/proc/self/mem allows arbitrary access to image virtual memory
from logging import getLogger, basicConfig, INFO
from os.path import realpath
from re import compile  # NOTE: shadows the builtin compile(); kept for compatibility
from sys import executable

logger = getLogger(__name__)
basicConfig(level=INFO)

# One line of /proc/self/maps looks like this (address range first, then
# permissions, file offset, device, inode and the backing path, if any):
#   4f2616000-4f2618000 r-xp 00000000 fe:02 3467051 /usr/bin/python3.6
# Only the two hex addresses are captured; the rest of the line is matched
# and discarded.
PATTERN = compile(r'^([0-9a-f]+)-([0-9a-f]+).+$')
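def main():
    """Overwrite an immutable ``bytes`` object in this process through ``/proc/self/mem``.

    Demonstration only.  ``x`` is a ``bytes`` literal, immutable at the Python
    level, yet after the scan-and-patch below the AFTER log line is expected
    to show it holding the contents of ``y``.  The steps are:

    1. read ``/proc/self/maps`` to learn every mapped address range;
    2. read each range back through ``/proc/self/mem`` and record the
       address of the first occurrence of ``x`` in it;
    3. write ``y`` at every recorded address.

    ``y`` must be exactly as long as ``x`` so the patch stays inside the
    original object's storage; a length mismatch raises ``ValueError``.

    Only the calling process is touched (``self``).  Access to
    ``/proc/<pid>/mem`` is subject to the same permission check as
    ``ptrace``, so this shows a property of process-memory access, not a
    privilege boundary being crossed; as the gist title says, the file gives
    arbitrary access to the image's virtual memory, which is why even a
    constant that Python treats as immutable can be rewritten.  From a
    defender's view, a process opening ``/proc/<pid>/mem`` for writing is a
    well-known self-patching primitive and is worth auditing.

    BEFORE/AFTER values are logged at INFO.  Mappings that cannot be read
    and addresses that cannot be written are logged at DEBUG and skipped
    instead of being silently swallowed; any other exception propagates.
    """
    x = b'==sentinel value=='
    y = b'==xxxxxxxxxxxxxx=='
    # Equal lengths keep the write inside x's own storage.
    if len(x) != len(y):
        raise ValueError('replacement must have the same length as the sentinel')

    logger.info(f'BEFORE: x = {x!r}')
    logger.info(f'BEFORE: y = {y!r}')

    # Scan first, patch second: no writes happen while regions are still
    # being read back.
    memory_ranges = _mapped_ranges()
    memory_offsets = _find_first_in_each_range(memory_ranges, x)
    _patch(memory_offsets, y)

    logger.info(f'AFTER: x = {x!r}')
    logger.info(f'AFTER: y = {y!r}')


def _mapped_ranges():
    """Return ``[(start, end), ...]`` for every parsable line of ``/proc/self/maps``.

    A line that does not match ``PATTERN`` is logged at DEBUG and skipped
    rather than failing with ``AttributeError`` on ``None.groups()``.
    """
    ranges = []
    with open('/proc/self/maps') as maps:
        for line in maps:
            match = PATTERN.search(line)
            if match is None:
                logger.debug('unparsed maps line: %r', line)
                continue
            start, end = (int(part, 16) for part in match.groups())
            ranges.append((start, end))
    return ranges


def _find_first_in_each_range(ranges, needle):
    """Return the absolute address of the first ``needle`` in each readable range.

    Each range is read in one go through ``/proc/self/mem``.  Three failure
    modes are expected and are logged at DEBUG, then skipped:

    * ``OSError`` -- the kernel refuses to read the mapping back (special
      regions such as ``[vvar]`` typically do this);
    * ``OverflowError`` -- the start address does not fit the signed file
      offset ``seek`` takes (the ``[vsyscall]`` page at the top of the
      address space is the usual case);
    * ``MemoryError`` -- a very large reservation cannot be copied out whole.
    """
    offsets = []
    with open('/proc/self/mem', 'rb') as mem:
        for start, end in ranges:
            try:
                mem.seek(start)
                region = mem.read(end - start)
            except (OSError, OverflowError, MemoryError) as exc:
                logger.debug('cannot read %#x-%#x: %s', start, end, exc)
                continue
            position = region.find(needle)
            if position != -1:
                offsets.append(start + position)
    return offsets


def _patch(offsets, payload):
    """Write ``payload`` at each absolute address in ``offsets``.

    The file is opened ``r+b`` (no truncate flag) and unbuffered, so every
    ``write`` is issued immediately and a rejected write is reported against
    the offset it belongs to instead of surfacing on a later ``seek`` or on
    close.  Failures are logged at DEBUG and skipped.
    """
    with open('/proc/self/mem', 'r+b', buffering=0) as mem:
        for offset in offsets:
            try:
                mem.seek(offset)
                written = mem.write(payload)
            except OSError as exc:
                logger.debug('cannot write at %#x: %s', offset, exc)
                continue
            if written != len(payload):
                logger.debug('short write at %#x: %d of %d bytes', offset, written, len(payload))
            else:
                logger.debug(f'wrote {payload} at {offset}')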
# Run the demonstration only when executed as a script, not on import.
if __name__ == '__main__':
    main()