Kernel, Virus and Programming

GKD can dump the exceptions now

GKD can dump the exceptions now; it helps me trace what happened to my kernel.

2015/08/13

hard to theme netbeans perfectly

It is hard to theme NetBeans using a traditional Swing look & feel. The reason is that the NetBeans tab container is not a traditional Swing JTabbedPane. See the post: NetBeans uses an AbstractViewTabDisplayerUI to support only a few "default look & feel"s, such as Metal, Nimbus and Aqua. See below: The problem is: this default look & feel tab container…

2015/08/06

Peter-swing Java look & feel

2015/08/03

GRUB is slow on Bochs

If GRUB is running slowly on Bochs, try adding "--no-rs-codes" to your grub-bios-setup command. The difference is 0.5 seconds versus 5 seconds.

2015/08/02

gcc can't handle too many #if macros

gcc can't handle too many macros (#if, #define); the output DWARF will have wrong line numbers. So when you disassemble the assembly with C/C++ source, everything is wrong, including wrong line numbers, wrong mapping of assembly code to C source code, and duplicated C/C++ lines. In GKD, I add an on/off button to filter out those…

2015/08/02

GKD is running fast with the Bochs instrumentation stub now

GKD is running fast with the Bochs instrumentation stub now. It captures all jmp/call/int/ret, i.e. all instructions that change your EIP. I am using H2 as the backbone database; every second it can record over 100,000 instructions, which is pretty fast. Turn on subtitles when you are watching it:

2015/07/26

Nazi gun tower

2015/07/13

Getting the parameters by parsing the DWARF directly

I used another two months to get the correct location of each parameter of a function. The mission sounds stupid, and the time I spent sounds stupid. If I used GDB, I would perhaps never know how parameters are stored in memory. Now I know how the computer ACTUALLY works. People think the parameters are stored in the stack, and…

2015/07/07

libelf include issue

When you meet this: just comment out the following line in /toolchain/include/libelf/sys_elf.h. When I build libelf on Mac and on Linux, the output sys_elf.h is different; on Mac, the above line does not exist, so my OS is able to compile. Peter.

2015/06/30

How to look up the value of each parameter from DWARF and memory location

Here are the steps to look up the parameter value. 1) Look into the "info" section from DWARF, "objdump --dwarf=info". There is a DIE with DW_AT_location (DW_OP_fbreg: 0), telling you the offset from the frame register. 2) Look at the CIE from the .eh_frame section, "objdump --dwarf=frames". It will tell you the formula for calculating the CFA, such as…

2015/06/18

Linux view CSV command

alias csv='column -s, -t'
csv your_file

2015/06/16

Successfully decoded .eh_frame

Successfully decoded .eh_frame; now I am able to calculate the base offset of each parameter and can keep going on the profiling feature of GKD.

2015/05/27

objdump 2.24 has a bug

objdump 2.24 has a bug, but this bug is fixed in 2.25. It dumps the wrong address for my 32-bit kernel.

2015/05/22

Decoded first two instructions of .eh_frame

Decoded the first two instructions of .eh_frame. The DWARF spec lacks detail, so I need to hack into objdump to understand each byte; it is time consuming.

2015/05/12

binutils compile error

If you are compiling binutils and get these errors, just remove d-exp.c and try again. d-exp.c should be generated from d-exp.y, but the binutils makefile won't delete it during "make distclean".

2015/05/03

Tsinghua ucore kernel with GKD

I talked to Professor Chen from Tsinghua, and I tried their education kernel. I modified their Makefile a little bit so that it can be compiled on Mac and debugged using my GKD debugger.

2015/04/30

I finally understand why “DW_OP_fbreg: 0” is possible

In the following function kmalloc2, take a look at the first parameter. The memory location of that parameter is stated by DWARF as "DW_AT_location : 2 byte block: 91 0 (DW_OP_fbreg: 0)", where "DW_OP_fbreg: 0" means stack+0. I was wondering why it is possible, because when the CPU executed the call instruction, it already pushed 4 bytes into the…

2015/04/14

objdump has a bug

The objdump command has a bug. I tried to use the command "objdump -dS kernel" to display mixed assembly and C code, but objdump dumps the same piece of C source code at two different memory locations. I double checked the DWARF data; nothing is wrong. One more proof that the DWARF is correct: my GKD…

2015/04/11

I finally understand why the same parameter even has multiple locations

I finally understand why the same parameter even has multiple locations. My past concept was that a parameter stays in the stack. But after hacking the DWARF, it showed me that the same parameter has multiple locations during execution. Take a look at the image below: I wrote a function called kmalloc2 (blue arrow), and the third parameter "size" has three locations (yellow…

2015/04/07

Finally I can dump out the parameter type from the DWARF standard

Finally I can dump out the parameter type from the DWARF standard. Some parameters are stored recursively, so I need to read out DW_AT_type, get the right DIE and decode again. Personally I think DWARF is just too hard to parse. Here is the code

2015/03/29