Introduction

One of the more interesting things for anyone is to see how the internal engines of server software work. The purpose of this article is to show how basic assembler knowledge can be applied to find interesting runtime information.

A few days ago, a friend of mine was working on a PHP + MySQL site and was experiencing some issues.

OK, let's start.

  1. You will need a MySQL installation: download and install any version of MySQL, and make sure the mysqld service is running successfully (in other words, that MySQL is working properly).
  2. Download the latest version of WinDbg for Windows from the Microsoft site.
  3. Launch WinDbg.
  4. Press F6 and attach to the mysqld.exe process.
  5. Set the WinDbg symbols properly via File -> Symbol File Path: srv*c:\windows*http://msdl.microsoft.com/download/symbols.
  6. On the WinDbg command line, execute .reload.
  7. Press F5 to run the process (when you attach to a process, it is frozen). F5 or the g command lets the process run.
  8. Here is the tricky part. The mysqld.exe process (or service, in this case) is in charge of executing the SQL queries sent by PHP pages or by any other MySQL client. Navicat is a nice MySQL client that lets us see the MySQL server in a graphical way, like Management Studio does for SQL Server.
  9. Start the Navicat tool for educational purposes (if you want), or use your own PHP application or any other MySQL client.
  10. EXECUTE is the magic word. The idea is: what if mysqld.exe, when it performs a SQL query, calls some function with EXECUTE in its name somewhere in its internal code? Let's put a breakpoint there.
  11. Breakpoint: stop the current mysqld execution with CTRL+Break in WinDbg and enter the following command: bm *mysqld*!*execute* (bm = break on mask: every module matching *mysqld* and every function matching *execute*).
  12. Press F5 and perform any client operation from the PHP page, Navicat or any other MySQL client.
  13. You will see your page or Navicat freeze. Why? Because mysqld was stopped. Let's look at WinDbg.

  14. Nice, the mysqld process stopped on mysqld!mysql_execute_command. Let's see the stack trace with the kb command:
  15. As you can see, the input parameters of mysql_execute_command are shown directly in the "Args to Child" section. Each hexadecimal value there is normally a pointer to some data structure. Is there a string behind any of the Args to Child pointers? Let's examine them.
  16. Click View -> Memory. In Address, write the pointer captured from Args to Child; try 01eb2630 and then the other Args to Child values:

  17. We did not see anything interesting in any of the Args to Child parameters of mysql_execute_command, but what about the previous function in the stack, mysql_parse?

  18. Eureka! There is something interesting there. What if we print the value at that address? Let's execute: .printf "%ma", 03b62a68

  19. Yes, this is definitely a SQL query captured from the mysqld process. Now that we have the function we want, delete all breakpoints with bc *, set bp mysqld!mysql_parse, and continue execution with F5 or the g command.
  20. Now WinDbg stops on mysqld!mysql_parse.
  21. The million-dollar question is: will every query that MySQL executes freeze my application until I press F5? The answer is no, if we use a smarter breakpoint. We know the function, mysql_parse, but at which memory address is its argument stored? Here is the call stack theory:

  22. Let's explain this. When the process starts a function, it first pushes the parameters the function will use. What happens then to the ESP processor register? Example: VOID SUM(INT X, INT *Y). ESP is the top of the stack and EBP the base address of the stack. Let's assume that ESP = 1000.
    1. The process pushes the pointer Y and ESP decreases. Decreasing the top of the stack sounds confusing, but it is true: on Windows the top of the stack (ESP) lies at a lower memory address than the base of the stack (EBP). ESP = ESP - 4 = 996.
    2. The process pushes the value of X: ESP = ESP - 4 = 992.
    3. The process pushes the return address into the calling function: ESP = ESP - 4 = 988.
  23. When WinDbg stops, the stack is in this state. For example, you can find the second parameter with a simple calculation: the 2nd parameter is located at poi(esp+8). As we saw in the previous WinDbg picture, yes, our string is the second parameter. Let's try this:
  24. Printing the 2nd parameter: .printf "%ma", poi(esp+8)

  25. Why poi? In WinDbg, poi dereferences a pointer: poi(esp+8) reads the value stored at esp+8. %ma prints the ASCII string at that address; %mu prints a Unicode string.
  26. Good, now we can put it all together in a single breakpoint.
  27. The complete breakpoint: bp mysqld!mysql_parse ".printf \"\\n%ma\",poi(esp+8);gc"
  28. When we set this bp (breakpoint) on mysqld!mysql_parse, it prints the ASCII string pointed to by the value at esp+8 (the second parameter), and gc continues execution without stopping.
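To make the stack arithmetic of steps 22 to 25 concrete, here is an added C model (not code from the article, WinDbg or MySQL) of a 32-bit cdecl call on a tiny emulated stack. It generalizes the two-argument SUM example to any number of arguments and shows why poi(esp+8) with %ma recovers the query text of a mysql_parse-style call; the addresses, the THD pointer placeholder and the query text are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy model of the 32-bit stack from the article (added example,
 * not WinDbg or MySQL code). Memory is a flat byte array and "addresses" are
 * offsets into it, so esp=1000 and poi(esp+8) read as on the WinDbg command line. */
#define MEM_BYTES 4096
typedef struct { uint8_t mem[MEM_BYTES]; uint32_t esp; } cpu_t;
static cpu_t cpu;                                  /* single emulated CPU */
/* poi(addr): dereference a 32-bit pointer, like WinDbg's poi(). */
static uint32_t poi(uint32_t addr) {
    uint32_t v; memcpy(&v, &cpu.mem[addr], 4); return v;
}
/* x86 PUSH: the stack grows downward, so ESP -= 4 and then the value is stored. */
static void push(uint32_t v) {
    cpu.esp -= 4; memcpy(&cpu.mem[cpu.esp], &v, 4);
}
/* cdecl call: arguments are pushed right to left, then CALL pushes the return
 * address. On entry ESP points at the return address, so argument N (1-based)
 * is at ESP + 4*N; the second argument is therefore poi(esp+8). */
static void emulate_cdecl_call(const uint32_t *args, int nargs, uint32_t ret) {
    for (int i = nargs - 1; i >= 0; i--) push(args[i]);
    push(ret);
}
/* Equivalent of .printf "%ma", poi(esp+8): follow the pointer in the
 * second-argument slot and return the ASCII string it points to. */
static const char *ascii_at_poi_esp_plus_8(void) {
    return (const char *)&cpu.mem[poi(cpu.esp + 8)];
}
/* Scenario 1: the article's VOID SUM(INT X, INT *Y) with ESP=1000. Pushing Y,
 * X and the return address leaves ESP at 988; returns the final ESP. */
static uint32_t sum_call_esp(uint32_t x, uint32_t y_ptr) {
    memset(&cpu, 0, sizeof cpu);
    cpu.esp = 1000;
    uint32_t args[2] = { x, y_ptr };
    emulate_cdecl_call(args, 2, 0x401000u);        /* constructed return address */
    return cpu.esp;
}
/* Scenario 2: a mysql_parse-style call whose second argument points at the SQL
 * text. Place the query in emulated memory, make the call, and recover the text
 * exactly as the article's breakpoint command does. */
static const char *captured_query(const char *sql) {
    const uint32_t query_addr = 2000;              /* constructed heap address */
    memset(&cpu, 0, sizeof cpu);
    cpu.esp = 1000;
    strcpy((char *)&cpu.mem[query_addr], sql);
    uint32_t args[3] = { 0x01eb2630u, query_addr, (uint32_t)strlen(sql) }; /* THD* placeholder, query, length */
    emulate_cdecl_call(args, 3, 0x401000u);
    return ascii_at_poi_esp_plus_8();
}
```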
 

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
