如何从核心转储中撤消字符串的虚拟地址?

时间:2018-06-13 19:41:41

标签: python gdb gcore

我正在尝试在进程的内存中找到一个特定的字符串。具体来说,我想找到存储它的虚拟地址。我编写了一个python脚本来调用进程上的gcore并扫描生成的文件以查找所有匹配项。然后我调用pmap并遍历那里的条目。我的想法是找到每个索引对应的内存部分,然后减去前面部分的大小总和,得到正确部分的偏移量,将其添加到基数,并获取虚拟地址。但是,当我在使用gdb计算的虚拟地址中搜索字符串时,我找不到正确的字符串。为什么我的方法不起作用? gcore是否按顺序转储虚拟内存的全部内容?

#!/usr/bin/python3
import sys
import ctypes
import ctypes.util
import subprocess
import os
import ptrace
import re

if(len(sys.argv) != 2):
    print("Usage: search_and_replace.py target_pid")
    sys.exit(-1)

pid = sys.argv[1]
if not pid.isdigit():
    print("Invalid PID specified.  Make sure PID is an integer")
    sys.exit(-1)

bash_cmd = "sudo gcore -a {}".format(pid)
os.system(bash_cmd)

with open("core." + sys.argv[1], 'rb') as f:
    s = f.read()
# with open("all.dump", 'rb') as f:
#   s = f.read()

str_query = b'a random string in program\'s memory'
str_replc = b'This is an inserted string, replacing the original.'
indices = []
for match in re.finditer(str_query, s):
    indices.append(match.start())
print("number of indices is " + str(len(indices)))

#index = s.find(str_query)

# print("offset is " + str(index))
# if(index == 0):
#   print("error: String not found")
#   sys.exit(-1)

bash_cmd = "sudo pmap -x {} > maps".format(pid)
print(bash_cmd)
subprocess.call(bash_cmd, shell=True)

with open("maps") as m:
    lines = m.readlines()

#calculate the virtual address of the targeted string the running process via parsing the pmap output
pages = []
v_addrs = []

for index in indices:
    sum = 0
    offset = 0
    v_addr = 0  
    #print(index)
    for i in range(2, len(lines) - 2):
        line = lines[i]
        items = line.split()
        v_addr = int(items[0], 16)
        old_sum = sum
        sum += int(items[1]) * 1024
        if sum > index:
            offset = index - old_sum
            print("max is " + hex(v_addr + int(items[1]) * 1024))
            print("offset is " + str(offset) + " hex " + hex(offset))
            print("final va is " + hex(v_addr + offset))
            pages.append(hex(v_addr) + ", " + hex(v_addr + int(items[1]) * 1024))
            v_addrs.append(hex(v_addr + offset))
            break

print("base va is " + hex(v_addr))
v_addr += offset

for page in set(pages):
    print(page)

for va in v_addrs:
    print(va)

在相关的说明中,我还尝试使用gdb手动扫描文件 - 当我使用其find命令扫描区域中的字符串时,似乎找不到几乎相同的匹配项有问题的记忆(确切数字变化很大)。那是为什么?

1 个答案:

答案 0 :(得分:1)

您可以使用python代码在核心文件中定位各种内容。 structer软件包包括一个elf模块,该模块的Elf类为此提供了方法。 gdb会话的以下输出包含有关如何使用该代码的示例。

该会话的第一段摘录显示gdb打开由gcore生成的核心文件,并为后续搜索提供一些数据。

18:33:00 $ gdb -q /home/efuller/gnu/bin/gdb core.17856 
Reading symbols from /home/efuller/gnu/bin/gdb...done.
[New LWP 17856]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/efuller/gnu/bin/gdb /home/efuller/gnu/bin/gdb'.
Program terminated with signal SIGINT, Interrupt.
#0  0x00007ffff62c5660 in __poll_nocancel () at ../sysdeps/unix/syscall-template.S:84
84  ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) backtrace
#0  0x00007ffff62c5660 in __poll_nocancel () at ../sysdeps/unix/syscall-template.S:84
#1  0x00005555557f7ea6 in gdb_wait_for_event (block=1) at event-loop.c:772
#2  0x00005555557f7185 in gdb_do_one_event () at event-loop.c:347
#3  0x00005555557f71bd in start_event_loop () at event-loop.c:371
#4  0x00005555557f003a in captured_command_loop (data=0x0) at main.c:324
#5  0x00005555557eb2e9 in catch_errors (func=0x5555557efff8 <captured_command_loop(void*)>, func_args=0x0, errstring=0x555555b4f733 "", mask=RETURN_MASK_ALL) at exceptions.c:236
#6  0x00005555557f16e2 in captured_main (data=0x7fffffffea10) at main.c:1149
#7  0x00005555557f170b in gdb_main (args=0x7fffffffea10) at main.c:1159
#8  0x00005555555f2daa in main (argc=2, argv=0x7fffffffeb18) at gdb.c:32
(gdb) frame 6
#6  0x00005555557f16e2 in captured_main (data=0x7fffffffea10) at main.c:1149
1149              catch_errors (captured_command_loop, 0, "", RETURN_MASK_ALL);
(gdb) info locals
context = 0x7fffffffea10
argc = 2
argv = 0x7fffffffeb18
quiet = 0
set_args = 0
inhibit_home_gdbinit = 0
symarg = 0x7fffffffed8e "/home/efuller/gnu/bin/gdb"
execarg = 0x7fffffffed8e "/home/efuller/gnu/bin/gdb"
pidarg = 0x0
corearg = 0x0
pid_or_core_arg = 0x0
cdarg = 0x0
ttyarg = 0x0
print_help = 0
print_version = 0
print_configuration = 0
cmdarg_vec = 0x0
cmdarg_p = 0x0
dirarg = 0x555555fdeb80
dirsize = 1
ndir = 0
system_gdbinit = 0x0
home_gdbinit = 0x555556174960 "/home/efuller/.gdbinit"
local_gdbinit = 0x0
i = 0
save_auto_load = 1
objfile = 0x0
pre_stat_chain = 0x555555b2c000 <sentinel_cleanup>
(gdb)

下一个摘录显示gdb导入python代码,并基于局部变量的值执行两次搜索。第一次搜索显示出现该值的多个地址(其中symargexecarg的值)。 findbytes方法需要一个bytes对象,而不是str对象。第二个搜索仅显示一个地址,其中包含第一个搜索的第一个匹配项的地址,该地址恰好在符号表中有一个名称。

(gdb) pi
>>> from structer import memmap, elf
>>> core = elf.Elf(memmap('core.17856'))
>>> from pprint import pprint
>>> 
(gdb) python pprint(tuple(hex(a) for a in core.findbytes(b"/home/efuller/gnu/bin/gdb")))
('0x555555fdef30',
 '0x55555606fce0',
 '0x55555614ff72',
 '0x5555562496a0',
 '0x55555624b915',
 '0x55555625f250',
 '0x5555562c6c4b',
 '0x55555689f2b5',
 '0x7ffff5f2d490',
 '0x7fffffffed74',
 '0x7fffffffed8e',
 '0x7fffffffedf0',
 '0x7fffffffefde')
(gdb) python pprint(tuple(hex(a) for a in core.findwords(0x555555fdef30)))
('0x555555faea38',)
(gdb) x/a 0x555555faea38
0x555555faea38 <_ZL16gdb_program_name>:     0x555555fdef30
(gdb)

下一个摘录显示了搜索的其他变化。搜索第一个搜索模式的dirname会显示多个匹配项,其中包括来自第一次搜索的所有匹配项。随后的搜索通过要求使用空终止符来过滤掉常见匹配,然后进行后续搜索以过滤不以空终止符开头的匹配。前两个搜索报告的结果相同,尽管地址相差一个,因为搜索需要在前导空点处输入前导空点。 

(gdb) python pprint(tuple(hex(a) for a in core.findbytes(b"/home/efuller/gnu/bin")))
('0x555555b4f701',
 '0x555555bd33f0',
 '0x555555fdef30',
 '0x55555606fce0',
 '0x55555614ff72',
 '0x5555562496a0',
 '0x55555624b915',
 '0x55555625f250',
 '0x5555562c6c4b',
 '0x55555689f2b5',
 '0x7ffff5f2d490',
 '0x7fffffffed74',
 '0x7fffffffed8e',
 '0x7fffffffedf0',
 '0x7fffffffefde')
(gdb) python pprint(tuple(hex(a) for a in core.findbytes(b"/home/efuller/gnu/bin\x00")))
('0x555555b4f701', '0x555555bd33f0')
(gdb) python pprint(tuple(hex(a) for a in core.findbytes(b"\x00/home/efuller/gnu/bin\x00")))
('0x555555b4f700', '0x555555bd33ef')
(gdb)

最后的摘录将匹配结果与第一次搜索分为两种情况,即前导空值和前导空值。后者使用最通用的搜索类型(findbytesfindwords都依赖的搜索类型),以便可以在搜索模式的固定部分之前包含非空字符。

(gdb) python pprint(tuple(hex(a) for a in core.findbytes(b"\x00/home/efuller/gnu/bin/gdb")))
('0x555555fdef2f',
 '0x55555606fcdf',
 '0x55555624969f',
 '0x55555625f24f',
 '0x7fffffffed73',
 '0x7fffffffed8d',
 '0x7fffffffefdd')
(gdb) python import re
(gdb) python pprint(tuple(hex(a) for a in core.find(re.compile(rb"\x00[^\x00]+/home/efuller/gnu/bin/gdb"))))
('0x55555614ff6f',
 '0x55555624b8ff',
 '0x5555562c6c37',
 '0x55555689f297',
 '0x7ffff5f2d487',
 '0x7fffffffeded')
(gdb) x/s 0x55555614ff6f + 1
0x55555614ff70:     "_=/home/efuller/gnu/bin/gdb"
(gdb)

最后一条命令中的+ 1会跳过该搜索命中的前导null,尽管也可以将其合并到搜索代码中,如下所示。

(gdb) python pprint(tuple(hex(a+1) for a in core.find(re.compile(rb"\x00[^\x00]+/home/efuller/gnu/bin/gdb"))))
('0x55555614ff70',
 '0x55555624b900',
 '0x5555562c6c38',
 '0x55555689f298',
 '0x7ffff5f2d488',
 '0x7fffffffedee')
(gdb)

structer代码不需要gdb;它可以在gdb之外的python解释器中运行。它与python2不兼容,因此在gdb中运行它需要与python3链接的gdb二进制文件。

在核心文件中搜索模式可以报告structer代码中的搜索方法未报告的结果。这有两个原因。 structer代码仅搜索负载段,因此不会找到音符段的内容,该音符段包含与内核中的虚拟地址不对应的各种内容。 structer代码找不到跨多个负载段的结果。报告这样的结果对于两个相邻的带有间隙(段之间的未映射区域)的段是不正确的。该代码可以合并相邻的相邻段,但是无论如何都不会这样做。

相关问题
最新问题