0

I'm extracting C struct layout from and executable using gdb-python.

I manage to get all the fields, offsets, types & sizes.

Still, when trying to re-generate the struct's code, I do not have any indication for whether it was marked with GCC's attribute((__packed__)).

Is there any way to get this information from the executable? (preferably using gdb-python, but any other way will do too)

Uri Hoenig
  • 138
  • 6
  • "when trying to re-generate the struct's code" -- *why* would you want to do that? What are you trying to achieve? – Employed Russian Dec 12 '18 at 17:49
  • I have the same struct in 2 binaries (2 versions of the same binary). I want to detect any changes made to the struct between the 2 versions. Based on those changes, I generate a "copy" function for the fields that were left unchanged. I have to modify the name of the struct as "_old" (and recursively all the structs within it). I have other ways to do it, but I would like to use the same infrastructure I'm using to detect the changes (gdb-python). – Uri Hoenig Dec 14 '18 at 16:16

1 Answers1

1

Is there any way to get this information from the executable?

No, but you should be able to deduce this with a simple heuristic:

  • if sizeof(struct foo) is greater than the sum of its member field sizes, the struct is not packed.
  • if sizeof(struct foo) is equal to the sum of its member field sizes, the struct is either packed, or its members are naturally aligned with no holes, and packing doesn't matter for it.
Employed Russian
  • 199,314
  • 34
  • 295
  • 362
  • gdb-python alreday gives me the size of each field after packing, so this is not an option. – Uri Hoenig Dec 14 '18 at 16:09
  • I can compare the field sizes in gdb-python to those I can find using static code analysis of some kind (ctypesgen, ctypeslib...), but I would prefer to avoid it. – Uri Hoenig Dec 14 '18 at 16:18