How to call vm on Linux: how do I invoke the Linux system call PROCESS_VM_READV from Python?

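It may be too late here, but I was able to read from process_vm_readv.

We need to pass a valid, readable remote address. For testing purposes, I compiled a simple Hello World and used gdb to read a valid address, replicating the example from the man page.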

(gdb) break main
Breakpoint 1 at 0x5a9: file hello.c, line 4.
(gdb) run
Starting program: /user/Desktop/hello
=> 0x800005a9 : sub esp,0xc
0x800005ac : lea edx,[eax-0x19b0]
0x800005b2 : push edx
0x800005b3 : mov ebx,eax
0x800005b5 : call 0x800003f0
0x800005ba : add esp,0x10
0x800005bd : nop
0x800005be : lea esp,[ebp-0x8]
0x800005c1 : pop ecx
0x800005c2 : pop ebx
(gdb) x/20b 0x800005a9
0x800005a9 : 0x83 0xec 0x0c 0x8d 0x90 0x50 0xe6 0xff
0x800005b1 : 0xff 0x52 0x89 0xc3 0xe8 0x36 0xfe 0xff
0x800005b9 : 0xff 0x83 0xc4 0x10

Below is the Python code to get the same result:

from ctypes import *
import os

class iovec(Structure):
    _fields_ = [("iov_base", c_void_p), ("iov_len", c_size_t)]

local = (iovec*2)()      # create local iovec array
remote = (iovec*1)()[0]  # create remote iovec
buf1 = (c_char*10)()
buf2 = (c_char*10)()
pid = 25117              # PID of the hello process stopped in gdb

# scatter the 20 remote bytes across two 10-byte local buffers
local[0].iov_base = cast(byref(buf1), c_void_p)
local[0].iov_len = 10
local[1].iov_base = cast(byref(buf2), c_void_p)
local[1].iov_len = 10
remote.iov_base = c_void_p(0x800005a9)  # pass valid readable address
remote.iov_len = 20

libc = CDLL("libc.so.6", use_errno=True)
vm = libc.process_vm_readv
vm.argtypes = [c_int, POINTER(iovec), c_ulong, POINTER(iovec), c_ulong, c_ulong]
vm.restype = c_ssize_t  # the call returns ssize_t; ctypes would default to int

nread = vm(pid, local, 2, remote, 1, 0)
if nread != -1:
    out = "[+] "
    print("[+] received %s bytes" % (nread))
    for i in buf1: out += hex(ord(i)) + " "
    for i in buf2: out += hex(ord(i)) + " "
    print(out)
else:
    # -1 means failure; errno says why (e.g. EPERM, ESRCH, EFAULT)
    print("[-] process_vm_readv failed: %s" % os.strerror(get_errno()))

Output

[email protected]:~/Desktop# python process_vm_readv.py
[+] received 20 bytes
[+] 0x83 0xec 0xc 0x8d 0x90 0x50 0xe6 0xff 0xff 0x52 0x89 0xc3 0xe8 0x36 0xfe 0xff 0xff 0x83 0xc4 0x10
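The answer above obtains a valid readable address by hand in gdb. As an added example (not part of the original answer), the sketch below checks the target range against /proc/<pid>/maps before calling process_vm_readv and reports errno on failure. The helper names readable_ranges, is_readable and read_remote are hypothetical, and CDLL(None) is used here instead of "libc.so.6" as an assumption that the symbol is already loaded in the interpreter.

```python
import ctypes
import os

class iovec(ctypes.Structure):
    _fields_ = [("iov_base", ctypes.c_void_p), ("iov_len", ctypes.c_size_t)]

def readable_ranges(maps_text):
    """Parse /proc/<pid>/maps text into (start, end) pairs that have the r bit."""
    ranges = []
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("r"):
            start, end = (int(x, 16) for x in fields[0].split("-"))
            ranges.append((start, end))
    return ranges

def is_readable(ranges, addr, size):
    """True if [addr, addr+size) lies inside a single readable mapping."""
    return any(s <= addr and addr + size <= e for s, e in ranges)

def read_remote(pid, addr, size):
    """Return up to `size` bytes at `addr` in process `pid`; raise on failure."""
    with open("/proc/%d/maps" % pid) as f:
        ranges = readable_ranges(f.read())
    if not is_readable(ranges, addr, size):
        raise ValueError("0x%x+%d is not in a readable mapping" % (addr, size))
    # Assumption: process_vm_readv is exported by the already-loaded libc.
    libc = ctypes.CDLL(None, use_errno=True)
    fn = libc.process_vm_readv
    fn.restype = ctypes.c_ssize_t  # ssize_t, not the ctypes default of int
    fn.argtypes = [ctypes.c_int, ctypes.POINTER(iovec), ctypes.c_ulong,
                   ctypes.POINTER(iovec), ctypes.c_ulong, ctypes.c_ulong]
    buf = ctypes.create_string_buffer(size)
    local = iovec(ctypes.addressof(buf), size)
    remote = iovec(addr, size)
    n = fn(pid, ctypes.byref(local), 1, ctypes.byref(remote), 1, 0)
    if n < 0:
        # EPERM: ptrace access check denied the read; ESRCH: no such process
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return buf.raw[:n]  # a partial read returns fewer bytes than requested
```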
