Linux Dump的几种姿势

January 12, 2021 Linux 访问: 65 次

GDB

1、在gdb里attach上某一个进程
2、dump memory [filename] [start_addr] [end_addr]

其实底层原理也是 ptrace

ptrace

1、首先使用ptrace附加到一个进程上
2、然后用 PTRACE_PEEKTEXT 或 PTRACE_PEEKDATA 读取目标内存进行 dump

#include<stdio.h>
#include<string.h>
#include<sys/ptrace.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>

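/*
 * Copy `length` bytes of the traced process `pro_id`'s memory, starting at
 * `addr`, into `buf`, one word at a time via PTRACE_PEEKDATA.
 *
 * The caller must already be attached to `pro_id` (PTRACE_ATTACH) and have
 * waited for it to stop; otherwise every peek fails with ESRCH.
 * `buf` must hold at least `length` bytes. Only whole words are read, so a
 * trailing partial word (length % sizeof *buf) is never written.
 *
 * Returns the number of words successfully read. Reading stops at the first
 * failed peek and the unread remainder of `buf` is zeroed, so a caller that
 * writes the whole buffer to disk never emits uninitialised bytes.
 */
size_t dump_memery(pid_t pro_id, size_t *buf, size_t addr, size_t length)
{
    /* One PEEKDATA result (a long) per element; assumes sizeof(size_t) ==
     * sizeof(long), which holds on the Linux ABIs where ptrace exists. */
    const size_t word = sizeof *buf;
    const size_t nwords = length / word;
    size_t idx;

    for (idx = 0; idx < nwords; idx++) {
        /* PEEKDATA returns -1 both on error and for a word whose value is -1;
         * only errno tells the two apart, so it must be cleared first. */
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pro_id, (void *)(addr + idx * word), (void *)0);
        if (w == -1 && errno != 0) {
            break;
        }
        buf[idx] = (size_t)w;
    }

    /* Leave no indeterminate words behind the point where reading stopped. */
    if (idx < nwords) {
        memset(&buf[idx], 0, (nwords - idx) * word);
    }
    return idx;
}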
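/*
 * Parse a non-negative size from `s` (decimal, 0x-prefixed hex or
 * leading-0 octal, as strtoul base 0 accepts). Returns 0 and stores the
 * value in *out on success, -1 on empty, negative, malformed or
 * out-of-range input.
 */
static int parse_size(const char *s, size_t *out)
{
    char *end = NULL;
    if (s[0] == '\0' || s[0] == '-') {
        return -1;
    }
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (end == s || *end != '\0' || errno == ERANGE) {
        return -1;
    }
    *out = (size_t)v;
    return 0;
}

/*
 * Usage: prog pid [addr [length]]
 *
 * Attaches to `pid`, waits for it to stop, copies `length` bytes (default
 * 0x1000) starting at `addr` (default 0x400000) out of its memory and
 * appends them to ./data.bin, then detaches so the target resumes.
 *
 * Returns EXIT_SUCCESS, or EXIT_FAILURE after printing the reason to stderr
 * (bad arguments, ptrace/waitpid failure, file errors).
 */
int main(int argc, char *argv[])
{
    int rc = EXIT_FAILURE;
    size_t *data = NULL;
    FILE *fp = NULL;
    int attached = 0;

    if (argc < 2 || argc > 4) {
        fprintf(stderr, "Usage: %s pid [addr [length]]\n", argv[0]);
        return EXIT_FAILURE;
    }

    /* strtol reports malformed input; atoi would silently yield pid 0. */
    char *end = NULL;
    errno = 0;
    long pid_val = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || pid_val <= 0) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    pid_t process_id = (pid_t)pid_val;

    /* Defaults reproduce the original hard-coded range; 0x400000 is the
     * load address printed in this page's sample run and presumably only
     * applies to a non-PIE binary, so pass addr explicitly otherwise. */
    size_t addr = 0x400000;
    size_t length = 0x1000;
    if (argc >= 3 && parse_size(argv[2], &addr) != 0) {
        fprintf(stderr, "invalid addr: %s\n", argv[2]);
        return EXIT_FAILURE;
    }
    if (argc == 4 && (parse_size(argv[3], &length) != 0 || length == 0)) {
        fprintf(stderr, "invalid length: %s\n", argv[3]);
        return EXIT_FAILURE;
    }

    /* Zeroed so that bytes the dump routine never fills are still defined
     * when the whole buffer is written out. */
    data = calloc(1, length);
    if (data == NULL) {
        perror("calloc");
        goto out;
    }

    if (ptrace(PTRACE_ATTACH, process_id, (void *)0, (void *)0) == -1) {
        perror("ptrace(PTRACE_ATTACH)");
        goto out;
    }
    attached = 1;

    /* ATTACH sends SIGSTOP; the target's memory may only be read once
     * waitpid reports the stop. wait(NULL) would also accept any child. */
    int status = 0;
    if (waitpid(process_id, &status, 0) == -1) {
        perror("waitpid");
        goto out;
    }
    if (!WIFSTOPPED(status)) {
        fprintf(stderr, "pid %ld did not stop after attach\n", pid_val);
        goto out;
    }

    dump_memery(process_id, data, addr, length);

    /* Append mode is kept from the original: successive runs are
     * concatenated into the same file, with no boundary between them. */
    fp = fopen("./data.bin", "ab");
    if (fp == NULL) {
        perror("fopen");
        goto out;
    }
    if (fwrite(data, 1, length, fp) != length) {
        perror("fwrite");
        goto out;
    }
    rc = EXIT_SUCCESS;

out:
    /* Detach first so the target is not left stopped any longer than
     * necessary; the kernel would only do this implicitly at exit. */
    if (attached) {
        ptrace(PTRACE_DETACH, process_id, (void *)0, (void *)0);
    }
    /* fclose flushes; a failed flush means the dump is incomplete. */
    if (fp != NULL && fclose(fp) != 0) {
        perror("fclose");
        rc = EXIT_FAILURE;
    }
    free(data);
    return rc;
}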

劫持动态链接库dump内存

当时在中关村那场比赛中，还不会用这种方法来 dump 文件。

hook.c

#include <stdio.h>
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#define PATH "./data.bin"

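enum {
    DUMP_PAGE = 0x1000,      /* bytes written per write(2) call */
    DUMP_SPAN = 0x1000000    /* total address range scanned from the base */
};

/*
 * Write `len` bytes from `p` to `fd`, retrying after a short write so a
 * page is never silently truncated in the output file.
 *
 * Returns the number of bytes actually written: `len` on success, 0 if the
 * very first write fails (for an unmapped page this is EFAULT), or a
 * partial count if an error occurs part-way through.
 */
static size_t write_page(int fd, const char *p, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, p + done, len - done);
        if (n <= 0) {
            break;
        }
        done += (size_t)n;
    }
    return done;
}

/*
 * Runs when this library is loaded (constructor attribute), e.g. through
 * LD_PRELOAD before the host program's main().
 *
 * Takes the first pointer-sized field of the handle returned by
 * dlopen(NULL, RTLD_LAZY) as a base address and writes the following
 * DUMP_SPAN bytes of the process to PATH, one DUMP_PAGE at a time. Pages
 * that are not mapped make write(2) fail and are skipped, so the file holds
 * only readable pages back to back; the address of each page that reached
 * the file is printed to stdout, which is the only record of the layout.
 *
 * NOTE(review): the dlopen handle is opaque. Reading it as `char **`
 * depends on glibc's private link_map layout (first member l_addr) and is
 * not portable across libc implementations — verify for the target libc.
 */
__attribute__((constructor)) void hack_func(void)
{
    char *image_base;
    int fd;
    unsigned long long offset;

    /* Unbuffered stdout: the printed addresses survive even if the host
     * process dies before a normal flush. */
    setbuf(stdout, NULL);

    image_base = *(char **)dlopen(NULL, RTLD_LAZY);

    /* O_TRUNC so a previous, longer dump cannot leave stale bytes behind
     * the end of this one; write-only since the file is never read here. */
    fd = open(PATH, O_WRONLY | O_CREAT | O_TRUNC | O_NOCTTY, 0644);
    if (fd < 0) {
        perror("open");
        /* Terminates the host process — loading this library exists only
         * to produce the dump, so there is nothing useful left to run. */
        exit(EXIT_FAILURE);
    }

    for (offset = 0; offset < DUMP_SPAN; offset += DUMP_PAGE) {
        if (write_page(fd, image_base + offset, DUMP_PAGE) > 0) {
            printf("%p\n", (void *)(image_base + offset));
        }
    }

    /* The host may run indefinitely after this returns; do not leak the
     * descriptor or leave the file's final state undefined. */
    if (close(fd) != 0) {
        perror("close");
    }
}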

demo.c

#include<stdio.h>
/* Minimal host program for the LD_PRELOAD demo: prints one line and exits 0. */
int main(void)
{
    fputs("hello radish\n", stdout);
    return 0;
}

效果:

❯ LD_PRELOAD=./hack.so ./demo
0x400000
0x600000
0x601000
hello radish
root@ubuntu ~/桌面/linux_inject/2 6s

16104332564845.jpg

成功dump出内存

动态注入so文件来dump

还是利用ptrace来注入shellcode

shellcode实现调用__libc_dlopen_mode加载恶意so文件

    // Two 8-byte pushes place the NUL-terminated path string of the shared
    // object on the stack (little-endian, so the low bytes come first).
    mov rax,0x6f732e6b
    push rax
    mov rax,0x6361682f706d742f // remaining 8 bytes of the .so path string
    push rax
    // Argument setup: rdi = path (stack pointer), rsi = 1 (mode argument);
    // rdx and rcx are cleared before the call.
    xor rdx,rdx
    xor rcx,rcx
    mov rdi,rsp
    mov rsi,1
    mov rax,0x7efeb77086d0 // absolute address of __libc_dlopen_mode; hard-coded for one process image, not relocatable
    call rax
    // Drop the 16 bytes of path string from the stack and clear rax.
    pop rax
    pop rax
    xor rax,rax

实现效果:
16104419675888.jpg
