yetangitu/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2025-10-05 19:42:36 +02:00
Code Issues Releases Wiki Activity

GP-3887: Update Debugger course for Trace RMI.

Browse source
This commit is contained in:
Dan 2024-04-22 10:11:25 -04:00
parent 190f1eaa1e
commit a93a695e6a
79 changed files with 2235 additions and 1663 deletions
Download patch file Download diff file Expand all files Collapse all files

95
GhidraDocs/GhidraClass/Debugger/A4-MachineState.html
View file

@ -107,7 +107,7 @@ not, please refer to the previous modules.</p>
<p>This module will address the following features in more depth:</p>
<ul>
<li>Dynamic Listing window</li>
<li>Dynamic Bytes window</li>
<li>Dynamic Bytes (Memory) window</li>
<li>Registers window</li>
<li>Watches window</li>
<li>Sleigh expressions</li>
@ -154,10 +154,10 @@ may present tables with editable cells. These will often include a
accidental patching. Furthermore, you must use the <img
src="images/record.png" alt="control mode" /> Control Mode toggle in the
global toolbar (next to the control actions) to enable patching
throughout the Debugger tool. For now, please only use the “Control
Target” and “Control Target w/ Edits Disabled” options. The write toggle
is included here so that actions like copy-paste do not lead to
accidental patching.</p>
throughout the Debugger tool. For now, please only use the
<strong>Control Target</strong> and <strong>Control Target w/ Edits
Disabled</strong> options. The write toggle is included here so that
actions like copy-paste do not lead to accidental patching.</p>
</section>
</section>
<section id="the-dynamic-listing" class="level2">
@ -190,19 +190,19 @@ Location drop-down and select <strong>Track Stack Pointer</strong>. The
window should seek to (and highlight in pale green) the address in the
stack pointer. Since the target has just entered <code>main</code>, we
should expect a return address at the top of the stack. With your cursor
at the stack pointer, press <strong>P</strong> to place a pointer there,
just like you would in the Static Listing. You can now navigate to that
address by double-clicking it. To return to the stack pointer, you can
use the back arrow in the global toolbar, you can click the <img
src="images/register-marker.png" alt="track location" /> Track Location
button, or you can double-click the <code>sp = [Address]</code> label in
the top right of the Dynamic Listing.</p>
at the stack pointer, press <strong><code>P</code></strong> to place a
pointer there, just like you would in the Static Listing. You can now
navigate to that address by double-clicking it. To return to the stack
pointer, you can use the back arrow in the global toolbar, you can click
the <img src="images/register-marker.png" alt="track location" /> Track
Location button, or you can double-click the <code>sp = [Address]</code>
label in the top right of the Dynamic Listing.</p>
<p>To examine a more complicated stack segment, we will break at
<code>rand</code>. Ensure your breakpoint at <code>rand</code> is
enabled and press <img src="images/resume.png" alt="resume" /> Resume.
Your Dynamic Listing should follow the stack pointer. In the menus,
select <strong>Debugger → Analysis → Unwind Stack</strong> or press
<strong>U</strong>.</p>
select <strong>Debugger → Analysis → Unwind from frame 0</strong> or
press <strong><code>U</code></strong>.</p>
<figure>
<img src="images/State_ListingStackAfterCallRand.png"
alt="The dynamic listing of the stack after a call to rand" />
@ -231,9 +231,9 @@ snapshots of the machine state, discussed later in this module.</p>
<section id="cache-status-indication" class="level3">
<h3>Cache Status Indication</h3>
<p>The listings contents are read from a live target, which may become
unresponsive or otherwise temperamental. The Debugger uses a database,
which acts as a cache separating the GUI from the live target. The UI
requests memory pages from the target, the target asynchronously
unresponsive or otherwise temperamental. The Debugger uses a trace
database, which acts as a cache separating the GUI from the live target.
The UI requests memory pages from the target, the target asynchronously
retrieves those pages and stores them into the database, then the
database updates the UI. This sequence does not always go as expected;
thus, pages with stale data are displayed with a grey background. This
@ -241,8 +241,8 @@ may also happen if auto-read is disabled. Typically, user-space targets
are not so temperamental, but others may be, or memory reads could be
expensive, in which case disabling automatic memory reads may be
advantageous. If the back-end debugger reports an error while reading
memory, the first address of the page will have a red background. To
refresh the visible or selected page(s), click the
memory, the page will have a red background. To refresh the visible or
selected page(s), click the
<img alt="refresh" src="images/view-refresh.png" width="16px"/> Refresh
button. Examine the Debug Console window for errors / warnings before
spamming this button. To toggle auto read, use the
@ -269,12 +269,12 @@ memory map.</p>
</section>
<section id="go-to" class="level3">
<h3>Go To</h3>
<p>The Go To action in the Dynamic Listing differs from the one in the
Static Listing. Like the static one, it accepts an address in
hexadecimal, possibly prefixed with the address space and a colon.
However, it also accepts Sleigh expressions, allowing you to treat
<code>RAX</code> as a pointer and go to that address, for example. We
cover Sleigh expressions later in this module.</p>
<p>The <strong>Go To</strong> action in the Dynamic Listing differs from
the one in the Static Listing. Like the static one, it accepts an
address in hexadecimal, possibly prefixed with the address space and a
colon. However, it also accepts Sleigh expressions, allowing you to
treat <code>RAX</code> as a pointer and go to that address, for example.
We cover Sleigh expressions later in this module.</p>
</section>
<section id="compare" class="level3">
<h3>Compare</h3>
@ -315,12 +315,12 @@ alt="The dynamic memory view of the stack after a call to rand" />
after a call to rand</figcaption>
</figure>
<p>Just as the Dynamic Listing is the analog of the Static Listing, the
Memory viewer is the analog of the Byte viewer. It is not visible by
default. To open it, use <strong>Windows → Byte Viewer → Memory
</strong> in the menus. Its default configuration should be Auto PC,
the same as the Dynamic Listings default. It has all the same
additional Debugger features as the Dynamic Listing. Furthermore, bytes
that have changed are displayed in red text.</p>
Memory viewer is the analog of the Bytes viewer. To open it, use
<strong>Windows → Byte Viewer → Memory</strong> in the menus. Its
default configuration should be Auto PC, the same as the Dynamic
Listings default. It has all the same additional Debugger features as
the Dynamic Listing. Furthermore, bytes that have changed are displayed
in red text.</p>
<section id="exercise-display-the-board-in-hex" class="level3">
<h3>Exercise: Display the Board in Hex</h3>
<p>This is a bit quick and dirty, but it works and can be useful. Your
@ -401,16 +401,17 @@ srand</figcaption>
expressions. This can provide an alternative to the Registers window
when you are really only interested in a couple of registers. It can
also watch values in memory. Furthermore, when a watch has a memory
address, the expression will appear as an option in the Location
Tracking menus of the Listing and Memory viewers. Selecting that option
will cause the window to follow that watch as its address changes.</p>
address, the expression will appear as an option in the <strong>Location
Tracking</strong> menus of the Listing and Memory viewers. Selecting
that option will cause the window to follow that watch as its address
changes.</p>
<p>To add a watch, click the <img src="images/add.png" alt="add" /> Add
button. A new entry will appear. Double-click the left-most cell of the
row to set or edit the Sleigh expression. For starters, try something
like <code>RDI</code>. (Conventionally, this is the location for the
first parameter on Linux x86-64 systems.) The context menus for the
Listing and Registers windows include a “Watch” action, which adds the
current selection to the Watches window.</p>
Listing and Registers windows include a <strong>Watch</strong> action,
which adds the current selection to the Watches window.</p>
<p>The columns are:</p>
<ul>
<li>The <strong>Expression</strong> column is the user-defined Sleigh
@ -420,7 +421,8 @@ value, if applicable. This may be in <code>register</code> space.
Double-clicking this cell will go to the address in the Dynamic
Listing.</li>
<li>The <strong>Symbol</strong> column gives the symbol in a mapped
static image closest to or containing the address, if applicable.</li>
program database closest to or containing the address, if
applicable.</li>
<li>The <strong>Value</strong> column gives the “raw” value of the
expression. If the result is in memory, it displays a byte array;
otherwise, it displays an integer.</li>
@ -436,13 +438,14 @@ evaluating the expression.</li>
</section>
<section id="sleigh-expressions" class="level2">
<h2>Sleigh Expressions</h2>
<p>Watches and Go-To commands are expressed using Ghidras Sleigh
language. More precisely, expressions are the sub-language of Sleigh for
the right-hand side of assignment statements in semantic sections. If
you already know this language, then there is little more to learn. Of
note, you may use labels from mapped program images in your expression.
For example, to see how far a return address is into <code>main</code>,
you could use <code>*:8 RSP - main</code>.</p>
<p>Watches and Go-To commands are expressed using Ghidras
<em>Sleigh</em> language. More precisely, expressions are the
sub-language of Sleigh for the right-hand side of assignment statements
in semantic sections. If you already know this language, then there is
little more to learn. Of note, you may use labels from mapped program
databases in your expression. For example, to see how far a return
address is into <code>main</code>, you could use
<code>*:8 RSP - main</code>.</p>
<p>For the complete specification, see the Semantic Section in the <a
href="../../../Ghidra/Features/Decompiler/src/main/doc/sleigh.xml">Sleigh
documentation</a>.</p>
@ -521,7 +524,7 @@ array. To read memory:</p>
<li><strong>Dereference</strong>: <code>*:8 RSP</code> or
<code>*[ram]:8 RSP</code></li>
</ul>
<p><strong>NOTE</strong> The <code>[ram]</code> part is optional. On
<p><strong>NOTE</strong>: The <code>[ram]</code> part is optional. On
x86, you will rarely if ever specify the space, since there is only one
physical RAM space. The <code>:8</code> part specifies the number of
bytes to read from memory. It is also optional, but only if the size can
@ -636,7 +639,7 @@ variable, e.g., <code>7fffffffe618</code></li>
<li><strong>Bytes</strong>: The raw bytes currently stored in the memory
allocated to the variable</li>
<li><strong>Integer</strong>: The “raw” integer value of the variable,
rendered with varyied signedness and radix</li>
rendered with varied signedness and radix</li>
<li><strong>Value</strong>: The value of the variable, according to its
type</li>
<li><strong>Instruction</strong>: If the variable points to code, the