How can I examine a process' image?


First I find the process' pid with ps:

% ps -a | grep 'a.out'

output:

36296 pts/0    00:00:07 a.out

Then I get an image of this process with gcore:

% sudo gcore 36296

output:

0x0000558eab27d131 in main ()
warning: Memory read failed for corefile section, 4096 bytes at 0xffffffffff600000.
Saved corefile core.36296
[Inferior 1 (process 36296) detached]

Then, hex dump object:

% hd core.36296 | grep 'HOME'

output:

001f4a90  3d 32 00 48 4f 4d 45 3d  2f 68 6f 6d 65 2f 63 61  |=2.HOME=/home/ca|

Now, I'm trying to find the section where the environment variables are loaded. How can I do this?

Klaus On

You should use a debugger!

For Linux, gcc and gdb you can do:

> gdb <executable> <core-file>

Within gdb you now can examine the environment from the core file:

(gdb) print ((char**)__environ)[0]
$1 = 0x7ffc6aba0a58 "SHELL=/bin/bash"
(gdb) print ((char**)__environ)[1]
$2 = 0x7ffc6aba0a68 "SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/1873,unix/unix:/tmp/.ICE-unix/1873"

unless you get a string with length 0.

If you do not have an executable with debug information, you can also try to find the text with:

strings -a <core-file>

But before you write a core file and try to search in it, you can simply get the environment from a process by using ps if your program is still running:

ps eww <pid>
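
An added example (not part of the question or the answer above): a core file is an ELF file whose PT_LOAD program headers record which file bytes were copied from which virtual addresses, so the file offset that hd reports for a hit such as `HOME=` can be mapped back to its memory segment. The sketch handles little-endian ELF64 only; the sample core built inline is constructed, with base addresses chosen to resemble those shown on the page.

```python
import struct

PT_LOAD = 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)

def load_segments(core):
    """Return (file_offset, vaddr, filesz, flags) for each PT_LOAD segment."""
    ident, *hdr = EHDR.unpack_from(core, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    segs = []
    for i in range(phnum):
        p_type, flags, off, vaddr, _, filesz, _, _ = PHDR.unpack_from(core, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((off, vaddr, filesz, flags))
    return segs

def locate(core, needle):
    """Map each file offset where needle occurs to (offset, vaddr, perms)."""
    segs, hits = load_segments(core), []
    pos = core.find(needle)
    while pos != -1:
        for off, vaddr, filesz, flags in segs:
            if off <= pos < off + filesz:
                perms = "".join(c if flags & bit else "-" for c, bit in (("r", 4), ("w", 2), ("x", 1)))
                hits.append((pos, vaddr + pos - off, perms))
        pos = core.find(needle, pos + 1)
    return hits

def build_sample_core():
    """Constructed two-segment core image (code + stack), not a real dump."""
    text = b"\x90" * 32
    stack = b"\0" * 16 + b"SHELL=/bin/bash\0HOME=/home/user\0"
    data_off = EHDR.size + 2 * PHDR.size
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 4, 62, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    ph1 = PHDR.pack(PT_LOAD, 5, data_off, 0x558eab27d000, 0, len(text), len(text), 0x1000)
    ph2 = PHDR.pack(PT_LOAD, 6, data_off + len(text), 0x7ffc6aba0000, 0,
                    len(stack), len(stack), 0x1000)
    return ehdr + ph1 + ph2 + text + stack

if __name__ == "__main__":
    for off, vaddr, perms in locate(build_sample_core(), b"HOME="):
        print(f"file offset {off:#x} -> vaddr {vaddr:#x} ({perms})")
```

For a real dump, pass the bytes of the core file to `locate` and compare the resulting address with the `[stack]` line in `/proc/<pid>/maps` of the still-running process; on Linux the environment strings sit at the top of the initial stack.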