
Multithreaded debugging: after `target remote` it breaks at exit; how to break at the start function

Open xiziyunqi105 opened this issue 3 years ago • 2 comments

Describe the bug: with multithreading enabled, after `target remote` execution breaks at exit; how can I break at the start function?

Sample Code

import sys
sys.path.append("..")  # run from qiling/examples so the in-tree qiling package is importable

from qiling import *
from qiling.os.posix import syscall
from qiling.const import QL_VERBOSE

if __name__ == "__main__":

    # emulate the dvr binary from the extracted cramfs rootfs with the
    # thread scheduler enabled (multithread=True) and full DEBUG logging
    ql = Qiling([r'rootfs/cramfs-root/dvr'], r'rootfs/cramfs-root/', verbose=QL_VERBOSE.DEBUG, multithread=True)
    # start Qiling's GDB stub; attach from gdb with `target remote :8888`
    ql.debugger = "gdb:0.0.0.0:8888"
    ql.run()

With multithreading enabled, after `target remote` execution breaks at the exit function; `i thread` shows only one thread, and after continuing it exits directly. (two screenshots omitted) Looking at the log, a new thread had been created and suspended before this:


[+] 	Profile: default
[+] 	Set kernel trap: memory_barrier at 0xffff0fa0
......
[+] [Thread 2000]	mmap2 - MAP_FIXED, mapping not needed
[+] [Thread 2000]	mem write : 0x26b0
[+] [Thread 2000]	mem mmap  : /home/test/Desktop/qiling/qiling-
[+] [Thread 2000]	Received interrupt: 0x2
[+] [Thread 2000]	0x90149e04: mprotect(start = 0x901e1000, mlen = 0x1000, prot = 0x0) = 0x0
[+] [Thread 2000]	Received interrupt: 0x2
[+] [Thread 2000]	[Thread 2001] created
[+] [Thread 2000]	new_tls=0x90210950
[+] [Thread 2000]	Set c13_c0_3 to 0x90210950
[+] [Thread 2000]	Saved context. c13_c0_3=0x90210950
[+] [Thread 2000]	Currently running pid is: 29983; tid is: 2000
[+] [Thread 2000]	Currently running pid is: 29983; tid is: 2000
[+] [Thread 2000]	0x9018c498: clone(flags = 0x3d0f00, child_stack = 0x90210028, parent_tidptr = 0x90210528, newtls = 0x90210950, child_tidptr = 0x90210528) = 0x7d1
[+] [Thread 2000]	Suspended at 0x47bb02c
[+] [Thread 2000]	Saved context. c13_c0_3=0x901e07b0
[+] [Thread 2000]	Call sched_cb: <function QlLinuxThread._default_sched_cb at 0x7f258ed77e50>
[+] [Thread 2001]	Set c13_c0_3 to 0x90210950
[+] [Thread 2001]	Restored context. c13_c0_3=0x90210950
[+] [Thread 2001]	Scheduled from 0x9018c498.
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x90026a58: set_robust_list(head_ptr = 0x90210530, head_len = 0xc) = 0x0
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	open(/proc/stat, 0o0) = 3
[+] [Thread 2001]	File found: /home/test/Desktop/qiling/qiling-master/examples/rootfs/cramfs-root/proc/stat
[+] [Thread 2001]	0x9018d274: open(filename = 0x901d1aa7, flags = 0x0, mode = 0x1b6) = 0x3
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x9014992c: ioctl(fd = 0x3, cmd = 0x5401, arg = 0x9020f980) = -0x1 (EPERM)
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x90147df8: brk(inp = 0x2819000) = 0x2819000
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	read() CONTENT: b''
[+] [Thread 2001]	0x9018d394: read(fd = 0x3, buf = 0x2817068, length = 0x1000) = 0x0
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x9018d1e4: close(fd = 0x3) = 0x0
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	open(/proc/stat, 0o0) = 3
[+] [Thread 2001]	File found: /home/test/Desktop/qiling/qiling-master/examples/rootfs/cramfs-root/proc/stat
[+] [Thread 2001]	0x9018d274: open(filename = 0x8a7c3d, flags = 0x0, mode = 0x1b6) = 0x3
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x9014992c: ioctl(fd = 0x3, cmd = 0x5401, arg = 0x9020f9c8) = -0x1 (EPERM)
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x9014c928: _llseek(fd = 0x3, offset_high = 0x0, offset_low = 0x0, result = 0x9020fa18, whence = 0x0) = 0x0
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	read() CONTENT: b''
[+] [Thread 2001]	0x9018d394: read(fd = 0x3, buf = 0x2817068, length = 0x1000) = 0x0
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	write() CONTENT: b'Parse_cpu_stat_thread_body Parse_cpu_stat Failed\n'
Parse_cpu_stat_thread_body Parse_cpu_stat Failed
[+] [Thread 2001]	0x9018d304: write(fd = 0x1, buf = 0x901dc804, count = 0x31) = 0x31
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x9001f348: rt_sigaction(signum = 0x11, act = 0x0, oldact = 0x9020fe70) = 0x0
[+] [Thread 2001]	Received interrupt: 0x2
[+] [Thread 2001]	0x9014a00c: nanosleep(req = 0x9020fe60, rem = 0x9020fe60) = 0x0
[+] [Thread 2001]	Suspended at 0x9014a00c
[+] [Thread 2001]	Saved context. c13_c0_3=0x90210950
[+] [Thread 2001]	Call sched_cb: <function __sleep_common.<locals>._sched_sleep at 0x7f258ed53a60>
[+] [Thread 2000]	Set c13_c0_3 to 0x901e07b0
[+] [Thread 2000]	Restored context. c13_c0_3=0x901e07b0
[+] [Thread 2000]	Scheduled from 0x47bb02c.
[+] [Thread 2000]	Received interrupt: 0x2
[+] [Thread 2000]	0x9014976c: gettimeofday(tv = 0x7ff3cc78, tz = 0x0) = 0x0
[+] [Thread 2000]	Suspended at 0x9016e17c
[+] [Thread 2000]	Saved context. c13_c0_3=0x901e07b0
......
[=] [Thread 2000]	gdb> listening on 0.0.0.0:8888


So I want to know how to break at the _start function. If gdb could attach before the new thread is created, then after the new thread is created `i threads` would show the threads created after gdb attached, and they could be debugged.

With multithread=False, after `target remote` it breaks normally at the _start function.

xiziyunqi105 avatar Jul 24 '22 02:07 xiziyunqi105
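As an added example that is not part of this issue or of Qiling's own code, the script below replays the per-thread scheduler lines of a Qiling DEBUG log (the `[Thread N]` tag, the `created`, `Suspended at` and `Scheduled from` events, the traced syscalls and the `gdb> listening` line, all as quoted above) and reports which threads already existed, and in what state, at the moment the gdb stub started listening. The regular expressions are written against the log lines quoted in this issue; the embedded SAMPLE_LOG is a constructed excerpt that follows the order of that log, not the full log, and the function names are this example's own.

```python
import re

# Constructed excerpt modelled on the Qiling DEBUG log quoted in the issue; the
# line order follows the quoted log, but this is not the full log.
SAMPLE_LOG = """\
[+] \tProfile: default
[+] [Thread 2000]\t[Thread 2001] created
[+] [Thread 2000]\t0x9018c498: clone(flags = 0x3d0f00, child_stack = 0x90210028, parent_tidptr = 0x90210528, newtls = 0x90210950, child_tidptr = 0x90210528) = 0x7d1
[+] [Thread 2000]\tSuspended at 0x47bb02c
[+] [Thread 2001]\tScheduled from 0x9018c498.
[+] [Thread 2001]\twrite() CONTENT: b'Parse_cpu_stat_thread_body Parse_cpu_stat Failed\\n'
Parse_cpu_stat_thread_body Parse_cpu_stat Failed
[+] [Thread 2001]\t0x9014a00c: nanosleep(req = 0x9020fe60, rem = 0x9020fe60) = 0x0
[+] [Thread 2001]\tSuspended at 0x9014a00c
[+] [Thread 2000]\tScheduled from 0x47bb02c.
[+] [Thread 2000]\t0x9014976c: gettimeofday(tv = 0x7ff3cc78, tz = 0x0) = 0x0
[+] [Thread 2000]\tSuspended at 0x9016e17c
[=] [Thread 2000]\tgdb> listening on 0.0.0.0:8888
"""

# "[+] [Thread 2000]<tab>message": the scheduler tags each line with the running thread
LINE_RE = re.compile(r"^\[[+=!x]\] \[Thread (\d+)\]\s+(.*)$")
CREATED_RE = re.compile(r"^\[Thread (\d+)\] created$")
SUSPENDED_RE = re.compile(r"^Suspended at (0x[0-9a-f]+)$", re.I)
SCHEDULED_RE = re.compile(r"^Scheduled from (0x[0-9a-f]+)\.$", re.I)
SYSCALL_RE = re.compile(r"^(0x[0-9a-f]+): ([A-Za-z_][A-Za-z0-9_]*)\(", re.I)
GDB_RE = re.compile(r"^gdb> listening on (\S+)$")


def parse_thread_timeline(log_text):
    """Replay the per-thread scheduler events of a Qiling DEBUG log.

    Returns {"threads": {tid: info}, "gdb": info_or_None}. Each thread info
    records who created it, its last traced syscall, its state ("created",
    "running", "suspended" or "unknown") and the pc it was last suspended at.
    The gdb entry snapshots every thread's state at the "gdb> listening" line,
    i.e. at the first moment a debugger can attach.
    """
    threads = {}
    gdb = None

    def entry(tid):
        return threads.setdefault(tid, {"created_by": None, "last_syscall": None,
                                        "state": "unknown", "last_pc": None})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner lines without a thread tag, or the emulated program's own stdout
        tid, msg = int(m.group(1)), m.group(2).strip()
        cur = entry(tid)
        if (c := CREATED_RE.match(msg)):
            child = entry(int(c.group(1)))       # logged in the parent's context
            child["created_by"] = tid
            child["state"] = "created"
        elif (s := SUSPENDED_RE.match(msg)):
            cur["state"] = "suspended"
            cur["last_pc"] = int(s.group(1), 16)
        elif SCHEDULED_RE.match(msg):
            cur["state"] = "running"
        elif (s := SYSCALL_RE.match(msg)):
            cur["last_syscall"] = s.group(2)
        elif (g := GDB_RE.match(msg)):
            gdb = {"tid": tid, "addr": g.group(1),
                   "threads_at_attach": {t: info["state"] for t, info in threads.items()}}
    return {"threads": threads, "gdb": gdb}


def summarize(log_text):
    """One human-readable line per thread, plus what exists when the gdb stub starts."""
    result = parse_thread_timeline(log_text)
    lines = []
    for tid, info in sorted(result["threads"].items()):
        origin = f"created by {info['created_by']}" if info["created_by"] is not None else "initial thread"
        pc = f" at {info['last_pc']:#x}" if info["last_pc"] is not None else ""
        lines.append(f"thread {tid}: {origin}, last syscall {info['last_syscall']}, {info['state']}{pc}")
    gdb = result["gdb"]
    if gdb is None:
        lines.append("gdb stub never started listening")
    else:
        lines.append(f"gdb stub started on {gdb['addr']} from thread {gdb['tid']}; "
                     f"threads already existing at that point: {sorted(gdb['threads_at_attach'])}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Feed a real log into summarize() instead of SAMPLE_LOG to triage a different run. On the excerpt above it reports thread 2001 as created by 2000 and suspended in nanosleep before the stub listens, matching what the reporter reads off the log: the second thread exists before gdb can attach, while `info threads` in gdb shows only one.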


The log shows that a thread was created and that the thread-creation function returned 0, so why does `i threads` still show only one thread number?

xiziyunqi105 avatar Jul 26 '22 06:07 xiziyunqi105

Sorry, multithreaded communication between Qiling and GDB has not been fully implemented. I think the mistake is made here:

https://github.com/qilingframework/qiling/blob/fd74c83938868fe260d8a401cbebb89bce54d6ca/qiling/debugger/gdb/gdb.py#L468

kabeor avatar Jul 29 '22 09:07 kabeor