MDB Example: Displaying environment variables of a process

How are a process's environment variables stored in memory? Each process has an associated data structure called proc in kernel memory. This structure holds a pointer to the user structure, also known as the u-area, which stores information about the process such as argc, argv and envp, the last being a pointer to a NULL-terminated array of C strings in the process's own address space. In this example we are going to display the environment variables of the sshd daemon running with pid 546.

So launch the modular debugger in kernel mode:

# mdb -k
>

Then run the following command to determine the address of the proc structure of the process with pid 546:

> 0t546::pid2proc
600036863b8

Next, determine the address of the envp array in the process's address space:

> 600036863b8::print proc_t p_user.u_envp
p_user.u_envp = 0xffbffea4

Because the obtained address lies in the process's address space, we need to switch the mdb context to that process:

> 600036863b8::context
debugger context set to proc 600036863b8

Then read the envp array entry by entry until a NULL pointer is returned:

> 0xffbffea4/X
0xffbffea4:     ffbfff36
> +
0xffbffea8:     ffbfff4e
> +
0xffbffeac:     ffbfff70
> +
0xffbffeb0:     ffbfff96
> +
0xffbffeb4:     ffbfffc6
> +
0xffbffeb8:     0
>

The obtained values are pointers to C strings, which can be printed with the S format:

> ffbfff36/S
0xffbfff36:     PATH=/usr/sbin:/usr/bin
> ffbfff4e/S
0xffbfff4e:     SMF_FMRI=svc:/network/ssh:default
> ffbfff70/S
0xffbfff70:     SMF_METHOD=/lib/svc/method/sshd start
> ffbfff96/S
0xffbfff96:     SMF_RESTARTER=svc:/system/svc/restarter:default
> ffbfffc6/S
0xffbfffc6:     TZ=Europe/Moscow
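The same walk done above by hand (read pointer slots until NULL, then print each string), as an added C example that is not part of the original post: it runs over a constructed snapshot of the stack region starting at the u_envp address shown above and refuses to dereference any pointer or string that does not lie inside the captured region, which matters whenever the bytes come from a live or crashed process and may be corrupt. The snapshot contents, `build_snapshot`, `walk_envp` and the constants are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed snapshot of the target's stack, starting at the u_envp address
 * from the session above; SPARC envp slots are 4-byte big-endian pointers. */
#define SNAP_BASE 0xffbffea4u
#define MAX_ENV   16

static const char *sample_env[] = {   /* three of the strings from the post */
    "PATH=/usr/sbin:/usr/bin",
    "SMF_FMRI=svc:/network/ssh:default",
    "TZ=Europe/Moscow",
};
#define NSAMPLE (sizeof sample_env / sizeof sample_env[0])

/* Lay out NSAMPLE+1 pointer slots (the last one NULL) followed by the strings.
 * Returns the number of bytes used, or 0 if buf is too small. */
size_t build_snapshot(unsigned char *buf, size_t cap) {
    size_t off = (NSAMPLE + 1) * 4;
    for (size_t i = 0; i < NSAMPLE; i++) {
        uint32_t p = SNAP_BASE + (uint32_t)off;      /* address of string i */
        size_t len = strlen(sample_env[i]) + 1;
        if (off + len > cap) return 0;
        buf[4*i] = p >> 24; buf[4*i+1] = p >> 16;
        buf[4*i+2] = p >> 8; buf[4*i+3] = p;
        memcpy(buf + off, sample_env[i], len);
        off += len;
    }
    memset(buf + 4 * NSAMPLE, 0, 4);                 /* terminating NULL slot */
    return off;
}

/* Walk envp until the NULL slot, as `/X` followed by `+` did above.  Each
 * pointer and string must lie inside the snapshot: memory read out of a
 * process is untrusted and may be corrupt.  Returns the count, or -1. */
int walk_envp(const unsigned char *snap, size_t len, uint32_t base,
              const char **out, int max) {
    int n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t p = (uint32_t)snap[off] << 24 | (uint32_t)snap[off+1] << 16 |
                     (uint32_t)snap[off+2] << 8  | snap[off+3];
        if (p == 0) return n;                         /* end of the array */
        if (p < base || p >= base + len) return -1;   /* dangling pointer */
        size_t soff = p - base;
        if (!memchr(snap + soff, '\0', len - soff)) return -1; /* unterminated */
        if (n == max) return -1;
        out[n++] = (const char *)snap + soff;         /* what `addr/S` showed */
    }
    return -1;                                        /* no NULL before the end */
}
```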

Reader's Comments

  1. By Alexander Nasonov on August 22, 2006 at 6:09 pm

    It’s not clear from your post that mdb -k stops the entire system, doesn’t it?

  2. By Ilya Voronin on August 22, 2006 at 6:29 pm

    Do not mix up “-k” (lower case) and “-K” (upper case) options. mdb with “-K” option will load kmdb and stop kernel execution. “-k” option is a synonym for “mdb /dev/ksyms /dev/kmem”.

  3. By Yong Huang on January 7, 2007 at 6:46 pm

    Thanks for this tip, Mr (can’t find your name). Do you know any way to find the real running process environment? I mean, your method, as well as /usr/ucb/ps eww and pargs -e, finds the environment of the process when it was created, not as of now. If my shell does export A=B now, all these methods won’t detect this new setting. Thanks. — Yong Huang

  4. By Ilya Voronin on January 7, 2007 at 7:42 pm

    I think that this is a feature of shells: they use internal structures to store variables.
