Python 字节对象与虚拟内存操作详解<\/h1>

1. 概述<\/h2>
本教程将深入探讨如何通过虚拟内存操作来修改Python 3中运行的字节对象。我们将学习Python字节对象在内存中的表示方式，以及如何定位和修改这些对象。<\/p>

2. 前提知识<\/h2>

在开始之前，需要掌握以下基础知识：<\/p>

C语言基础<\/li>
Python基础<\/li>
Linux文件系统和shell基础<\/li>

\/proc文件系统基础<\/li> <\/ul>

3. 环境准备<\/h2>

测试环境：<\/p>

Ubuntu 14.04 LTS<\/li>
Linux内核版本：4.4.0-31-generic<\/li>
gcc 4.8.4<\/li>

Python 3.4.3<\/li> <\/ul>

4. Python字节对象基础<\/h2>

4.1 字节对象与字符串的区别<\/h3>

在Python 3中，字节对象(bytes)和字符串(str)是不同的类型：<\/p>

s =<\/span> "Betty"<\/span>  # <class 'str'><\/span>
<\/span><\/span>s =<\/span> b<\/span>"Betty"<\/span>  # <class 'bytes'><\/span>
<\/span><\/span><\/code><\/pre>4.2 Python字节对象的内存表示<\/h3>
Python中的所有东西都是对象，包括字节对象。字节对象在CPython中的内部表示如下（来自bytesobject.h）：<\/p>
typedef<\/span> struct<\/span> {
<\/span><\/span>    PyObject_VAR_HEAD
<\/span><\/span>    Py_hash_t ob_shash;
<\/span><\/span>    char<\/span> ob_sval[1<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/* 不变量：
<\/span><\/span><\/span>     * ob_sval包含'ob_size+1'个元素的空间
<\/span><\/span><\/span>     * ob_sval[ob_size] == 0
<\/span><\/span><\/span>     * ob_shash是字符串的哈希值，如果尚未计算则为-1
<\/span><\/span><\/span>     *\/<\/span>
<\/span><\/span>} PyBytesObject;
<\/span><\/span><\/code><\/pre>其中：<\/p>

PyObject_VAR_HEAD<\/code> 包含引用计数和类型信息<\/li>
ob_size<\/code> 存储字符串长度<\/li>
ob_sval<\/code> 存储实际的字节数据，以null结尾<\/li>
<\/ul>
5. 定位字节对象的内存地址<\/h2>
5.1 使用id()函数<\/h3>
Python的id()<\/code>函数返回对象的内存地址：<\/p>
s =<\/span> b<\/span>"Holberton"<\/span>
<\/span><\/span>print(hex(id(s)))  # 输出对象地址<\/span>
<\/span><\/span><\/code><\/pre>5.2 检查\/proc\/[pid]\/maps<\/h3>
通过检查进程的maps文件，可以确定对象所在的虚拟内存区域：<\/p>
cat \/proc\/[<\/span>pid]<\/span>\/maps
<\/span><\/span><\/code><\/pre>6. 创建C扩展来检查字节对象<\/h2>
为了更深入地检查字节对象，我们可以创建一个C扩展：<\/p>
6.1 C函数实现<\/h3>
#include<\/span> "Python.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> print_python_bytes<\/span>(PyObject *<\/span>p) {
<\/span><\/span>    PyBytesObject *<\/span>s;
<\/span><\/span>    unsigned<\/span> int<\/span> i;
<\/span><\/span>    
<\/span><\/span>    printf("[.] bytes object info<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    s =<\/span> (PyBytesObject *<\/span>)p;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (s &&<\/span> PyBytes_Check(s)) {
<\/span><\/span>        printf(" address of the object: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)s);
<\/span><\/span>        printf(" size: %ld<\/span>\n<\/span>"<\/span>, s-><\/span>ob_base.ob_size);
<\/span><\/span>        printf(" trying string: %s<\/span>\n<\/span>"<\/span>, s-><\/span>ob_sval);
<\/span><\/span>        printf(" address of the data: %p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)(s-><\/span>ob_sval));
<\/span><\/span>        printf(" bytes:"<\/span>);
<\/span><\/span>        
<\/span><\/span>        for<\/span> (i =<\/span> 0<\/span>; i <<\/span> s-><\/span>ob_base.ob_size +<\/span> 1<\/span>; i++<\/span>) {
<\/span><\/span>            printf(" %02x"<\/span>, s-><\/span>ob_sval[i] &<\/span> 0xff<\/span>);
<\/span><\/span>        }
<\/span><\/span>        printf("<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        fprintf(stderr, " [ERROR] Invalid Bytes Object<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 编译动态库<\/h3>
gcc -Wall -Wextra -pedantic -Werror -std=<\/span>c99 -shared -Wl,-soname,libPython.so -o libPython.so -fPIC -I\/usr\/include\/python3.4 bytes.c
<\/span><\/span><\/code><\/pre>6.3 Python中调用<\/h3>
import<\/span> ctypes
<\/span><\/span>lib =<\/span> ctypes.<\/span>CDLL('.\/libPython.so'<\/span>)
<\/span><\/span>lib.<\/span>print_python_bytes.<\/span>argtypes =<\/span> [ctypes.<\/span>py_object]
<\/span><\/span>
<\/span><\/span>s =<\/span> b<\/span>"Holberton"<\/span>
<\/span><\/span>lib.<\/span>print_python_bytes(s)
<\/span><\/span><\/code><\/pre>7. 修改内存中的字节对象<\/h2>
7.1 内存搜索与替换脚本<\/h3>
创建一个可以搜索和替换所有可读写内存区域的Python脚本：<\/p>
#!\/usr\/bin\/env python3<\/span>
<\/span><\/span>'''
<\/span><\/span><\/span>Locates and replaces all occurrences of an ASCII string in the 
<\/span><\/span><\/span>entire virtual memory of a process.
<\/span><\/span><\/span>'''<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>def<\/span> print_usage_and_exit<\/span>():
<\/span><\/span>    print('Usage: <\/span>{}<\/span> pid search write'<\/span>.<\/span>format(sys.<\/span>argv[0<\/span>]))
<\/span><\/span>    exit(1<\/span>)
<\/span><\/span>
<\/span><\/span># 检查参数<\/span>
<\/span><\/span>if<\/span> len(sys.<\/span>argv) !=<\/span> 4<\/span>:
<\/span><\/span>    print_usage_and_exit()
<\/span><\/span>
<\/span><\/span># 获取参数<\/span>
<\/span><\/span>pid =<\/span> int(sys.<\/span>argv[1<\/span>])
<\/span><\/span>if<\/span> pid <=<\/span> 0<\/span>:
<\/span><\/span>    print_usage_and_exit()
<\/span><\/span>
<\/span><\/span>search_string =<\/span> str(sys.<\/span>argv[2<\/span>])
<\/span><\/span>if<\/span> search_string ==<\/span> ""<\/span>:
<\/span><\/span>    print_usage_and_exit()
<\/span><\/span>
<\/span><\/span>write_string =<\/span> str(sys.<\/span>argv[3<\/span>])
<\/span><\/span>if<\/span> search_string ==<\/span> ""<\/span>:
<\/span><\/span>    print_usage_and_exit()
<\/span><\/span>
<\/span><\/span># 打开进程的maps和mem文件<\/span>
<\/span><\/span>maps_filename =<\/span> "\/proc\/<\/span>{}<\/span>\/maps"<\/span>.<\/span>format(pid)
<\/span><\/span>mem_filename =<\/span> "\/proc\/<\/span>{}<\/span>\/mem"<\/span>.<\/span>format(pid)
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    maps_file =<\/span> open(maps_filename, 'r'<\/span>)
<\/span><\/span>except<\/span> IOError<\/span> as<\/span> e:
<\/span><\/span>    print("[ERROR] Can not open file <\/span>{}<\/span>:"<\/span>.<\/span>format(maps_filename))
<\/span><\/span>    print(" I\/O error(<\/span>{}<\/span>): <\/span>{}<\/span>"<\/span>.<\/span>format(e.<\/span>errno, e.<\/span>strerror))
<\/span><\/span>    exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>for<\/span> line in<\/span> maps_file:
<\/span><\/span>    # 解析maps文件行<\/span>
<\/span><\/span>    sline =<\/span> line.<\/span>split(' '<\/span>)
<\/span><\/span>    name =<\/span> sline[-<\/span>1<\/span>][:-<\/span>1<\/span>]
<\/span><\/span>    addr =<\/span> sline[0<\/span>]
<\/span><\/span>    perm =<\/span> sline[1<\/span>]
<\/span><\/span>    
<\/span><\/span>    # 只检查可读写的内存区域<\/span>
<\/span><\/span>    if<\/span> perm[0<\/span>] !=<\/span> 'r'<\/span> or<\/span> perm[1<\/span>] !=<\/span> 'w'<\/span>:
<\/span><\/span>        continue<\/span>
<\/span><\/span>        
<\/span><\/span>    # 获取内存区域起始和结束地址<\/span>
<\/span><\/span>    addr_start, addr_end =<\/span> [int(x, 16<\/span>) for<\/span> x in<\/span> addr.<\/span>split("-"<\/span>)]
<\/span><\/span>    
<\/span><\/span>    try<\/span>:
<\/span><\/span>        mem_file =<\/span> open(mem_filename, 'rb+'<\/span>)
<\/span><\/span>        mem_file.<\/span>seek(addr_start)
<\/span><\/span>        region =<\/span> mem_file.<\/span>read(addr_end -<\/span> addr_start)
<\/span><\/span>        
<\/span><\/span>        # 查找并替换字符串<\/span>
<\/span><\/span>        try<\/span>:
<\/span><\/span>            i =<\/span> region.<\/span>index(bytes(search_string, "ASCII"<\/span>))
<\/span><\/span>            while<\/span> True<\/span>:
<\/span><\/span>                print("Found '<\/span>{}<\/span>' at <\/span>{:x}<\/span>"<\/span>.<\/span>format(search_string, addr_start +<\/span> i))
<\/span><\/span>                mem_file.<\/span>seek(addr_start +<\/span> i)
<\/span><\/span>                mem_file.<\/span>write(bytes(write_string, "ASCII"<\/span>))
<\/span><\/span>                mem_file.<\/span>flush()
<\/span><\/span>                
<\/span><\/span>                # 更新缓冲区继续搜索<\/span>
<\/span><\/span>                region =<\/span> region[:i] +<\/span> bytes(write_string, "ASCII"<\/span>) +<\/span> region[i+<\/span>len(search_string):]
<\/span><\/span>                i =<\/span> region.<\/span>index(bytes(search_string, "ASCII"<\/span>))
<\/span><\/span>        except<\/span> ValueError<\/span>:
<\/span><\/span>            pass<\/span>
<\/span><\/span>            
<\/span><\/span>        mem_file.<\/span>close()
<\/span><\/span>    except<\/span> IOError<\/span>:
<\/span><\/span>        continue<\/span>
<\/span><\/span>
<\/span><\/span>maps_file.<\/span>close()
<\/span><\/span><\/code><\/pre>8. 操作步骤<\/h2>

运行目标Python脚本：<\/li>
<\/ol>
.\/main_bytes.py
<\/span><\/span><\/code><\/pre>
获取进程ID：<\/li>
<\/ol>
ps aux | grep main_bytes.py | grep -v grep
<\/span><\/span><\/code><\/pre>
运行内存修改脚本：<\/li>
<\/ol>
sudo .\/rw_all.py [<\/span>pid]<\/span> Holberton "~ Betty ~"<\/span>
<\/span><\/span><\/code><\/pre>
在目标脚本中按Enter键查看修改结果<\/li>
<\/ol>
9. 关键发现<\/h2>


Python字节对象在内存中的表示包含：<\/p>

对象头信息<\/li>
字符串长度(ob_size)<\/li>
实际数据(ob_sval)，以null结尾<\/li>
<\/ul>
<\/li>

Python对象不是存储在堆或栈中，而是在特定的内存区域<\/p>
<\/li>

通过\/proc文件系统可以访问和修改进程的虚拟内存<\/p>
<\/li>

id()函数返回的是Python对象的内存地址<\/p>
<\/li>
<\/ol>
10. 未解决的问题<\/h2>

为什么在堆内存区域也能找到字符串"Holberton"？<\/li>
Python如何在堆外分配内存？<\/li>
如果Python没有使用堆，object.h中"对象是在堆上分配的结构"是什么意思？<\/li>
<\/ol>
这些问题将在后续教程中探讨。<\/p>
11. 总结<\/h2>
本教程详细介绍了：<\/p>

Python字节对象的内存结构<\/li>
如何通过\/proc文件系统访问进程内存<\/li>
创建C扩展来检查Python对象<\/li>
编写脚本搜索和修改内存中的字符串<\/li>
<\/ul>
通过这些技术，我们能够深入理解Python内部实现，并实现对运行中Python程序的内存操作。<\/p>

Python 字节对象与虚拟内存操作详解<\/h1>

1. 概述<\/h2> 本教程将深入探讨如何通过虚拟内存操作来修改Python 3中运行的字节对象。我们将学习Python字节对象在内存中的表示方式，以及如何定位和修改这些对象。<\/p>

4. Python字节对象基础<\/h2>

5. 定位字节对象的内存地址<\/h2>

6. 创建C扩展来检查字节对象<\/h2> 为了更深入地检查字节对象，我们可以创建一个C扩展：<\/p>

7. 修改内存中的字节对象<\/h2>

1. 概述<\/h2>
本教程将深入探讨如何通过虚拟内存操作来修改Python 3中运行的字节对象。我们将学习Python字节对象在内存中的表示方式，以及如何定位和修改这些对象。<\/p>

6. 创建C扩展来检查字节对象<\/h2>
为了更深入地检查字节对象，我们可以创建一个C扩展：<\/p>