Query the CTF for specific information.
ctfquery [ -s SYM | -t TYPE_ID | -c TYPE_ID | -l LABEL | -v | -h ] <file>
-s SYMsearch for a symbol namedSYM-S TYPE_IDsearch for all symbols that are of typeTYPE_ID-t TYPE_IDsearch for a type identified withTYPE_ID-c TYPE_IDsolve atypedefchain with the head identified withTYPE_ID-l LABELsearch for a label with nameLABEL-vprint CTF version of the file-hprint help message
$ ninja
Grab my hand, we are going for a trip! Say we are, for some reason, totally
into finding out about the kernel symbol pid_max which denotes the maximal
PID on a system. One way is to look into the source, sure, but what if it is
not available and we are stuck with some random black box crash dump?
ctfquery to the rescue!
We will start by gently poking the beast:
$ ctfquery -s pid_max /boot/kernel/kernel
776
The first bit of knowledge! The symbol inspection (-s) told us that the
type ID of the type associated with the symbol is 776. Only if we could
describe a type!
$ ctfquery -t 776 /boot/kernel/kernel
Kind: typedef
Ref ID: 775
New name: pid_t
And we could. A type with ID 775 disguised as the pid_t using the typedef
sorcery. Sneaky. Let's dive even further!
$ ctfquery -t 775 /boot/kernel/kernel
Kind: typedef
Ref ID: 17
New name: __pid_t
Oh man! This is a serious typedef hell! For how long will we have to follow
these links? Luckily, we can solve typedef chains with the -c option for free:
$ ctfquery -c 776 /boot/kernel/kernel
pid_t (776) -> __pid_t (775) -> __int32_t (17) -> int (16)
Finally, some solid info right there, it all seems to boil down to the type with ID 16. You guessed correctly, we're gonna inspect the hell out of it!
$ ctfquery -t 16 /boot/kernel/kernel
Kind: int
Name: int
Size: 32
Offset: 0
Signed: yes
Content: number
QED! The symbol pid_max is a 32-bit signed integer. Now go solve the
important stuff.
2-clause BSD, for more information please see the license.
Daniel Lovasko lovasko@freebsd.org