Using mdb to locate the value of a symbol

I recently needed to locate the value of a specific symbol in the .data segment of an ELF executable. Prior to learning that mdb and gdb could be used to perform this lookup, I typically did the following:

1. Use nm to locate the symbol and its offset from .data

2. Use readelf or elfdump to locate the address of .data

3. Run hexdump on the library or executable that I wanted to look up a value in, and check for a value at the address of step 1 + step 2
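The arithmetic behind those three steps, as an added example that is not from the original post: it finds the symbol in .symtab, then maps its value to a file offset as sh_offset + (st_value - sh_addr). It assumes a 32-bit ELF; `symbol_bytes` and `build_sample` are hypothetical names, and the sample image is constructed to mirror the address, size and value shown in the mdb session below.

```python
import struct

SHT_SYMTAB, SHT_NOBITS = 2, 8

def symbol_bytes(elf, name):
    """Return (file_offset, raw_bytes) for a symbol in an ELF32 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 file")
    e = ">" if elf[5] == 2 else "<"              # EI_DATA: 2 = big-endian
    (shoff,) = struct.unpack_from(e + "I", elf, 32)
    shentsize, shnum = struct.unpack_from(e + "HH", elf, 46)
    # Each header: name, type, flags, addr, offset, size, link, info, align, entsize
    secs = [struct.unpack_from(e + "10I", elf, shoff + i * shentsize)
            for i in range(shnum)]
    for sec in secs:
        if sec[1] != SHT_SYMTAB:
            continue
        stroff = secs[sec[6]][4]                 # sh_link names the string table
        for off in range(sec[4], sec[4] + sec[5], 16):
            st_name, value, size, _, _, shndx = struct.unpack_from(e + "IIIBBH", elf, off)
            start = stroff + st_name
            if elf[start:elf.index(b"\0", start)] != name.encode():
                continue
            # UNDEF, reserved indexes (ABS, COMMON) and .bss have no bytes on disk
            if shndx == 0 or shndx >= 0xff00 or secs[shndx][1] == SHT_NOBITS:
                raise ValueError(name + " has no initialised bytes in the file")
            home = secs[shndx]
            foff = home[4] + (value - home[3])   # sh_offset + (st_value - sh_addr)
            return foff, elf[foff:foff + size]
    raise KeyError(name)

def build_sample():
    """Constructed ELF32 big-endian image; address, size and value mirror the session."""
    data = struct.pack(">I", 20020903).ljust(0x38, b"\0")
    strtab = b"\0log_forensic_module\0"
    symtab = bytes(16) + struct.pack(">IIIBBH", 1, 0x11554, 0x38, 0x11, 0, 1)
    body, off, shdrs = b"", 52, [bytes(40)]       # section 0 is the null section
    for typ, addr, blob, link in ((1, 0x11554, data, 0), (2, 0, symtab, 3), (3, 0, strtab, 0)):
        shdrs.append(struct.pack(">10I", 0, typ, 0, addr, off, len(blob), link, 0, 1, 0))
        body += blob
        off += len(blob)
    ehdr = struct.pack(">16sHHIIIIIHHHHHH", b"\x7fELF\x01\x02\x01",
                       3, 2, 1, 0, 0, off, 0, 52, 0, 0, 40, 4, 0)
    return ehdr + body + b"".join(shdrs)

if __name__ == "__main__":
    offset, raw = symbol_bytes(build_sample(), "log_forensic_module")
    print(hex(offset), int.from_bytes(raw[:4], "big"))   # first word, like mdb's /D
```

The same mapping holds for relocatable objects, where sh_addr is 0 and the symbol value is already section-relative.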

This seemed tedious, so I asked around to see if there was an easier way. It turns out I was overcomplicating this, as mdb and gdb can be used to resolve the symbol for me. Here is how to use mdb to display the value of the symbol log_forensic_module in the library mod_log_forensic.so:

$ mdb mod_log_forensic.so

> ::nm
Value      Size       Type  Bind  Other Shndx    Name
0x00000000|0x00000000|NOTY |LOCL |0x0  |UNDEF   |
0x00000000|0x00000000|FILE |LOCL |0x0  |ABS     |.libs/mod_log_forensic.so
0x000000b4|0x00000000|SECT |LOCL |0x0  |1       |
0x0000019c|0x00000000|SECT |LOCL |0x0  |2       |
0x0000034c|0x00000000|SECT |LOCL |0x0  |3       |
0x000004f4|0x00000000|SECT |LOCL |0x0  |4       |
0x00000514|0x00000000|SECT |LOCL |0x0  |5       |
0x0000067c|0x00000000|SECT |LOCL |0x0  |6       |
0x000006b8|0x00000000|SECT |LOCL |0x0  |7       |
0x000006e8|0x00000000|SECT |LOCL |0x0  |8       |
0x000007cc|0x00000000|SECT |LOCL |0x0  |9       |
0x00000ff8|0x00000000|SECT |LOCL |0x0  |10      |
0x000010f8|0x00000000|SECT |LOCL |0x0  |11      |
0x00011308|0x00000000|SECT |LOCL |0x0  |12      |
0x00011384|0x00000000|SECT |LOCL |0x0  |13      |
0x0001149c|0x00000000|SECT |LOCL |0x0  |14      |
0x00011554|0x00000000|SECT |LOCL |0x0  |15      |
0x0001158c|0x00000000|SECT |LOCL |0x0  |16      |
0x000115c4|0x00000000|SECT |LOCL |0x0  |17      |
0x000115ca|0x00000000|SECT |LOCL |0x0  |18      |
0x00000000|0x00000000|SECT |LOCL |0x0  |19      |
0x00000000|0x00000000|SECT |LOCL |0x0  |20      |
0x00000000|0x00000000|SECT |LOCL |0x0  |1       |
0x00000000|0x00000000|SECT |LOCL |0x0  |21      |
0x00000000|0x00000000|SECT |LOCL |0x0  |22      |
0x00000000|0x00000000|SECT |LOCL |0x0  |1       |
0x000115ca|0x00000000|OBJT |LOCL |0x0  |18      |_END_
0x00000000|0x00000000|OBJT |LOCL |0x0  |1       |_START_
0x00000000|0x00000000|FILE |LOCL |0x0  |ABS     |mod_log_forensic.c
0x000115ca|0x00000000|NOTY |LOCL |0x0  |18      |Bbss.bss
0x00011554|0x00000000|NOTY |LOCL |0x0  |15      |Ddata.data
0x00000ff8|0x00000000|NOTY |LOCL |0x0  |10      |Drodata.rodata
0x0001158c|0x00000000|NOTY |LOCL |0x0  |16      |Dpicdata.picdata
0x00000ff8|0x00000100|OBJT |LOCL |0x0  |10      |test_char_table
0x000010f8|0x00000000|NOTY |LOCL |0x0  |11      |.L1334
0x0000110c|0x00000000|NOTY |LOCL |0x0  |11      |.L1335
0x00001130|0x00000000|NOTY |LOCL |0x0  |11      |.L1339
0x00001144|0x00000000|NOTY |LOCL |0x0  |11      |.L1340
0x0000116c|0x00000000|NOTY |LOCL |0x0  |11      |.L1366
0x00001174|0x00000000|NOTY |LOCL |0x0  |11      |.L1367
0x00001188|0x00000000|NOTY |LOCL |0x0  |11      |.L1373
0x00001190|0x00000000|NOTY |LOCL |0x0  |11      |.L1374
0x000011a4|0x00000000|NOTY |LOCL |0x0  |11      |.L1375
0x000011ac|0x00000000|NOTY |LOCL |0x0  |11      |.L1380
0x000011b4|0x00000000|NOTY |LOCL |0x0  |11      |.L1381
0x000011c8|0x00000000|NOTY |LOCL |0x0  |11      |.L1417
0x000011d4|0x00000000|NOTY |LOCL |0x0  |11      |.L1419
0x000011e8|0x00000000|NOTY |LOCL |0x0  |11      |.L1420
0x0000121c|0x00000000|NOTY |LOCL |0x0  |11      |.L1424
0x0000122c|0x00000000|NOTY |LOCL |0x0  |11      |.L1425
0x00001240|0x00000000|NOTY |LOCL |0x0  |11      |.L1430
0x00001264|0x00000000|NOTY |LOCL |0x0  |11      |.L1431
0x00001278|0x00000000|NOTY |LOCL |0x0  |11      |.L1432
0x000115c8|0x00000000|NOTY |LOCL |0x0  |17      |.L1442
0x00001284|0x00000000|NOTY |LOCL |0x0  |11      |.L1447
0x000012a0|0x00000000|NOTY |LOCL |0x0  |11      |.L1448
0x0001158c|0x00000030|OBJT |LOCL |0x0  |16      |forensic_log_cmds
0x00000f38|0x00000044|FUNC |LOCL |0x0  |9       |set_forensic_log
0x000115bc|0x00000000|OBJT |LOCL |0x0  |16      |.L1464
0x000007cc|0x0000002c|FUNC |LOCL |0x0  |9       |make_forensic_log_scfg
0x000007f8|0x00000054|FUNC |LOCL |0x0  |9       |merge_forensic_log_scfg
0x00000f7c|0x0000007c|FUNC |LOCL |0x0  |9       |register_hooks
0x0000084c|0x00000140|FUNC |LOCL |0x0  |9       |open_log
0x0000098c|0x00000040|FUNC |LOCL |0x0  |9       |log_init
0x000009cc|0x00000128|FUNC |LOCL |0x0  |9       |log_escape
0x00000af4|0x0000006c|FUNC |LOCL |0x0  |9       |count_string
0x00000b60|0x00000034|FUNC |LOCL |0x0  |9       |count_headers
0x00000b94|0x00000060|FUNC |LOCL |0x0  |9       |log_headers
0x00000bf4|0x00000270|FUNC |LOCL |0x0  |9       |log_before
0x00000e64|0x000000d4|FUNC |LOCL |0x0  |9       |log_after
0x00011384|0x00000000|OBJT |GLOB |0x0  |13      |_PROCEDURE_LINKAGE_TABLE_
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_table_get
0x0001149c|0x00000000|OBJT |GLOB |0x0  |14      |_DYNAMIC
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_file_open
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_hook_log_transaction
0x000115ca|0x00000000|OBJT |GLOB |0x0  |17      |_edata
0x00001307|0x00000000|OBJT |GLOB |0x0  |11      |_etext
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_pstrcat
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_server_root_relative
0x00011308|0x00000000|OBJT |GLOB |0x0  |12      |_GLOBAL_OFFSET_TABLE_
0x00011554|0x00000038|OBJT |GLOB |0x0  |15      |log_forensic_module
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_table_do
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_palloc
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_log_assert
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_pstrdup
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |strlen
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |strcpy
0x000115ca|0x00000000|OBJT |GLOB |0x0  |18      |_end
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |memset
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |sprintf
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_hook_post_read_request
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_open_piped_log
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_log_error
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |ap_hook_open_logs
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_table_setn
0x00000000|0x00000000|FUNC |GLOB |0x0  |UNDEF   |apr_file_write

> log_forensic_module/D
mod_log_forensic.so`log_forensic_module:
mod_log_forensic.so`log_forensic_module:        20020903        

> $q

It’s all about simplifying your IT life. :)

Solaris 802.1Q interface format

While reviewing some notes last night, I came across an entry in my notebook that described how to configure Solaris interfaces to support 802.1Q tagged queuing. Given a physical interface named “ce0” that will be associated with VLAN 500, the formula to create the interface would be:

ce + (VLAN number * 1000 + instance number)

So in the example above, you would use an interface named ce500000 to tell the host to process 802.1Q tagged Ethernet frames destined for VLAN 500. I am still not sure why Sun chose to use this format, since you can’t just look at a name and know what it is. Luckily this annoyance will be fixed when the Clearview project integrates into Solaris (Clearview will allow you to use vanity names with interfaces).

Bash shortcuts / hotkeys

I use bash as my primary shell, and have come to rely on the following bash shortcuts:

alt-f   -- move forward one word
alt-b   -- move backwards one word
ctrl-a  -- takes you to the beginning of the command you are currently typing.
ctrl-b  -- move backwards one character
ctrl-c  -- kills the current command or process.
ctrl-d  -- kills the shell.
ctrl-e  -- takes you to the end of the command you are currently typing in.
ctrl-f  -- move forward one character
ctrl-h  -- deletes one letter at a time from the command you are typing in.
ctrl-l  -- clear screen
ctrl-r  -- does a search in the previously given commands so that you don't have to repeat long commands.
ctrl-u  -- clears the typing before the hotkey.
ctrl-z  -- puts the currently running process in background
esc-b   -- takes you back by one word while typing a command.
esc-p   -- like ctrl-r lets you search through the previously given commands.
esc-.   -- gives the last command you typed.