3

I am very new to Ghidra, so please accept my apologies if my question sounds too simple. Despite the poor quality of the Internet in my country, I tried my best to find an answer online before asking but I could not find much.

Imagine we have a Linux shared object named CustLib.so, that exports one single function named Func.

Furthermore, imagine a program (let's call it ClientProg) imports Func from CustLib.so and calls it from its main.

What I have been trying to do with Ghidra is:

  1. Load CustLib.so into Ghidra, Analyze it, and put a breakpoint somewhere within the decompiled code pertaining to Func.

  2. Load ClientProg into Ghidra, Analyze it, and start it in the Debugger.

  3. Wait until ClientProg calls Func, at which point I expect Ghidra to break on the breakpoint I had previously set at Func.

To my surprise, the last step above never happens. ClientProg runs from start to completion (in GDB IN-VM mode), without ever breaking on Func.

Could I ask whether I am actually missing something? Or am I expecting an unsupported functionality? Many thanks.

Improve this question
2
  • I don't think it will work like that. If you put a run ClientProg in Ghidra, only breakpoints in ClientProg will hit, not CustLib.so. Instead, you should do something like start debugging the .so but with the application path (not the file path) pointing to ClientProg, so ClientProg can be started and CustLib.so will be debugged. I don't know how to do this in Ghidra (due to my lack experiences with Ghidra), but that is how I would do in IDA
    – raspiduino
    Commented Dec 25, 2022 at 14:27
  • 1
    Thanks a lot! @raspiduino
    – ElenaKarimi
    Commented Jan 9, 2023 at 6:24

0

Reset to default

Browse other questions tagged or ask your own question.