[Ptrace]Linux内存替换(五)x86_64平台代码注入


上一节完成了x86平台的简单代码注入,本节将该过程移植到x86_64平台下测试成功。

【测试环境】
CentOS 5.4 (Final)x86_64
Linux version 2.6.18-164.el5. x86_64
GCC version 4.4.2 20080704

【汇编编译环境】
CentOS 7 x86_64
Linux 3.10.0-229.7.2.el7.x86_64
NASM 2.10.07 x86_64

【A程序:counter.c】与先前一致

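#include <sys/time.h>
#include <stdio.h>
#include <unistd.h>   /* sleep(): the original called it with no prototype */

/*
 * Current wall-clock time in microseconds, taken from gettimeofday().
 * The return value of gettimeofday() is not checked; on failure `tim` is
 * left uninitialised, which is the same behaviour as the original.
 */
long long timeum(void)
{
    struct timeval tim;
    gettimeofday(&tim, NULL);
    return (long long)tim.tv_sec * 1000000 + tim.tv_usec;
}

/*
 * Target process for the injection demo: prints a counter once a second
 * for 60 iterations together with the measured interval since the last
 * print, so any extra output (or a stall) caused by a tracer is visible.
 */
int main(void)
{
    int i;
    long long start, tmp;

    start = timeum();
    for (i = 0; i < 60; ++i) {
        printf("My Counter: %d\n", i);
        sleep(1);
        tmp = timeum();
        printf("Time Interval: %lld\n", tmp - start);
        start = tmp;
    }
    return 0;
}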

gcc -o counter counter.c

【C程序:hello64.asm】详细解释

; hello64.asm - position-independent "Hello world!" stub for x86_64 that
; ends in int3. The jmp / call / pop sequence loads the address of `string`
; into rsi without any absolute address, which is why the assembled bytes
; can be copied to an arbitrary location (see injecthello64.c on this page).
global _start
_start:
    jmp short string        ; skip forward over `code` to the call below
code:
    pop rsi                 ; rsi = return address pushed by `call code` = start of the string
    mov rax,1               ; syscall number 1 (write) on x86_64
    mov rdi,1               ; fd 1 = stdout
    mov rdx,13              ; 13 bytes: 'Hello world!' plus the newline
    syscall
    int3                    ; breakpoint trap: stops the tracee so the tracer's wait() returns
string:
    call code               ; pushes the address of the bytes that follow, then enters `code`
    db 'Hello world!',0x0a

编译hello64.asm:

nasm -f elf64 hello64.asm -o hello64.o
ld -s -o hello64 hello64.o

命令提取Shellcode:

for i in $(objdump -d hello64 |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
\xeb\x13\x5e\xb8\x01\x00\x00\x00\xbf\x01\x00\x00\x00\xba\x0d\x00\x00\x00\x0f\x05\xcc\xe8\xe8\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x21\x0a

【B程序:injecthello64.c】
相比于x86平台B程序,x86_64平台下的B程序进行了如下修改:
一是头文件由 sys/user.h 改成 linux/user.h;
二是getdata/putdata函数中涉及地址的位置由 *4 改成 *8;
三是user_regs_struct结构体的指令寄存器由 eip 改成 rip;
四是shellcode修改适用于x86_64平台。

/*
 * injecthello64.c - x86_64 port of the ptrace "inject hello" demo.
 *
 * Flow (see main): attach to the PID given on the command line, save the
 * registers and the `len` bytes of code at rip, overwrite them with the
 * shellcode (which ends in int3), let the tracee run until the int3 stops
 * it, then restore the original bytes and registers and detach.
 *
 * NOTE(review): PTRACE_ATTACH to an unrelated PID followed by PTRACE_POKEDATA
 * into its text is the textbook Linux process-injection pattern, and the page
 * runs it as root. On the defensive side, who may attach is governed by the
 * Yama kernel.yama.ptrace_scope sysctl, and the ptrace syscall itself can be
 * audited; unexpected output appearing in another process, as in the 【结果】
 * section, is the visible symptom.
 */
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/user.h>   /* page: deliberately changed from sys/user.h for this CentOS 5 toolchain;
                             current glibc provides struct user_regs_struct via <sys/user.h> */
#include <stdio.h>
#include <string.h>
/*
 * Word size used for every PEEK/POKE. This is a const variable, not a
 * constant expression, so `chars[long_size]` in the unions below is a
 * variably-modified member - GCC accepts that as an extension, stricter
 * compilers reject it.
 */
const int long_size = sizeof(long);
/*
 * Read `len` bytes of the tracee's memory starting at `addr` into `str`,
 * one word at a time with PTRACE_PEEKDATA.
 *
 * child : pid of the already attached and stopped tracee
 * addr  : address in the tracee; advanced by a hard-coded 8 per word
 * str   : caller buffer, must hold len + 1 bytes (see the final store)
 * len   : number of bytes to read
 *
 * No error handling: PTRACE_PEEKDATA returns the word itself, so a failure
 * (-1 with errno set) cannot be told apart from data without checking errno.
 */
void getdata(pid_t child, long addr, char *str, int len)
{
    char *laddr;
    int i,j;
    union u{
        long val;
        char chars[long_size];
    }data;
    i = 0;
    j = len / long_size;          /* number of whole words */
    laddr = str;
    while(i < j){
        /* `8` is the x86_64 word size (the x86 original used 4, see the
           page's change list); it only agrees with long_size on LP64. */
        data.val = ptrace(PTRACE_PEEKDATA, child, addr + i*8, NULL);
        memcpy(laddr, data.chars, long_size);
        ++i;
        laddr += long_size;
    }
    j = len % long_size;          /* trailing partial word */
    if(j != 0){
        data.val = ptrace(PTRACE_PEEKDATA, child, addr + i*8, NULL);
        memcpy(laddr, data.chars, j);
    }
    /* NOTE(review): terminates with a space, not '\0'; the caller sizes
       backup[len+1] as if a NUL terminator were intended - confirm. The
       byte is never written back to the tracee, so it only matters if
       `str` is later treated as a C string. */
    str[len] = ' ';
}
/*
 * Write `len` bytes from `str` into the tracee at `addr`, one word at a
 * time with PTRACE_POKEDATA. Prints a message and returns on the first
 * failed poke (rst < 0); words already written are not rolled back.
 *
 * NOTE(review): the tail write copies only `j` bytes into data.chars, so
 * the other long_size - j bytes of the poked word are whatever the previous
 * iteration left in `data` (uninitialised if the loop never ran). The poke
 * therefore overwrites bytes past `len` in the tracee with stale data, and
 * the restore at the end of main may leave a byte just past the patched
 * region corrupted.
 */
void putdata(pid_t child, long addr, char *str, int len)
{
    char *laddr;
    int i,j;
    union u{
        long val;
        char chars[long_size];
    }data;
    long rst;
    i = 0;
    j = len / long_size;          /* number of whole words */
    laddr = str;
    while(i < j){
        memcpy(data.chars, laddr, long_size);
        rst = ptrace(PTRACE_POKEDATA, child, addr + i*8, data.val);
        if (rst < 0) {
            printf("Putdata Failed! \n");
            return;
        }
        ++i;
        laddr += long_size;
    }
    j = len % long_size;          /* trailing partial word, see NOTE above */
    if(j != 0){
        memcpy(data.chars, laddr, j);
        rst = ptrace(PTRACE_POKEDATA, child, addr + i*8, data.val);
        if (rst < 0) {
            printf("Putdata Failed! \n");
            return;
        }
    }
}
/*
 * Entry point: `injecthello64 <pid>`. Returns 1 on a missing argument,
 * otherwise 0 regardless of whether any ptrace call succeeded - none of
 * the ptrace return values below are checked, so a refused attach silently
 * continues into GETREGS on a process that was never stopped.
 */
int main(int argc, char *argv[])
{
    pid_t traced_process;
    struct user_regs_struct regs;
    int len = 39;                 /* byte length of code[]; matches the objdump dump on the page */
    /* hello world: the bytes of hello64.asm, write(1, msg, 13) followed by int3 */
    char code[] =
        "\xeb\x13\x5e\xb8\x01\x00\x00\x00"
        "\xbf\x01\x00\x00\x00\xba\x0d\x00"
        "\x00\x00\x0f\x05\xcc\xe8\xe8\xff"
        "\xff\xff\x48\x65\x6c\x6c\x6f\x20"
        "\x77\x6f\x72\x6c\x64\x21\x0a";
    char backup[len+1];           /* +1 for the terminator getdata stores */
    if(argc != 2) {
        printf("PID?\n");
        return 1;
    }
    /* atoi is used without <stdlib.h> (implicit declaration) and the
       argument is not validated; a non-numeric PID becomes 0. */
    traced_process = atoi(argv[1]);
    ptrace(PTRACE_ATTACH, traced_process, NULL, NULL);
    /* wait() returns once the tracee has stopped after the attach; the pid
       is only printed, never compared with traced_process or checked for -1. */
    int pid = wait(NULL);
    printf("Attach Pid: %d\n",pid);
    /* Snapshot of the registers taken before anything is modified; the same
       struct is written back unchanged with PTRACE_SETREGS below. */
    ptrace(PTRACE_GETREGS, traced_process, NULL, &regs);
    /* Copy instructions into a backup variable (rip replaces the x86 eip) */
    getdata(traced_process, regs.rip, backup, len);
    /* Put the shellcode & int3 */
    putdata(traced_process, regs.rip, code, len);
    /* Let the process continue and execute the int3 instruction; the
       resulting stop is what the following wait() returns on. */
    ptrace(PTRACE_CONT, traced_process, NULL, NULL);
    wait(NULL);
    /* Restore the original bytes (subject to the tail-word NOTE on putdata). */
    putdata(traced_process, regs.rip, backup, len);
    /* Setting the rip back to the original instruction to let the process
       continue */
    ptrace(PTRACE_SETREGS, traced_process, NULL, &regs);
    ptrace(PTRACE_DETACH, traced_process, NULL, NULL);
    return 0;
}

gcc -o injecthello64 injecthello64.c

【执行】
1. run counter
./counter
2. find pid of counter
ps aux | grep counter
3. run injecthello64(root)
./injecthello64 %pid%

【结果】
A进程部分输出如下,输出helloworld证明B进程代码注入成功。
My Counter: 0
1001261
My Counter: 1
1000606
My Counter: 2
1001603
My Counter: 3
1001570
My Counter: 4
1000590
My Counter: 5
Hello world!
1001774
My Counter: 6
1000391
My Counter: 7
Hello world!
1001757

【参考】
http://theantway.com/2013/01/notes-for-playing-with-ptrace-on-64-bits-ubuntu-12-10/
http://www.cnblogs.com/wangkangluo1/archive/2012/06/05/2535484.html
