堆喷射
堆噴射主要用于繞過ASLR。下面演示堆噴射分析與效果。
1.代碼
void heap_spray()
{
char chunk[LEN] = { 0 };
memset(chunk, 0x90, LEN - 10);
strcat(chunk, "shellcode");
for (int i = 0;i < 100;i++)
{
void *p = malloc(LEN);
strcpy((char *)p, chunk);
printf("spray %d\n", i);
}
}
2.windbg分析
- ?!heap -stat:堆統計信息
_HEAP 002a0000
Segments 00000001
Reserved bytes 00100000
Committed bytes 0009c000
VirtAllocBlocks 00000000
VirtAlloc bytes 00000000
_HEAP 00020000...
-
?!heap -stat -h 002a0000//查看segement 2a0000堆塊大小統計情況
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
1000 65 - 65000 (94.88)//大小為0x1000,共0x65個,占比94.88%,可見堆噴射效果較好
20 6e - dc0 (0.81)
c00 1 - c00 (0.70)
bec 1 - bec (0.70... -
??!heap -flt s 1000:列出所有大小為0x1000的堆塊
_HEAP @ 2a0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
002c9e50 0201 0000 [00] 002c9e58 01000 - (busy)
002cae58 0201 0201 [00] 002cae60 01000 - (free)
002cbe60 0201 0201 [00] 002cbe68 01000 - (busy)
002cce68 0201 0201 [00] 002cce70 01000 - (busy)
002cde70 0201 0201 [00] 002cde78 01000 - (busy)
002cee78 0201 0201 [00] 002cee80 01000 - (busy)
?
-
0:000> dc 0032df90+0x1000-10//驗證到順序分配,并且相臨。同時包含0x8的堆頭。一個堆塊大小為0x1000+0x8.
0032ef80 90909090 68739090 636c6c65 0065646f ......shellcode.
0032ef90 1a394b70 88000000 90909090 90909090 pK9.............
0032efa0 90909090 90909090 90909090 90909090 ................ -
?!address:使用address查看內存屬性
BaseAddr EndAddr+1 RgnSize Type State Protect Usage
-----------------------------------------------------------------------------------------------
+ 0 10000 10000 MEM_FREE PAGE_NOACCESS Free
+ 10000 20000 10000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap [ID: 1; Handle: 00010000; Type: Segment]
+ 20000 30000 10000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap
Type:
| MEM_IMAGE | 映射的文件屬于可執行映像一部分的內存。 |
| MEM_MAPPED | 映射的文件不屬于可執行映像一部分的內存。這種內存包含哪些從頁面文件映射的內存。 |
| MEM_PRIVATE | 私有的(即不和其他進程共享)并且未用來映射任何文件的內存。 |
?
State
| MEM_COMMIT | 當前已提交給目標使用的所有內存。已經在物理內存或者頁面文件中為這些內存分配了物理的存儲空間。 |
| MEM_RESERVE | 所有為目標以后的使用保留的內存。這種內存還沒有分配物理上的存儲空間。 |
| MEM_FREE | 目標虛擬地址空間中所有可用內存。包括所有未提交并且未保留的內存。該Filter?值和RegionUsageFree一樣。 |
?
?
? ? ? ? ? ?Protect:
| PAGE_NOACCESS | Memory that cannot be accessed. |
| PAGE_READONLY | Memory that is readable, but not writable and not executable. |
| PAGE_READWRITE | Memory that is readable and writable, but not executable. |
| PAGE_WRITECOPY | Memory that has copy-on-write behavior. |
| PAGE_EXECUTE | Memory that is executable, but not readable and not writeable. |
| PAGE_EXECUTE_READ | Memory that is executable and readable, but not writable. |
| PAGE_EXECUTE_READWRITE | Memory that is executable, readable, and writable. |
| PAGE_EXECUTE_WRITECOPY | Memory that is executable and has copy-on-write behavior. |
| PAGE_GUARD | Memroy that acts as a guard page. |
| PAGE_NOCACHE | Memory that is not cached. |
| PAGE_WRITECOMBINE | Memory that has write-combine access enabled. |
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
-
!address 0032df90
Usage: Heap
Base Address: 002a0000
End Address: 0033c000
Region Size: 0009c000 ( 624.000 kB)
State: 00001000 MEM_COMMIT//已經在物理內存中分配
Protect: 00000004 PAGE_READWRITE//可讀寫,但不可執行
Type: 00020000 MEM_PRIVATE
Allocation Base: 002a0000
Allocation Protect: 00000004 PAGE_READWRITE - 修改寄存器命令?
r @eax=1 ?//將eax置為1
修改內存命令
ed 80505648 00001234
轉載于:https://www.cnblogs.com/studyskill/p/7404450.html
總結
- 上一篇: Fluid mechanics学习笔记-
- 下一篇: PG数据库插件扩展搭建(一)