玩弄Meltdown / Spectre。
有这个小程序:
pass.c
#include <stdio.h>
int main(void) {
char buf[7];
printf("Password : ");
fgets(buf, 7, stdin);
sscanf(buf, "%s", buf);
printf("addr %p\n",buf);
while(1)
{
}
printf("Password : %s\n",buf);
return 0;
}
想要从内存中读取物理映射的地址值。
./pass
Password : secret
addr 0x7ffc9098b780
发现这个程序从用户空间获取虚拟物理地址:
https://github.com/dwks/pagemap
输出:
./pagemap2 18135
=== Maps for pid 18135
0x400000 : pfn 0 soft-dirty 1 file/shared 1 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x600000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x601000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x206a000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [heap]
0x206b000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206c000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206d000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206e000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206f000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2070000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2071000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2072000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2073000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2074000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2075000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2076000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2077000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2078000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2079000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207a000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207b000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207c000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207d000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207e000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207f000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2080000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2081000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2082000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2083000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2084000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2085000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2086000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2087000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2088000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2089000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x208a000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x7f27b2365000 : pfn 0 soft-dirty 1 file/shared 1 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b253d000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b253e000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b253f000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b2563000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b2564000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7f27b2565000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2566000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2567000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library
0x7ffe2498c000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498d000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498e000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498f000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24990000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24991000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24992000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24993000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24994000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24995000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24996000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24997000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24998000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24999000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499a000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499b000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499c000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499d000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499e000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499f000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a0000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a1000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a2000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a3000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a4000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a5000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a6000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a7000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a8000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a9000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249aa000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ab000 : pfn 0 soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249ac000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ca000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cb000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cc000 : pfn 0 soft-dirty 1 file/shared 1 swapped 0 present 1 library [vdso]
0x7ffe249cd000 : pfn 0 soft-dirty 1 file/shared 0 swapped 0 present 0 library [vdso]
我的“秘密”字符串位于何处?在堆栈上?我应该尝试哪个物理地址?
谢谢,
答案 0 :(得分:2)
使用适用于Windows的WinDbg等Linux调试程序。 Linux也应该存在类似的调试器,可能是gdb。
用户模式部分:
0:002> !heap -s
SEGMENT HEAP ERROR: failed to initialize the extention
LFH Key : 0x0000002452efc0db
Termination on corruption : ENABLED
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast
(k) (k) (k) (k) length blocks cont. heap
-------------------------------------------------------------------------------------
0000000000400000 00000002 2048 1104 2048 690 6 2 0 0 LFH
0:002> dd 400000
00000000`00400000 00000000 00000000 8d12536f 01001481
00000000`00400010 ffeeffee 00000000 040c0018 00000000
00000000`00400020 00400128 00000000 00400000 00000000
00000000`00400030 00400000 00000000 00000100 00000000
00000000`00400040 00400a80 00000000 00500000 00000000
00000000`00400050 00000042 00000001 00000000 00000000
00000000`00400060 004bdfe0 00000000 004bdfe0 00000000
00000000`00400070 00000002 00000000 00000000 00100000
内核模式部分:
0: kd> !process 0 0 notepad.exe
PROCESS fffffa801d440640
SessionId: 1 Cid: 0fec Peb: 7fffffdb000 ParentCid: 0dec
DirBase: 4e7480000 ObjectTable: fffff8a008f3ddd0 HandleCount: 66.
Image: notepad.exe
0: kd> .process fffffa801d440640
Implicit process is now fffffa80`1d440640
0: kd> !vtop 0 400000
Amd64VtoP: Virt 00000000`00400000, pagedir 00000004`e7480000
Amd64VtoP: PML4E 00000004`e7480000
Amd64VtoP: PDPE 00000006`4519b000
Amd64VtoP: PDE 00000006`4521e010
Amd64VtoP: PTE 00000006`51db9000
Amd64VtoP: Mapped phys 00000006`45c3a000
Virtual address 400000 translates to physical address 645c3a000.
0: kd> !dd 645c3a000
#645c3a000 00000000 00000000 8d12536f 01001481
#645c3a010 ffeeffee 00000000 040c0018 00000000
#645c3a020 00400128 00000000 00400000 00000000
#645c3a030 00400000 00000000 00000100 00000000
#645c3a040 00400a80 00000000 00500000 00000000
#645c3a050 00000042 00000001 00000000 00000000
#645c3a060 004bdfe0 00000000 004bdfe0 00000000
#645c3a070 00000002 00000000 00000000 00100000
如您所见,虚拟用户模式地址00000000'00400000中的值与物理地址645c3a000中的值相同。您找到了正确的物理地址,无论您喜欢什么,都可以使用它。