From b3ff465812d476203b70299220b247228cc4927e Mon Sep 17 00:00:00 2001 From: firmianay Date: Sat, 30 Dec 2017 12:42:44 +0800 Subject: [PATCH] update 1.3_linux_basic.md --- doc/1.3_linux_basic.md | 196 ++++++++++++++++++++++++++++++++ doc/7.1.1_tcpdump_2017-11543.md | 2 +- 2 files changed, 197 insertions(+), 1 deletion(-) diff --git a/doc/1.3_linux_basic.md b/doc/1.3_linux_basic.md index 25f3ff1..6ee0b3f 100644 --- a/doc/1.3_linux_basic.md +++ b/doc/1.3_linux_basic.md @@ -12,6 +12,7 @@ - [核心转储](#核心转储) - [调用约定](#调用约定) - [环境变量](#环境变量) +- [/proc/[pid]](#procpid) ## 常用基础命令 
@@ -489,3 +490,198 @@ $ file ~/libc.so.6 /home/firmy/libc.so.6: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=088a6e00a1814622219f346b41e775b8dd46c518, for GNU/Linux 2.6.32, stripped ``` 一个在 `interpreter /usr/lib/ld-linux-x86-64.so.2`,而另一个在 `interpreter /lib64/ld-linux-x86-64.so.2`。 + + +## /proc/[pid] +proc 文件系统是 Linux 内核提供的,为访问系统内核数据的操作提供接口。在该文件系统下,有一些以数字命名的目录,这些数字是进程的 PID 号,而这些目录是进程目录。 + +目录下的所有文件如下,然后会介绍几个比较重要的: +``` +$ cat - & +[1] 2865 +$ ls /proc/2865/ +attr cpuset limits ns root statm +autogroup cwd map_files numa_maps sched status +auxv environ maps oom_adj schedstat syscall +cgroup exe mem oom_score setgroups task +clear_refs fd mountinfo oom_score_adj smaps timers +cmdline fdinfo mounts pagemap smaps_rollup timerslack_ns +comm gid_map mountstats personality stack uid_map +coredump_filter io net projid_map stat wchan + +[1]+ Stopped cat - +``` + +#### /proc/[pid]/maps +这个文件大概是最常用的,用于显示进程的内存区域映射信息: +``` +$ cat /proc/2865/maps +5580631c6000-5580631ce000 r-xp 00000000 08:01 4981196 /usr/bin/cat +5580633cd000-5580633ce000 r--p 00007000 08:01 4981196 /usr/bin/cat +5580633ce000-5580633cf000 rw-p 00008000 08:01 4981196 /usr/bin/cat +558063c7d000-558063c9e000 rw-p 00000000 00:00 0 [heap] +7f6301cd7000-7f6302027000 r--p 00000000 08:01 4993768 /usr/lib/locale/locale-archive +7f6302027000-7f63021d5000 r-xp 00000000 08:01 4982395 /usr/lib/libc-2.26.so +7f63021d5000-7f63023d5000 ---p 001ae000 08:01 4982395 /usr/lib/libc-2.26.so +7f63023d5000-7f63023d9000 r--p 001ae000 08:01 4982395 /usr/lib/libc-2.26.so +7f63023d9000-7f63023db000 rw-p 001b2000 08:01 4982395 /usr/lib/libc-2.26.so +7f63023db000-7f63023df000 rw-p 00000000 00:00 0 +7f63023df000-7f6302404000 r-xp 00000000 08:01 4982398 /usr/lib/ld-2.26.so +7f63025c1000-7f63025c3000 rw-p 00000000 00:00 0 +7f63025e1000-7f6302603000 rw-p 00000000 00:00 0 +7f6302603000-7f6302604000 r--p 00024000 08:01 4982398 /usr/lib/ld-2.26.so 
+7f6302604000-7f6302605000 rw-p 00025000 08:01 4982398 /usr/lib/ld-2.26.so +7f6302605000-7f6302606000 rw-p 00000000 00:00 0 +7fff2ab81000-7fff2aba2000 rw-p 00000000 00:00 0 [stack] +7fff2abef000-7fff2abf2000 r--p 00000000 00:00 0 [vvar] +7fff2abf2000-7fff2abf4000 r-xp 00000000 00:00 0 [vdso] +ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] +``` + +#### /proc/[pid]/stack +这个文件表示当前进程的内核调用栈信息: +``` +$ sudo cat /proc/2865/stack +[] do_signal_stop+0xae/0x1f0 +[] get_signal+0x18c/0x5a0 +[] do_signal+0x36/0x610 +[] exit_to_usermode_loop+0x69/0xa0 +[] syscall_return_slowpath+0x9b/0xb0 +[] entry_SYSCALL_64_fastpath+0x7b/0x7d +[] 0xffffffffffffffff +``` + +#### /proc/[pid]/auxv +该文件包含了传递给进程的解释器信息,即 auxv(AUXiliary Vector),每一项都是由一个 unsigned long 长度的 ID 加上一个 unsigned long 长度的值构成: +``` +$ xxd -e -g8 /proc/2865/auxv +00000000: 0000000000000021 00007fff2abf2000 !........ .*.... +00000010: 0000000000000010 00000000bfebfbff ................ +00000020: 0000000000000006 0000000000001000 ................ +00000030: 0000000000000011 0000000000000064 ........d....... +00000040: 0000000000000003 00005580631c6040 ........@`.c.U.. +00000050: 0000000000000004 0000000000000038 ........8....... +00000060: 0000000000000005 0000000000000009 ................ +00000070: 0000000000000007 00007f63023df000 ..........=.c... +00000080: 0000000000000008 0000000000000000 ................ +00000090: 0000000000000009 00005580631c8290 ...........c.U.. +000000a0: 000000000000000b 00000000000003e8 ................ +000000b0: 000000000000000c 00000000000003e8 ................ +000000c0: 000000000000000d 00000000000003e8 ................ +000000d0: 000000000000000e 00000000000003e8 ................ +000000e0: 0000000000000017 0000000000000000 ................ +000000f0: 0000000000000019 00007fff2ab9ff39 ........9..*.... +00000100: 000000000000001a 0000000000000000 ................ +00000110: 000000000000001f 00007fff2aba1feb ...........*.... 
+00000120: 000000000000000f 00007fff2ab9ff49 ........I..*.... +00000130: 0000000000000000 0000000000000000 ................ +``` +每个值具体是做什么的,可以用下面的办法显示出来,对比看一看,更详细的可以查看 `/usr/include/elf.h` 和 `man ld.so`: +``` +$ LD_SHOW_AUXV=1 cat - +AT_SYSINFO_EHDR: 0x7fff6afb3000 +AT_HWCAP: bfebfbff +AT_PAGESZ: 4096 +AT_CLKTCK: 100 +AT_PHDR: 0x557b68217040 +AT_PHENT: 56 +AT_PHNUM: 9 +AT_BASE: 0x7f41e5689000 +AT_FLAGS: 0x0 +AT_ENTRY: 0x557b68219290 +AT_UID: 1000 +AT_EUID: 1000 +AT_GID: 1000 +AT_EGID: 1000 +AT_SECURE: 0 +AT_RANDOM: 0x7fff6aedc0a9 +AT_HWCAP2: 0x0 +AT_EXECFN: /usr/bin/cat +AT_PLATFORM: x86_64 +``` +值得一提的是,`AT_SYSINFO_EHDR` 所对应的值是一个叫做的 VDSO(Virtual Dynamic Shared Object) 的地址。在 ret2vdso 漏洞利用方法中会用到(参考章节6.1.6)。 + +#### /proc/[pid]/environ +该文件包含了进程的环境变量: +``` +$ strings /proc/2865/environ +``` + +#### /proc/[pid]/fd +该文件包含了进程打开文件的情况: +``` +$ ls -al /proc/2865/fd +total 0 +dr-x------ 2 firmy firmy 0 12月 30 11:13 . +dr-xr-xr-x 9 firmy firmy 0 12月 30 11:13 .. +lrwx------ 1 firmy firmy 64 12月 30 12:31 0 -> /dev/pts/2 +lrwx------ 1 firmy firmy 64 12月 30 12:31 1 -> /dev/pts/2 +lrwx------ 1 firmy firmy 64 12月 30 12:31 2 -> /dev/pts/2 +``` + +#### /proc/[pid]/status +该文件包含了进程的状态信息: +``` +$ cat /proc/2865/status +Name: cat +Umask: 0022 +State: T (stopped) +Tgid: 2865 +Ngid: 0 +Pid: 2865 +PPid: 2059 +TracerPid: 0 +Uid: 1000 1000 1000 1000 +Gid: 1000 1000 1000 1000 +FDSize: 256 +Groups: 3 7 10 56 90 91 93 95 96 98 1000 +NStgid: 2865 +NSpid: 2865 +NSpgid: 2865 +NSsid: 2059 +VmPeak: 7828 kB +VmSize: 7828 kB +VmLck: 0 kB +VmPin: 0 kB +VmHWM: 788 kB +VmRSS: 788 kB +RssAnon: 64 kB +RssFile: 724 kB +RssShmem: 0 kB +VmData: 312 kB +VmStk: 132 kB +VmExe: 32 kB +VmLib: 1876 kB +VmPTE: 40 kB +VmPMD: 12 kB +VmSwap: 0 kB +HugetlbPages: 0 kB +Threads: 1 +SigQ: 2/47723 +SigPnd: 0000000000000000 +ShdPnd: 0000000000000000 +SigBlk: 0000000000000000 +SigIgn: 0000000000000000 +SigCgt: 0000000000000000 +CapInh: 0000000000000000 +CapPrm: 0000000000000000 +CapEff: 0000000000000000 +CapBnd: 
0000003fffffffff +CapAmb: 0000000000000000 +NoNewPrivs: 0 +Seccomp: 0 +Cpus_allowed: ff +Cpus_allowed_list: 0-7 +Mems_allowed: 00000001 +Mems_allowed_list: 0 +voluntary_ctxt_switches: 1 +nonvoluntary_ctxt_switches: 0 +``` + +#### /proc/[pid]/syscall +该文件包含了进程正在执行的系统调用: +``` +$ sudo cat /proc/2865/syscall +0 0x0 0x7f63025e2000 0x20000 0x22 0xffffffffffffffff 0x0 0x7fff2ab9f958 0x7f630210ea11 +``` +第一个值是系统调用号,后面跟着是六个参数,最后两个值分别是堆栈指针和指令计数器的值。 diff --git a/doc/7.1.1_tcpdump_2017-11543.md b/doc/7.1.1_tcpdump_2017-11543.md index 7eae322..187e67e 100644 --- a/doc/7.1.1_tcpdump_2017-11543.md +++ b/doc/7.1.1_tcpdump_2017-11543.md @@ -518,7 +518,7 @@ reading from file slip-bad-direction.pcap, link-type SLIP (SLIP) ``` 具体代码的修改如下所示,文件 `print-sl.c` 用于打印 CSLIP(Compressed Serial Line Internet Protocol),即压缩的 SLIP: -```C +```diff $ git diff 09b1185 378ac56 print-sl.c diff --git a/print-sl.c b/print-sl.c index 3fd7e898..a02077b3 100644
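Review bot: in the new TOC entry `- [/proc/[pid]](#procpid)` the link text nests square brackets, which several Markdown renderers mis-parse (the inner `[pid]` can be split off as its own link or shortcut reference). Escaping the inner pair as `- [/proc/\[pid\]](#procpid)` keeps the displayed text identical, and the `#procpid` anchor still matches the heading `## /proc/[pid]` that the second hunk adds, since the slug is generated from the heading with the punctuation dropped.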
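Review bot: the auxv comparison in the new `/proc/[pid]/auxv` subsection mixes two different processes, so the values the reader is told to "compare" do not line up: the `xxd -e -g8 /proc/2865/auxv` dump is from the backgrounded `cat` (PID 2865), but `LD_SHOW_AUXV=1 cat -` starts a fresh `cat`, and with ASLR its addresses differ (`AT_SYSINFO_EHDR` is `0x7fff2abf2000` in the dump versus `0x7fff6afb3000` in the listing, `AT_PHDR` is `0x5580631c6040` versus `0x557b68217040`). Either say explicitly that only the IDs and their order correspond between the two listings, or take both from one process, e.g. `LD_SHOW_AUXV=1 cat - &` followed by `xxd -e -g8 /proc/$!/auxv`, so the values match entry for entry. Three smaller points in the same hunk: `sudo` appears in front of `cat /proc/2865/stack` and `cat /proc/2865/syscall` without explanation, and a sentence saying that these two files are only readable with ptrace-attach permission on the target (see proc(5)), unlike `maps`, `status` and `fd`, would spare readers the "Permission denied" they will otherwise hit; the `/proc/[pid]/environ` subsection is the only one whose command has no output shown, and since the file is NUL-separated, `tr '\0' '\n' < /proc/2865/environ` is the more faithful way to display it than `strings`, which also drops short values; and the heading levels jump from `## /proc/[pid]` straight to `#### /proc/[pid]/maps`, so either `###` for the subsections or a note on why `####` is used would keep the outline consistent with the TOC depth.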
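Review bot: changing the fence from ```` ```C ```` to ```` ```diff ```` in `7.1.1_tcpdump_2017-11543.md` is the right fix, because the block contains `git diff 09b1185 378ac56 print-sl.c` output rather than C source, and `diff` highlighting colours the `+`/`-` lines of the CVE-2017-11543 fix instead of tokenising them as C. The commit subject `update 1.3_linux_basic.md` does not mention that this second file is touched, so consider adding a line to the message so the change is findable from `git log`.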