虚拟内存黑客教学：C字符串与\/proc文件系统<\/h1>

1. 概述<\/h2>
本教程将指导你如何通过\/proc文件系统访问和修改运行中进程的虚拟内存内容，特别是堆中的C字符串。这是"Hack虚拟内存"系列的第一部分，重点介绍基础概念和实际操作。<\/p>

2. 环境准备<\/h2>

2.1 系统要求<\/h3>

Ubuntu 14.04 LTS<\/li>
Linux内核版本: 4.4.0-31-generic<\/li>
GCC版本: 4.8.4<\/li>

Python 3.4.3<\/li> <\/ul>

2.2 前提知识<\/h3>

C语言基础<\/li>
Python基础<\/li>

Linux文件系统和shell基础<\/li> <\/ul>

3. 虚拟内存基础<\/h2>

3.1 虚拟内存概念<\/h3>

虚拟内存是一种内存管理技术，它将程序使用的虚拟地址映射到物理内存地址。关键特点包括：<\/p>

每个进程有自己的虚拟地址空间<\/li>
虚拟内存大小取决于系统架构(32位或64位)<\/li>

操作系统负责管理虚拟地址空间<\/li> <\/ul>

3.2 虚拟内存布局<\/h3>

典型Linux进程的虚拟内存布局：<\/p>

高地址
-----------------
命令行参数和环境变量
栈(向下增长)
...
...
堆(向上增长)
程序可执行代码
低地址
<\/code><\/pre>
4. 关键工具：\/proc文件系统<\/h2>
\/proc是一个伪文件系统，提供内核数据结构的接口。我们将重点关注：<\/p>
4.1 \/proc\/[pid]\/maps<\/h3>
显示进程当前映射的内存区域及其权限，格式为：<\/p>
address perms offset dev inode pathname
00400000-00452000 r-xp 00000000 08:02 173521 \/usr\/bin\/dbus-daemon
00651000-00652000 r--p 00051000 08:02 173521 \/usr\/bin\/dbus-daemon
<\/code><\/pre>
4.2 \/proc\/[pid]\/mem<\/h3>
可用于访问进程内存页面，通过open、read和lseek系统调用。<\/p>
5. 实践示例<\/h2>
5.1 示例C程序<\/h3>
#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(void<\/span>) {
<\/span><\/span>    char<\/span> *<\/span>s;
<\/span><\/span>    s =<\/span> strdup("Holberton"<\/span>);
<\/span><\/span>    if<\/span> (s ==<\/span> NULL) {
<\/span><\/span>        fprintf(stderr, "Can't allocate mem with malloc<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        return<\/span> (EXIT_FAILURE);
<\/span><\/span>    }
<\/span><\/span>    printf("%p<\/span>\n<\/span>"<\/span>, (void<\/span> *<\/span>)s);
<\/span><\/span>    return<\/span> (EXIT_SUCCESS);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.2 strdup函数分析<\/h3>

使用malloc分配内存<\/li>
返回新字符串的指针<\/li>
内存位于堆中<\/li>
<\/ul>
5.3 无限循环版本<\/h3>
#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(void<\/span>) {
<\/span><\/span>    char<\/span> *<\/span>s;
<\/span><\/span>    unsigned<\/span> long<\/span> int<\/span> i;
<\/span><\/span>    
<\/span><\/span>    s =<\/span> strdup("Holberton"<\/span>);
<\/span><\/span>    if<\/span> (s ==<\/span> NULL) {
<\/span><\/span>        fprintf(stderr, "Can't allocate mem with malloc<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        return<\/span> (EXIT_FAILURE);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    i =<\/span> 0<\/span>;
<\/span><\/span>    while<\/span> (s) {
<\/span><\/span>        printf("[%lu] %s (%p)<\/span>\n<\/span>"<\/span>, i, s, (void<\/span> *<\/span>)s);
<\/span><\/span>        sleep(1<\/span>);
<\/span><\/span>        i++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> (EXIT_SUCCESS);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 实际操作步骤<\/h2>
6.1 查找进程PID<\/h3>
ps aux | grep .\/loop | grep -v grep
<\/span><\/span><\/code><\/pre>6.2 检查\/proc\/[pid]\/maps<\/h3>
cat \/proc\/[<\/span>pid]<\/span>\/maps
<\/span><\/span><\/code><\/pre>示例输出：<\/p>
010ff000-01120000 rw-p 00000000 00:00 0 [heap]
<\/code><\/pre>
6.3 Python脚本修改内存<\/h3>
#!\/usr\/bin\/env python3<\/span>
<\/span><\/span>'''
<\/span><\/span><\/span>Locates and replaces the first occurrence of a string in the heap of a process
<\/span><\/span><\/span>Usage: .\/read_write_heap.py PID search_string replace_by_string
<\/span><\/span><\/span>'''<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>def<\/span> print_usage_and_exit<\/span>():
<\/span><\/span>    print('Usage: <\/span>{}<\/span> pid search write'<\/span>.<\/span>format(sys.<\/span>argv[0<\/span>]))
<\/span><\/span>    sys.<\/span>exit(1<\/span>)
<\/span><\/span>
<\/span><\/span># 检查参数<\/span>
<\/span><\/span>if<\/span> len(sys.<\/span>argv) !=<\/span> 4<\/span>:
<\/span><\/span>    print_usage_and_exit()
<\/span><\/span>
<\/span><\/span>pid =<\/span> int(sys.<\/span>argv[1<\/span>])
<\/span><\/span>search_string =<\/span> str(sys.<\/span>argv[2<\/span>])
<\/span><\/span>write_string =<\/span> str(sys.<\/span>argv[3<\/span>])
<\/span><\/span>
<\/span><\/span># 打开maps和mem文件<\/span>
<\/span><\/span>maps_filename =<\/span> "\/proc\/<\/span>{}<\/span>\/maps"<\/span>.<\/span>format(pid)
<\/span><\/span>mem_filename =<\/span> "\/proc\/<\/span>{}<\/span>\/mem"<\/span>.<\/span>format(pid)
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    maps_file =<\/span> open(maps_filename, 'r'<\/span>)
<\/span><\/span>except<\/span> IOError<\/span> as<\/span> e:
<\/span><\/span>    print("[ERROR] Can not open file <\/span>{}<\/span>:"<\/span>.<\/span>format(maps_filename))
<\/span><\/span>    print("I\/O error(<\/span>{}<\/span>): <\/span>{}<\/span>"<\/span>.<\/span>format(e.<\/span>errno, e.<\/span>strerror))
<\/span><\/span>    sys.<\/span>exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>for<\/span> line in<\/span> maps_file:
<\/span><\/span>    sline =<\/span> line.<\/span>split(' '<\/span>)
<\/span><\/span>    # 查找堆区域<\/span>
<\/span><\/span>    if<\/span> sline[-<\/span>1<\/span>][:-<\/span>1<\/span>] !=<\/span> "[heap]"<\/span>:
<\/span><\/span>        continue<\/span>
<\/span><\/span>    
<\/span><\/span>    print("[*] Found [heap]:"<\/span>)
<\/span><\/span>    # 解析行内容<\/span>
<\/span><\/span>    addr =<\/span> sline[0<\/span>]
<\/span><\/span>    perm =<\/span> sline[1<\/span>]
<\/span><\/span>    
<\/span><\/span>    # 检查读写权限<\/span>
<\/span><\/span>    if<\/span> perm[0<\/span>] !=<\/span> 'r'<\/span> or<\/span> perm[1<\/span>] !=<\/span> 'w'<\/span>:
<\/span><\/span>        print("[*] <\/span>{}<\/span> does not have read\/write permission"<\/span>.<\/span>format(pathname))
<\/span><\/span>        maps_file.<\/span>close()
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 获取堆的起始和结束地址<\/span>
<\/span><\/span>    addr =<\/span> addr.<\/span>split("-"<\/span>)
<\/span><\/span>    addr_start =<\/span> int(addr[0<\/span>], 16<\/span>)
<\/span><\/span>    addr_end =<\/span> int(addr[1<\/span>], 16<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 打开mem文件<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        mem_file =<\/span> open(mem_filename, 'rb+'<\/span>)
<\/span><\/span>    except<\/span> IOError<\/span> as<\/span> e:
<\/span><\/span>        print("[ERROR] Can not open file <\/span>{}<\/span>:"<\/span>.<\/span>format(mem_filename))
<\/span><\/span>        print("I\/O error(<\/span>{}<\/span>): <\/span>{}<\/span>"<\/span>.<\/span>format(e.<\/span>errno, e.<\/span>strerror))
<\/span><\/span>        maps_file.<\/span>close()
<\/span><\/span>        exit(1<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 读取堆内容<\/span>
<\/span><\/span>    mem_file.<\/span>seek(addr_start)
<\/span><\/span>    heap =<\/span> mem_file.<\/span>read(addr_end -<\/span> addr_start)
<\/span><\/span>    
<\/span><\/span>    # 查找字符串<\/span>
<\/span><\/span>    try<\/span>:
<\/span><\/span>        i =<\/span> heap.<\/span>index(bytes(search_string, "ASCII"<\/span>))
<\/span><\/span>    except<\/span> Exception<\/span>:
<\/span><\/span>        print("Can't find '<\/span>{}<\/span>'"<\/span>.<\/span>format(search_string))
<\/span><\/span>        maps_file.<\/span>close()
<\/span><\/span>        mem_file.<\/span>close()
<\/span><\/span>        exit(0<\/span>)
<\/span><\/span>    
<\/span><\/span>    print("[*] Found '<\/span>{}<\/span>' at <\/span>{:x}<\/span>"<\/span>.<\/span>format(search_string, i))
<\/span><\/span>    
<\/span><\/span>    # 写入新字符串<\/span>
<\/span><\/span>    print("[*] Writing '<\/span>{}<\/span>' at <\/span>{:x}<\/span>"<\/span>.<\/span>format(write_string, addr_start +<\/span> i))
<\/span><\/span>    mem_file.<\/span>seek(addr_start +<\/span> i)
<\/span><\/span>    mem_file.<\/span>write(bytes(write_string, "ASCII"<\/span>))
<\/span><\/span>    
<\/span><\/span>    # 关闭文件<\/span>
<\/span><\/span>    maps_file.<\/span>close()
<\/span><\/span>    mem_file.<\/span>close()
<\/span><\/span>    break<\/span>
<\/span><\/span><\/code><\/pre>6.4 运行脚本<\/h3>
sudo .\/read_write_heap.py [<\/span>pid]<\/span> "Holberton"<\/span> "Fun w vm!"<\/span>
<\/span><\/span><\/code><\/pre>7. 关键点总结<\/h2>


虚拟内存布局<\/strong>：理解进程内存布局是基础，特别是堆和栈的位置。<\/p>
<\/li>

\/proc文件系统<\/strong>：<\/p>

maps文件提供内存映射信息<\/li>
mem文件允许直接访问进程内存<\/li>
<\/ul>
<\/li>

权限检查<\/strong>：修改内存前必须确认区域有读写权限。<\/p>
<\/li>

地址转换<\/strong>：需要将虚拟地址转换为文件偏移量。<\/p>
<\/li>

字符串替换限制<\/strong>：新字符串长度不应超过原字符串，否则可能破坏内存结构。<\/p>
<\/li>
<\/ol>
8. 安全注意事项<\/h2>

必须以root权限运行脚本才能访问\/proc\/[pid]\/mem<\/li>
修改运行中进程的内存可能导致程序崩溃<\/li>
仅用于学习和研究目的<\/li>
<\/ol>
9. 扩展学习<\/h2>

尝试修改其他类型的数据(如整数)<\/li>
研究如何修改栈上的变量<\/li>
了解ELF文件格式与内存映射的关系<\/li>
探索更复杂的数据结构在内存中的布局<\/li>
<\/ol>
通过本教程，你应该已经掌握了如何利用\/proc文件系统访问和修改运行中进程内存的基本技术。这是理解Linux内存管理和进程间通信的重要一步。<\/p>

虚拟内存黑客教学：C字符串与\/proc文件系统<\/h1>

1. 概述<\/h2> 本教程将指导你如何通过\/proc文件系统访问和修改运行中进程的虚拟内存内容，特别是堆中的C字符串。这是"Hack虚拟内存"系列的第一部分，重点介绍基础概念和实际操作。<\/p>

2. 环境准备<\/h2>

3. 虚拟内存基础<\/h2>

4. 关键工具：\/proc文件系统<\/h2> \/proc是一个伪文件系统，提供内核数据结构的接口。我们将重点关注：<\/p>

4.2 \/proc\/[pid]\/mem<\/h3> 可用于访问进程内存页面，通过open、read和lseek系统调用。<\/p>

5. 实践示例<\/h2>

6. 实际操作步骤<\/h2>

1. 概述<\/h2>
本教程将指导你如何通过\/proc文件系统访问和修改运行中进程的虚拟内存内容，特别是堆中的C字符串。这是"Hack虚拟内存"系列的第一部分，重点介绍基础概念和实际操作。<\/p>

4. 关键工具：\/proc文件系统<\/h2>
\/proc是一个伪文件系统，提供内核数据结构的接口。我们将重点关注：<\/p>

4.2 \/proc\/[pid]\/mem<\/h3>
可用于访问进程内存页面，通过open、read和lseek系统调用。<\/p>