The map command shows the areas of memory that the running program is allowed to access:
    debug> map
    Address Map for p1
    Address Range            Size        Access  Object File
    0x08046000..0x0804ffff   0x00002000  RWX     [STACK]
    0x08049000..0x0807bfff   0x00033000  R_X     /usr/lib/libc.so.1
    0x0807c000..0x0807dfff   0x00002000  RWX     /usr/lib/libc.so.1
    0x0807e000..0x0807efff   0x00001000  RWX     /usr/lib/libc.so.1
    0x08300000..0x08300fff   0x00001000  R_X     sget
    0x08301000..0x08301fff   0x00001000  RWX     sget
    0x08302000..0x08303fff   0x00002000  RWX
Jumps or writes to areas outside of those listed will probably result in a segmentation violation. By comparing a suspicious pointer to the address map, you can see if you have a valid address and guess what it might point to. You can determine the segment types from the access permissions; a segment with write permissions (RWX) is (usually) data, containing static and global data symbols; a segment without write permissions (R_X) is (usually) text, containing machine instructions and constant (read-only) data. A writable segment without an associated object file is probably the heap (dynamically allocated space).
For most programs, the number of segments stays constant for the life of the process. It can change while the program runs if the program dynamically links additional shared objects via dlopen, or uses mmap to map the contents of a file or to allocate anonymous memory.
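The pointer check described above, as an added example that is not part of the original documentation: it parses rows in the map output format shown on this page and applies the text's rules of thumb to guess what an address points to. The function names are hypothetical, and the sample rows are copied from the output above.

```python
import re

# Rows copied from the `map` output shown on this page.
MAP_OUTPUT = """\
0x08046000..0x0804ffff 0x00002000 RWX [STACK]
0x08049000..0x0807bfff 0x00033000 R_X /usr/lib/libc.so.1
0x0807c000..0x0807dfff 0x00002000 RWX /usr/lib/libc.so.1
0x0807e000..0x0807efff 0x00001000 RWX /usr/lib/libc.so.1
0x08300000..0x08300fff 0x00001000 R_X sget
0x08301000..0x08301fff 0x00001000 RWX sget
0x08302000..0x08303fff 0x00002000 RWX
"""

ROW = re.compile(r"\s*(0x[0-9a-f]+)\.\.(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s*(.*)", re.I)

def parse_map(text):
    """Return (start, end, size, access, object_file) for each segment row."""
    rows = []
    for line in text.splitlines():
        m = ROW.fullmatch(line)
        if m:  # prompt, title and column-header lines do not match
            start, end, size = (int(g, 16) for g in m.groups()[:3])
            rows.append((start, end, size, m.group(4), m.group(5).strip()))
    return rows

def size_mismatches(rows):
    """Rows whose range and size column disagree; treat their bounds with care."""
    return [r for r in rows if r[1] - r[0] + 1 != r[2]]

def guess_kind(access, obj):
    """Rules of thumb from the text above; each result is only a guess."""
    if obj == "[STACK]":
        return "stack"
    if "W" not in access:
        return "text"  # R_X: instructions and read-only data
    return "data" if obj else "heap"  # writable, no object file: probably heap

def classify(addr, rows):
    """Return (kind, object_file) for addr, or None if no segment contains it."""
    for start, end, _size, access, obj in rows:
        if start <= addr <= end:
            return guess_kind(access, obj), obj
    return None  # unmapped: a jump or write here would probably fault

if __name__ == "__main__":
    segs = parse_map(MAP_OUTPUT)
    for ptr in (0x08046ff0, 0x08300040, 0x08301010, 0x08302abc, 0x00000010):
        print(hex(ptr), classify(ptr, segs))
```

Because the segment list can change after a dlopen or mmap call, take a fresh map before classifying a pointer captured later in the run.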