I recently needed to locate the value of a specific symbol in the .data segment of an ELF executable. Prior to learning that mdb and gdb could be used to perform this lookup, I typically did the following:
This seemed tedious, so I asked around to see if there was an easier way. It turns out I was overcomplicating this, as mdb and gdb can be used to resolve the symbol for me. Here is how to use mdb to display the value of the symbol log_forensic_module in the library mod_log_forensic.so:
$ mdb mod_log_forensic.so
> ::nm
Value Size Type Bind Other Shndx Name
0x00000000|0x00000000|NOTY |LOCL |0x0 |UNDEF |
0x00000000|0x00000000|FILE |LOCL |0x0 |ABS |.libs/mod_log_forensic.so
0x000000b4|0x00000000|SECT |LOCL |0x0 |1 |
0x0000019c|0x00000000|SECT |LOCL |0x0 |2 |
0x0000034c|0x00000000|SECT |LOCL |0x0 |3 |
0x000004f4|0x00000000|SECT |LOCL |0x0 |4 |
0x00000514|0x00000000|SECT |LOCL |0x0 |5 |
0x0000067c|0x00000000|SECT |LOCL |0x0 |6 |
0x000006b8|0x00000000|SECT |LOCL |0x0 |7 |
0x000006e8|0x00000000|SECT |LOCL |0x0 |8 |
0x000007cc|0x00000000|SECT |LOCL |0x0 |9 |
0x00000ff8|0x00000000|SECT |LOCL |0x0 |10 |
0x000010f8|0x00000000|SECT |LOCL |0x0 |11 |
0x00011308|0x00000000|SECT |LOCL |0x0 |12 |
0x00011384|0x00000000|SECT |LOCL |0x0 |13 |
0x0001149c|0x00000000|SECT |LOCL |0x0 |14 |
0x00011554|0x00000000|SECT |LOCL |0x0 |15 |
0x0001158c|0x00000000|SECT |LOCL |0x0 |16 |
0x000115c4|0x00000000|SECT |LOCL |0x0 |17 |
0x000115ca|0x00000000|SECT |LOCL |0x0 |18 |
0x00000000|0x00000000|SECT |LOCL |0x0 |19 |
0x00000000|0x00000000|SECT |LOCL |0x0 |20 |
0x00000000|0x00000000|SECT |LOCL |0x0 |1 |
0x00000000|0x00000000|SECT |LOCL |0x0 |21 |
0x00000000|0x00000000|SECT |LOCL |0x0 |22 |
0x00000000|0x00000000|SECT |LOCL |0x0 |1 |
0x000115ca|0x00000000|OBJT |LOCL |0x0 |18 |_END_
0x00000000|0x00000000|OBJT |LOCL |0x0 |1 |_START_
0x00000000|0x00000000|FILE |LOCL |0x0 |ABS |mod_log_forensic.c
0x000115ca|0x00000000|NOTY |LOCL |0x0 |18 |Bbss.bss
0x00011554|0x00000000|NOTY |LOCL |0x0 |15 |Ddata.data
0x00000ff8|0x00000000|NOTY |LOCL |0x0 |10 |Drodata.rodata
0x0001158c|0x00000000|NOTY |LOCL |0x0 |16 |Dpicdata.picdata
0x00000ff8|0x00000100|OBJT |LOCL |0x0 |10 |test_char_table
0x000010f8|0x00000000|NOTY |LOCL |0x0 |11 |.L1334
0x0000110c|0x00000000|NOTY |LOCL |0x0 |11 |.L1335
0x00001130|0x00000000|NOTY |LOCL |0x0 |11 |.L1339
0x00001144|0x00000000|NOTY |LOCL |0x0 |11 |.L1340
0x0000116c|0x00000000|NOTY |LOCL |0x0 |11 |.L1366
0x00001174|0x00000000|NOTY |LOCL |0x0 |11 |.L1367
0x00001188|0x00000000|NOTY |LOCL |0x0 |11 |.L1373
0x00001190|0x00000000|NOTY |LOCL |0x0 |11 |.L1374
0x000011a4|0x00000000|NOTY |LOCL |0x0 |11 |.L1375
0x000011ac|0x00000000|NOTY |LOCL |0x0 |11 |.L1380
0x000011b4|0x00000000|NOTY |LOCL |0x0 |11 |.L1381
0x000011c8|0x00000000|NOTY |LOCL |0x0 |11 |.L1417
0x000011d4|0x00000000|NOTY |LOCL |0x0 |11 |.L1419
0x000011e8|0x00000000|NOTY |LOCL |0x0 |11 |.L1420
0x0000121c|0x00000000|NOTY |LOCL |0x0 |11 |.L1424
0x0000122c|0x00000000|NOTY |LOCL |0x0 |11 |.L1425
0x00001240|0x00000000|NOTY |LOCL |0x0 |11 |.L1430
0x00001264|0x00000000|NOTY |LOCL |0x0 |11 |.L1431
0x00001278|0x00000000|NOTY |LOCL |0x0 |11 |.L1432
0x000115c8|0x00000000|NOTY |LOCL |0x0 |17 |.L1442
0x00001284|0x00000000|NOTY |LOCL |0x0 |11 |.L1447
0x000012a0|0x00000000|NOTY |LOCL |0x0 |11 |.L1448
0x0001158c|0x00000030|OBJT |LOCL |0x0 |16 |forensic_log_cmds
0x00000f38|0x00000044|FUNC |LOCL |0x0 |9 |set_forensic_log
0x000115bc|0x00000000|OBJT |LOCL |0x0 |16 |.L1464
0x000007cc|0x0000002c|FUNC |LOCL |0x0 |9 |make_forensic_log_scfg
0x000007f8|0x00000054|FUNC |LOCL |0x0 |9 |merge_forensic_log_scfg
0x00000f7c|0x0000007c|FUNC |LOCL |0x0 |9 |register_hooks
0x0000084c|0x00000140|FUNC |LOCL |0x0 |9 |open_log
0x0000098c|0x00000040|FUNC |LOCL |0x0 |9 |log_init
0x000009cc|0x00000128|FUNC |LOCL |0x0 |9 |log_escape
0x00000af4|0x0000006c|FUNC |LOCL |0x0 |9 |count_string
0x00000b60|0x00000034|FUNC |LOCL |0x0 |9 |count_headers
0x00000b94|0x00000060|FUNC |LOCL |0x0 |9 |log_headers
0x00000bf4|0x00000270|FUNC |LOCL |0x0 |9 |log_before
0x00000e64|0x000000d4|FUNC |LOCL |0x0 |9 |log_after
0x00011384|0x00000000|OBJT |GLOB |0x0 |13 |_PROCEDURE_LINKAGE_TABLE_
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_table_get
0x0001149c|0x00000000|OBJT |GLOB |0x0 |14 |_DYNAMIC
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_file_open
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_hook_log_transaction
0x000115ca|0x00000000|OBJT |GLOB |0x0 |17 |_edata
0x00001307|0x00000000|OBJT |GLOB |0x0 |11 |_etext
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_pstrcat
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_server_root_relative
0x00011308|0x00000000|OBJT |GLOB |0x0 |12 |_GLOBAL_OFFSET_TABLE_
0x00011554|0x00000038|OBJT |GLOB |0x0 |15 |log_forensic_module
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_table_do
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_palloc
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_log_assert
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_pstrdup
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |strlen
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |strcpy
0x000115ca|0x00000000|OBJT |GLOB |0x0 |18 |_end
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |memset
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |sprintf
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_hook_post_read_request
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_open_piped_log
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_log_error
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_hook_open_logs
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_table_setn
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_file_write
> log_forensic_module/D
mod_log_forensic.so`log_forensic_module:
mod_log_forensic.so`log_forensic_module: 20020903
> $q
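The same lookup done by hand, as an added example that is not from the original post: find the symbol in .symtab, map its address to a file offset through its section header, and read the word that mdb's /D printed. It handles 32-bit ELF only; the function names are chosen here, and the tiny ELF image is constructed for the example, reusing the address and value shown above.

```python
import struct

SHT_SYMTAB, SHT_NOBITS = 2, 8

def read_symbol_word(elf, name):
    """Return (address, signed 32-bit value) of symbol `name` in a 32-bit ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not a 32-bit ELF file")
    e = ">" if elf[5] == 2 else "<"            # EI_DATA: 2 means big-endian
    (shoff,) = struct.unpack_from(e + "I", elf, 32)
    shentsize, shnum = struct.unpack_from(e + "HH", elf, 46)
    # Section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sh = [struct.unpack_from(e + "10I", elf, shoff + i * shentsize) for i in range(shnum)]
    for _, typ, _, _, off, size, link, _, _, entsize in sh:
        if typ != SHT_SYMTAB:
            continue
        stroff = sh[link][4]                   # sh_link names the string table section
        for pos in range(off, off + size, entsize):
            st_name, value, _, _, _, shndx = struct.unpack_from(e + "IIIBBH", elf, pos)
            start = stroff + st_name
            if elf[start:elf.index(b"\0", start)] != name.encode():
                continue
            # UNDEF (0), reserved indexes such as ABS, and .bss have no bytes to read
            if shndx == 0 or shndx >= shnum or sh[shndx][1] == SHT_NOBITS:
                raise ValueError(f"{name} has no bytes in the file")
            _, _, _, addr, sec_off, sec_size = sh[shndx][:6]
            delta = value - addr               # symbol's offset inside its section
            if not 0 <= delta <= sec_size - 4:
                raise ValueError(f"{name} lies outside its section")
            return value, struct.unpack_from(e + "i", elf, sec_off + delta)[0]
    raise KeyError(name)

def build_sample():
    """Constructed big-endian ELF32: null section, .data, .symtab, .strtab."""
    data = struct.pack(">i", 20020903)         # the word mdb's /D printed on the page
    strtab = b"\0log_forensic_module\0apr_palloc\0"
    syms = [(0,) * 6, (1, 0x11554, 4, 0x11, 0, 1),   # null entry; GLOB OBJT in section 1
            (21, 0, 0, 0x12, 0, 0)]                  # GLOB FUNC, UNDEF (apr_palloc)
    symtab = b"".join(struct.pack(">IIIBBH", *s) for s in syms)
    o_sym, o_str = 56, 56 + len(symtab)        # .data sits at 52, right after the header
    shoff = o_str + len(strtab)
    hdr = struct.pack(">16sHHIIIIIHHHHHH", b"\x7fELF\x01\x02\x01",
                      3, 2, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 4, 0)
    secs = [(0,) * 10, (0, 1, 3, 0x11554, 52, 4, 0, 0, 4, 0),
            (0, 2, 0, 0, o_sym, len(symtab), 3, 1, 4, 16),
            (0, 3, 0, 0, o_str, len(strtab), 0, 0, 1, 0)]
    return hdr + data + symtab + strtab + b"".join(struct.pack(">10I", *s) for s in secs)

print("%#x: %d" % read_symbol_word(build_sample(), "log_forensic_module"))
```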
It’s all about simplifying your IT life. :)