Tracing SQL Queries in Real Time for MySQL Databases using WinDbg and Basic Assembler Knowledge

https://www.codeproject.com/Articles/43305/Tracing-SQL-Queries-in-Real-Time-for-MySQL-Databas

Assembly and MySQL

Introduction

Looking at how the internal engine of a server product actually works is one of the more interesting things a developer can do. The purpose of this article is to show how basic assembler knowledge can be used to pull interesting information out of a running process.

A few days ago a friend of mine was working on a PHP+MySQL site. He was experiencing some issues.

OK, let's start.

  1. You will need a MySQL installation: download and install any version of MySQL and make sure the mysqld service is running (in other words, ensure that MySQL is working properly).
  2. Download the latest version of WinDbg for Windows from the Microsoft site.
  3. Launch WinDbg.
  4. Press F6 and attach to the mysqld.exe process.
  5. Set the symbol path with File->Symbol File Path: srv*c:\windows*http://msdl.microsoft.com/download/symbols. Note that the Microsoft symbol server only serves symbols for Microsoft binaries; for a breakpoint such as mysqld!mysql_parse to resolve by name, WinDbg must also be able to find the mysqld.pdb matching your build (MySQL's Windows ZIP packages include it for many releases), so add that directory to the symbol path as well.
  6. On the WinDbg command line, execute .reload.
  7. Press F5 to let the process run (attaching the debugger freezes it). F5 or the g command resumes it.
  8. Here is the tricky part. The mysqld.exe process (a service in this case) is in charge of executing the SQL queries sent by PHP pages or by any other MySQL client. Navicat is a nice MySQL client that lets you work with the server graphically, much as Management Studio does with SQL Server.
  9. Start Navicat for the purposes of this exercise (if you want), or use your own PHP or any other application that acts as a MySQL client.
  10. EXECUTE is the magic word. The reasoning is: if mysqld executes SQL queries, somewhere in its code there is probably a function with "execute" in its name that does the work. Let's put a breakpoint there.
  11. Breakpoint: stop mysqld with Ctrl+Break in WinDbg and enter the command bm *mysqld*!*execute* (bm sets a breakpoint on every symbol matching the pattern: any module matching *mysqld*, any function matching *execute*).
  12. Press F5 and perform any client operation from the PHP page, Navicat or any other MySQL client.
  13. Your page or Navicat will freeze. Why? Because mysqld was stopped at the breakpoint. Let's look at WinDbg.

  14. Nice, the mysqld process stopped in mysqld!mysql_execute_command. Let's see the stack trace with the kb command:
  15. As you can see, the input parameters of mysql_execute_command appear directly in the Args to Child columns. Each hexadecimal value there is normally a pointer to some data structure. Does any of the Args to Child pointers point at a string? Let's examine this.
  16. Click View->Memory. In Address, enter a pointer taken from Args to Child: try 01eb2630 and then the other values:

  17. Nothing interesting shows up in any of the Args to Child values of mysql_execute_command, but what about its caller, mysql_parse, one frame up the stack?

  18. Eureka! There is something interesting there. What if we print the value? Let's execute: .printf "%ma", 03b62a68:

  19. Yes, this is definitely a SQL query captured from the mysqld process. Now that we know which function we want, delete all breakpoints with bc *, set bp mysqld!mysql_parse, and continue execution with F5 or the g command.
  20. Now WinDbg stops on mysqld!mysql_parse.
  21. The million dollar question: will every query executed by MySQL freeze my application until I press F5? The answer is no, if we use a smarter breakpoint. We know the function is mysql_parse, but where in memory is its argument stored when the breakpoint hits? This is where a bit of call-stack theory comes in:

  22. When a function is called, the caller first pushes the function's parameters onto the stack. What happens to the ESP register? Take the example VOID SUM(INT X, INT *Y). ESP points to the TOP of the stack and EBP to the base of the current frame. Let's assume ESP=1000.
    1. The caller pushes the pointer Y, and ESP decreases. Decreasing the top of the stack sounds confusing, but it is true: on Windows, as on any x86 system, the stack grows downwards, so the top of the stack (ESP) is at a lower address than the base (EBP). Arguments are pushed right to left, so Y goes first: ESP=ESP-4 : 996.
    2. The caller pushes the value of X: ESP=ESP-4 : 992.
    3. The call instruction pushes the return address into the calling function: ESP=ESP-4 : 988.
  23. When WinDbg stops at the breakpoint (on the first instruction of the function, before its prologue runs), the stack is in exactly that state: [ESP] holds the return address, [ESP+4] the first parameter and [ESP+8] the second. So the second parameter can be found with a simple arithmetic expression, poi(esp+8), and as the previous WinDbg screenshot showed, our string is the second parameter. Let's try this:
  24. Printing the 2nd parameter: .printf "%ma", poi(esp+8).

  25. Why poi? In WinDbg, poi(x) reads the pointer-sized value stored at address x, so poi(esp+8) yields the pointer that was pushed as the second argument. %ma prints the ASCII string found at that address; %mu would print a Unicode string. Note that this layout holds for a 32-bit mysqld: on 64-bit Windows the first four integer and pointer arguments are passed in rcx, rdx, r8 and r9 rather than on the stack, so the query pointer would be in rdx at function entry, not at esp+8.
  26. Good, now we can put this together in a single breakpoint.
  27. The complete breakpoint: bp mysqld!mysql_parse ".printf \"\\n%ma\",poi(esp+8);gc"
  28. This sets a breakpoint (bp) on mysqld!mysql_parse whose attached command prints the ASCII string at the pointer found at esp+8 (the second parameter) and then runs gc to continue execution without stopping. Press F5 again and every query the server parses is printed in the WinDbg command window in real time, while the client keeps running.
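The steps above, collected into one WinDbg session, as an added example that is not part of the original article. It assumes a 32-bit mysqld.exe already attached with F6, the MySQL PDB in C:\mysql\bin and a scratch directory C:\temp (both paths are hypothetical); it adds a symbol check and a raw look at the stack so you can confirm the [esp+8] layout yourself before trusting the trace breakpoint, and it logs the captured queries to a file instead of only the command window. The 64-bit variant at the end is the same idea with the argument read from rdx.

```windbg
$$ Added example: type these at the WinDbg prompt after attaching to mysqld.exe (F6).
$$ Assumed paths: C:\mysql\bin (where mysqld.pdb lives) and C:\temp (log output).

$$ 1. Symbols. The Microsoft server knows nothing about mysqld, so add the MySQL PDB directory too.
.sympath srv*C:\symbols*https://msdl.microsoft.com/download/symbols
.sympath+ C:\mysql\bin
.reload /f mysqld.exe

$$ 2. Make sure the function resolves before relying on a named breakpoint.
x mysqld!mysql_parse

$$ 3. One stopping hit to verify the stack layout: at function entry (before the prologue)
$$    [esp] = return address, [esp+4] = first argument (THD*), [esp+8] = second argument (query text).
bp mysqld!mysql_parse
g
$$ ... run a query from the client; when WinDbg breaks:
dd @esp L3
da poi(@esp+8)
bc *

$$ 4. Non-stopping trace: print the query, continue with gc, and mirror everything to a log file.
.logopen C:\temp\mysql_queries.log
bp mysqld!mysql_parse ".printf \"\\n%ma\", poi(@esp+8); gc"
g

$$ 64-bit mysqld: the first four arguments are in rcx, rdx, r8, r9, so the query pointer is rdx.
$$ Use this breakpoint instead of the one in step 4:
$$   bp mysqld!mysql_parse ".printf \"\\n%ma\", @rdx; gc"

$$ When done: Ctrl+Break, then
$$   bc *
$$   .logclose
```

If `x mysqld!mysql_parse` prints nothing, the PDB was not found and both `bp` commands will be deferred rather than set; fix the symbol path first. Keep in mind that every query the server parses passes through this breakpoint, so the log will contain any credentials or personal data embedded in query text; treat the file accordingly and `.logclose` as soon as you have what you need.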

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Time: 2024-10-24 21:55:01
