The GNU debugger, gdb, has an option named follow-fork-mode
designed for just this situation. Under gdb, follow-fork-mode can be set to parent,
child, or ask, such that gdb will stay with the parent, follow the child, or ask the user
what to do when a fork occurs.
NOTE gdb's follow-fork-mode is not available on all architectures.
Another useful feature available in some debuggers is the ability to analyze a core
dump file. A core dump is simply a snapshot of a process's state, including memory contents
and CPU register values, at the time an exception occurs in a process. Core dumps
are generated by some operating systems when a process terminates as a result of an
unhandled exception such as an invalid memory reference. Core dumps are particularly
useful when attaching to a process is difficult to accomplish. If the process can be made
to crash, you can examine the core dump file and obtain all of the same information you
would have gotten had you been attached to the process with a debugger at the moment
it crashed. Core dumps may be limited in size on some systems (they can take up quite a
bit of space), and may not appear at all if the size limit is set to zero.

PART IV
Chapter 14: Advanced Reverse Engineering
339
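As an added example (not code from the book), the following C program forks a child that dereferences a null pointer, then reads the child's wait status to report which signal killed it and whether the kernel flagged a core dump, first with the core size limit set to zero and then with the limit lifted. RLIMIT_CORE is the programmatic form of ulimit -c; whether a core file actually appears also depends on the system's core pattern and on the hard limit, which is an assumption about the host rather than something the text states.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* How one forked child ended: signo is 0 unless a signal killed it. */
struct crash_report { int signo; int core_dumped; };
/* Soft core-size limit, the programmatic form of "ulimit -c": 0 disables
 * core dumps, RLIM_INFINITY lifts the cap; clamped to the hard limit. */
static int set_core_limit(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    rl.rlim_cur = (bytes > rl.rlim_max) ? rl.rlim_max : bytes;
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Fork a child that dereferences NULL and report how it died. Under gdb,
 * "set follow-fork-mode child" would follow it; its core (if written)
 * is what "gdb ./prog core" loads afterwards. */
static struct crash_report run_crashing_child(void)
{
    struct crash_report r = { 0, 0 };
    pid_t pid = fork();
    if (pid == 0) {
        volatile int *bad = NULL;
        *bad = 42;   /* unhandled SIGSEGV terminates the child */
        _exit(1);    /* not reached */
    }
    int status = 0;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFSIGNALED(status)) {
        r.signo = WTERMSIG(status);
        r.core_dumped = WCOREDUMP(status) ? 1 : 0;
    }
    return r;
}
int main(void)
{
    /* With the limit at zero the kernel writes no core file at all. */
    set_core_limit(0);
    struct crash_report a = run_crashing_child();
    printf("limit 0: signal=%d core=%d\n", a.signo, a.core_dumped);
    set_core_limit(RLIM_INFINITY);
    struct crash_report b = run_crashing_child();
    printf("unlimited: signal=%d core=%d\n", b.signo, b.core_dumped);
    return 0;
}
```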