
Finding virtual memory address of variable on osx

Consider the following code in mono/domain.c:

static MonoDomain *mono_root_domain = NULL;
   ...
MonoDomain* mono_get_root_domain (void)
{
        return mono_root_domain;
}

My task is to read the struct data pointed to by the mono_root_domain pointer at runtime from another process. (Attaching, reading, locating dylibs, etc. from this other process is solved already.)

Looking into the generated libmono dylib I can find the corresponding symbol:

[image: the _mono_root_domain symbol]

This symbol points to the address 0x2621A8, which is in the local relocation section (__DATA, __bss):

[image: local relocation entry]

This points to the address 0x1A7690 (__TEXT, __symbol_stub):

[image: indirect symbol stub]

The target is

[image: target]

so 0x1A7DF8 (__TEXT, __stub_helper):

[image: stub helper]

At this point I am completely lost as to how to retrieve the actual pointer to the MonoDomain struct. Any help is appreciated.

For security reasons and to prevent buffer overflow attacks and other exploits, you can't know that, because of a security measure called PIE or ASLR (address space layout randomization). However, this can be disabled for debugging purposes. LLDB and GDB do/did it in order to debug executables. The way this can be done with a CLI app is as follows:

  1. Copy or download this python script from GitHub https://github.com/thlorenz/chromium-build/blob/master/mac/change_mach_o_flags.py
  2. Save the python script, for example, next to your executable
  3. If so, open Terminal and cd to where your executable is
  4. enter chmod +x ./change_mach_o_flags.py to make the script executable
  5. enter ./change_mach_o_flags.py --no-pie ./YourExecutable

Now the addresses of your executable should not be randomized anymore. Because of that, calculating the addresses of your static / global variables is possible. To do that, do the following in Terminal (I am assuming you are using a 64-bit machine):

  1. otool -v -l ./YourExecutable | open -f (this will generate a text file with the load commands inside your executable describing how to lay out DATA, TEXT, etc. in memory)

  2. Look for the section you are interested in. Look at the addr field. If it contains, let's say, 0x0000000100001020 then the variable will be placed exactly there with ASLR disabled.

I am not sure if this works with dylibs but you can try it. Now I ran out of time, but I can try at home and see if this is doable with dylibs.
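As an added example (not code from the question, the answer, or the Mono project), the following parses the section layout that `otool -l` prints, names the section that holds an unslid address such as the 0x2621A8 of `_mono_root_domain`, and computes where that address lands at runtime from the ASLR slide of the `__TEXT` segment; it generalizes the answer's otool step to the dylib case, where the slide is non-zero even without disabling PIE. The otool excerpt and the load address 0x10a3c4000 used below are constructed sample values.

```python
import re

# Constructed `otool -l` excerpt for a dylib (not real libmono output): a dylib's
# __TEXT vmaddr is normally 0, so dyld always slides it; __bss is placed to contain 0x2621A8.
SAMPLE_OTOOL_L = """\
Load command 1
      cmd LC_SEGMENT_64
  segname __TEXT
   vmaddr 0x0000000000000000
Section
  sectname __stub_helper
   segname __TEXT
      addr 0x00000000001a7d00
      size 0x0000000000001000
Load command 2
      cmd LC_SEGMENT_64
  segname __DATA
   vmaddr 0x0000000000260000
Section
  sectname __bss
   segname __DATA
      addr 0x0000000000262000
      size 0x0000000000002000
"""

def parse_otool_l(text):
    """Split otool -l output into segment and section dicts keyed by field name."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("Load command"):
            blocks.append({"_kind": "segment"})
        elif line.startswith("Section"):
            blocks.append({"_kind": "section"})
        elif blocks and (m := re.match(r"\s*(\w+)\s+(\S+)", line)):
            blocks[-1][m.group(1)] = m.group(2)
    segs = [b for b in blocks if b["_kind"] == "segment" and b.get("cmd", "").startswith("LC_SEGMENT")]
    return segs, [b for b in blocks if b["_kind"] == "section"]

def section_of(sections, unslid_addr):
    """Name the (segname, sectname) whose [addr, addr + size) holds the unslid address."""
    for s in sections:
        addr, size = int(s["addr"], 16), int(s["size"], 16)
        if addr <= unslid_addr < addr + size:
            return s["segname"], s["sectname"]
    return None

def runtime_address(segments, unslid_addr, text_load_addr):
    """Slide = observed __TEXT load address minus the file's __TEXT vmaddr; all addresses move by it."""
    text = next(s for s in segments if s["segname"] == "__TEXT")
    return unslid_addr + (text_load_addr - int(text["vmaddr"], 16))
```

With a dylib the observed `__TEXT` load address comes from the image list of the target process (the part the question says is already solved), so the slide is simply that address when the file's vmaddr is 0.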
