Protocol Buffers (Protobuf) 结构分析与逆向工程指南<\/h1>

1. Protobuf 简介<\/h2>
Protocol Buffers (Protobuf) 是 Google 开发的一种数据序列化协议，具有以下特点：<\/p>
类似于 XML 但更高效<\/li>
用于结构化数据序列化<\/li>
适用于数据存储和通信协议<\/li>
跨平台和异构系统 RPC 调用<\/li>
序列化\/反序列化效率高<\/li>
体积比 XML 和 JSON 小得多，适合网络传输<\/li> <\/ul>
2. Protobuf 开发环境搭建<\/h2>

2.1 安装 Protobuf 编译器<\/h3>
# 下载 Protobuf<\/span>
<\/span><\/span>git clone https:\/\/github.com\/protocolbuffers\/protobuf
<\/span><\/span>
<\/span><\/span># 编译安装<\/span>
<\/span><\/span>cd protobuf
<\/span><\/span>.\/configure &&<\/span> make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre>2.2 安装 C 语言支持库<\/h3>
# 下载 protobuf-c<\/span>
<\/span><\/span>git clone https:\/\/github.com\/protobuf-c\/protobuf-c
<\/span><\/span>
<\/span><\/span># 编译安装<\/span>
<\/span><\/span>cd protobuf-c
<\/span><\/span>.\/configure &&<\/span> make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre>3. Protobuf 基本使用示例<\/h2>
3.1 定义 .proto 文件<\/h3>
syntax =<\/span> "proto3"<\/span>;
<\/span><\/span><\/span><\/span>package<\/span> example;
<\/span><\/span><\/span>
<\/span><\/span><\/span><\/span>message<\/span> Person<\/span> {
<\/span><\/span><\/span><\/span>    string<\/span> name =<\/span> 1<\/span>;
<\/span><\/span><\/span><\/span>    int32<\/span> id =<\/span> 2<\/span>;
<\/span><\/span><\/span><\/span>    string<\/span> email =<\/span> 3<\/span>;
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>3.2 生成 C 语言代码<\/h3>
protoc --c_out=<\/span>. message.proto
<\/span><\/span><\/code><\/pre>这将生成两个文件：<\/p>

message.pb-c.c<\/code> - 实现文件<\/li>
message.pb-c.h<\/code> - 头文件<\/li>
<\/ul>
3.3 关键数据结构分析<\/h3>
3.3.1 ProtobufCMessage 基础结构<\/h4>
struct<\/span> ProtobufCMessage {
<\/span><\/span>    const<\/span> ProtobufCMessageDescriptor *<\/span>descriptor;  \/\/ 消息描述符
<\/span><\/span><\/span><\/span>    unsigned<\/span> n_unknown_fields;                     \/\/ 未知字段数量
<\/span><\/span><\/span><\/span>    ProtobufCMessageUnknownField *<\/span>unknown_fields;  \/\/ 未知字段
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.3.2 字段描述符 ProtobufCFieldDescriptor<\/h4>
struct<\/span> ProtobufCFieldDescriptor {
<\/span><\/span>    const<\/span> char<\/span> *<\/span>name;            \/\/ 字段名称
<\/span><\/span><\/span><\/span>    uint32_t<\/span> id;                \/\/ 字段标签号
<\/span><\/span><\/span><\/span>    ProtobufCLabel label;        \/\/ 字段标签类型
<\/span><\/span><\/span><\/span>    ProtobufCType type;          \/\/ 字段数据类型
<\/span><\/span><\/span><\/span>    unsigned<\/span> quantifier_offset;  \/\/ 量词偏移
<\/span><\/span><\/span><\/span>    unsigned<\/span> offset;             \/\/ 字段偏移
<\/span><\/span><\/span><\/span>    \/\/ ... 其他成员
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.3.3 消息描述符 ProtobufCMessageDescriptor<\/h4>
const<\/span> ProtobufCMessageDescriptor example__person__descriptor =<\/span> {
<\/span><\/span>    PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
<\/span><\/span>    "example.Person"<\/span>,           \/\/ 完整消息名称
<\/span><\/span><\/span><\/span>    "Person"<\/span>,                   \/\/ 简短消息名称
<\/span><\/span><\/span><\/span>    "Example__Person"<\/span>,          \/\/ C结构体名称
<\/span><\/span><\/span><\/span>    "example"<\/span>,                  \/\/ 包名
<\/span><\/span><\/span><\/span>    sizeof<\/span>(Example__Person),    \/\/ 消息大小
<\/span><\/span><\/span><\/span>    3<\/span>,                         \/\/ 字段数量
<\/span><\/span><\/span><\/span>    example__person__field_descriptors, \/\/ 字段描述符数组
<\/span><\/span><\/span><\/span>    \/\/ ... 其他成员
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.4 字段类型和标签枚举<\/h3>
3.4.1 ProtobufCType 字段类型<\/h4>
typedef<\/span> enum<\/span> {
<\/span><\/span>    PROTOBUF_C_TYPE_INT32,      \/\/ int32
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_SINT32,     \/\/ signed int32
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_SFIXED32,   \/\/ signed int32 (4 bytes)
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_INT64,      \/\/ int64
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_SINT64,     \/\/ signed int64
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_SFIXED64,   \/\/ signed int64 (8 bytes)
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_UINT32,     \/\/ unsigned int32
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_FIXED32,    \/\/ unsigned int32 (4 bytes)
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_UINT64,     \/\/ unsigned int64
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_FIXED64,    \/\/ unsigned int64 (8 bytes)
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_FLOAT,      \/\/ float
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_DOUBLE,     \/\/ double
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_BOOL,       \/\/ boolean
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_ENUM,       \/\/ enumerated type
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_STRING,     \/\/ UTF-8 or ASCII string
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_BYTES,      \/\/ arbitrary byte sequence
<\/span><\/span><\/span><\/span>    PROTOBUF_C_TYPE_MESSAGE,    \/\/ nested message
<\/span><\/span><\/span><\/span>} ProtobufCType;
<\/span><\/span><\/code><\/pre>3.4.2 ProtobufCLabel 字段标签<\/h4>
typedef<\/span> enum<\/span> {
<\/span><\/span>    PROTOBUF_C_LABEL_REQUIRED,  \/\/ 必须字段
<\/span><\/span><\/span><\/span>    PROTOBUF_C_LABEL_OPTIONAL,  \/\/ 可选字段
<\/span><\/span><\/span><\/span>    PROTOBUF_C_LABEL_REPEATED,  \/\/ 可重复字段
<\/span><\/span><\/span><\/span>    PROTOBUF_C_LABEL_NONE,      \/\/ 无标签(proto3)
<\/span><\/span><\/span><\/span>} ProtobufCLabel;
<\/span><\/span><\/code><\/pre>3.5 二进制数据表示<\/h3>
struct<\/span> ProtobufCBinaryData {
<\/span><\/span>    size_t len;     \/\/ 数据长度
<\/span><\/span><\/span><\/span>    uint8_t<\/span> *<\/span>data;  \/\/ 数据指针
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>4. Protobuf 逆向工程方法<\/h2>
4.1 逆向分析流程<\/h3>

定位 ProtobufCMessageDescriptor 结构体<\/li>
分析字段描述符数组 ProtobufCFieldDescriptor<\/li>
提取每个字段的:

name: 字段名称<\/li>
id: 字段标签号<\/li>
label: 字段标签类型<\/li>
type: 字段数据类型<\/li>
<\/ul>
<\/li>
根据偏移量确定字段在结构体中的位置<\/li>
<\/ol>
4.2 IDA 逆向分析技巧<\/h3>


识别 ProtobufCMessageDescriptor 结构体特征:<\/p>

包含 magic number<\/li>
包含消息名称字符串<\/li>
包含字段数量和字段描述符数组指针<\/li>
<\/ul>
<\/li>

字段描述符分析:<\/p>

name 字段: 指向字段名称字符串<\/li>
id 字段: 字段标签号<\/li>
label 字段: 对应 ProtobufCLabel 枚举<\/li>
type 字段: 对应 ProtobufCType 枚举<\/li>
offset 字段: 字段在结构体中的偏移量<\/li>
<\/ul>
<\/li>

结构体布局:<\/p>

前 0x18 字节为 ProtobufCMessage 基础结构<\/li>
后续为自定义字段<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 还原 .proto 文件<\/h3>
通过逆向分析可以还原出原始 .proto 文件定义，例如:<\/p>
syntax =<\/span> "proto3"<\/span>;
<\/span><\/span><\/span><\/span>package<\/span> example;
<\/span><\/span><\/span>
<\/span><\/span><\/span><\/span>message<\/span> Person<\/span> {
<\/span><\/span><\/span><\/span>    string<\/span> name =<\/span> 1<\/span>;
<\/span><\/span><\/span><\/span>    int32<\/span> id =<\/span> 2<\/span>;
<\/span><\/span><\/span><\/span>    string<\/span> email =<\/span> 3<\/span>;
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>5. 实战案例分析<\/h2>
5.1 [CISCN 2023 初赛]StrangeTalkBot<\/h3>
分析过程:<\/h4>


定位到 ProtobufCMessageDescriptor 结构体<\/p>
<\/li>

分析字段描述符数组:<\/p>

第一个字段 actionid:

id: 1<\/li>
label: PROTOBUF_C_LABEL_REQUIRED (0)<\/li>
type: PROTOBUF_C_TYPE_SINT64 (4)<\/li>
offset: 0x18<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

还原 .proto 文件<\/p>
<\/li>
<\/ol>
漏洞利用:<\/h4>

UAF (Use-After-Free) 漏洞<\/li>
利用思路:

泄漏 libc 和堆地址<\/li>
修改指针申请到 free_hook<\/li>
构造 ORW 链<\/li>
触发漏洞<\/li>
<\/ol>
<\/li>
<\/ul>
5.2 [CISCN 2024]protoverflow<\/h3>
分析过程:<\/h4>

识别 C++ 版本的 Protobuf 结构<\/li>
手撕 IDA 还原 .proto 文件<\/li>
发现栈溢出漏洞<\/li>
<\/ol>
利用方法:<\/h4>

构造恶意 Protobuf 数据<\/li>
触发栈溢出控制流劫持<\/li>
<\/ol>
6. 工具推荐<\/h2>

pbtk<\/strong> - Protobuf 逆向工具<\/li>
半自动化 IDAPython 脚本<\/strong> - 用于快速提取 Protobuf 结构<\/li>
protoc<\/strong> - 官方编译器，用于验证还原的 .proto 文件<\/li>
<\/ol>
7. 总结<\/h2>
Protobuf 逆向工程关键点:<\/p>

理解 Protobuf 的核心数据结构<\/li>
掌握 IDA 中识别 Protobuf 结构的方法<\/li>
能够从二进制中还原 .proto 文件定义<\/li>
了解不同语言实现(C\/C++\/Python)的差异<\/li>
熟悉常见漏洞模式和利用方法<\/li>
<\/ol>
通过系统分析 Protobuf 的结构和逆向方法，可以有效应对相关二进制分析挑战。<\/p>