Tracing SQL Queries in Real Time for MySQL Databases using WinDbg and Basic Assembler Knowledge
Introduction
One of the more interesting things for any person is to see how the internal engines from the server software work. The purpose of this article is to show how we can apply basic assembler knowledge to find interesting runtime information.
Few days ago, my friend was involved on PHP+MYSQL site development. He was experiencing some issues.
Ok, we can start.
- You will need MySQL installation download and install any version of MySQL. Please make sure that your MySQLD service is running successfully (In other words, ensure that your MySQL is working properly).
- Download the latest version of Windbg for Windows from the Microsoft site.
- Launch Windbg.
- Press F6 and attach the mysqld.exe process.
- Set the Windbg symbols properly by using File->Symbols File Path:srv*c:\windows*http://msdl.microsoft.com/download/symbols.
- On Windbg command line, execute
.reload
. - Press F5 to run the process (When you attach the process, this gets frozen). Using F5 or with G command, the process runs.
- Here is the tricky part. MYSQLD.exe process (or service in this case) is in charge of executing the SQL Queries from PHP pages, or MYSQL different clients. Navicat is a cool MYSQL client which allows us to see the MYSQL Server in a graphical mode, like Microsoft Management Studio does with SQL Server.
- Let's start navicat tool for educative purposes (if you want), or use your own PHP or any other application which is a MYSQL Client.
EXECUTE
is the magic word. The tricky part is: Why if MYSQLD.EXE process performs a SQL Query executing any kind ofEXECUTE
function on any part of their internal code? Let's put a breakpoint there.- Breakpoint: Stop the current
MYSQLD
Execution by CTRL+Break on Windbg and put the following command:bm *mysqld*!*execute*
(BM=break on mask, library all *mysqld* and function *execute*). - Press F5 and perform any client operation with PHP Page or Navicat or any other MYSQL client.
- You will see a freeze in your page or navicat: Why? Because MYSQLD was stopped. Lets see the windbg.
- Nice, the MYSQLD process stopped on
MYSQLD!MYSQL_EXECUTE_COMMAND
, let's see the Stack Trace: Use KB command: - As you can see, you can observe directly the input parameters for
MYSQL_EXECUTE_COMMAND
on Args to Child section. Every hexadecimal value there represents normally a pointer to any specified data structure. Is anystring
there on any of the Args to Child pointer? Let's examine this. - Click on View->Memory. On Address, write the Pointer (captured from Args to child) try with 01eb2630 and the other args to child:
- We did not see any interesting thing on all args to child parameters for
MYSQL_EXECUTE_COMMAND
, but what about the previous function:mysql_parse
? - Eureka! There is something interesting there. What if we print the value there? Let's execute:
.printf “%ma”.03b62a68
: - Yes, this is definitely a SQL Query captured from MYSQLD process. Now when we have the function that we want, delete all breakpoints by using the command
BC *
and usebp mysqld!mysql_parse
and continue the execution by using F5 or G windbg command line. - Now our windbg stopped on
mysqld!mysql_parse
. - The one million question is: everytime that any MYSQL Query executes something, it will freeze my app until press F5 app? The answer is no, if we use a more intelligent breakpoint. We know the function
mysql_parse
, but in which memory address it is stored? This is a call stack theory: - Let's explain this, when the process is starting a function, it pushes the Function parameters to be used. Then what happens with ESP processor register? Example:
VOID SUM(INT X,INT *Y)
.ESP
represents theTOP
of the stack, andEBP
the base address for theStack
. Let's assume thatESP=1000
. - The process pushes the pointer to the
Y
value andESP
decreases their value, decreases the top of the stack? Sounds confusing, Yes it'strue
, in the Windows operative system, theTOP
of the stack is in the lower part of memory than EBP (Base pointer of the stack)ESP=ESP-4 : 996
. - The process pushes the value of
X ESP=ESP-4 : 992
. - The process push the return address for the previous function:
ESP=ESP-4 : 998
. - When the Windbg stops, the stack is in the
c
state. For example, you can find the second parameter by just executing a simple math operation: 2º parameter is located in thePOI(ESP+8)
, as we can see the Windbg previous picture, YES, ourstring
is the second parameter. Let's try this: - Printing the 2º parameter:
.printf “%ma”,poi(esp+8)
. - Why POI? Poi in windbg represents or gets the pointer address of
ESP+8
,%ma
means or represent just a ASCII chars.%mu
represents Unicode. - Good, now we can put together in a simple breakpoint.
- The complete breakpoint:
bp mysqld!mysql_parse ".printf \"\\n%ma\",poi(esp+8);gc"
- When we set
Bp=breakpoint
in the functionmysqld!mysql_parse
, it prints an ASCIIstring
given a pointer to theesp+8
(second parameter, andgc
to continue the execution without stop.
License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
Tracing SQL Queries in Real Time for MySQL Databases using WinDbg and Basic Assembler Knowledge的更多相关文章
- 【MySQL笔记】解除输入的安全模式,Error Code: 1175. You are using safe update mode and you tried to update a table without a WHERE that uses a KEY column To disable safe mode, toggle the option in Preferences -> SQL Queries and reconnect.
Error Code: 1175. You are using safe update mode and you tried to update a table without a WHERE tha ...
- Error Code: 1175. You are using safe update mode and you tried to update a table without a WHERE that uses a KEY column To disable safe mode, toggle the option in Preferences -> SQL Queries and reconn
使用MySQL执行update的时候报错: MySQL 在使用mysql执行update的时候,如果不是用主键当where语句,会报如下错误,使用主键用于where语句中正常. 异常内容: ...
- Monitor All SQL Queries in MySQL (alias mysql profiler)
video from youtube: http://www.youtube.com/watch?v=79NWqv3aPRI one blog post: Monitor All SQL Querie ...
- java.sql.SQLException: Streaming result set com.mysql.jdbc.RowDataDynamic@27ce24aa is still active. No statements may be issued when any streaming result sets are open and in use on a given connection
在Sqoop往mysql导出数据的时候报了这个错误,一开始还以为是jar包没有打进去或者打错位置了,未解便上网查询. Error reading from database: java.sql.SQL ...
- EF: Raw SQL Queries
Raw SQL Queries Entity Framework allows you to query using LINQ with your entity classes. However, t ...
- Executing Raw SQL Queries using Entity Framework
原文 Executing Raw SQL Queries using Entity Framework While working with Entity Framework developers m ...
- Thinkphp中查询复杂sql查询表达式,如何表达MYSQL中的某字段不为空is not null?
Thinkphp中查询复杂sql查询表达式,如何表达MYSQL中的某字段不为空is not null?先上两种实现方式的实例:$querys["house_type_image"] ...
- EF Core 2.1 Raw SQL Queries (转自MSDN)
Entity Framework Core allows you to drop down to raw SQL queries when working with a relational data ...
- Debezium SQL Server Source Connector+Kafka+Spark+MySQL 实时数据处理
写在前面 前段时间在实时获取SQLServer数据库变化时候,整个过程可谓是坎坷.然后就想在这里记录一下. 本文的技术栈: Debezium SQL Server Source Connector+K ...
随机推荐
- (二十一)Makefile例子
ROOT_PROJECT = .DIR_INC = -I$(ROOT_PROJECT)/include -I$(ROOT_PROJECT)/include/NE10 DIR_BIN = $(ROOT_ ...
- C语言调用Cmd命令以及执行系统软件
C语言调用Cmd命令以及执行系统软件 http://blog.csdn.net/qq_16814591/article/details/43676377
- 单文件组件(single-file components)
介绍 我们可以使用预处理器来构建简洁和功能更丰富的组件,比如 Pug,Babel (with ES2015 modules),和 Stylus.
- FineReport——插入行策略
1.空值是默认的选项,即每次插入新行时,格子都是空白的. 2.原值即单元格中原有内容是什么,就复制到新增的格子中,一般适用于单元格是使用公式定义的, 在插入单元格时,公式会保留下来. 3.默认值即通过 ...
- MAC Pro 2017款 无线上网慢
MAC Pro 2017款 在无线路由器和MAC相隔一个房间,上网很慢,怀疑是无线路由器有问题,但其他几台老款MAC和PC上网正常.后来将蓝牙关掉,上网就很快了.
- O(n)回文子串(Manacher)算法
O(n)回文子串(Manacher)算法 资料来源网络 参见:http://www.felix021.com/blog/read.php?2040 问题描述: 输入一个字符串,求出其中最大的回文子串. ...
- Zabbix历史数据库迁移 及分区
https://blog.csdn.net/hkyw000/article/details/78971201?utm_source=blogxgwz6
- Nmap误报1720端口开放的原因
在使用Nmap扫描服务器开放端口(全连接扫描)时,一直会发现误报1720端口开放,telnet也有时会连接成功.而实际上服务器并未开启此端口.经过查阅资料,确定原因如下: H.323协议在负载中放入了 ...
- java.util.regex包下的Pattern和Matcher详解(正则匹配)
java正则表达式通过java.util.regex包下的Pattern类与Matcher类实现(建议在阅读本文时,打开java API文档,当介绍到哪个方法时,查看java API中的方法说明,效果 ...
- Kbengine cocos2djs 地图问题
KBEngine.addSpaceGeometryMapping(self.spaceID, None, resPath) 问下这个resPath加载的文件在哪里,后端愣是没找到,前端倒是看到了,还是 ...