Qemu-user :远程调试时获取内存映射

tag-icon tag-icon qemu debugging gdb procfs
Qemu-user :远程调试时获取内存映射

我正在尝试获取我正在远程调试的进程的内存映射(peda 拉取请求链接),该过程使用 qemu-user 运行,例如:

qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./ch47

调试是用gdb完成的,命令:

$ gdb-multiarch --nx -q ch47

(gdb) target remote localhost:1234

Remote debugging using localhost:1234
warning: remote target does not support file transfer, attempting to access files from local filesystem.
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.

(gdb) info inferiors 
  Num  Description       Executable        
* 1    Remote target     /home/redouane/infosec/arm_uaf/ch47 

(gdb) remote get /proc/self/maps /tmp/map
Remote I/O error: Fonction non implantée

正如我所见,调试的进程没有 PID(它在 qemu-arm 的地址空间中运行,而不是单独的进程)。

我想知道,扩展怎么样密码数据库远程调试时检索内存映射,并且目标不支持文件传输?

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
   0x10000    0x13000 r-xp     3000 0      /home/redouane/infosec/arm_uaf/ch47
   0x13000    0x22000 ---p     f000 2000   /home/redouane/infosec/arm_uaf/ch47
   0x22000    0x23000 r--p     1000 2000   /home/redouane/infosec/arm_uaf/ch47
   0x23000    0x24000 rw-p     1000 3000   /home/redouane/infosec/arm_uaf/ch47
0xff7c5000 0xff7dd000 r-xp    18000 0      [linker]
0xff7dd000 0xff7ed000 ---p    10000 18000  [linker]
0xff7ed000 0xff7ee000 r--p     1000 18000  [linker]
0xff7ee000 0xff7ef000 rw-p     1000 19000  [linker]
0xfffee000 0xffff0000 rw-p     2000 0      [stack]

答案1

如果您不是像我以前那样寻找整个内存映射,而只是寻找 libc 的基址,则可以使用-straceQEMU 选项,然后读取结果。

这是 qemu-mips 的示例:

$ qemu-mips -noaslr -nx -strace ./test
...
25631 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
25631 read(3,0x7ffff4ac,512) = 512
25631 prctl(46,13,2147480748,512,1928908800,0) = -1 errno=22 (Invalid argument)
25631 _llseek(3,0,520,0x7ffff250,SEEK_SET) = 0
25631 read(3,0x7ffff280,36) = 36
25631 _llseek(3,0,828,0x7ffff228,SEEK_SET) = 0
25631 read(3,0x7ffff258,32) = 32
25631 fstat64(3,0x7ffff360) = 0
25631 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f655000
...

在这里,您可以看到成功定位并加载 libc 后的基地址为0x7f655000

对于更完整的内存映射,您可以使用该-mmap选项,但它不会显示内存映射的用途。例如,对于同一张地图:

mmap: start=0x00000000 len=0x00190030 prot=r-x flags=MAP_PRIVATE fd=3 offset=00000000
ret=0x7f655000
start    end      size     prot
00400000-00401000 00001000 r-x
00410000-00412000 00002000 rw-
6ae9c000-6aec0000 00024000 r-x
6aec0000-6aecf000 0000f000 ---
6aecf000-6aed1000 00002000 rw-
7f655000-7f7e6000 00191000 r-x
7f7e6000-7f7fd000 00017000 r--
7f7fd000-7f7ff000 00002000 rw-
7f7ff000-7f800000 00001000 ---
7f800000-00000000 80800000 rw-

在这里您看到提供给的文件描述符mmap2 ()3,但您不知道它是什么文件。

相关内容