LLVM Pass-PWN: 从理论到实践<\/h1>

环境搭建<\/h2>

推荐环境<\/h3>

Ubuntu 20.04 (推荐使用Docker搭建)<\/li>

安装必要组件：

sudo apt install clang-8 llvm-8 clang-10 llvm-10 clang-12 llvm-12
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
LLVM IR基础知识<\/h2>
LLVM IR的三种形式<\/h3>

.ll格式<\/strong>：人类可读的文本格式<\/li>
.bc格式<\/strong>：二进制格式，适合机器处理<\/li>
内存表示<\/strong>：LLVM运行时使用的内存数据结构<\/li>
<\/ol>
转换命令<\/h3>



转换类型<\/th>
命令<\/th>
<\/tr>
<\/thead>


.c → .ll<\/td>
clang -emit-llvm -S a.c -o a.ll<\/code><\/td>
<\/tr>

.c → .bc<\/td>
clang -emit-llvm -c a.c -o a.bc<\/code><\/td>
<\/tr>

.ll → .bc<\/td>
llvm-as a.ll -o a.bc<\/code><\/td>
<\/tr>

.bc → .ll<\/td>
llvm-dis a.bc -o a.ll<\/code><\/td>
<\/tr>

.bc → .s<\/td>
llc a.bc -o a.s<\/code><\/td>
<\/tr>
<\/tbody>
<\/table>
IR示例分析<\/h3>
C代码：<\/p>
int<\/span> add<\/span>(int<\/span> a, int<\/span> b) {
<\/span><\/span>    return<\/span> a +<\/span> b;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>对应的LLVM IR：<\/p>
; ModuleID = 'example.c'
<\/span><\/span><\/span><\/span>source_filename<\/span> = "example.c"<\/span>
<\/span><\/span>define<\/span> i32<\/span> @add(i32<\/span> %a, i32<\/span> %b) {
<\/span><\/span>entry:
<\/span><\/span>  %0 = add<\/span> i32<\/span> %a, %b
<\/span><\/span>  ret<\/span> i32<\/span> %0
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>LLVM Pass基础<\/h2>
Pass的作用<\/h3>

对代码进行优化<\/li>
对代码插桩（插入新代码）<\/li>
<\/ul>
处理流程<\/h3>

继承LLVM核心库提供的Pass类<\/li>
实现关键方法<\/li>
对传入的LLVM IR进行遍历和操作<\/li>
<\/ol>
IR结构分析<\/h3>
LLVM IR由以下主要组件构成：<\/p>
1. Module<\/h4>

包含函数和全局变量的链表<\/li>
主要操作函数：
begin(), end(), size(), empty(), functions()
<\/span><\/span>getFunctionList(), getFunction()
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. Function<\/h4>

包含基本块(BasicBlock)的双链表<\/li>
主要操作函数：
begin(), end(), size(), empty(), front(), back()
<\/span><\/span>arg_begin(), arg_end(), getArg(unsigned<\/span> i), args()
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. BasicBlock<\/h4>

包含指令(Instruction)的链表<\/li>
主要操作函数：
begin(), end(), rbegin(), rend(), size(), empty(), front(), back()
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4. Instruction<\/h4>

继承自Value和User<\/li>
主要操作函数：
getParent(), getOpcode(), clone()
<\/span><\/span>ReplaceInstWithInst() \/\/ 指令替换
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
常见指令类型及创建方法<\/h2>
1. AllocaInst (内存分配)<\/h3>
AllocaInst(Type *<\/span>Ty, unsigned<\/span> AddrSpace, Value *<\/span>ArraySize, 
<\/span><\/span>           Align Align, const<\/span> Twine &<\/span>Name, Instruction *<\/span>InsertBefore);
<\/span><\/span><\/code><\/pre>2. StoreInst (存储)<\/h3>
StoreInst(Value *<\/span>Val, Value *<\/span>Ptr, bool<\/span> isVolatile, 
<\/span><\/span>          Align Align, Instruction *<\/span>InsertBefore);
<\/span><\/span><\/code><\/pre>3. LoadInst (加载)<\/h3>
LoadInst(Type *<\/span>Ty, Value *<\/span>Ptr, const<\/span> Twine &<\/span>NameStr, 
<\/span><\/span>         bool<\/span> isVolatile, Align Align, BasicBlock *<\/span>InsertAtEnd);
<\/span><\/span><\/code><\/pre>4. BinaryOperator (二元运算)<\/h3>
BinaryOperator::<\/span>Create(BinaryOps Op, Value *<\/span>S1, Value *<\/span>S2, 
<\/span><\/span>                       const<\/span> Twine &<\/span>Name, BasicBlock *<\/span>InsertAtEnd);
<\/span><\/span><\/code><\/pre>5. ICmpInst (整数比较)<\/h3>
ICmpInst(Instruction *<\/span>InsertBefore, Predicate pred, 
<\/span><\/span>         Value *<\/span>LHS, Value *<\/span>RHS, const<\/span> Twine &<\/span>NameStr);
<\/span><\/span><\/code><\/pre>6. BranchInst (分支)<\/h3>
BranchInst::<\/span>Create(BasicBlock *<\/span>IfTrue, BasicBlock *<\/span>IfFalse, 
<\/span><\/span>                   Value *<\/span>Cond, BasicBlock *<\/span>InsertAtEnd);
<\/span><\/span><\/code><\/pre>7. ReturnInst (返回)<\/h3>
ReturnInst::<\/span>Create(LLVMContext &<\/span>C, Value *<\/span>retVal, BasicBlock *<\/span>InsertAtEnd);
<\/span><\/span><\/code><\/pre>8. CallInst (函数调用)<\/h3>
CallInst::<\/span>Create(FunctionType *<\/span>Ty, Value *<\/span>Func, 
<\/span><\/span>                 ArrayRef<<\/span>Value *><\/span> Args, const<\/span> Twine &<\/span>NameStr, 
<\/span><\/span>                 Instruction *<\/span>InsertBefore);
<\/span><\/span><\/code><\/pre>LLVM Pass-PWN实战<\/h2>
基本概念<\/h3>

LLVM PASS-PWN不是攻击.so文件，而是攻击加载.so文件的程序——opt<\/li>
CTF题目通常会提供特定版本的opt文件<\/li>
<\/ul>
调试技巧<\/h3>

编译测试文件：
clang-8 -emit-llvm -S exp.c -o exp.bc
<\/span><\/span><\/code><\/pre><\/li>
调试opt：
opt-8 -load .\/VMPass.so -VMPass .\/exp.bc
<\/span><\/span><\/code><\/pre><\/li>
关键断点：
llvm::<\/span>Pass::<\/span>preparePassManager
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
调试脚本示例<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span>os.<\/span>system("clang-8 -emit-llvm -S exp.c -o exp.bc"<\/span>)
<\/span><\/span>p =<\/span> gdb.<\/span>debug([".\/opt-8"<\/span>, '-load'<\/span>, '.\/VMPass.so'<\/span>, '-VMPass'<\/span>, '.\/exp.bc'<\/span>], 
<\/span><\/span>              "b llvm::Pass::preparePassManager<\/span>\n<\/span>c"<\/span>)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>漏洞利用关键点<\/h2>

虚表定位<\/strong>：搜索vtable定位到虚表，最下面的函数通常是重写的虚函数runOnFunction<\/li>
内存布局<\/strong>：使用vmmap查看加载的模块和偏移<\/li>
断点设置<\/strong>：根据偏移将断点下在runOnFunction上<\/li>
<\/ol>
参考资源<\/h2>

LLVM PASS类pwn题总结<\/a><\/li>
LLVM设计提示<\/a><\/li>
LLVM Pass PWN详解<\/a><\/li>
LLVM安全研究<\/a><\/li>
<\/ol>

转换类型<\/th>	命令<\/th> <\/tr> <\/thead>
.c → .ll<\/td>	`clang -emit-llvm -S a.c -o a.ll<\/code><\/td> <\/tr>`
.c → .bc<\/td>	`clang -emit-llvm -c a.c -o a.bc<\/code><\/td> <\/tr>`
.ll → .bc<\/td>	`llvm-as a.ll -o a.bc<\/code><\/td> <\/tr>`
.bc → .ll<\/td>	`llvm-dis a.bc -o a.ll<\/code><\/td> <\/tr>`
.bc → .s<\/td>	llc a.bc -o a.s<\/code><\/td> <\/tr> <\/tbody> <\/table> IR示例分析<\/h3> C代码：<\/p> int<\/span> add<\/span>(int<\/span> a, int<\/span> b) { <\/span><\/span> return<\/span> a +<\/span> b; <\/span><\/span>} <\/span><\/span><\/code><\/pre>对应的LLVM IR：<\/p> ; ModuleID = 'example.c' <\/span><\/span><\/span><\/span>source_filename<\/span> = "example.c"<\/span> <\/span><\/span>define<\/span> i32<\/span> @add(i32<\/span> %a, i32<\/span> %b) { <\/span><\/span>entry: <\/span><\/span> %0 = add<\/span> i32<\/span> %a, %b <\/span><\/span> ret<\/span> i32<\/span> %0 <\/span><\/span>} <\/span><\/span><\/code><\/pre>LLVM Pass基础<\/h2> Pass的作用<\/h3> 对代码进行优化<\/li> 对代码插桩（插入新代码）<\/li> <\/ul> 处理流程<\/h3> 继承LLVM核心库提供的Pass类<\/li> 实现关键方法<\/li> 对传入的LLVM IR进行遍历和操作<\/li> <\/ol> IR结构分析<\/h3> LLVM IR由以下主要组件构成：<\/p> 1. Module<\/h4> 包含函数和全局变量的链表<\/li> 主要操作函数： begin(), end(), size(), empty(), functions() <\/span><\/span>getFunctionList(), getFunction() <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2. Function<\/h4> 包含基本块(BasicBlock)的双链表<\/li> 主要操作函数： begin(), end(), size(), empty(), front(), back() <\/span><\/span>arg_begin(), arg_end(), getArg(unsigned<\/span> i), args() <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3. BasicBlock<\/h4> 包含指令(Instruction)的链表<\/li> 主要操作函数： begin(), end(), rbegin(), rend(), size(), empty(), front(), back() <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4. Instruction<\/h4> 继承自Value和User<\/li> 主要操作函数： getParent(), getOpcode(), clone() <\/span><\/span>ReplaceInstWithInst() \/\/ 指令替换 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 常见指令类型及创建方法<\/h2> 1. AllocaInst (内存分配)<\/h3> AllocaInst(Type <\/span>Ty, unsigned<\/span> AddrSpace, Value <\/span>ArraySize, <\/span><\/span> Align Align, const<\/span> Twine &<\/span>Name, Instruction <\/span>InsertBefore); <\/span><\/span><\/code><\/pre>2. StoreInst (存储)<\/h3> StoreInst(Value <\/span>Val, Value <\/span>Ptr, bool<\/span> isVolatile, <\/span><\/span> Align Align, Instruction <\/span>InsertBefore); <\/span><\/span><\/code><\/pre>3. LoadInst (加载)<\/h3> LoadInst(Type <\/span>Ty, Value <\/span>Ptr, const<\/span> Twine &<\/span>NameStr, <\/span><\/span> bool<\/span> isVolatile, Align Align, BasicBlock <\/span>InsertAtEnd); <\/span><\/span><\/code><\/pre>4. BinaryOperator (二元运算)<\/h3> BinaryOperator::<\/span>Create(BinaryOps Op, Value <\/span>S1, Value <\/span>S2, <\/span><\/span> const<\/span> Twine &<\/span>Name, BasicBlock <\/span>InsertAtEnd); <\/span><\/span><\/code><\/pre>5. ICmpInst (整数比较)<\/h3> ICmpInst(Instruction <\/span>InsertBefore, Predicate pred, <\/span><\/span> Value <\/span>LHS, Value <\/span>RHS, const<\/span> Twine &<\/span>NameStr); <\/span><\/span><\/code><\/pre>6. BranchInst (分支)<\/h3> BranchInst::<\/span>Create(BasicBlock <\/span>IfTrue, BasicBlock <\/span>IfFalse, <\/span><\/span> Value <\/span>Cond, BasicBlock <\/span>InsertAtEnd); <\/span><\/span><\/code><\/pre>7. ReturnInst (返回)<\/h3> ReturnInst::<\/span>Create(LLVMContext &<\/span>C, Value <\/span>retVal, BasicBlock <\/span>InsertAtEnd); <\/span><\/span><\/code><\/pre>8. CallInst (函数调用)<\/h3> CallInst::<\/span>Create(FunctionType <\/span>Ty, Value <\/span>Func, <\/span><\/span> ArrayRef<<\/span>Value ><\/span> Args, const<\/span> Twine &<\/span>NameStr, <\/span><\/span> Instruction <\/span>InsertBefore); <\/span><\/span><\/code><\/pre>LLVM Pass-PWN实战<\/h2> 基本概念<\/h3> LLVM PASS-PWN不是攻击.so文件，而是攻击加载.so文件的程序——opt<\/li> CTF题目通常会提供特定版本的opt文件<\/li> <\/ul> 调试技巧<\/h3> 编译测试文件： clang-8 -emit-llvm -S exp.c -o exp.bc <\/span><\/span><\/code><\/pre><\/li> 调试opt： opt-8 -load .\/VMPass.so -VMPass .\/exp.bc <\/span><\/span><\/code><\/pre><\/li> 关键断点： llvm::<\/span>Pass::<\/span>preparePassManager <\/span><\/span><\/code><\/pre><\/li> <\/ol> 调试脚本示例<\/h3> from<\/span> pwn import<\/span> <\/span> <\/span><\/span>import<\/span> sys <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span>os.<\/span>system("clang-8 -emit-llvm -S exp.c -o exp.bc"<\/span>) <\/span><\/span>p =<\/span> gdb.<\/span>debug([".\/opt-8"<\/span>, '-load'<\/span>, '.\/VMPass.so'<\/span>, '-VMPass'<\/span>, '.\/exp.bc'<\/span>], <\/span><\/span> "b llvm::Pass::preparePassManager<\/span>\n<\/span>c"<\/span>) <\/span><\/span>p.<\/span>interactive() <\/span><\/span><\/code><\/pre>漏洞利用关键点<\/h2> 虚表定位<\/strong>：搜索vtable定位到虚表，最下面的函数通常是重写的虚函数runOnFunction<\/li> 内存布局<\/strong>：使用vmmap查看加载的模块和偏移<\/li> 断点设置<\/strong>：根据偏移将断点下在runOnFunction上<\/li> <\/ol> 参考资源<\/h2> LLVM PASS类pwn题总结<\/a><\/li> LLVM设计提示<\/a><\/li> LLVM Pass PWN详解<\/a><\/li> LLVM安全研究<\/a><\/li> <\/ol>

LLVM Pass-PWN: 从理论到实践<\/h1>

环境搭建<\/h2>

LLVM IR基础知识<\/h2>

LLVM Pass基础<\/h2>

IR结构分析<\/h3> LLVM IR由以下主要组件构成：<\/p>

常见指令类型及创建方法<\/h2>

LLVM Pass-PWN实战<\/h2>

参考资源<\/h2> LLVM PASS类pwn题总结<\/a><\/li> LLVM设计提示<\/a><\/li> LLVM Pass PWN详解<\/a><\/li> LLVM安全研究<\/a><\/li> <\/ol>

IR结构分析<\/h3>
LLVM IR由以下主要组件构成：<\/p>

参考资源<\/h2>

LLVM PASS类pwn题总结<\/a><\/li>
LLVM设计提示<\/a><\/li>
LLVM Pass PWN详解<\/a><\/li>
LLVM安全研究<\/a><\/li> <\/ol>