user826353

Reputation: 281

How to find the address of a string in memory using GDB?

I want to find the address of a string in memory. In this case, I'm looking for "/bin/sh". It's an initialized variable, so it's in the .data section and after compilation it has a fixed address. So what do I do in GDB to find out its memory address? And I do not know the name of the variable it's stored in.

Upvotes: 26

Views: 82699

Answers (4)

jdir.s

Reputation: 131

Take this example:

1. Find the string "Can not open script".
2. gdb> info proc map

process 8636
Mapped address spaces:

    Start Addr   End Addr       Size     Offset objfile
     0x8048000  0x8898000   0x850000        0x0 /home/lela/ask/mLinux32
     0x8898000  0x8902000    0x6a000   0x850000 /home/lela/ask/mLinux32
     0x8902000  0x8d4c000   0x44a000        0x0 [heap]
    0xf6800000 0xf6821000    0x21000        0x0 
    0xf6821000 0xf6900000    0xdf000        0x0 
    0xf6a00000 0xf6a21000    0x21000        0x0 
    0xf6a21000 0xf6b00000    0xdf000        0x0 
    0xf6b00000 0xf6b21000    0x21000        0x0 
    0xf6b21000 0xf6c00000    0xdf000        0x0 
    0xf6cbf000 0xf6cc0000     0x1000        0x0 
    0xf6cc0000 0xf6d00000    0x40000        0x0 
    0xf6d00000 0xf6d21000    0x21000        0x0 
    0xf6d21000 0xf6e00000    0xdf000        0x0 
    0xf6e06000 0xf6e07000     0x1000        0x0 
    0xf6e07000 0xf6e47000    0x40000        0x0 
    0xf6e47000 0xf6e48000     0x1000        0x0 
    0xf6e48000 0xf6e88000    0x40000        0x0 
    0xf6e88000 0xf6e89000     0x1000        0x0 
    0xf6e89000 0xf794f000   0xac6000        0x0 
    0xf794f000 0xf7a4f000   0x100000        0x0 
    0xf7a4f000 0xf7c15000   0x1c6000        0x0 
    0xf7c15000 0xf7c17000     0x2000        0x0 /usr/lib/i386-linux-gnu/libgcc_s.so.1
    0xf7c17000 0xf7c2d000    0x16000     0x2000 /usr/lib/i386-linux-gnu/libgcc_s.so.1
    0xf7c2d000 0xf7c32000     0x5000    0x18000 /usr/lib/i386-linux-gnu/libgcc_s.so.1
    0xf7c32000 0xf7c33000     0x1000    0x1c000 /usr/lib/i386-linux-gnu/libgcc_s.so.1

You get a result like this.

3. Use the find command with the start address and end address, and the string with a string-type length, e.g. {char[19]}, like below.

gdb➤  find  0x8048000, 0x8902000, {char[19]}"Can not open script"
0x8611234
1 pattern found.
gdb➤  x/s 0x8611234
0x8611234:  "Can not open script file \"%s\" to execute.\n"

4. Finish.

Upvotes: 1

Karim Manaouil

Reputation: 1249

If you want to search the whole address space of the process, you need to get the memory mapping for your process and use the start address and the end address with the find command in gdb.

For instance, if cat /proc/$PID/maps shows that your process's virtual memory ranges from 0x08048000 to 0xc0000000, you can search as follows:

(gdb) find 0x08048000, 0xc0000000, "/bin/sh"

Another way to get the memory mapping of your process is using gdb's built-in command:

(gdb) info proc map

Upvotes: 16

Reza Hashemi

Reputation: 1837

Using info proc map sounds like a better approach to me.

(gdb) info proc map
process 930
Mapped address spaces:

      Start Addr           End Addr       Size     Offset objfile
        0x400000           0x401000     0x1000        0x0 /myapp
        0x600000           0x601000     0x1000        0x0 /myapp
        0x601000           0x602000     0x1000     0x1000 /myapp
  0x7ffff7a1c000     0x7ffff7bd2000   0x1b6000        0x0 /usr/lib64/libc-2.17.so
  0x7ffff7bd2000     0x7ffff7dd2000   0x200000   0x1b6000 /usr/lib64/libc-2.17.so
  0x7ffff7dd2000     0x7ffff7dd6000     0x4000   0x1b6000 /usr/lib64/libc-2.17.so
  0x7ffff7dd6000     0x7ffff7dd8000     0x2000   0x1ba000 /usr/lib64/libc-2.17.so

(gdb) find 0x7ffff7a1c000,0x7ffff7bd2000,"/bin/sh"
0x7ffff7b98489
1 pattern found.
(gdb) x /s 0x7ffff7b98489
0x7ffff7b98489: "/bin/sh"
(gdb) x /xg 0x7ffff7b98489
0x7ffff7b98489: 0x0068732f6e69622f

Upvotes: 31

President James K. Polk

Reputation: 42009

Use the find command.

find [/sn] start_addr, +len, val1 [, val2, …]
find [/sn] start_addr, end_addr, val1 [, val2, …]

Search memory for the sequence of bytes specified by val1, val2, etc. The search begins at address start_addr and continues for either len bytes or through to end_addr inclusive. s and n are optional parameters. They may be specified in either order, apart or together.

s, search query size: The size of each search query value.

b bytes

h halfwords (two bytes)

w words (four bytes)

g giant words (eight bytes)

All values are interpreted in the current language. This means, for example, that if the current source language is C/C++ then searching for the string “hello” includes the trailing ’\0’.

If the value size is not specified, it is taken from the value’s type in the current language. This is useful when one wants to specify the search pattern as a mixture of types. Note that this means, for example, that in the case of C-like languages a search for an untyped 0x42 will search for ‘(int) 0x42’ which is typically four bytes.

n, maximum number of finds: The maximum number of matches to print. The default is to print all finds.

You can use strings as search values. Quote them with double-quotes ("). The string value is copied into the search pattern byte by byte, regardless of the endianness of the target and the size specification.

The address of each match found is printed as well as a count of the number of matches found.

The address of the last value found is stored in convenience variable ‘$_’. A count of the number of matches is stored in ‘$numfound’.

Upvotes: 9
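The procedure from the answers above (take the ranges from info proc map, run find over each one, and remember that in C mode a quoted string pattern includes the trailing '\0' unless you cast it with {char[N]} as in the "Can not open script" answer), as an added Python example that is not part of any answer on this page. The parts that touch GDB's Python API (gdb.execute, gdb.Command, Inferior.search_memory) only run when the file is sourced inside GDB; the map parser and the byte search are plain Python so the NUL-termination behaviour can be checked offline. The info proc map text, the memory image and the base address below are constructed samples, not from a real process, and the find-cstring command name is my own choice.

```python
"""
Automate `info proc map` + `find` for a C string, from inside GDB or offline.

  * parse_proc_map(): turns `info proc map` text into (start, end, objfile)
    ranges so every mapping can be searched without copying addresses by hand.
  * c_string_pattern(): the bytes `find` actually looks for: a C string literal
    carries its terminating NUL; the {char[N]} cast drops it (substring match).
  * search_image(): the byte search `find` performs, run over an in-memory image.
When sourced in GDB (`source find_cstring.py`) it also registers `find-cstring`,
which walks every mapping with Inferior.search_memory().
"""
import re
from typing import List, Optional, Tuple

# One data row of `info proc map`: start, end, size, offset, optional objfile.
MAP_LINE = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*(\S.*)?$"
)


def parse_proc_map(text: str) -> List[Tuple[int, int, str]]:
    """Parse `info proc map` output into (start, end, objfile) tuples.
    Header lines, 'process N' and blanks are skipped; anonymous maps get ''."""
    ranges = []
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        ranges.append((start, end, (m.group(5) or "").strip()))
    return ranges


def c_string_pattern(s: str, nul_terminated: bool = True) -> bytes:
    """Bytes GDB's `find` searches for. With nul_terminated=True this is the
    C-language behaviour ("/bin/sh" means /bin/sh\\0); False mimics the
    {char[N]} cast, which matches the string as a prefix of longer strings."""
    raw = s.encode("ascii")
    return raw + b"\0" if nul_terminated else raw


def search_image(image: bytes, base: int, pattern: bytes) -> List[int]:
    """Every absolute address in `image` (mapped at `base`) where `pattern`
    occurs, in ascending order; mirrors the addresses `find start, end, val` prints."""
    hits, off = [], image.find(pattern)
    while off != -1:
        hits.append(base + off)
        off = image.find(pattern, off + 1)
    return hits


def filter_ranges(ranges, objfile_substr: Optional[str] = None):
    """Keep only mappings whose objfile contains the substring (e.g. 'libc')."""
    if objfile_substr is None:
        return ranges
    return [r for r in ranges if objfile_substr in r[2]]


# Constructed sample, modelled on the layout of `info proc map` (not a real process).
SAMPLE_MAP = """process 930
Mapped address spaces:

      Start Addr           End Addr       Size     Offset objfile
        0x400000           0x401000     0x1000        0x0 /myapp
  0x7ffff7a1c000     0x7ffff7bd2000   0x1b6000        0x0 /usr/lib64/libc-2.17.so
  0x7ffff7dd2000     0x7ffff7dd6000     0x4000   0x1b6000 /usr/lib64/libc-2.17.so
  0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
"""

# Constructed memory image: "/bin/sh" once as a proper C string (offset 0x10) and
# once as the prefix of "/bin/shell" (offset 0x20). The NUL-terminated search
# must report only the first; the {char[7]}-style search reports both.
SAMPLE_IMAGE = b"\x00" * 0x10 + b"/bin/sh\x00" + b"\x00" * 8 + b"/bin/shell\x00"
SAMPLE_BASE = 0x7FFFF7B98000  # arbitrary base address for the sample image

try:
    import gdb  # only importable when this file is sourced inside GDB

    class FindCString(gdb.Command):
        """find-cstring STRING [OBJFILE-SUBSTR]: search every mapping for STRING\\0."""

        def __init__(self):
            super().__init__("find-cstring", gdb.COMMAND_USER)

        def invoke(self, arg, from_tty):
            argv = gdb.string_to_argv(arg)
            pattern = c_string_pattern(argv[0])
            ranges = filter_ranges(
                parse_proc_map(gdb.execute("info proc map", to_string=True)),
                argv[1] if len(argv) > 1 else None)
            inf = gdb.selected_inferior()
            for start, end, obj in ranges:
                addr = start
                while addr < end:  # search_memory returns one hit or None
                    hit = inf.search_memory(addr, end - addr, pattern)
                    if hit is None:
                        break
                    print(f"{hit:#x}  {obj}")
                    addr = hit + 1

    FindCString()
except ImportError:
    pass
```

Inside GDB, `find-cstring /bin/sh libc` reproduces the `find 0x7ffff7a1c000,0x7ffff7bd2000,"/bin/sh"` step for every libc mapping at once; the offline functions let you confirm beforehand that a quoted pattern will not match "/bin/sh" when it is only a prefix of a longer string, which is exactly why the "Can not open script" answer had to cast with {char[19]}.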
