我正在尝试获取我正在远程调试的进程的内存映射(peda 拉取请求链接),该过程使用 qemu-user 运行,例如:
qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./ch47
调试是用gdb完成的,命令:
$ gdb-multiarch --nx -q ch47
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
warning: remote target does not support file transfer, attempting to access files from local filesystem.
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
(gdb) info inferiors
Num Description Executable
* 1 Remote target /home/redouane/infosec/arm_uaf/ch47
(gdb) remote get /proc/self/maps /tmp/map
Remote I/O error: Fonction non implantée
正如我所见,调试的进程没有 PID(它在 qemu-arm 的地址空间中运行,而不是单独的进程)。
我想知道,扩展怎么样密码数据库远程调试时检索内存映射,并且目标不支持文件传输?
pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x10000 0x13000 r-xp 3000 0 /home/redouane/infosec/arm_uaf/ch47
0x13000 0x22000 ---p f000 2000 /home/redouane/infosec/arm_uaf/ch47
0x22000 0x23000 r--p 1000 2000 /home/redouane/infosec/arm_uaf/ch47
0x23000 0x24000 rw-p 1000 3000 /home/redouane/infosec/arm_uaf/ch47
0xff7c5000 0xff7dd000 r-xp 18000 0 [linker]
0xff7dd000 0xff7ed000 ---p 10000 18000 [linker]
0xff7ed000 0xff7ee000 r--p 1000 18000 [linker]
0xff7ee000 0xff7ef000 rw-p 1000 19000 [linker]
0xfffee000 0xffff0000 rw-p 2000 0 [stack]
答案1
如果您不是像我以前那样寻找整个内存映射,而只是寻找 libc 的基址,则可以使用-strace
QEMU 选项,然后读取结果。
这是 qemu-mips 的示例:
$ qemu-mips -noaslr -nx -strace ./test
...
25631 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
25631 read(3,0x7ffff4ac,512) = 512
25631 prctl(46,13,2147480748,512,1928908800,0) = -1 errno=22 (Invalid argument)
25631 _llseek(3,0,520,0x7ffff250,SEEK_SET) = 0
25631 read(3,0x7ffff280,36) = 36
25631 _llseek(3,0,828,0x7ffff228,SEEK_SET) = 0
25631 read(3,0x7ffff258,32) = 32
25631 fstat64(3,0x7ffff360) = 0
25631 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f655000
...
在这里,您可以看到成功定位并加载 libc 后的基地址为0x7f655000
。
对于更完整的内存映射,您可以使用该-mmap
选项,但它不会显示内存映射的用途。例如,对于同一张地图:
mmap: start=0x00000000 len=0x00190030 prot=r-x flags=MAP_PRIVATE fd=3 offset=00000000
ret=0x7f655000
start end size prot
00400000-00401000 00001000 r-x
00410000-00412000 00002000 rw-
6ae9c000-6aec0000 00024000 r-x
6aec0000-6aecf000 0000f000 ---
6aecf000-6aed1000 00002000 rw-
7f655000-7f7e6000 00191000 r-x
7f7e6000-7f7fd000 00017000 r--
7f7fd000-7f7ff000 00002000 rw-
7f7ff000-7f800000 00001000 ---
7f800000-00000000 80800000 rw-
在这里您看到提供给的文件描述符mmap2 ()
是3
,但您不知道它是什么文件。