Victor Stinner
Mon, 20 Apr 2009 12:09:05 -0700
Hi,

> attached you will find a small patch that allows one to "follow" a
> sequence of bytes (a regular string or a byte string) across the
> execution of a program.

I committed your patch and added your name to the AUTHORS list. I changed MemoryMapping.search() to reuse process.readBytes() instead of opening directly /proc/pid/mem: process.readBytes() works on any OS supporting ptrace and has optimized versions for Linux and FreeBSD.

> At any point during the debugging of the program, one can use the
> "xray" command to inspect the memory of all debugged processes
> for instances of the "followed" terms:
>
> (gdb) xray
> (...)

I also noticed that MemoryMapping.search() reads the whole mapping into memory! It's ok if the mapping is smaller than 100 MB, but if it's bigger it may cause a MemoryError!

> The "pointers: " clause, shows the addresses of possible pointers
> pointing to a "followed" term.

--

> It seems that python-ptrace has some serious potential in the field
> of taint analysis :-)

Well, I committed your patch but I don't need it today. It would be nice to have "search a byte string in memory mappings" and "search a pointer to address ... in memory mappings" commands (functions already implemented for xray). E.g. "search bytes 'pattern'" and "search pointer 0x8f0cfd0a". If these functions exist in gdb, it would be nice (for interoperability) to reuse the same names.

--
Victor Stinner aka haypo
http://www.haypocalc.com/blog/
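
The whole-mapping read mentioned in the message can be avoided by scanning in bounded chunks. The sketch below is an added example, not code from python-ptrace or from this thread: `search_chunked`, `search_pointer` and `fake_read_bytes` are hypothetical names, `read_bytes(address, size)` stands in for a reader such as `process.readBytes()`, and the 64-bit little-endian pointer format is an assumption.

```python
import struct


def search_chunked(read_bytes, start, end, pattern, chunk_size=1 << 20):
    """Yield every address in [start, end) where pattern begins.

    read_bytes(address, size) is a hypothetical callable that returns
    `size` bytes of target memory.
    """
    if not pattern:
        raise ValueError("pattern must not be empty")
    overlap = len(pattern) - 1
    tail = b""
    address = start
    while address < end:
        size = min(chunk_size, end - address)
        # Prepend the end of the previous chunk so that a match
        # straddling the chunk boundary is still found.
        window = tail + read_bytes(address, size)
        base = address - len(tail)
        pos = window.find(pattern)
        while pos != -1:
            yield base + pos
            pos = window.find(pattern, pos + 1)
        # The tail is shorter than the pattern, so no match is reported twice.
        tail = window[-overlap:] if overlap else b""
        address += size


def search_pointer(read_bytes, start, end, target, word_format="<Q", **kwargs):
    """Find words holding `target`; word_format is an assumption
    (little-endian 64-bit) and must match the debugged process."""
    needle = struct.pack(word_format, target)
    return search_chunked(read_bytes, start, end, needle, **kwargs)


# Constructed sample: a fake 12 KiB mapping at BASE.
BASE = 0x10000
MEM = bytearray(3 * 4096)
MEM[4093:4099] = b"secret"          # straddles the 4096-byte boundary
MEM[9000:9006] = b"secret"
MEM[200:208] = struct.pack("<Q", BASE + 9000)   # pointer to the second copy


def fake_read_bytes(address, size):
    offset = address - BASE
    return bytes(MEM[offset:offset + size])
```

Peak memory per scan is bounded by `chunk_size + len(pattern) - 1` bytes regardless of the mapping size.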