Hi,
> $ cat > foo.c
> int main() { return 0; }
> $ cc -static -o foo foo.c
> $ ktrace ./foo
> $ kdump
> 2153 ktrace RET ktrace 0
> 2153 ktrace CALL execve(0x7f7fffff910f,0x7f7fffff8c78,0x7f7fffff8c88)
> 2153 ktrace NAMI "./foo"
> 2153 foo EMUL "native"
> 2153 foo RET execve 0
>
> Userland execution starts here.
>
> 2153 foo CALL __sysctl(0.0,0x801360,0x7f7ffffe62b0,0,0)
> 2153 foo RET __sysctl 0
>
> Here the program fetches a random number to set up the canary for
> the stack protector.
>
> 2153 foo CALL mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0)
> 2153 foo RET mmap 1192062976/0x470d7000
>
> Here a page is allocated for atexit function pointers...
>
> 2153 foo CALL mprotect(0x470d7000,0x1000,0x1)
> 2153 foo RET mprotect 0
>
> ...and then this page is protected to be read-only to avoid attacks that
> change atexit function pointers.
>
> Here, where you don't get syscalls logged in ktrace, main is called. Then
> it returns, so exit() is called. exit() processes all the atexit hooks
> and then unmaps the atexit page and exits the program.
>
> 2153 foo CALL munmap(0x470d7000,0x1000)
> 2153 foo RET munmap 0
> 2153 foo CALL exit(0)
> $
Thanks! This is exactly the minimal example I wanted to understand.
Would you please recommend a piece of literature where I can learn
this from the beginning?
> ps. Yes, it's a slow day at work, so I have time to talk too much.
Thank you very much for that :-)
Jan
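
The sequence the quoted trace walks through (mmap a page, mprotect it read-only, munmap it at exit), as an added C sketch that is not part of this thread and not OpenBSD's libc source. The `hook_page` layout, all function names, and the step that unlocks the page only while an entry is being added are assumptions of the example.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANON on glibc */
#include <errno.h>
#include <sys/mman.h>
#include <unistd.h>
#define MAX_HOOKS 32
typedef void (*hook_fn)(void);
struct hook_page { size_t count; hook_fn fns[MAX_HOOKS]; }; /* hypothetical layout */
static struct hook_page *page;
static size_t page_len;
static int hook_calls;
void sample_hook(void) { hook_calls++; } /* constructed hook used for the demo */

/* Same sequence as the trace: mmap a read/write page, then mprotect it read-only. */
int hooks_init(void) {
    page_len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page_len, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
    if (p == MAP_FAILED) return -1;
    page = p; /* anonymous memory is zero-filled, so count starts at 0 */
    return mprotect(page, page_len, PROT_READ);
}

/* Assumption of this sketch: the page is writable only while an entry is added. */
int hooks_register(hook_fn fn) {
    if (page == NULL || page->count >= MAX_HOOKS) return -1;
    if (mprotect(page, page_len, PROT_READ | PROT_WRITE) != 0) return -1;
    page->fns[page->count++] = fn;
    return mprotect(page, page_len, PROT_READ);
}

/* Probe without crashing: the kernel refuses to copy into a read-only page (EFAULT). */
int hooks_page_writable(void) {
    int fds[2];
    if (page == NULL || pipe(fds) != 0) return -1;
    ssize_t w = write(fds[1], "x", 1);
    ssize_t r = (w == 1) ? read(fds[0], (char *)page + page_len - 1, 1) : -1;
    int writable = (r == 1) ? 1 : (r < 0 && errno == EFAULT) ? 0 : -1;
    close(fds[0]); close(fds[1]);
    return writable;
}

/* What exit() does in the trace: run the hooks (newest first), then munmap the page. */
int hooks_run_and_release(void) {
    if (page == NULL) return -1;
    int n = (int)page->count;
    for (size_t i = page->count; i > 0; i--) page->fns[i - 1]();
    if (munmap(page, page_len) != 0) return -1;
    page = NULL;
    return n;
}
```

Running this under ktrace or strace shows the same mmap, mprotect and munmap calls as in the quoted output, plus one mprotect pair per registered hook.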