Hi,

> $ cat > foo.c
> int main() { return 0; }
> $ cc -static -o foo foo.c
> $ ktrace ./foo
> $ kdump
>  2153 ktrace   RET   ktrace 0
>  2153 ktrace   CALL  execve(0x7f7fffff910f,0x7f7fffff8c78,0x7f7fffff8c88)
>  2153 ktrace   NAMI  "./foo"
>  2153 foo      EMUL  "native"
>  2153 foo      RET   execve 0
>
> Userland execution starts here.
>
>  2153 foo      CALL  __sysctl(0.0,0x801360,0x7f7ffffe62b0,0,0)
>  2153 foo      RET   __sysctl 0
>
> Here the program fetches a random number to set up the canary for
> the stack protector.
>
>  2153 foo      CALL  mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0)
>  2153 foo      RET   mmap 1192062976/0x470d7000
>
> Here a page is allocated for atexit function pointers...
>
>  2153 foo      CALL  mprotect(0x470d7000,0x1000,0x1)
>  2153 foo      RET   mprotect 0
>
> ...and then this page is protected to be read-only to avoid attacks that
> change atexit function pointers.
>
> Here, where you don't get syscalls logged in ktrace, main is called. Then
> it returns, so exit() is called. exit() processes all the atexit hooks
> and then unmaps the atexit page and exits the program.
>
>  2153 foo      CALL  munmap(0x470d7000,0x1000)
>  2153 foo      RET   munmap 0
>  2153 foo      CALL  exit(0)
> $
thanks! This is exactly the minimal example I wanted to understand. Would you please recommend a piece of literature where I can learn this from the beginning?

> ps. Yes, it's a slow day at work, so I have time to talk too much.

Thank you very much for that :-)

Jan
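The mmap/mprotect/munmap sequence in the quoted trace is easy to reproduce in userland. The program below is an added example, not from the original thread and not any BSD libc's real atexit code: it builds its own page of hook pointers the same way (mmap, fill, mprotect read-only), then shows that a later store into the page faults instead of replacing a pointer, and finally runs the hooks in reverse registration order and unmaps the page as exit() does. The fault is caught with sigaction and siglongjmp so the effect is visible without crashing; the names make_hook_table, write_is_blocked, run_hooks_and_release, demo_locked_page and demo_writable_page are my own.

```c
/* Added example, not from the thread or any libc: a userland model of the
 * read-only atexit page seen in the ktrace. All function names are mine. */
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef void (*hook_fn)(void);

/* Records the order in which hooks run, so reverse-order execution is visible. */
static char hook_order[8];
static int hook_order_n;
static void hook_a(void) { hook_order[hook_order_n++] = 'a'; }
static void hook_b(void) { hook_order[hook_order_n++] = 'b'; }
const char *hooks_run(void) { hook_order[hook_order_n] = '\0'; return hook_order; }

/* Jump target for the write-fault handler. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;
static void on_fault(int sig) { (void)sig; fault_seen = 1; siglongjmp(fault_env, 1); }

/* mmap one page for the hook table, fill it, and, when lock is non-zero,
 * mprotect it read-only as the traced libc does. Returns NULL on failure. */
hook_fn *make_hook_table(int lock, size_t *len_out) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    hook_fn *tbl = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tbl == MAP_FAILED) return NULL;
    tbl[0] = hook_a;   /* registered first */
    tbl[1] = hook_b;   /* registered second */
    tbl[2] = NULL;     /* terminator */
    if (lock && mprotect(tbl, pagesz, PROT_READ) != 0) {
        munmap(tbl, pagesz);
        return NULL;
    }
    *len_out = pagesz;
    return tbl;
}

/* Try to overwrite slot 0 with newfn. Returns 1 if the store faulted (page
 * read-only, pointer unchanged), 0 if it landed. */
int write_is_blocked(hook_fn *tbl, hook_fn newfn) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report the fault as SIGBUS */
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile hook_fn *slot = tbl;   /* volatile so the store is not elided */
        slot[0] = newfn;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen;
}

/* What exit() does with the page: run the hooks in reverse registration
 * order, then munmap it. Returns the hook count, or -1 if munmap failed. */
int run_hooks_and_release(hook_fn *tbl, size_t len) {
    int n = 0;
    while (tbl[n] != NULL) n++;
    for (int i = n - 1; i >= 0; i--) tbl[i]();
    return munmap(tbl, len) == 0 ? n : -1;
}

/* Locked page: the overwrite is blocked and the hooks still run as "ba". */
int demo_locked_page(void) {
    size_t len = 0;
    hook_fn *tbl = make_hook_table(1, &len);
    if (tbl == NULL) return 0;
    hook_order_n = 0;
    int blocked = write_is_blocked(tbl, hook_b);
    int ran = run_hooks_and_release(tbl, len);
    return blocked == 1 && ran == 2 && strcmp(hooks_run(), "ba") == 0;
}

/* Same page left writable: the stray store lands, hook_a is displaced and
 * hook_b runs twice ("bb"). This is what the mprotect in the trace prevents. */
int demo_writable_page(void) {
    size_t len = 0;
    hook_fn *tbl = make_hook_table(0, &len);
    if (tbl == NULL) return 0;
    hook_order_n = 0;
    int blocked = write_is_blocked(tbl, hook_b);
    int ran = run_hooks_and_release(tbl, len);
    return blocked == 0 && ran == 2 && strcmp(hooks_run(), "bb") == 0;
}

int main(void) {
    printf("locked page blocks overwrite, hooks run in reverse: %d\n", demo_locked_page());
    printf("writable page lets overwrite through:                %d\n", demo_writable_page());
    return 0;
}
```

Running this under ktrace/kdump on a BSD (or strace on Linux) shows the same mmap, mprotect and munmap calls as the quoted trace, now issued by the program itself rather than by libc.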