Python 没有独立的库可以读取 Linux 下的共享内存，下面使用 ctypes 调用系统 API 读取共享内存的内容。
使用C++创建共享内存
#include
#include
#include
#include
#include
#include
#include
#define MY_SHM_ID 67483
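/*
 * Read one line from stdin into buf.
 *
 * At most 1024 characters are stored and the result is always
 * NUL-terminated, so buf must hold at least 1025 bytes (the caller
 * passes a 4096-byte segment).  The bound is checked *before* each
 * store, and EOF ends the line as well: the original wrote first and
 * checked afterwards, and on a closed stdin it kept storing the EOF
 * value until the limit was reached.  The terminating newline is not
 * copied into buf.
 */
void get_buf(char *buf)
{
    const int limit = 1024;
    int i = 0;
    int c;   /* int, not char, so EOF can be distinguished from a byte */

    while (i < limit && (c = getchar()) != EOF && c != '\n')
    {
        buf[i++] = (char)c;
    }
    buf[i] = '\0';
}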
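/*
 * Create (or open) the demo segment MY_SHM_ID, print its statistics,
 * copy one line from stdin into it and detach.  The segment is left in
 * place on purpose so that a second process (the Python reader below)
 * can attach to it afterwards.
 */
int main( )
{
    printf("page size=%d\n", getpagesize());

    int shmid = 0, ret = 0;
    /* Fixed key + mode 0666: every local user can attach and read or
       overwrite this segment.  Fine for a demo; use a tighter mode for
       anything that carries real data. */
    shmid = shmget(MY_SHM_ID, 4096, 0666 | IPC_CREAT);
    if (shmid == -1)   /* 0 is a valid id; only -1 signals failure */
    {
        perror("shmget");
        exit(1);
    }
    printf("Create a shared memory segment %d\n", shmid);

    struct shmid_ds shmds;
    ret = shmctl(shmid, IPC_STAT, &shmds);
    if (ret == 0)
    {
        /* shm_segsz is a size_t; %d would misprint it on LP64 */
        printf("Size of memory segment is %zu \n", (size_t)shmds.shm_segsz);
        printf("Number of attaches %d \n", (int)shmds.shm_nattch);
    }
    else
    {
        printf("shmctl () call failed \n");
    }

    /* write data to the shared memory */
    char *buf = (char *)shmat(shmid, NULL, 0);
    /* Compare the pointer itself: casting it to int truncates on 64-bit
       and turns a valid address into a false "failure" (or hides one). */
    if (buf == (char *)-1)
    {
        perror("Share memary can't get pointer");
        exit(1);
    }
    get_buf(buf);

    if (shmdt(buf) == -1)
    {
        perror("shmdt");
    }

    /* Removal is intentionally disabled so the reader can still attach.
       To delete the segment instead, re-enable:
       ret = shmctl(shmid, IPC_RMID, 0);
       and report on *that* result -- the original printed "removed"
       based on the stale IPC_STAT return value. */
    return 0;
}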
查看共享内存:
$ipcs
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x0001079b 98305 postmast 666 4096 0
------ Semaphore Arrays --------
key semid owner perms nsems
------ Message Queues --------
key msqid owner perms used-bytes messages
0x000004d2 131073 abber 666 17 3
使用 Python 读取共享内存，代码如下：
[postmast@xuanyuan-soft22 ~/test]$vi shm.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
#
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
#
# Marc-Etienne M.Léveillé
#
from ctypes import *
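SHM_SIZE = 4096
SHM_KEY = 67483
OUTFILE = "httpd_cdorked_config.bin"

# shmat(2) reports failure as (void *) -1.  Through a c_void_p restype that
# arrives as the all-ones unsigned value for the platform word size; a NULL
# result is handed back by ctypes as None.
SHMAT_FAILED = (1 << (sizeof(c_void_p) * 8)) - 1


def shmat_failed(addr):
    """Return True when *addr*, a shmat() result, is the error sentinel or NULL.

    Args:
        addr: value returned by shmat() via a ``c_void_p`` restype
            (``None`` for NULL, an int otherwise).
    """
    return addr is None or addr == SHMAT_FAILED


def load_sysv_shm():
    """Load the C library and attach prototypes for shmget/shmat/shmdt.

    The script originally tried ``librt.so`` and then ``librt.so.1``; that
    order is kept, with the process's own symbol namespace (``CDLL(None)``)
    as a last resort, since on current glibc the System V calls are exported
    by libc itself.  Only ``OSError`` (library not found) is caught, so a
    genuine ctypes failure is no longer hidden by a bare ``except``.

    Returns:
        The ``CDLL`` handle with argtypes/restype set on the three functions.

    Raises:
        OSError: when none of the candidate libraries can be loaded.
        AttributeError: when the loaded library lacks the shm symbols.
    """
    last_err = None
    for name in ("librt.so", "librt.so.1", None):
        try:
            lib = CDLL(name, use_errno=True)
            break
        except OSError as err:
            last_err = err
    else:
        raise OSError("unable to load a C library exposing shmget/shmat") from last_err

    lib.shmget.argtypes = [c_int, c_size_t, c_int]
    lib.shmget.restype = c_int
    # shmaddr is `const void *`; c_void_p accepts None for "kernel chooses".
    lib.shmat.argtypes = [c_int, c_void_p, c_int]
    lib.shmat.restype = c_void_p
    lib.shmdt.argtypes = [c_void_p]
    lib.shmdt.restype = c_int
    return lib


def dump_shm(key=SHM_KEY, size=SHM_SIZE, outfile=OUTFILE):
    """Copy *size* bytes of the System V segment identified by *key* into *outfile*.

    Args:
        key: System V IPC key of the segment (the C writer uses 67483).
        size: number of bytes to copy.  NOTE(review): this must not exceed the
            segment's real size (``shmctl(IPC_STAT)``), otherwise ``string_at``
            reads past the mapping; the script assumes the 4096-byte segment
            created by the C program.
        outfile: path the bytes are written to.

    Returns:
        The number of bytes written, or ``None`` when no segment with that key
        exists (``shmget`` fails).

    Raises:
        OSError: if ``shmat`` fails (errno attached) or no C library loads.
    """
    lib = load_sysv_shm()
    # No IPC_CREAT: an existing segment is opened, never created.
    shmid = lib.shmget(key, size, 0o666)
    if shmid < 0:
        return None

    addr = lib.shmat(shmid, None, 0)
    if shmat_failed(addr):
        # The original passed the sentinel straight to string_at, which
        # dereferences (void *)-1 and crashes the interpreter.
        err = get_errno()
        raise OSError(err, "shmat failed")

    try:
        data = string_at(addr, size)
    finally:
        # Detach even if the read raises; leaving the mapping attached keeps
        # the segment's nattch count up until the process exits.
        lib.shmdt(addr)

    with open(outfile, "wb") as f:
        f.write(data)
    return len(data)


def main():
    """Script entry point: dump the segment and print the same status lines."""
    written = dump_shm()
    if written is None:
        print("System not infected")
    else:
        print("Dumped %d bytes in %s" % (written, OUTFILE))


if __name__ == "__main__":
    main()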
Python 读取的结果存放在文件 httpd_cdorked_config.bin 中。
$cat httpd_cdorked_config.bin
hello word!this is a test.
$