ProcExp now provides core dumps!

Postby morpheus » Tue Aug 04, 2015 1:47 pm

If the Windows process explorer can provide core dumps, why can't we? I decided to integrate some of my coreuption tools into Process Explorer, so it now provides a full dump of any PID you so choose - presently on iOS only, but for both 32-bit and 64-bit. Usage could not be simpler:


Code:
Phontifex:~ root# ps -ef | grep SpringB
  501    59     1   0  3:37PM ??         0:52.89 /System/Library/CoreServices/SpringBoard.app/SpringBoard
    0   856   766   0  9:19AM ttys000    0:00.01 grep SpringB
Phontifex:~ root#  procexp 59 core
.. (some warnings are fine here)
Full core dumped to /tmp/core.59
Pontifex:~ root#  ls -l /tmp/core.59 
-rw-------  1 root  wheel  680747008 Aug  4 09:19 /tmp/core.59
Phontifex:~ root#  lldb -c /tmp/core.59
...

libsystem_kernel.dylib`mach_msg_overwrite_trap:
   0x194b34e10:  movn   x16, #31
   0x194b34e14:  svc    #128
   0x194b34e18:  ret   
  thread #11: tid = 0x000a, 0x0000000194b4fc78 libsystem_kernel.dylib`__workq_kernreturn + 8, stop reason = signal SIGSTOP
    frame #0: 0x0000000194b4fc78 libsystem_kernel.dylib`__workq_kernreturn + 8
libsystem_kernel.dylib`__workq_kernreturn + 8:
-> 0x194b4fc78:  b.cc   0x194b4fc90               ; __workq_kernreturn + 32
   0x194b4fc7c:  stp    fp, lr, [sp, #-16]!
   0x194b4fc80:  mov    fp, sp
   0x194b4fc84:  bl     0x194b3652c               ; cerror_nocancel
(lldb) thread list
Process 0 stopped
* thread #1: tid = 0x0000, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #2: tid = 0x0001, 0x0000000194b34c24 libsystem_kernel.dylib`kevent64 + 8, stop reason = signal SIGSTOP
  thread #3: tid = 0x0002, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #4: tid = 0x0003, 0x0000000194b34e48 libsystem_kernel.dylib`semaphore_wait_trap + 8, stop reason = signal SIGSTOP
  thread #5: tid = 0x0004, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #6: tid = 0x0005, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #7: tid = 0x0006, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #8: tid = 0x0007, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #9: tid = 0x0008, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #10: tid = 0x0009, 0x0000000194b34e0c libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
  thread #11: tid = 0x000a, 0x0000000194b4fc78 libsystem_kernel.dylib`__workq_kernreturn + 8, stop reason = signal SIGSTOP
(lldb) bt
* thread #1: tid = 0x0000, 0x393a6a8c libsystem_kernel.dylib`mach_msg_trap + 20, stop reason = signal SIGSTOP
  * frame #0: 0x393a6a8c libsystem_kernel.dylib`mach_msg_trap + 20
    frame #1: 0x393a688c libsystem_kernel.dylib`mach_msg + 48
    frame #2: 0x2e9847c2 CoreFoundation`<redacted> + 154
    frame #3: 0x2e982f2e CoreFoundation`<redacted> + 854
    frame #4: 0x2e8edc26 CoreFoundation`CFRunLoopRunSpecific + 522
    frame #5: 0x2e8eda0a CoreFoundation`CFRunLoopRunInMode + 106
    frame #6: 0x33614282 GraphicsServices`GSEventRunModal + 138
    frame #7: 0x31191048 UIKit`UIApplicationMain + 1136
    frame #8: 0x0008c8c4 SpringBoard


The core is generated without impacting the process in any way, and - as the above shows - can be used with gdb or lldb. The only downside is that it's a FULL core (with the entire dyld_shared_cache, some 400MB of quality prelinked dylibs) - and so it takes time. This actually proves very useful if you're moving the core to an OS X host, wherein (because it's full) it can be properly analyzed by lldb.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: ProcExp now provides core dumps!

Postby backendbilly » Wed Aug 05, 2015 2:03 am

Thanks a lot for this wonderful feature, Jonathan. It comes in very handy.

Billy
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: ProcExp now provides core dumps!

Postby backendbilly » Wed Aug 05, 2015 2:24 am

Where can I get the latest version?
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: ProcExp now provides core dumps!

Postby morpheus » Wed Aug 05, 2015 4:16 am

You're more than welcome :) The usual location (newOSXBook.com/files/procexp.tgz) should have a universal binary whose ARMv7/ARMv8 components have this feature, but I added it here too. I need to get myself to do this for x86 (the segments are the same, but the THREAD_STATE is a bit different) - yet there's no rush, since you can get cores via /cores and ulimit -c unlimited.

Note that when dumping process memory I uncovered (yet another) XNU bug in that mach_vm_read lies about how much memory it actually does read - and memory that the kernel paged out is not read. In that sense, even a full core dump is exactly that - CORE, as in "mincore(2)", so if procexp now complains about memory regions read partially (or not at all) don't worry about that - the process itself is likely to have discarded them.

I remember your request for a memory dumper, btw. This is pretty much it, but more will follow.

J
Attachment: procexp.tgz ("For the lazy", 478.34 KiB)
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
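Added example (not code from procexp or from this thread): a small Python walker over the Mach-O core layout the posts above describe, that is, LC_SEGMENT_64 load commands for each memory region plus LC_THREAD records whose flavor and size differ between ARM64 and x86_64. It reports every segment whose file image is shorter than its mapped size, which is what a region that mach_vm_read returned only partially (pages the kernel had paged out) looks like once it is in the file. The constants are from Apple's loader.h and thread_status.h; the sample core is constructed inline and its register values are arbitrary (the pc is borrowed from the lldb listing). Whether procexp emits exactly this layout is not stated in the thread and is an assumption here.

```python
import struct
from dataclasses import dataclass

# Mach-O constants from <mach-o/loader.h>, <mach/machine.h> and the thread_status.h headers
MH_MAGIC_64 = 0xFEEDFACF
MH_CORE = 0x4
LC_SEGMENT_64 = 0x19
LC_THREAD = 0x4
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# (cputype, flavor) -> (flavor name, state size in uint32s, byte offset of the program counter)
THREAD_FLAVORS = {
    (CPU_TYPE_ARM64, 6): ("ARM_THREAD_STATE64", 68, 256),   # pc follows x0..x28, fp, lr, sp
    (CPU_TYPE_X86_64, 4): ("x86_THREAD_STATE64", 42, 128),  # rip is the 17th 64-bit register
}


@dataclass
class Segment:
    name: str
    vmaddr: int
    vmsize: int
    fileoff: int
    filesize: int
    initprot: int

    @property
    def partial(self) -> bool:
        # File image shorter than the mapping: the region was only partly read from the target.
        return self.filesize < self.vmsize


@dataclass
class CoreReport:
    cpu: str
    segments: list
    threads: list

    @property
    def partial_segments(self):
        return [s for s in self.segments if s.partial]

    @property
    def bytes_mapped(self) -> int:
        return sum(s.vmsize for s in self.segments)

    @property
    def bytes_in_file(self) -> int:
        return sum(s.filesize for s in self.segments)


def parse_core(data: bytes) -> CoreReport:
    """Walk the load commands of a 64-bit little-endian Mach-O core (MH_CORE) image."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a 64-bit Mach-O (magic {magic:#x})")
    if filetype != MH_CORE:
        raise ValueError(f"filetype {filetype:#x} is not MH_CORE")
    segments, threads = [], []
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off:#x}")
        if cmd == LC_SEGMENT_64:
            (name, vmaddr, vmsize, fileoff, filesize,
             _maxprot, initprot, _nsects, _sflags) = struct.unpack_from("<16s4Q2i2I", data, off + 8)
            if fileoff + filesize > len(data):
                raise ValueError(f"segment {name!r} data lies outside the file")
            segments.append(Segment(name.rstrip(b"\0").decode("ascii"),
                                    vmaddr, vmsize, fileoff, filesize, initprot))
        elif cmd == LC_THREAD:
            p = off + 8  # one LC_THREAD may carry several (flavor, count, state) records
            while p + 8 <= off + cmdsize:
                flavor, count = struct.unpack_from("<2I", data, p)
                state = data[p + 8:p + 8 + count * 4]
                if len(state) != count * 4:
                    raise ValueError("thread state truncated")
                fname, want, pc_off = THREAD_FLAVORS.get((cputype, flavor), (f"flavor {flavor}", None, None))
                pc = struct.unpack_from("<Q", state, pc_off)[0] if want == count else None
                threads.append({"flavor": fname, "count": count, "pc": pc})
                p += 8 + count * 4
        off += cmdsize
    return CoreReport(CPU_NAMES.get(cputype, f"cputype {cputype:#x}"), segments, threads)


def build_sample_core() -> bytes:
    """Constructed sample: a tiny arm64 MH_CORE with one complete and one half-read segment."""
    PC, SP = 0x194B34E0C, 0x16FDFE000          # arbitrary register values for the sample
    state = bytearray(68 * 4)
    struct.pack_into("<QQ", state, 248, SP, PC)  # sp at byte 248, pc at byte 256
    thread_cmd = struct.pack("<4I", LC_THREAD, 16 + len(state), 6, 68) + bytes(state)

    def seg(name, vmaddr, vmsize, fileoff, filesize, prot):
        return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, name,
                           vmaddr, vmsize, fileoff, filesize, prot, prot, 0, 0)

    text = seg(b"__TEXT", 0x100000000, 0x4000, 0x1000, 0x4000, 5)
    data = seg(b"__DATA", 0x100004000, 0x8000, 0x5000, 0x4000, 3)  # only half was readable
    cmds = text + data + thread_cmd
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_CORE, 3, len(cmds), 0, 0)
    return (header + cmds).ljust(0x1000, b"\0") + b"\0" * 0x8000


if __name__ == "__main__":
    r = parse_core(build_sample_core())
    print(f"{r.cpu}: {len(r.segments)} segments, {r.bytes_in_file:#x} of {r.bytes_mapped:#x} bytes present")
    for s in r.partial_segments:
        print(f"  partial: {s.name} {s.vmaddr:#x} filesize {s.filesize:#x} < vmsize {s.vmsize:#x}")
    for t in r.threads:
        print(f"  thread {t['flavor']} pc={t['pc']:#x}")
```

Pointing parse_core at a real /tmp/core.<pid> from procexp gives the same summary, and comparing bytes_in_file against bytes_mapped is a quick way to tell how much of the dump is the dyld_shared_cache mapping versus memory the process had actually touched.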
