crash —— 查看数据结构内部成员的偏移量和地址

发布时间 2023-09-24 10:54:27作者: 摩斯电码

whatis

如果提前知道数据类型属于哪一类(struct、union等),可以直接用对应的struct、union等命令,否则可以直接用whatis。加上-o选项后,输出中会同时显示每个成员的偏移量。

crash> whatis -o page
struct page {
   [0] unsigned long flags;
       union {
           struct {
               union {
   [8]             struct list_head lru;
                   struct {
   [8]                 void *__filler;
  [16]                 unsigned int mlock_count;
                   };
   [8]             struct list_head buddy_list;
   [8]             struct list_head pcp_list;
               };
  [24]         struct address_space *mapping;
               union {
  [32]             unsigned long index;
  [32]             unsigned long share;
               };
  [40]         unsigned long private;
           };
           struct {
   [8]         unsigned long pp_magic;
  [16]         struct page_pool *pp;
  [24]         unsigned long _pp_mapping_pad;
  [32]         unsigned long dma_addr;
               union {
  [40]             unsigned long dma_addr_upper;
  [40]             atomic_long_t pp_frag_count;
               };
           };
...
  [52] atomic_t _refcount;
  [56] unsigned long memcg_data;
}
SIZE: 64

struct

上面显示page是struct类型,那么也可以直接用struct命令,struct的输出格式更丰富(例如下面的-x表示以十六进制显示,-o表示显示成员偏移量),这里struct也可以用*代替。

crash> *page -xo
struct page {
   [0x0] unsigned long flags;
         union {
             struct {
                 union {
   [0x8]             struct list_head lru;
                     struct {
   [0x8]                 void *__filler;
  [0x10]                 unsigned int mlock_count;
                     };
   [0x8]             struct list_head buddy_list;
   [0x8]             struct list_head pcp_list;
                 };
  [0x18]         struct address_space *mapping;
                 union {
  [0x20]             unsigned long index;
  [0x20]             unsigned long share;
                 };
  [0x28]         unsigned long private;
             };
...
  [0x34] atomic_t _refcount;
  [0x38] unsigned long memcg_data;
}
SIZE: 0x40

上面显示的是结构体成员的偏移。注意:这些偏移量取决于内核版本和编译配置,应以与被分析内核相匹配的调试信息为准。如果我们已经知道某个结构体变量的地址,那么可以用下面的方法获取其中每个成员的地址(即该地址加上成员偏移):

crash> *page -ox ffffea0000000440
struct page {
  [ffffea0000000440] unsigned long flags;
         union {
             struct {
                 union {
  [ffffea0000000448]             struct list_head lru;
                     struct {
  [ffffea0000000448]                 void *__filler;
  [ffffea0000000450]                 unsigned int mlock_count;
                     };
  [ffffea0000000448]             struct list_head buddy_list;
  [ffffea0000000448]             struct list_head pcp_list;
                 };
  [ffffea0000000458]         struct address_space *mapping;
                 union {
  [ffffea0000000460]             unsigned long index;
  [ffffea0000000460]             unsigned long share;
                 };
  [ffffea0000000468]         unsigned long private;
             };
...
  [ffffea0000000474] atomic_t _refcount;
  [ffffea0000000478] unsigned long memcg_data;
}
SIZE: 0x40

完。