This page presents IDA macros I’ve written.

Load PE/COFF symbolsBACK TO TOC

IntroductionBACK TO TOC

It appears that when IDA parses symbols of Windows applications compiled with gcc (cygwin), it does not load symbol names properly. I.e. instead of real function names, you see things like sub_401064.

The problem is that gcc uses stores symbol information in slightly different manner, which IDA does not understand. The macro below fixes this.

DownloadBACK TO TOC

Grab it here.

Installation and useBACK TO TOC

To install it, do the following:

1. Close all instances of IDA.
2. Put it in idc directory, in IDA’s installation directory.
3. Start IDA

After installing the script, the script will automatically process every binary file you open and fix the symbols if it sees gcc‘s symbol table format.

You can see it works if you see following line in the log window.

-------- PE/COFF Symbol Name Parser ------------------

Same script but in a standalone versionBACK TO TOC

This is a standalone version of the same script. Grab it here. To run it, save it somewhere on your computer and run it via File->IDC File menu.

This article describes how lack of swap partition affects behavior of your Linux system. It is right here.

Table of contents

IntroductionBACK TO TOC

This short article deals with simple question. How exactly lack of swap partition affects Linux’s performance. What would happen if you turn the swap off?

The obviousBACK TO TOC

Memory leaksBACK TO TOC

The obvious price one would have to pay for turning the swap off is lack of so called virtual memory. The term virtual memory refers to several different things really. What I mean is that when a program leaks memory, the memory it has leaked will remain unused as long as the program still running.

On the contrary, when swap is on, operating system copies memory that is not in use to the swap partition, by that freeing actual memory. So when one of the programs has memory leaks, memory that being lost by the program finds its way to hard drive instead of continuing to take precious memory.

I never heart of a program that claims that it has no memory leaks. Every program looses memory. It is a matter of time until it will ran out of memory and then the program will crash. Swap is not an ultimate solution for this problem because swap space can run out too, yet it significantly prologues live of the individual processes and the overall system.

HibernationBACK TO TOC

It is being referred to as hibernation and perhaps few other ways. At the bottom line this is a method to fast turn on and off the computer.

Instead of turning off all services and programs and then initializing them again, operating system suspends execution of all processes, then writes all used memory to swap space and then turns off the computer.

When you turn your computer back on, instead of starting a brand new session from scratch, operating system restores memory from swap and resumes all programs that were running, without reinitializing them.

By the way, one of the reasons why recommended swap space size is twice the size of the RAM that is in the computer is to let the operating system to accommodate all your RAM in swap partition – to allow hibernation of course.

Obviously, when you don’t have swap partition, you cannot do hibernation anymore.

The less obviousBACK TO TOC

I/O cacheBACK TO TOC

Linux uses all available memory to do I/O cache – that is to save portions of the hard disk space and to serve it straight from the memory avoiding relatively long disk access. This is why for instance when you copy several large files from one place to another several times in a row, second copy takes significantly fewer time then the first. This is also the reason why, in Linux, it takes a second to write a megabyte to a floppy disk, a device known for its slowliness – the data being written to the memory and not to an actual disk.

Also, disks optimized to read and write large chunks of data. Average program on the contrary reads and writes small chunks of data. To speed up the process, Linux collects several small read and write requests into bigger thus increasing disk performance. This however requires memory.

What many people don’t realize is that Linux uses all available memory and always tries to free even more memory for caching. When it sees a piece of memory that some program did claim, but doesn’t use very often, it will copy it to swap partition and use the actual memory for caching. Once the program will try to do something with this memory piece, Linux will detect this and read the contents of the memory piece from swap partition back to the real RAM.

By the way, this is the reason why when you minimize a program and after a while restore it, it takes it a few seconds to become fully functional – Linux had moved pieces of its memory to swap partition and now this memory has to be restored. Reading data from disk takes more time than actual memory access, thus the delay you see when you restore the program. You can change how hard the operating system tries to free memory for cache by changing value in the /proc/sys/vm/swappiness. The value varies between 0 and 100. Value of 100 means that operating system will not wait much time to move memory to cache. Note that whatever swappiness value you have, Linux tries to keep your system stable and will move pieces of memory into cache if it thinks it is necessary.

The real issue here is that this mechanism should be very balanced. Linux is optimized to use all available memory for caching. When it doesn’t have enough memory, time it takes to access data on disks will rise! Since all programs leak memory, over the time Linux will have less and less memory for caching and disk access speed will drop.

Bottom lineBACK TO TOC

Bottom line is that, without swap:

1. Your system will be less stable.
2. Your system will not be able to hibernate.
3. Disk access speed in your system will be slower compared to a system that has swap partition. Moreover, disk access speed will drop in the course of time.

In case you have further questions, please email me to alexander.sandler@gmail.com.

One of the things I like in wordpress is plug-ins thing. There are literally thousands of plug-ins for wordpress and you just peek things that you need.

At the moment I use something like three different statistic plug-ins, a plug-in that filters out spam comments, SEO plug-in, smileys plug-in. The quick links menu on your right created using NAVT plug-in.

I myself have written a couple of plug-ins – for instance, table of contents that you can find on almost any of my articles automatically generated by the smart-toc plug-in, which I am going to publish soon

Yet there’s something that frightens me a bit. I am now using over 15 different plug-ins. Almost all of them do something, each increasing size of the PHP code that being executed every time someone accesses my web-site. I do use a plug-in that caches (how convenient ) PHP generated HTML and serves it instead of running PHP code for each client. Despite that number of plug-ins I am using is overwhelming and I am wondering whether this is going to boomerang me one day

Just finished adopting a new theme to my web-site. Hope you like it.

Adaptation took quiet some time. You know… There are those small things that perhaps no one else sees, but you. But once you see the web-site you just can skip them. So I had to fix quiet a few things.

I would like to thank developers of the StudioPress wordpress theme for doing such a great work. Theme I use, although modified, shares its roots with this wonderful theme.

In case you wonder, in this theme, there’s a place for little picture of me – quiet remarkable addition Also, it has more space for ads. Sorry, but I had to have them. At the moment this web-site doesn’t pay-off very well and I hope to improve this state of affairs. And I think the most distinguishable diffirenece is in it’s colorfulness. It is very colorful. Again, I hope you will like it.

I have finished writing a new article. This article gives solutions to common problems that one may encounter when booting Linux. From faulty service scripts to corrupted initrd, it’s all there.

You can find the article here.

Table of contents

IntroductionBACK TO TOC

I thought I’d write a few things that I do with kernel when administrating my Linux machines. There are plenty of “how to compile your kernel” guides out there and I won’t write another one. Instead I want to mention few things that often neglected in those guides.

Let me give you an example. One very common situation is when you are trying to boot with your newly compiled kernel and it won’t boot. Or something got wrong and your network card isn’t working anymore. Are you familiar with these problems? If so, this article is for you.

Understanding the kernel installationBACK TO TOC

Lets start with simple understanding of the structure of the Linux kernel. In this section we’re not going to dig into kernel source tree. Instead we’ll talk a bit about kernel in its binary form.

Kernel binaryBACK TO TOC

No matter what Linux distribution you have, Linux kernel installed on your machine can be divided into two parts. First comes kernel binary. It is a single file that usually resides in /boot/ directory. The name of the file is usually vmlinuz followed by version number. For instance, vmlinuz-2.6.18.2-34-default. Some distributions have symbolic link /boot/vmlinuz pointing to real kernel file (still somewhere in /boot/). This however is not a necessity.

When I am thinking about why kernel file is compressed, I can’t think of a reasonable explanation. Today disk space is so cheap that we can safely spare few megabytes for uncompressed version of the kernel. I guess its a backward compatibility thing. Anyway, face it. Kernel binary file is compressed.

In case you’re wondering if you can decompress it, the answer is no. The problem is that the compressed portion of the kernel prepended with some uncompressed data. The size of the uncompressed portion varies. I’ve seen few people managing to extract uncompressed kernel image out of compressed one, but its fairly complex process.

Instead, it is a common practice to place an uncompressed version of the kernel in /boot/ directory. Common practice is to place file named vmlinux followed by the kernel version name and set /boot/vmlinux symbolic link to point to the uncompressed kernel (usually residing in the same directory).

Kernel version numberBACK TO TOC

You can have several kernels on one system. Each kernel has a version number. It might be a little long – version numbers like 2.6.21-8-default are common. Modern kernels start with 2.6. You can find the later version of kernel at the moment on kernel.org web-site. 2.6 actually is a major version of the latest stable kernel. Kernel developers use odd numbers to indicate development versions of the kernel and even numbers to indicate stable versions. Hence, 2.6 is stable and 2.5 is a development version.

In case you’re wondering what version of the kernel you have, you can always check this with uname -r command. Like this:

# uname -r
2.6.21-8-default

Kernel modulesBACK TO TOC

Other part of kernel resides in many smaller files under /lib/modules/ directory. These are kernel modules.

Under /lib/modules/ there is a directory per kernel installed on your system. Each sub-directory named as kernel version. I.e if you’re running kernel 2.6.21-8-default, you’ll find directory named 2.6.21-8-default in /lib/modules/.

Every kernel directory under /lib/modules/ contains several files and directories. Few of them are important to remember. For instance, build is a symbolic pointing for directory where the kernel has been built (usually somewhere in /usr/src although it can be anywhere). kernel directory contains several sub-directories that contain actual modules (or directories that contain modules – anyway no module reside outside of kernel). Finally, it contains several files that start with modules. These files used by different utilities such as modprobe to locate right modules and resolve dependencies between them.

Linux boot process explainedBACK TO TOC

Now I would like to say few words about how Linux boots. The overall boot process involves several complicated steps, eventually leading to the kernel.

First, kernel being loaded into memory, decompressed and started. One of the first things kernel does when it starts is loading something called initrd. You may’ve met this name before. I would like to explain what it is.

Initial ram-diskBACK TO TOC

In case you didn’t know, you can create a small virtual hard drive in your RAM. Eventually it does not matter what medium sits beneath the file-system. As long as you can read and write it, you can create a file-system on it, thus you can mount it and work with it as if it was a real hard disk.

RAM disk is exactly this – virtual hard disk that resides in the memory. You can format it and you can mount it.

When you create one, you usually create it empty. However, ram-disks are not necessarily empty. You can create a ram-disk, write some data to it, save the ram-disk image into a file and then mount it again. This is exactly what Linux developers did with initial ram-disk.

Initial ram-disk or shorter initrd is a file-system in a file. When system boots kernel loads it from hard drive into RAM. In case you want to know more about initrd, read my article about internal structure of initrd. You can find it here.

Mounting root file-systemBACK TO TOC

This is where most of the fresh kernel compilations fail. Next thing kernel does after loading initrd and running the script is trying to mount the real root file-system. At this moment it should have a file-system driver, disk driver and proper device file configuration.

You need a file-system driver because kernel has to understand the structure of the data on the disk. File-systems usually implemented in one or several kernel modules – mostly one. One very common exception is ext3 file-system. It’s built of two modules, ext3.ko and jbd.ko.

Having right disk driver can be more complicated. Generic IDE controller support is now built into the kernel in vast majority of distributions. Yet SCSI controllers support may be a bit of a problem. With SCSI disks you need three modules:

1. scsi_mod.ko – This module contains generic SCSI support.
2. sd_mod.ko – This module contains SCSI disks driver.
3. Kernel module with driver for you SCSI controller.

Missing any of these will cause your system to fail to boot.

Finally, last thing that required for your system to boot are device files. Each represent a device, as you know. In particular, SCSI disks should have device files. Each partition on the device should have a device files and most important device files should point to right locations.

A common problem occurs when you introduce a new SCSI disk into your system. Deciding how to present a new SCSI disk to your system is up to SCSI controller and the controller driver. You may find yourself in a situation when before the change in RAID configuration your root file-system was on /dev/sda, but after the change it is on /dev/sdb. This often occurs when you have RAID with sparse LUNs and you fill in the gaps between SCSI LUNs.

Different distributions use different ways to create required device files. In some Linux distributions, mkinitrd itself creates all needed device files. In others initrd carries udev daemon that creates needed files on the go.

In any case, lack of appropriate device files can definitely be a good reason for the system to stop operating properly.

init and servicesBACK TO TOC

Next thing kernel does after mounting real root file-system is running a program named init. This program becomes first process that runs in your system. The executable file usually resides in /sbin/ directory. The way this program works differs from distribution to distribution. Actually this is one of the major differences between different distributions.

One thing that remains unchanged is the fact that there’s a manual page for init that tells how it works. On some systems it runs scripts located in /etc/init.d. On other systems it will run scripts from /etc/event.d directory. Yet it will always run some scripts.

init levelsBACK TO TOC

The scripts divided into several categories. Such division is merely a compatibility issue – older Unix system had them, so Linux has them too. Categories don’t have names. Instead they are numbered from 0 to 6. Each category responsible for certain stage of the session. By session I mean everything that happens from the moment machine boots, until the moment it’s being shut down. During this period, machine is always in one of the init levels, meaning it has executed scripts belonging to all categories from 0 up to the current one.

For instance, normally you work in either init level 3 or level 5. 3 stands for multi-user environment that supports networking – meaning that at level 3 system has ran all scripts needed to allow several users to login and do some networking stuff. Level 5 includes everything that is in level 3 and also support for X windows. Hence when you work in graphical environment, you are at level 5 and if you are working with console, you are in level 3. On the contrary, level 1 stands for single-user no-network environment. Level 6 is a reboot level, switched to when system shuts down.

Some levels are not in use. Different distributions use level 2 and 4 in different manner, but most of the time they do nothing meaningful.

ServicesBACK TO TOC

By the way, in nearly all Linux distributions, init scripts start so called services. Services are programs that run in the background and so some useful stuff, e.g SSH server usually runs as a service. Each service has a script that starts and stops it.

One of the things that may go wrong when booting your system is one of the service scripts (or script that runs service scripts). Perhaps you’ve changed something yourself. Or one of the system variables that affect one of the scripts can get wrong and cause the script to misbehave.

Booting Linux with broken init scriptsBACK TO TOC

Luckily, there’s a simple way to boot the system even if you don’t have a rescue disk or don’t have an option to stop boot process at level 1, before most of the init scripts are executed (in RedHat Linux descendants you can press I to stop boot process on level 1). You can pass init=/bin/bash argument to the kernel, when booting the system. This will cause the system to execute /bin/bash instead of init. If you do that, instead of regular boot process you will find youself in a shell. In this environment you probably won’t have PATH variable set properly so don’t be surprised when it cannot find vi – help it by providing full path to the executable you would like to run. You can use this limited shell to fix whatever got wrong with scripts that being involved in the boot process.

Passing arguments to kernel is easy. You can do this via GRUB boot menu. Usually you select configuration you would like to boot with from the list and then press ‘e’ key to edit it. Then you select line starting with kernel, press ‘e’ again to edit it and append init=/bin/bash to the end. Then you just press enter few times to boot the system.

ConclusionBACK TO TOC

There’s always a place for surprise of course. Also, there’re so many different types of Linux, so it is nearly impossible to describe how to boot a faulty system. Yet I think I’ve covered most of the important and common stuff. In case you have problems, suggestions or just things to say about this article, please fill free to leave a comment or email me at alexander.sandler@gmail.com.

Few days ago I’ve found a blogspot user that consistently copies my articles, without asking my permission and without keeping original copyright notice intact. I asked that user to include original copyright notice, but the person chose to ignore my requests. Therefore, I am in process of filing DMCA complaint to google. Sad

This article describes sed, an excellent tool that I often use in shell scripts that I write. In the article I explain it’s most common features and also show some often overlooked features. You can find it here. Enjoy it!

Table of contents

IntroductionBACK TO TOC

sed is an exceptionally powerful and often overlooked tool. Its most common use is in scripts, where we want to replace part of the string matching certain pattern. While this is the most common use, it’s far from being its only use.

In this manual I’ll try to describe sed‘s most useful features.

Why sed rules?BACK TO TOC

As with most of the Unix command line utilities, sed reads data from the standard input and writes the result into the standard output. One thing that I like about sed is that it doesn’t have many command line switches. Actually, I often use only one of them. We’ll talk about it a little later in this manual.

sed is special. Special because it turns some common and quiet complex tasks into simple. For instance, what if you want to delete last line in a file? I can think of at least four ways to achieve this, but sed is the only way to do this with one command. And how about deleting lines 5 through 10? You can write bash script that does the job of course. Yet same effect can be achieved with single sed command.

And of course its most common use. That is to find and replace a pattern with some other pattern. It is absolutely irreplaceable. The later used so widely, so I guess I have no choice but to start with it.

sed simple case – search and replaceBACK TO TOC

Let’s say we have a file with numbers. Each number occupies a single line in the file. I’ll use this file as a sample input file in this article. Obviously, you’ll have your own input information and you will do your own stuff with it, but for the sake of the demonstration, let’s think our input file contains plain numbers. By the way, you can produce the file with

$ seq 20 > file

command. This will print numbers from 1 to 20, one in a line.

sed accepts commands as command line last argument. It is common practice to place sed‘s commands into single quotes, to tell the shell it should not try to interpret and manipulate sed‘s command.

sed commands designated with single characters, followed by optional argument. Let’s see a sample sed command. Since we’re talking about search and replace, this is the command we’ll see.

$ cat file | sed 's/<search pattern>/<replace pattern>/[optional switches]'

The search and replace command is in single quotes. Both patterns are regular expressions, meaning that . will be interpreted as any character, etc. You may omit optional switches at the end. Let’s see some examples of sed‘s search and replace in action.

$ cat file | sed 's/1/x/'

This is perhaps the simplest case of search and replace. This particular command replaces all instances of 1 digit with x character. You’re right. Not very handy. Let’s try something more complicated and perhaps meaningful.

$ cat file | sed 's/1/x/'

This command replaces every instance of 1 character with x, affecting all numbers between 10 and 19 and 1. Well, this is not exactly true. This command changes 11 into x1, instead of changing it into xx. This is wrong, isn’t it?

The truth is that unless explicitly told to replace all occurrences of the search pattern with replace pattern, sed will replace only first occurance. I.e. 11 will turn into x1 instead of xx. This is where optional switches become handy. You can use g switch to tell sed to replace all occurrences of the search pattern in each line. This is how:

$ cat file | sed 's/1/x/g'

Unlike previous command, this one will cause 11 to be replaced with xx.

Now let’s see few search and replace commands that envolve regular expressions. sed supports common regular expression syntax out of the box.

Search and replace with regular expressionsBACK TO TOC

There are plenty of resources describing regular expressions on the web and I assume that you possess some degree of knowledge in regular expression syntax. Yet, here is a wonderful resource on regular expressions that I myself often use.

$ cat file | sed 's/^1./-/'

This command replaces every two digit number starting with 1, with dash character. I.e. it will replace numbers 10-19 with ‘-‘. The ‘^’ character that you see at the front of the search pattern indicates that following characters should be first characters in the line of text.

Here’s another, more complex example.

$ cat file | sed 's/^\(.\)$/1\1/'

This example is more interesting because it demonstrates one of the more powerful feature of regular expressions and that is grouping. The sample sed command above places 1 before all one character long numbers. I.e numbers 1-9 will turn to 11-19.

sed‘s other halfBACK TO TOC

sed accepts several different commands. We’ve seen only one of them, but the rest are no less useful than search and replace.

In general, sed commands consist of two parts. First part specifies what line of input to manipulate. Second part of the command specifies the actual manipulation. The command may be search and replace that we’ve already seen. Or it may be simply delete one of the input lines or print it twice. Oh and you can run several sed commands one after another for each input line.

It is true that search and replace is perhaps the most common sed command, but other commands combined with addressing features of sed, are no less useful.

Generic sed commandBACK TO TOC

Generic sed command looks like this:

sed '[address] <command>[;[address] <command>]

Note that I used square brackets for address. That is because address is optional (common designation of optional argument) – when we did search and replace we didn’t specify any address.

You can specify several sed commands one after another, delimited with semicolon. sed will apply commands on every line of input, command by command, line by line.

The additional two sed commands that I would like to explain here are ‘d’ and ‘p’ – the delete and print commands. The truth is that I rarely use any other sed command. Combined with sed‘s powerful addressing, these two and perhaps search and replace are the commands that you will use the most.

sed addressesBACK TO TOC

The idea behind addressing in sed is to let you specify what lines of input you want to alter. This is a unique feature because no other command line utility allows you to modify very specific line of text in the input with such ease. Throughout this section of this article, I’ll use the ‘d’ command to demonstrate use of addresses. This command deletes the line. So if we tell sed to modify only the 10th line and then do ‘d’ command it will delete the line from the output.

Simple addressing, by line numberBACK TO TOC

You can specify a number of line that we want to alter. As you remember, each sed command consists of address followed by a command, delimited by a space character. Let’s see few examples.

$ cat file | sed '10 d'

This command will delete 10th line in the input file, meaning that we will see all numbers but number 10.

In case you want to specify last line of the input file, you can use $ sign as address specification. Following example will print numbers 1 through 19.

$ cat file | sed '$ d'

Complex addressingBACK TO TOC

You can specify a range of lines. To do this, you specify first line of the range and the last one with comma in between.

$ cat file | sed '1,9 d'

Will print lines 10 through 20. Next example on the other hand, will print lines 1 to 9.

$ cat file | sed '10,$ d'

Now here’s something neat. You can also tell sed that address lines appear starting line X every Y lines. To do this, you specify X~Y as an address. Here’s an example.

$ cat file | sed '1~2 d'

This will print the even numbers out of 1-20 range. On the contrary, following command will print only the odd numbers.

$ cat file | sed '0~2 d'

Finally, we can specify addresses using regular expressions. You can do this by specifying regular expression in between two slash characters.

$ cat file | sed '/^1./ d'

This command will delete all two character lines starting with 1. I.e. it will print numbers 1-9 and 20. Here’s another regular expression example.

$ cat file | sed '// d'

Putting it all togetherBACK TO TOC

Last command that I would like to demonstrate you is ‘p’ command. As you could have guessed, it prints input line as is. There’s one caveat in using it. sed will print the input line (or what may have left of it) anyway, so when telling it to print the line it will do it twice. It is easy to overcome this problem is using -n command line switch – remember I mentioned a command line switch that I use from time to time, this is it

Let’s see few examples of the ‘p’ command in action.

$ cat file | sed 'p'

As expected, this command will simply print every line of text twice. Let’s see something more complex.

$ cat file | sed -n '1,5 p'

In this command I used the addressing feature of sed. It will print all numbers from 1 to 5. Finally, let’s try to put it all together.

$ cat file | sed -n '/^.$/ d; /^2./ d; /^1./ s/1/2/; p'

What you see here is three sed commands in a row. First one deletes all lines of text one character long. This will delete all numbers from 1 to 9. Next, it deletes all two digit numbers that start with 2. This will delete number 20. Finally, it searches for all two digit numbers starting from 1 and replaces 1 with 2. Eventually, we use ‘p’ command to print the result. Last ‘p’ command needed only because we used -n command line switch. Eventually it will print numbers 20 to 29.

Here’s another a slightly complex example, that does however exactly the same – prints numbers 20 through 29.

$ cat file | sed '1,9 d; $ d; s/1/2/g;'

This concludes this introductionary article on sed. Hope you found it interesting. If you have further questions, drop me an email or leave a comment here.