Using mdb to locate the value of a symbol
I recently needed to locate the value of a specific symbol in the .data segment of an ELF executable. Prior to learning that mdb and gdb could be used to perform this lookup, I typically did the following:
1. Use nm to locate the symbol and its offset from .data
2. Use readelf or elfdump to locate the address of .data
3. Run hexdump on the library or executable that I wanted to look up a value in, and check for a value at the address of step 1 + step 2
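The three manual steps above can be collapsed into one script; this is an added example, not part of the original post. It goes slightly beyond the page by handling ELF32 and ELF64 in either byte order, and it treats the symbol value as an address that is rebased onto the owning section's file offset. The names symbol_bytes and build_sample are hypothetical, and the sample ELF image is constructed for the demonstration.

```python
import struct

def symbol_bytes(elf, symbol, length=4):
    """Bytes stored at `symbol` in an ELF image (ELF32/64, either byte order)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = elf[4] == 2, "<" if elf[5] == 1 else ">"   # EI_CLASS, EI_DATA
    if is64:
        shoff, = struct.unpack_from(end + "Q", elf, 40)
        shentsize, shnum = struct.unpack_from(end + "HH", elf, 58)
        sh_fmt, sym_fmt = end + "IIQQQQIIQQ", end + "IBBHQQ"
    else:
        shoff, = struct.unpack_from(end + "I", elf, 32)
        shentsize, shnum = struct.unpack_from(end + "HH", elf, 46)
        sh_fmt, sym_fmt = end + "10I", end + "IIIBBH"
    secs = [struct.unpack_from(sh_fmt, elf, shoff + i * shentsize) for i in range(shnum)]
    for _, sh_type, _, _, sh_off, sh_size, sh_link, _, _, entsize in secs:
        if sh_type not in (2, 11) or entsize == 0:   # SHT_SYMTAB, SHT_DYNSYM
            continue
        str_off = secs[sh_link][4]                   # linked string table
        for off in range(sh_off, sh_off + sh_size, entsize):
            f = struct.unpack_from(sym_fmt, elf, off)
            st_value, st_shndx = (f[4], f[3]) if is64 else (f[1], f[5])
            start = str_off + f[0]
            name = elf[start:elf.index(b"\0", start)].decode()
            if name != symbol or st_shndx == 0 or st_shndx >= 0xff00:
                continue                             # undefined or ABS/COMMON
            _, s_type, _, s_addr, s_off, _ = secs[st_shndx][:6]
            if s_type == 8:                          # SHT_NOBITS (.bss)
                raise ValueError("symbol has no bytes in the file")
            file_off = st_value - s_addr + s_off     # virtual address -> file offset
            return elf[file_off:file_off + length]
    raise KeyError(symbol)

def build_sample():
    """Constructed ELF32 MSB image; address and size mirror the page's ::nm row."""
    data = struct.pack(">I", 20020903)
    strtab = b"\0log_forensic_module\0"
    symtab = bytes(16) + struct.pack(">IIIBBH", 1, 0x11554, 0x38, 0x11, 0, 1)
    body = data + symtab + strtab
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 3, 2, 1, 0, 0, 52 + len(body), 0, 52, 0, 0, 40, 4, 0)
    shdrs = bytes(40) + struct.pack(">10I", 0, 1, 3, 0x11554, 52, 4, 0, 0, 4, 0)  # .data
    shdrs += struct.pack(">10I", 0, 2, 0, 0, 56, 32, 3, 1, 4, 16)                # .symtab
    shdrs += struct.pack(">10I", 0, 3, 0, 0, 88, len(strtab), 0, 0, 1, 0)         # .strtab
    return ehdr + body + shdrs

if __name__ == "__main__":
    print(int.from_bytes(symbol_bytes(build_sample(), "log_forensic_module"), "big"))
```

To run it against a real file, pass `open(path, "rb").read()` as the first argument and decode the returned bytes with the byte order of the target.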
This seemed tedious, so I asked around to see if there was an easier way. It turns out I was overcomplicating this, as mdb and gdb can be used to resolve the symbol for me. Here is how to use mdb to display the value of the symbol log_forensic_module in the library mod_log_forensic.so:
$ mdb mod_log_forensic.so
> ::nm
Value      Size       Type  Bind  Other Shndx Name
0x00000000|0x00000000|NOTY |LOCL |0x0 |UNDEF |
0x00000000|0x00000000|FILE |LOCL |0x0 |ABS |.libs/mod_log_forensic.so
0x000000b4|0x00000000|SECT |LOCL |0x0 |1 |
0x0000019c|0x00000000|SECT |LOCL |0x0 |2 |
0x0000034c|0x00000000|SECT |LOCL |0x0 |3 |
0x000004f4|0x00000000|SECT |LOCL |0x0 |4 |
0x00000514|0x00000000|SECT |LOCL |0x0 |5 |
0x0000067c|0x00000000|SECT |LOCL |0x0 |6 |
0x000006b8|0x00000000|SECT |LOCL |0x0 |7 |
0x000006e8|0x00000000|SECT |LOCL |0x0 |8 |
0x000007cc|0x00000000|SECT |LOCL |0x0 |9 |
0x00000ff8|0x00000000|SECT |LOCL |0x0 |10 |
0x000010f8|0x00000000|SECT |LOCL |0x0 |11 |
0x00011308|0x00000000|SECT |LOCL |0x0 |12 |
0x00011384|0x00000000|SECT |LOCL |0x0 |13 |
0x0001149c|0x00000000|SECT |LOCL |0x0 |14 |
0x00011554|0x00000000|SECT |LOCL |0x0 |15 |
0x0001158c|0x00000000|SECT |LOCL |0x0 |16 |
0x000115c4|0x00000000|SECT |LOCL |0x0 |17 |
0x000115ca|0x00000000|SECT |LOCL |0x0 |18 |
0x00000000|0x00000000|SECT |LOCL |0x0 |19 |
0x00000000|0x00000000|SECT |LOCL |0x0 |20 |
0x00000000|0x00000000|SECT |LOCL |0x0 |1 |
0x00000000|0x00000000|SECT |LOCL |0x0 |21 |
0x00000000|0x00000000|SECT |LOCL |0x0 |22 |
0x00000000|0x00000000|SECT |LOCL |0x0 |1 |
0x000115ca|0x00000000|OBJT |LOCL |0x0 |18 |_END_
0x00000000|0x00000000|OBJT |LOCL |0x0 |1 |_START_
0x00000000|0x00000000|FILE |LOCL |0x0 |ABS |mod_log_forensic.c
0x000115ca|0x00000000|NOTY |LOCL |0x0 |18 |Bbss.bss
0x00011554|0x00000000|NOTY |LOCL |0x0 |15 |Ddata.data
0x00000ff8|0x00000000|NOTY |LOCL |0x0 |10 |Drodata.rodata
0x0001158c|0x00000000|NOTY |LOCL |0x0 |16 |Dpicdata.picdata
0x00000ff8|0x00000100|OBJT |LOCL |0x0 |10 |test_char_table
0x000010f8|0x00000000|NOTY |LOCL |0x0 |11 |.L1334
0x0000110c|0x00000000|NOTY |LOCL |0x0 |11 |.L1335
0x00001130|0x00000000|NOTY |LOCL |0x0 |11 |.L1339
0x00001144|0x00000000|NOTY |LOCL |0x0 |11 |.L1340
0x0000116c|0x00000000|NOTY |LOCL |0x0 |11 |.L1366
0x00001174|0x00000000|NOTY |LOCL |0x0 |11 |.L1367
0x00001188|0x00000000|NOTY |LOCL |0x0 |11 |.L1373
0x00001190|0x00000000|NOTY |LOCL |0x0 |11 |.L1374
0x000011a4|0x00000000|NOTY |LOCL |0x0 |11 |.L1375
0x000011ac|0x00000000|NOTY |LOCL |0x0 |11 |.L1380
0x000011b4|0x00000000|NOTY |LOCL |0x0 |11 |.L1381
0x000011c8|0x00000000|NOTY |LOCL |0x0 |11 |.L1417
0x000011d4|0x00000000|NOTY |LOCL |0x0 |11 |.L1419
0x000011e8|0x00000000|NOTY |LOCL |0x0 |11 |.L1420
0x0000121c|0x00000000|NOTY |LOCL |0x0 |11 |.L1424
0x0000122c|0x00000000|NOTY |LOCL |0x0 |11 |.L1425
0x00001240|0x00000000|NOTY |LOCL |0x0 |11 |.L1430
0x00001264|0x00000000|NOTY |LOCL |0x0 |11 |.L1431
0x00001278|0x00000000|NOTY |LOCL |0x0 |11 |.L1432
0x000115c8|0x00000000|NOTY |LOCL |0x0 |17 |.L1442
0x00001284|0x00000000|NOTY |LOCL |0x0 |11 |.L1447
0x000012a0|0x00000000|NOTY |LOCL |0x0 |11 |.L1448
0x0001158c|0x00000030|OBJT |LOCL |0x0 |16 |forensic_log_cmds
0x00000f38|0x00000044|FUNC |LOCL |0x0 |9 |set_forensic_log
0x000115bc|0x00000000|OBJT |LOCL |0x0 |16 |.L1464
0x000007cc|0x0000002c|FUNC |LOCL |0x0 |9 |make_forensic_log_scfg
0x000007f8|0x00000054|FUNC |LOCL |0x0 |9 |merge_forensic_log_scfg
0x00000f7c|0x0000007c|FUNC |LOCL |0x0 |9 |register_hooks
0x0000084c|0x00000140|FUNC |LOCL |0x0 |9 |open_log
0x0000098c|0x00000040|FUNC |LOCL |0x0 |9 |log_init
0x000009cc|0x00000128|FUNC |LOCL |0x0 |9 |log_escape
0x00000af4|0x0000006c|FUNC |LOCL |0x0 |9 |count_string
0x00000b60|0x00000034|FUNC |LOCL |0x0 |9 |count_headers
0x00000b94|0x00000060|FUNC |LOCL |0x0 |9 |log_headers
0x00000bf4|0x00000270|FUNC |LOCL |0x0 |9 |log_before
0x00000e64|0x000000d4|FUNC |LOCL |0x0 |9 |log_after
0x00011384|0x00000000|OBJT |GLOB |0x0 |13 |_PROCEDURE_LINKAGE_TABLE_
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_table_get
0x0001149c|0x00000000|OBJT |GLOB |0x0 |14 |_DYNAMIC
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_file_open
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_hook_log_transaction
0x000115ca|0x00000000|OBJT |GLOB |0x0 |17 |_edata
0x00001307|0x00000000|OBJT |GLOB |0x0 |11 |_etext
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_pstrcat
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_server_root_relative
0x00011308|0x00000000|OBJT |GLOB |0x0 |12 |_GLOBAL_OFFSET_TABLE_
0x00011554|0x00000038|OBJT |GLOB |0x0 |15 |log_forensic_module
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_table_do
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_palloc
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_log_assert
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_pstrdup
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |strlen
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |strcpy
0x000115ca|0x00000000|OBJT |GLOB |0x0 |18 |_end
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |memset
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |sprintf
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_hook_post_read_request
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_open_piped_log
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_log_error
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |ap_hook_open_logs
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_table_setn
0x00000000|0x00000000|FUNC |GLOB |0x0 |UNDEF |apr_file_write
> log_forensic_module/D
mod_log_forensic.so`log_forensic_module:
mod_log_forensic.so`log_forensic_module:        20020903
> $q
It’s all about simplifying your IT life. :)







