
메모리릭 일어날 때 심볼 위치 알아내는 라이브러리

진모씨 2014. 11. 24. 01:24

던진다!


사용법:

elf = elfleak(leak=(주소, 길이)를 받아 해당 주소의 메모리를 길이만큼 읽어 str 형식으로 리턴해주는 함수)


import struct


def p4(x):
    """Pack ``x`` as a 4-byte big-endian unsigned integer."""
    return struct.pack(">L", x)


def u4(x):
    """Unpack the first 4 bytes of ``x`` as a big-endian unsigned integer."""
    return struct.unpack(">L", x)[0]


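class elfleak:
    """Resolve ELF symbol addresses through an arbitrary-read ("leak") primitive.

    Every access to the target goes through ``self.leak(addr, size)``, which
    must return the ``size`` bytes found at ``addr`` as a byte string.  The
    layout assumed throughout is a 32-bit ELF with big-endian fields
    (``">L"`` decoding, e_phoff at header offset 28, 32-byte program headers,
    8-byte dynamic entries, 16-byte symbol entries).

    Fixes relative to the first version: the default ``leak`` had the wrong
    arity, ``sections`` was a class-level dict shared by every instance,
    ``get_str_symtab`` returned ``(0, 0)`` on a second call, ``get_symbol``
    matched on a name prefix (``"puts"`` also matched ``"putsx"``), and two
    of the scans could never terminate.
    """

    # ELF constants used by the scans below.
    ELF_MAGIC = b'\x7fELF'
    PAGE_MASK = 0xfffff000
    PT_DYNAMIC = 2
    DT_NULL = 0
    DT_STRTAB = 5
    DT_SYMTAB = 6

    elf_got_dynamic = False   # True once get_dynamic() has located PT_DYNAMIC
    elf_dynamic = -1          # cached p_vaddr of the PT_DYNAMIC segment
    base = -1                 # image base recorded by get_elf()
    sections = {}             # class-level default; __init__ gives each instance its own

    def leak(self, addr, size):
        """Placeholder read primitive; replaced per instance by ``leak=`` in __init__.

        Raises:
            NotImplementedError: always, no primitive was configured.
        """
        raise NotImplementedError("elfleak needs a leak(addr, size) callable")

    def __init__(self, *args, **kwargs):
        """Take the read primitive from ``leak=``; other arguments are ignored.

        Args:
            leak: callable ``(addr, size) -> bytes`` (keyword only, optional).
        """
        print(kwargs)
        # A fresh dict per instance: the class attribute would otherwise be
        # mutated by get_str_symtab() and shared by every elfleak object.
        self.sections = {}
        if 'leak' in kwargs:
            self.leak = kwargs['leak']

    def _read_u32(self, addr):
        """Leak 4 bytes at ``addr`` and decode them as a big-endian uint32."""
        return struct.unpack(">L", self.leak(addr, 4))[0]

    def get_elf(self, start):
        """Walk downward page by page from ``start`` until an ELF header is found.

        Args:
            start: any address inside the mapped image.

        Returns:
            The page-aligned address of the ELF header; also stored in ``self.base``.

        Raises:
            ValueError: the scan reached address 0 without finding the magic.
        """
        page = start & self.PAGE_MASK
        # Check the full 4-byte magic (the old check skipped the leading 0x7f).
        while self.leak(page, 4) != self.ELF_MAGIC:
            page -= 0x1000
            if page < 0:
                raise ValueError("no ELF header found below 0x%x" % start)
        self.base = page
        return page

    def get_prog_headers(self, base):
        """Return ``e_phoff`` (Elf32_Ehdr offset 28) read from the header at ``base``."""
        return self._read_u32(base + 28)

    def get_dynamic(self, prog):
        """Return the virtual address of the PT_DYNAMIC segment.

        Args:
            prog: address of the program header table (base + e_phoff).

        Returns:
            ``p_vaddr`` of the first PT_DYNAMIC entry; cached on the instance,
            so later calls do not touch the target again.
        """
        if self.elf_got_dynamic:
            return self.elf_dynamic
        i = 0
        # 32-byte Elf32_Phdr entries; p_type is the first field.  As before,
        # e_phnum is not consulted, so the table is scanned without a bound.
        while self._read_u32(prog + i) != self.PT_DYNAMIC:
            i += 32
        self.elf_got_dynamic = True
        self.elf_dynamic = self._read_u32(prog + i + 8)  # p_vaddr
        print(hex(i))
        return self.elf_dynamic

    def get_str_symtab(self, dynamic):
        """Find DT_STRTAB and DT_SYMTAB in the dynamic section at ``dynamic``.

        Every ``(d_tag, d_val)`` pair read is recorded in ``self.sections``,
        and the answer is served from there once both tags are known.

        Returns:
            ``(strtab, symtab)`` addresses.

        Raises:
            ValueError: DT_NULL ended the section before both tags were seen.
        """
        i = 0
        while self.DT_STRTAB not in self.sections or self.DT_SYMTAB not in self.sections:
            tag = self._read_u32(dynamic + i)
            value = self._read_u32(dynamic + i + 4)
            self.sections[tag] = value
            print("%s %s" % (hex(tag), hex(value)))
            # DT_NULL terminates the section; reading past it is garbage.
            if tag == self.DT_NULL:
                raise ValueError("dynamic section at 0x%x has no DT_STRTAB/DT_SYMTAB" % dynamic)
            i += 8  # sizeof(Elf32_Dyn)
        return (self.sections[self.DT_STRTAB], self.sections[self.DT_SYMTAB])

    def get_symbol(self, symbol, strtab, symtab, max_entries=None):
        """Return ``st_value`` of the symbol named ``symbol``.

        Args:
            symbol: symbol name, ``str`` or ``bytes``.
            strtab: address of the dynamic string table.
            symtab: address of the dynamic symbol table.
            max_entries: upper bound on Elf32_Sym entries to scan; ``None``
                keeps the original unbounded walk.

        Returns:
            The entry's ``st_value``.

        Raises:
            LookupError: ``max_entries`` entries were scanned without a match.
        """
        if not isinstance(symbol, bytes):
            symbol = symbol.encode()
        # Compare including the terminating NUL so a prefix ("puts" vs
        # "putsx") is not accepted as a match.
        wanted = symbol + b'\x00'
        want_len = len(wanted)
        i = 0
        seen = 0
        while max_entries is None or seen < max_entries:
            name_off = self._read_u32(symtab + i)  # st_name
            if self.leak(strtab + name_off, want_len) == wanted:
                return self._read_u32(symtab + i + 4)  # st_value
            i += 16  # sizeof(Elf32_Sym)
            seen += 1
        raise LookupError("symbol %r not found within %d entries" % (symbol, max_entries))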


def _ida_leak(addr, size):
    """Read ``size`` bytes at ``addr`` through IDA's Byte(), one byte at a time."""
    return bytes(bytearray(Byte(addr + k) for k in range(size)))


m = elfleak(leak=_ida_leak)
# Note: the image base is hard-coded as 0x400000 here rather than taken from
# the value get_elf() returns.
print(m.get_str_symtab(m.get_dynamic(0x400000 + m.get_prog_headers(m.get_elf(here())))))