如何在Python中調用linux系統調用PROCESS_VM_READV？

Question

我正試圖學習如何在Python中調用PROCESS_VM_READV。從the manual閱讀，我決定創建一個類似於他們的例子。

我已經打開python3在終端與root權限。然後，通過導入&初始化需要的模塊和變量

import ctypes 
libc = ctypes.CDLL('libc.so.6') 
vm=libc.process_vm_readv 

在這個例子中進行，有一個名爲iovec一個結構。所以，我需要在Python來重新創建它

class iovec(ctypes.Structure): 
    _fields_=[("iov_base",ctypes.c_void_p),("iov_len",ctypes.c_int)] 

然後創建變量的本地和遠程

p1=ctypes.c_char_p(b"") 
p1=ctypes.cast(p1,ctypes.c_void_p) 
local=iovec(p1,10) 
remote=iovec(0x00400000,20) # Address of ELF header 

最後，調用PROCESS_VM_READV與KMines

的PID

vm(2242,local,2,remote,1,0) 

但它返回-1，本地或遠程的iov_base沒有變化。我覺得我在這裏犯了一個非常簡單的錯誤，但不能完全放下手腳。

任何幫助表示讚賞，祝你有美好的一天。

Answer 1

可能爲時已晚在這裏，但我卻能從process_vm_readv here

我們需要傳遞一個有效可讀的遠程地址，用於測試目的，我編一個簡單的Hello World和使用gdb來的人複製的例子讀一個有效的地址

(gdb) break main 
Breakpoint 1 at 0x5a9: file hello.c, line 4. 
(gdb) run 
Starting program: /user/Desktop/hello 
=> 0x800005a9 <main+25>: sub esp,0xc 
    0x800005ac <main+28>: lea edx,[eax-0x19b0] 
    0x800005b2 <main+34>: push edx 
    0x800005b3 <main+35>: mov ebx,eax 
    0x800005b5 <main+37>: call 0x800003f0 <puts@plt> 
    0x800005ba <main+42>: add esp,0x10 
    0x800005bd <main+45>: nop 
    0x800005be <main+46>: lea esp,[ebp-0x8] 
    0x800005c1 <main+49>: pop ecx 
    0x800005c2 <main+50>: pop ebx 
(gdb) x/20b 0x800005a9 
0x800005a9 <main+25>: 0x83 0xec 0x0c 0x8d 0x90 0x50 0xe6 0xff 
0x800005b1 <main+33>: 0xff 0x52 0x89 0xc3 0xe8 0x36 0xfe 0xff 
0x800005b9 <main+41>: 0xff 0x83 0xc4 0x10 

下面是Python代碼來獲取相同的結果

from ctypes import * 

class iovec(Structure): 
    _fields_ = [("iov_base",c_void_p),("iov_len",c_size_t)] 

local = (iovec*2)()    #create local iovec array 
remote = (iovec*1)()[0]  #create remote iovec 
buf1 = (c_char*10)() 
buf2 = (c_char*10)() 
pid = 25117 

local[0].iov_base = cast(byref(buf1),c_void_p) 
local[0].iov_len = 10 
local[1].iov_base = cast(byref(buf2),c_void_p) 
local[1].iov_len = 10 
remote.iov_base = c_void_p(0x800005a9)  #pass valid readable address 
remote.iov_len = 20 


libc = CDLL("libc.so.6") 
vm = libc.process_vm_readv 

vm.argtypes = [c_int, POINTER(iovec), c_ulong, POINTER(iovec), c_ulong, c_ulong] 

nread = vm(pid,local,2,remote,1,0) 

if nread != -1: 
    bytes = "[+] " 
    print "[+] received %s bytes" % (nread) 
    for i in buf1: bytes += hex(ord(i)) + " " 
    for i in buf2: bytes += hex(ord(i)) + " " 
    print bytes 

輸出

user@ubuntu:~/Desktop# python process_vm_readv.py 
[+] received 20 bytes 
[+] 0x83 0xec 0xc 0x8d 0x90 0x50 0xe6 0xff 0xff 0x52 0x89 0xc3 0xe8 0x36 0xfe 0xff 0xff 0x83 0xc4 0x10