blob: 17bf9637d9a852405fe6afb392c718fdc58af530 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
# Detecting Patterns With Recognizers
Frame recognizers allow for retrieving information about special frames based
on ABI, arguments or other special properties of that frame, even without
source code or debug info. Currently, one use case is to extract function
arguments that would otherwise be inaccessible, or augment existing arguments.
Adding a custom frame recognizer is done by implementing a Python class and
using the `frame recognizer add` command. The Python class should implement the
`get_recognized_arguments` method and it will receive an argument of type
`lldb.SBFrame` representing the current frame that we are trying to recognize.
The method should return a (possibly empty) list of `lldb.SBValue` objects that
represent the recognized arguments.
An example of a recognizer that retrieves the file descriptor values from libc
functions 'read', 'write' and 'close' follows:
```python3
class LibcFdRecognizer:
def get_recognized_arguments(self, frame: lldb.SBFrame):
if frame.name in ["read", "write", "close"]:
fd = frame.EvaluateExpression("$arg1").unsigned
target = frame.thread.process.target
value = target.CreateValueFromExpression("fd", "(int)%d" % fd)
return [value]
return []
```
The file containing this implementation can be imported via `command script import`
and then we can register this recognizer with `frame recognizer add`.
It's important to restrict the recognizer to the libc library (which is
`libsystem_kernel.dylib` on macOS) to avoid matching functions with the same name
in other modules:
```c++
(lldb) command script import .../fd_recognizer.py
(lldb) frame recognizer add -l fd_recognizer.LibcFdRecognizer -n read -s libsystem_kernel.dylib
```
When the program is stopped at the beginning of the 'read' function in libc, we can view the recognizer arguments in 'frame variable':
```c++
(lldb) b read
(lldb) r
Process 1234 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.3
frame #0: 0x00007fff06013ca0 libsystem_kernel.dylib`read
(lldb) frame variable
(int) fd = 3
```
|
