上一节完成了x86平台的简单代码注入,本节将该过程移植到x86_64平台下测试成功。
【测试环境】
CentOS 5.4 (Final)x86_64
Linux version 2.6.18-164.el5. x86_64
GCC version 4.4.2 20080704
【汇编编译环境】
CentOS 7 x86_64
Linux 3.10.0-229.7.2.el7.x86_64
NASM 2.10.07 x86_64
【A程序:counter.c】与先前一致
#include <sys/time.h>
#include <stdio.h>
long long timeum(){
struct timeval tim;
gettimeofday (&tim , NULL);
return (long long)tim.tv_sec*1000000+tim.tv_usec;
}
int main()
{
int i;
long long start,tmp;
start = timeum();
for(i = 0; i < 60; ++i){
printf("My Counter: %d\n", i);
sleep(1);
tmp = timeum();
printf("Time Interval: %lld\n",tmp-start);
start = tmp;
}
return 0;
}gcc -o counter counter.c
【C程序:hello64.asm】详细解释
global _start
_start:
jmp short string
code:
pop rsi
mov rax,1
mov rdi,1
mov rdx,13
syscall
int3
string:
call code
db 'Hello world!',0x0a编译hello64.asm:
nasm -f elf64 hello64.asm -o hello64.o
ld -s -o hello64 hello64.o命令提取Shellcode:
for i in $(objdump -d hello64 |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo\xeb\x13\x5e\xb8\x01\x00\x00\x00\xbf\x01\x00\x00\x00\xba\x0d\x00\x00\x00\x0f\x05\xcc\xe8\xe8\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x21\x0a【B程序:injecthello64.c】
相比于x86平台B程序,x86_64平台下的B程序进行了如下修改:
一是头文件由 sys/user.h 改成 linux/user.h;
二是getdata/putdata函数中涉及地址的位置由 *4 改成 *8;
三是user_regs_struct结构体的指令寄存器由 eip 改成 rip;
四是shellcode修改适用于x86_64平台。
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/user.h>
#include <stdio.h>
#include <string.h>
const int long_size = sizeof(long);
void getdata(pid_t child, long addr, char *str, int len)
{
char *laddr;
int i,j;
union u{
long val;
char chars[long_size];
}data;
i = 0;
j = len / long_size;
laddr = str;
while(i < j){
data.val = ptrace(PTRACE_PEEKDATA, child, addr + i*8, NULL);
memcpy(laddr, data.chars, long_size);
++i;
laddr += long_size;
}
j = len % long_size;
if(j != 0){
data.val = ptrace(PTRACE_PEEKDATA, child, addr + i*8, NULL);
memcpy(laddr, data.chars, j);
}
str[len] = ' ';
}
void putdata(pid_t child, long addr, char *str, int len)
{
char *laddr;
int i,j;
union u{
long val;
char chars[long_size];
}data;
long rst;
i = 0;
j = len / long_size;
laddr = str;
while(i < j){
memcpy(data.chars, laddr, long_size);
rst = ptrace(PTRACE_POKEDATA, child, addr + i*8, data.val);
if (rst < 0) {
printf("Putdata Failed! \n");
return;
}
++i;
laddr += long_size;
}
j = len % long_size;
if(j != 0){
memcpy(data.chars, laddr, j);
rst = ptrace(PTRACE_POKEDATA, child, addr + i*8, data.val);
if (rst < 0) {
printf("Putdata Failed! \n");
return;
}
}
}
int main(int argc, char *argv[])
{
pid_t traced_process;
struct user_regs_struct regs;
int len = 39;
/* hello world */
char code[] =
"\xeb\x13\x5e\xb8\x01\x00\x00\x00"
"\xbf\x01\x00\x00\x00\xba\x0d\x00"
"\x00\x00\x0f\x05\xcc\xe8\xe8\xff"
"\xff\xff\x48\x65\x6c\x6c\x6f\x20"
"\x77\x6f\x72\x6c\x64\x21\x0a";
char backup[len+1];
if(argc != 2) {
printf("PID?\n");
return 1;
}
traced_process = atoi(argv[1]);
ptrace(PTRACE_ATTACH, traced_process, NULL, NULL);
int pid = wait(NULL);
printf("Attach Pid: %d\n",pid);
ptrace(PTRACE_GETREGS, traced_process, NULL, ®s);
/* Copy instructions into a backup variable */
getdata(traced_process, regs.rip, backup, len);
/* Put the shellcode & int3 */
putdata(traced_process, regs.rip, code, len);
/* Let the process continue and execute the int3 instruction */
ptrace(PTRACE_CONT, traced_process, NULL, NULL);
wait(NULL);
putdata(traced_process, regs.rip, backup, len);
/* Setting the rip back to the original instruction to let the process continue */
ptrace(PTRACE_SETREGS, traced_process, NULL, ®s);
ptrace(PTRACE_DETACH, traced_process, NULL, NULL);
return 0;
}
gcc -o injecthello64 injecthello64.c
【执行】
1. run counter
./counter
2. find pid of counter
ps aux | grep counter
3. run injecthello64(root)
./injecthello64 %pid%
【结果】
A进程部分输出如下,输出helloworld证明B进程代码注入成功。
My Counter: 0
1001261
My Counter: 1
1000606
My Counter: 2
1001603
My Counter: 3
1001570
My Counter: 4
1000590
My Counter: 5
Hello world!
1001774
My Counter: 6
1000391
My Counter: 7
Hello world!
1001757
…
【参考】
http://theantway.com/2013/01/notes-for-playing-with-ptrace-on-64-bits-ubuntu-12-10/
http://www.cnblogs.com/wangkangluo1/archive/2012/06/05/2535484.html