mirror of https://github.com/nganhkhoa/CTF-All-In-One.git (synced 2025-01-27 05:57:33 +07:00)
add llvm
This commit is contained in:
parent 063b771759
commit 6b41f36a7f
@ -43,6 +43,7 @@
- 在开始编写某一个内容之前,请先在下面的表格里注明,以避免重复和冲突。如果是已经完成的章节,则可以直接进行修改。
- 每个章节开头需要有一个目录,增加或删除内容时需要做相应的修改,关于 GitHub 独特的页面跳转写法请参考 [Page Jumping in Github](https://github.com/firmianay/Life-long-Learner/blob/master/misc/github-tips.md#page-jumping-in-github)。
- [中文文案排版指北](https://github.com/sparanoid/chinese-copywriting-guidelines)
- 如果你新添加一个章节,需要在 **README.md**、**SUMMARY.md** 和章节所属部分相应的文件中添加条目。


| 章节 | 作者 | 进度 |
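Review bot: the first bullet in this hunk requires a chapter to be registered in the table below before anyone starts writing it, and this commit introduces a new 5.6 LLVM chapter; a row for it in the `| 章节 | 作者 | 进度 |` table is not visible in this hunk's context, so either add that row in this same commit or confirm it exists further down, otherwise the README's own contribution rule is broken by the commit that adds the chapter.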
@ -54,6 +54,7 @@
- [5.3 angr 二进制自动化分析](doc/5.3_angr.md)
- [5.4 反调试技术](doc/5.4_antidbg.md)
- [5.5 Symbolic Execution 符号执行技术](doc/5.5_symbolic.md)
- [5.6 LLVM](doc/5.6_llvm.md)

- [六、附录](doc/6_appendix.md)
- [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
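Review bot: the new `- [5.6 LLVM](doc/5.6_llvm.md)` entry links to a file that, in this same commit, contains nothing but a heading; either mark the chapter as a stub in the README progress table or defer the TOC entry until the page has content, so readers do not follow a top-level link to an empty page.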
@ -51,6 +51,7 @@
* [5.3 angr 二进制自动化分析](doc/5.3_angr.md)
* [5.4 反调试技术](doc/5.4_antidbg.md)
* [5.5 Symbolic Execution 符号执行](doc/5.5_symbolic.md)
* [5.6 LLVM](doc/5.6_llvm.md)
* [六、附录](doc/6_appendix.md)
* [6.1 更多 Linux 工具](doc/6.1_Linuxtools.md)
* [6.2 更多 Windows 工具](doc/6.2_wintools.md)
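Review bot: the 5.5 entry here is titled `5.5 Symbolic Execution 符号执行`, while the README hunk and the section index hunk in this same commit use `5.5 Symbolic Execution 符号执行技术`; since all three index files are touched here, align the title in the same change rather than leaving SUMMARY.md as the odd one out. The added `* [5.6 LLVM](doc/5.6_llvm.md)` line itself matches the README entry.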
@ -198,6 +198,9 @@ long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);


## gdb-peda
当 gdb 启动时,它会在当前用户的主目录中寻找一个名为 `.gdbinit` 的文件;如果该文件存在,则 gdb 就执行该文件中的所有命令。通常,该文件用于简单的配置命令。但是 `.gdbinit` 的配置十分繁琐,因此对 gdb 的扩展通常用插件的方式来实现,通过 python 的脚本可以很方便的实现需要的功能。

PEDA(Python Exploit Development Assistance for GDB)是一个强大的 gdb 插件。它提供了高亮显示反汇编代码、寄存器、内存信息等人性化的功能。同时,PEDA 还有一些实用的新命令,比如 checksec 可以查看程序开启了哪些安全机制等等。

#### 安装
```shell
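Review bot: the heading level jumps from `## gdb-peda` straight to `#### 安装` with no `###` in between, which breaks the generated outline; use `###` for 安装 (and the sibling subsections) unless the rest of the chapter deliberately skips a level. In the first added paragraph, `很方便的实现需要的功能` should use the adverbial `地`: `很方便地实现需要的功能`.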
@ -212,29 +215,91 @@ $ yaourt -S peda
```

#### peda命令
- `aslr` - 显示/设置 gdb 的 ASLR
- `checksec` - 检查二进制文件的安全选项
- `dumpargs` - 在调用指令停止时显示传递给函数的参数
- `dumprop` - 在特定的内存范围显示 ROP gadgets
- `elfheader` - 获取正在调试的 ELF 文件的头信息
- `elfsymbol` - 从 ELF 文件中获取没有调试信息的符号信息
- `lookup` - 搜索属于内存范围的地址的所有地址/引用
- `patch` - 使用字符串/十六进制字符串/整形数
- `pattern` - 生成,搜索或写入循环 pattern 到内存
- `procinfo` - 显示调试进程的 /proc/pid/
- `pshow` - 显示各种 PEDA 选项和其他设置
- `pset` - 设置各种PEDA选项和其他设置
- `readelf` - 获取 ELF 的文件头信息
- `ropgadget` - 获取二进制或库的常见 ROP gadgets
- `ropsearch` - 搜索内存中的 ROP gadgets
- `searchmem|find` - 搜索内存中的 pattern; 支持正则表达式搜索
- `shellcode` - 生成或下载常见的 shellcode
- `skeleton` - 生成 python exploit 代码模板
- `vmmap` - 在调试过程中获取段的虚拟映射地址范围
- `xormem` - 用一个 key 来对一个内存区域执行 XOR 操作
- **`aslr`** -- 显示/设置 gdb 的 ASLR
- `asmsearch` -- Search for ASM instructions in memory
- `assemble` -- On the fly assemble and execute instructions using NASM
- **`checksec`** -- 检查二进制文件的安全选项
- `cmpmem` -- Compare content of a memory region with a file
- `context` -- Display various information of current execution context
- `context_code` -- Display nearby disassembly at $PC of current execution context
- `context_register` -- Display register information of current execution context
- `context_stack` -- Display stack of current execution context
- `crashdump` -- Display crashdump info and save to file
- `deactive` -- Bypass a function by ignoring its execution (eg sleep/alarm)
- `distance` -- Calculate distance between two addresses
- **`dumpargs`** -- 在调用指令停止时显示传递给函数的参数
- `dumpmem` -- Dump content of a memory region to raw binary file
- **`dumprop`** -- 在特定的内存范围显示 ROP gadgets
- `eflags` -- Display/set/clear/toggle value of eflags register
- **`elfheader`** -- 获取正在调试的 ELF 文件的头信息
- **`elfsymbol`** -- 从 ELF 文件中获取没有调试信息的符号信息
- `gennop` -- Generate abitrary length NOP sled using given characters
- `getfile` -- Get exec filename of current debugged process
- `getpid` -- Get PID of current debugged process
- `goto` -- Continue execution at an address
- `help` -- Print the usage manual for PEDA commands
- `hexdump` -- Display hex/ascii dump of data in memory
- `hexprint` -- Display hexified of data in memory
- `jmpcall` -- Search for JMP/CALL instructions in memory
- `loadmem` -- Load contents of a raw binary file to memory
- **`lookup`** -- 搜索属于内存范围的地址的所有地址/引用
- `nearpc` -- Disassemble instructions nearby current PC or given address
- `nextcall` -- Step until next 'call' instruction in specific memory range
- `nextjmp` -- Step until next 'j*' instruction in specific memory range
- `nxtest` -- Perform real NX test to see if it is enabled/supported by OS
- **`patch`** -- 使用字符串/十六进制字符串/整形数
- **`pattern`** -- 生成,搜索或写入循环 pattern 到内存
- `pattern_arg` -- Set argument list with cyclic pattern
- `pattern_create` -- Generate a cyclic pattern
- `pattern_env` -- Set environment variable with a cyclic pattern
- `pattern_offset` -- Search for offset of a value in cyclic pattern
- `pattern_patch` -- Write a cyclic pattern to memory
- `pattern_search` -- Search a cyclic pattern in registers and memory
- `payload` -- Generate various type of ROP payload using ret2plt
- `pdisass` -- Format output of gdb disassemble command with colors
- `pltbreak` -- Set breakpoint at PLT functions match name regex
- **`procinfo`** -- 显示调试进程的 /proc/pid/
- `profile` -- Simple profiling to count executed instructions in the program
- `pyhelp` -- Wrapper for python built-in help
- **`pshow`** -- 显示各种 PEDA 选项和其他设置
- **`pset`** -- 设置各种 PEDA 选项和其他设置
- **`readelf`** -- 获取 ELF 的文件头信息
- `refsearch` -- Search for all references to a value in memory ranges
- `reload` -- Reload PEDA sources, keep current options untouch
- **`ropgadget`** -- 获取二进制或库的常见 ROP gadgets
- **`ropsearch`** -- 搜索内存中的 ROP gadgets
- **`searchmem|find`** -- 搜索内存中的 pattern; 支持正则表达式搜索
- `searchmem` -- Search for a pattern in memory; support regex search
- `session` -- Save/restore a working gdb session to file as a script
- `set` -- Set various PEDA options and other settings
- `sgrep` -- Search for full strings contain the given pattern
- **`shellcode`** -- 生成或下载常见的 shellcode
- `show` -- Show various PEDA options and other settings
- **`skeleton`** -- 生成 python exploit 代码模板
- `skipi` -- Skip execution of next count instructions
- `snapshot` -- Save/restore process's snapshot to/from file
- `start` -- Start debugged program and stop at most convenient entry
- `stepuntil` -- Step until a desired instruction in specific memory range
- `strings` -- Display printable strings in memory
- `substr` -- Search for substrings of a given string/number in memory
- `telescope` -- Display memory content at an address with smart dereferences
- `tracecall` -- Trace function calls made by the program
- `traceinst` -- Trace specific instructions executed by the program
- `unptrace` -- Disable anti-ptrace detection
- `utils` -- Miscelaneous utilities from utils module
- **`vmmap`** -- 在调试过程中获取段的虚拟映射地址范围
- `waitfor` -- Try to attach to new forked process; mimic "attach -waitfor"
- `xinfo` -- Display detail information of address/registers
- **`xormem`** -- 用一个 key 来对一个内存区域执行 XOR 操作
- `xprint` -- Extra support to GDB's print command
- `xrefs` -- Search for all call/data access references to a function/variable
- `xuntil` -- Continue execution until an address or function


#### 更多资料
http://ropshell.com/peda/


## GEF/pwndbg
除了 peda 外还有一些优秀的 gdb 增强工具,功能大致相同,可以看情况选用。
除了 PEDA 外还有一些优秀的 gdb 增强工具,功能大致相同,可以看情况选用。
- [GEF](https://github.com/hugsy/gef) - Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers
- [pwndbg](https://github.com/pwndbg/pwndbg) - Exploit Development and Reverse Engineering with GDB Made Easy
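Review bot: the expanded command list now carries the same command under two names: `searchmem|find` and `searchmem`, `pshow` and `show`, `pset` and `set`; merge each pair into one entry (the alias can go in the description) so the list stays one-line-per-command. The `patch` line is truncated: `使用字符串/十六进制字符串/整形数` says what to patch with but not that it patches memory, and `整形数` should be `整型数`. The English descriptions pasted from PEDA's help text keep its typos (`abitrary`, `Miscelaneous`, `keep current options untouch`, `Display hexified of data`); since the twenty bolded entries are already in Chinese, translate the rest for consistency and fix the typos while doing so. Minor: the `更多资料` link is plain `http://`.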
@ -1,8 +1,26 @@
# 2.5 IDA Pro

- [常用插件](#常用插件)
- [内存 dump 脚本](#内存-dump-脚本)


## 常用插件
- [IDA FLIRT Signature Database](https://github.com/push0ebp/sig-database) -- 用于识别静态编译的可执行文件中的库函数
- [Find Crypt](https://github.com/polymorf/findcrypt-yara) -- 寻找常用加密算法中的常数(需要安装 [yara-python](https://github.com/VirusTotal/yara-python))
- [IDA signsrch](https://github.com/nihilus/IDA_Signsrch) -- 寻找二进制文件所使用的加密、压缩算法
- [Ponce](https://github.com/illera88/Ponce) -- 污点分析和符号化执行工具
- [snowman decompiler](https://github.com/yegord/snowman/tree/v0.1.0) -- C/C++反汇编插件(F3 进行反汇编)
- [keystone](https://github.com/keystone-engine/keypatch) -- 二进制文件修改工具,可以直接修改汇编
- [CodeXplorer](https://github.com/REhints/HexRaysCodeXplorer) -- 自动类型重建以及对象浏览(C++)(jump to disasm)
- [IDA Ref](https://github.com/nologic/idaref) -- 汇编指令注释(支持arm,x86,mips)
- [auto re](https://github.com/a1ext/auto_re) -- 函数自动重命名
- [nao](https://github.com/tkmru/nao) -- dead code 清除
- [HexRaysPyTools](https://github.com/igogo-x86/HexRaysPyTools) -- 类/结构体创建和虚函数表检测
- [DIE](https://github.com/ynvb/DIE) -- 动态调试增强工具,保存函数调用上下文信息
- [sk3wldbg](https://github.com/cseagle/sk3wldbg) -- IDA动态调试器,支持多平台
- [idaemu](https://github.com/36hours/idaemu) -- 模拟代码执行(支持X86、ARM平台)


#### 内存 dump 脚本
调试程序时偶尔会需要 dump 内存,但 IDA Pro 没有直接提供此功能,可以通过脚本来实现。
```python
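Review bot: the `snowman decompiler` entry is described as `C/C++反汇编插件(F3 进行反汇编)`, but snowman is a decompiler, so both occurrences should read 反编译. The `keystone` entry links to the keypatch repository; name it Keypatch (the IDA plugin built on Keystone) so the name matches the link. The TOC at the top lists `内存 dump 脚本` as a sibling of `常用插件`, yet the heading is `#### 内存 dump 脚本` under `## 常用插件`; make it `##` so the TOC anchor and the outline agree. The hunk is cut off right after the opening ```` ```python ```` fence, so the dump script itself cannot be reviewed from this page.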
1
doc/5.6_llvm.md
Normal file
@ -0,0 +1 @@
# 5.6_LLVM
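Review bot: the new chapter file is a single heading, `# 5.6_LLVM`, with the underscore from the filename leaking into the title; the other chapter files in this commit use the `# 2.5 IDA Pro` form (number, space, title), and the README rule changed in this same commit requires every chapter to open with a table of contents, so at minimum rename the heading to `# 5.6 LLVM` and add the TOC skeleton, or hold the file until there is content to commit.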
@ -5,3 +5,4 @@
- [5.3 angr 二进制自动化分析](5.3_angr.md)
- [5.4 反调试技术](5.4_antidbg.md)
- [5.5 Symbolic Execution 符号执行技术](5.5_symbolic.md)
- [5.6 LLVM](5.6_llvm.md)
@ -33,6 +33,11 @@ bs=BYTES read and write up to BYTES bytes at a time
$ dd if=[file1] of=[file2] skip=[size] bs=[bytes]
```

dump 运行时的内存镜像:
- `cat /proc/<pid>/maps`
- 找到内存中 text 段和 data 段
- `dd if=/proc/<pid>/mem of=/path/a.out skip=xxxx bs= 1 count=xxxx`


## file
**file** 命令用来探测给定文件的类型。
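Review bot: `bs= 1` in the added dd line has a stray space; dd parses each operand as one `name=value` word, so `bs=` (empty value) and a bare `1` are two operands and the command errors out. Write `skip=xxxx bs=1 count=xxxx`, and say in the preceding step that with `bs=1` both `skip` and `count` are byte values taken from the segment's start address and (end minus start) in `/proc/<pid>/maps`, which "找到内存中 text 段和 data 段" currently leaves implicit. Also worth a sentence: reading `/proc/<pid>/mem` requires ptrace access to the target process (same user with a permissive `kernel.yama.ptrace_scope`, or root), otherwise dd fails with a permission error even though the file is visible.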
@ -13,10 +13,14 @@
- [Stanford Computer Security Laboratory](http://seclab.stanford.edu/)
- [CS642 Fall 2014: Computer Security](http://pages.cs.wisc.edu/~rist/642-fall-2014/)
- [Offensive Computer Security Spring 2014](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/)
- [System Security and Binary Code Analysis](http://www.utdallas.edu/~zhiqiang.lin/spring2012.html#toc7)
- [System Security and Binary Code Analysis](http://www.utdallas.edu/~zhiqiang.lin/spring2012.html)
- [SATSMT Summer School 2011](https://wikis.mit.edu/confluence/display/satsmtschool11/SATSMT+Summer+School+2011;jsessionid=994854C69CABD6B1DC53F381A3CFF5E8)
- [CS 161 : Computer Security Spring 2017](https://www.icir.org/vern/cs161-sp17/)
- [Introduction to Computer Security Fall 2015](https://users.ece.cmu.edu/~dbrumley/courses/18487-f15/#lectures)
- [格式化字符串blind pwn详细教程](http://bobao.360.cn/ctf/detail/189.html)
- [软件分析技术](http://sei.pku.edu.cn/~xiongyf04/SA/2016/main.htm)
- [Compiler Design](http://www.cs.cmu.edu/~fp/courses/15411-f14/index.html)
- [Optimizing Compilers](http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15745-s14/www/index.html)


## 站点
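Review bot: the `System Security and Binary Code Analysis` entry appears twice, differing only in the `#toc7` fragment; if the intent is to drop the fragment, make sure only the fragment-less line survives in the result. Of the four new entries, `格式化字符串blind pwn详细教程` is a single article rather than a course and sits in a list of university courses; move it to the articles list, and add a space between `格式化字符串` and `blind pwn` per the 中文文案排版指北 the README points to. The `SATSMT Summer School` URL still embeds a `;jsessionid=...` session token, which should be stripped from a link that is meant to be shared.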