps:
Open the virtual machine in the lab environment and run the following commands in the shell to fetch the code for this experiment, then build the root filesystem image:
cd LinuxKernel
rm menu -rf
git clone https://github.com/mengning/menu.git
cd menu
mv test_exec.c test.c
make rootfs
Boot the kernel under QEMU, halted before its first instruction so that a debugger can be attached (-S freezes the CPU at startup, -s makes QEMU listen for gdb on TCP port 1234):
qemu -kernel linux-3.18.6/arch/x86/boot/bzImage -initrd rootfs.img -s -S
Next, split off a new shell window horizontally and start gdb with the following commands (the first loads the symbols from the uncompressed kernel image, the second connects to QEMU's gdb stub):
gdb
(gdb) file linux-3.18.6/vmlinux
(gdb) target remote:1234
Then set a breakpoint at the entry point of the execve system call, sys_execve:
(gdb) b sys_execve
Continue execution with c, then type exec in the menu shell running in the QEMU window; the kernel will stop at the breakpoint set above.
To follow the rest of the loading path, the following breakpoints can also be set:
(gdb) b load_elf_binary
(gdb) b start_thread
Experiment:
Experiment Summary:
A user program calls the execve() library function, which traps into the kernel; the kernel-side entry point for this system call is sys_execve().
sys_execve() calls do_execve(), which opens the file and reads its first 128 bytes into the binprm buffer (prepare_binprm()), then calls search_binary_handler() to find the registered binary-format handler that recognises that header. For an ELF executable the handler is load_elf_binary(), which maps the program into memory and finally calls start_thread() to point the process at the new program's entry point; these are exactly the two extra breakpoints used above.
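The header check and handler dispatch described above, as an added user-space model (example code written for these notes, not kernel code and not from the menu project). It copies at most 128 bytes of an in-memory "file" into a buffer, then tries two handlers in turn, one modelled on load_elf_binary() and one on the kernel's "#!" script loader; the struct, the enum and the sample byte strings are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

#define BINPRM_BUF_SIZE 128          /* same value as the 3.18 kernel constant */
#define ELFMAG "\177ELF"

enum fmt { FMT_UNKNOWN = 0, FMT_ELF, FMT_SCRIPT };   /* FMT_UNKNOWN: the kernel would return -ENOEXEC */

/* This example's stand-in for the kernel's struct linux_binprm. */
struct binprm {
    unsigned char buf[BINPRM_BUF_SIZE]; /* first bytes of the file, zero padded */
    size_t len;                         /* bytes actually read (short for small files) */
    int elf_class;                      /* e_ident[EI_CLASS]: 1 = 32-bit, 2 = 64-bit */
    char interp[64];                    /* interpreter path parsed from a "#!" line */
};

/* Filled by classify(); lets a caller inspect what the winning handler recorded. */
struct binprm last_bprm;

/* Mirrors prepare_binprm(): read at most BINPRM_BUF_SIZE bytes from the "file". */
static void prepare_binprm(struct binprm *b, const unsigned char *file, size_t file_len)
{
    memset(b, 0, sizeof *b);
    b->len = file_len < BINPRM_BUF_SIZE ? file_len : BINPRM_BUF_SIZE;
    memcpy(b->buf, file, b->len);
}

/* Handler 1, modelled on load_elf_binary(): check the 4-byte magic, then the class byte. */
static int load_elf_binary(struct binprm *b)
{
    if (b->len < 16 || memcmp(b->buf, ELFMAG, 4) != 0)
        return 0;                       /* not ours: let the next handler look */
    b->elf_class = b->buf[4];
    if (b->elf_class != 1 && b->elf_class != 2)
        return 0;                       /* magic present but unusable class: reject */
    return FMT_ELF;
}

/* Handler 2, modelled on the "#!" script loader: take the interpreter path from
 * the first line. The kernel only ever sees the 128-byte buffer, so a path that
 * runs past it is cut off; this model additionally caps the path at 63 bytes. */
static int load_script(struct binprm *b)
{
    if (b->len < 2 || b->buf[0] != '#' || b->buf[1] != '!')
        return 0;
    const unsigned char *p = b->buf + 2, *end = b->buf + b->len;
    while (p < end && (*p == ' ' || *p == '\t'))
        p++;                            /* skip blanks after "#!" */
    size_t n = 0;
    while (p < end && *p != '\n' && *p != ' ' && *p != '\t' && n < sizeof b->interp - 1)
        b->interp[n++] = (char)*p++;
    b->interp[n] = '\0';
    return n ? FMT_SCRIPT : 0;          /* "#!" with no path is not a script either */
}

/* Mirrors search_binary_handler(): the first handler that claims the buffer wins. */
static int search_binary_handler(struct binprm *b)
{
    int (*const handlers[])(struct binprm *) = { load_elf_binary, load_script };
    for (size_t i = 0; i < sizeof handlers / sizeof handlers[0]; i++) {
        int r = handlers[i](b);
        if (r)
            return r;
    }
    return FMT_UNKNOWN;
}

/* Run the whole pipeline on an in-memory file image; details land in last_bprm. */
int classify(const unsigned char *file, size_t file_len)
{
    prepare_binprm(&last_bprm, file, file_len);
    return search_binary_handler(&last_bprm);
}

/* Constructed sample "files" (not real binaries): a 64-bit x86 ELF ident, a shell script, plain text. */
const unsigned char sample_elf64[]  = "\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000";
const unsigned char sample_script[] = "#!  /bin/sh\necho hello\n";
const unsigned char sample_text[]   = "just some text\n";

int main(void)
{
    int k;
    k = classify(sample_elf64, sizeof sample_elf64 - 1);
    printf("elf64  -> %d (class %d)\n", k, last_bprm.elf_class);
    k = classify(sample_script, sizeof sample_script - 1);
    printf("script -> %d (interp %s)\n", k, last_bprm.interp);
    k = classify(sample_text, sizeof sample_text - 1);
    printf("text   -> %d\n", k);
    return 0;
}
```

The point to take from the model is that everything search_binary_handler() decides, it decides from those first 128 bytes: a file shorter than an ELF ident, or one whose first handler rejects it, simply falls through to the next handler and, if none claims it, to the ENOEXEC path.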
When the Linux kernel or a program such as a shell creates a child process with fork(), the child usually goes on to call one of the exec functions to run a different program.
When a process calls an exec function, its current program image is completely replaced by the new program, and execution resumes at the new program's entry point (the address load_elf_binary() hands to start_thread()), from which the C runtime start-up code eventually calls main().
In other words, exec replaces the text, data, heap and stack segments of the current process with those of the new program; the process ID does not change, and exec only ever returns to its caller if the replacement fails.
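The fork()/exec() pattern from the summary, as an added user-space example (written for these notes, not code from the original post or the menu project). It shows the two behaviours that matter when debugging this path: a successful exec never returns, and a failed exec returns -1 with errno set while leaving the caller's image and pid untouched. The paths /bin/sh and /nonexistent/program are assumptions about the host.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec `path` with `argv` in the child, and return the child's exit code.
 * Returns -1 if fork() or waitpid() fails, or if the child did not exit normally.
 * If execv() fails the child exits 127 (the shell's "command not found" status),
 * so that is what the parent sees in that case. */
int run_and_wait(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child. Until execv() succeeds this is still a copy of the parent.
         * On success execv() does not return: the process's text, data, heap
         * and stack are replaced and execution starts at the new program's
         * entry point (in the kernel: load_elf_binary() -> start_thread()). */
        execv(path, argv);
        _exit(127);                     /* only reached if the exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Exec a path that does not exist, in the calling process itself.
 * If the exec unexpectedly succeeded this function would never return; on the
 * expected failure it returns errno (ENOENT) provided the caller still has its
 * original pid, and -1 otherwise. */
int exec_failure_errno(const char *bogus_path)
{
    char *const argv[] = { (char *)bogus_path, NULL };
    pid_t before = getpid();
    execv(bogus_path, argv);            /* failed exec returns -1, image left intact */
    int err = errno;
    return getpid() == before ? err : -1;
}

int main(void)
{
    char *const ok[]  = { "sh", "-c", "exit 42", NULL };
    char *const bad[] = { "x", NULL };
    printf("/bin/sh -c 'exit 42'  -> %d\n", run_and_wait("/bin/sh", ok));
    printf("exec of missing file  -> child status %d\n", run_and_wait("/nonexistent/program", bad));
    printf("failed exec in caller -> errno %d (ENOENT = %d)\n",
           exec_failure_errno("/nonexistent/program"), ENOENT);
    return 0;
}
```

With the gdb session above attached, the breakpoint on sys_execve fires for the child's execv() call, and load_elf_binary and start_thread fire only on the successful path; the failing exec never gets past search_binary_handler's lookup, which is why the caller is still there to read errno.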
How the Linux kernel loads and launches an executable program