update 1.3_linux_basic.md

This commit is contained in:
firmianay 2017-12-30 12:42:44 +08:00
parent af7e3a810a
commit b3ff465812
2 changed files with 197 additions and 1 deletions

View File

@ -12,6 +12,7 @@
- [核心转储](#核心转储) - [核心转储](#核心转储)
- [调用约定](#调用约定) - [调用约定](#调用约定)
- [环境变量](#环境变量) - [环境变量](#环境变量)
- [/proc/[pid]](#procpid)
## 常用基础命令 ## 常用基础命令
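Review bot: the new TOC entry `- [/proc/[pid]](#procpid)` puts unescaped square brackets inside the link text; most renderers accept the balanced `[pid]`, but writing it as `[/proc/\[pid\]](#procpid)` removes the ambiguity and leaves the `#procpid` anchor unchanged, since the heading itself is not touched.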
@ -489,3 +490,198 @@ $ file ~/libc.so.6
/home/firmy/libc.so.6: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=088a6e00a1814622219f346b41e775b8dd46c518, for GNU/Linux 2.6.32, stripped /home/firmy/libc.so.6: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=088a6e00a1814622219f346b41e775b8dd46c518, for GNU/Linux 2.6.32, stripped
``` ```
一个在 `interpreter /usr/lib/ld-linux-x86-64.so.2`,而另一个在 `interpreter /lib64/ld-linux-x86-64.so.2` 一个在 `interpreter /usr/lib/ld-linux-x86-64.so.2`,而另一个在 `interpreter /lib64/ld-linux-x86-64.so.2`
## /proc/[pid]
proc 文件系统是 Linux 内核提供的,为访问系统内核数据的操作提供接口。在该文件系统下,有一些以数字命名的目录,这些数字是进程的 PID 号,而这些目录是进程目录。
目录下的所有文件如下,然后会介绍几个比较重要的:
```
$ cat - &
[1] 2865
$ ls /proc/2865/
attr cpuset limits ns root statm
autogroup cwd map_files numa_maps sched status
auxv environ maps oom_adj schedstat syscall
cgroup exe mem oom_score setgroups task
clear_refs fd mountinfo oom_score_adj smaps timers
cmdline fdinfo mounts pagemap smaps_rollup timerslack_ns
comm gid_map mountstats personality stack uid_map
coredump_filter io net projid_map stat wchan
[1]+ Stopped cat -
```
#### /proc/[pid]/maps
这个文件大概是最常用的,用于显示进程的内存区域映射信息:
```
$ cat /proc/2865/maps
5580631c6000-5580631ce000 r-xp 00000000 08:01 4981196 /usr/bin/cat
5580633cd000-5580633ce000 r--p 00007000 08:01 4981196 /usr/bin/cat
5580633ce000-5580633cf000 rw-p 00008000 08:01 4981196 /usr/bin/cat
558063c7d000-558063c9e000 rw-p 00000000 00:00 0 [heap]
7f6301cd7000-7f6302027000 r--p 00000000 08:01 4993768 /usr/lib/locale/locale-archive
7f6302027000-7f63021d5000 r-xp 00000000 08:01 4982395 /usr/lib/libc-2.26.so
7f63021d5000-7f63023d5000 ---p 001ae000 08:01 4982395 /usr/lib/libc-2.26.so
7f63023d5000-7f63023d9000 r--p 001ae000 08:01 4982395 /usr/lib/libc-2.26.so
7f63023d9000-7f63023db000 rw-p 001b2000 08:01 4982395 /usr/lib/libc-2.26.so
7f63023db000-7f63023df000 rw-p 00000000 00:00 0
7f63023df000-7f6302404000 r-xp 00000000 08:01 4982398 /usr/lib/ld-2.26.so
7f63025c1000-7f63025c3000 rw-p 00000000 00:00 0
7f63025e1000-7f6302603000 rw-p 00000000 00:00 0
7f6302603000-7f6302604000 r--p 00024000 08:01 4982398 /usr/lib/ld-2.26.so
7f6302604000-7f6302605000 rw-p 00025000 08:01 4982398 /usr/lib/ld-2.26.so
7f6302605000-7f6302606000 rw-p 00000000 00:00 0
7fff2ab81000-7fff2aba2000 rw-p 00000000 00:00 0 [stack]
7fff2abef000-7fff2abf2000 r--p 00000000 00:00 0 [vvar]
7fff2abf2000-7fff2abf4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
```
#### /proc/[pid]/stack
这个文件表示当前进程的内核调用栈信息:
```
$ sudo cat /proc/2865/stack
[<ffffffffa008d05e>] do_signal_stop+0xae/0x1f0
[<ffffffffa008e50c>] get_signal+0x18c/0x5a0
[<ffffffffa002ac26>] do_signal+0x36/0x610
[<ffffffffa0003019>] exit_to_usermode_loop+0x69/0xa0
[<ffffffffa00038eb>] syscall_return_slowpath+0x9b/0xb0
[<ffffffffa06926e4>] entry_SYSCALL_64_fastpath+0x7b/0x7d
[<ffffffffffffffff>] 0xffffffffffffffff
```
#### /proc/[pid]/auxv
该文件包含了传递给进程的解释器信息,即 auxv(AUXiliary Vector),每一项都是由一个 unsigned long 长度的 ID 加上一个 unsigned long 长度的值构成:
```
$ xxd -e -g8 /proc/2865/auxv
00000000: 0000000000000021 00007fff2abf2000 !........ .*....
00000010: 0000000000000010 00000000bfebfbff ................
00000020: 0000000000000006 0000000000001000 ................
00000030: 0000000000000011 0000000000000064 ........d.......
00000040: 0000000000000003 00005580631c6040 ........@`.c.U..
00000050: 0000000000000004 0000000000000038 ........8.......
00000060: 0000000000000005 0000000000000009 ................
00000070: 0000000000000007 00007f63023df000 ..........=.c...
00000080: 0000000000000008 0000000000000000 ................
00000090: 0000000000000009 00005580631c8290 ...........c.U..
000000a0: 000000000000000b 00000000000003e8 ................
000000b0: 000000000000000c 00000000000003e8 ................
000000c0: 000000000000000d 00000000000003e8 ................
000000d0: 000000000000000e 00000000000003e8 ................
000000e0: 0000000000000017 0000000000000000 ................
000000f0: 0000000000000019 00007fff2ab9ff39 ........9..*....
00000100: 000000000000001a 0000000000000000 ................
00000110: 000000000000001f 00007fff2aba1feb ...........*....
00000120: 000000000000000f 00007fff2ab9ff49 ........I..*....
00000130: 0000000000000000 0000000000000000 ................
```
每个值具体是做什么的,可以用下面的办法显示出来,对比看一看,更详细的可以查看 `/usr/include/elf.h``man ld.so`
```
$ LD_SHOW_AUXV=1 cat -
AT_SYSINFO_EHDR: 0x7fff6afb3000
AT_HWCAP: bfebfbff
AT_PAGESZ: 4096
AT_CLKTCK: 100
AT_PHDR: 0x557b68217040
AT_PHENT: 56
AT_PHNUM: 9
AT_BASE: 0x7f41e5689000
AT_FLAGS: 0x0
AT_ENTRY: 0x557b68219290
AT_UID: 1000
AT_EUID: 1000
AT_GID: 1000
AT_EGID: 1000
AT_SECURE: 0
AT_RANDOM: 0x7fff6aedc0a9
AT_HWCAP2: 0x0
AT_EXECFN: /usr/bin/cat
AT_PLATFORM: x86_64
```
值得一提的是,`AT_SYSINFO_EHDR` 所对应的值是一个叫做的 VDSO(Virtual Dynamic Shared Object) 的地址。在 ret2vdso 漏洞利用方法中会用到参考章节6.1.6)。
#### /proc/[pid]/environ
该文件包含了进程的环境变量:
```
$ strings /proc/2865/environ
```
#### /proc/[pid]/fd
该文件包含了进程打开文件的情况:
```
$ ls -al /proc/2865/fd
total 0
dr-x------ 2 firmy firmy 0 12月 30 11:13 .
dr-xr-xr-x 9 firmy firmy 0 12月 30 11:13 ..
lrwx------ 1 firmy firmy 64 12月 30 12:31 0 -> /dev/pts/2
lrwx------ 1 firmy firmy 64 12月 30 12:31 1 -> /dev/pts/2
lrwx------ 1 firmy firmy 64 12月 30 12:31 2 -> /dev/pts/2
```
#### /proc/[pid]/status
该文件包含了进程的状态信息:
```
$ cat /proc/2865/status
Name: cat
Umask: 0022
State: T (stopped)
Tgid: 2865
Ngid: 0
Pid: 2865
PPid: 2059
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
FDSize: 256
Groups: 3 7 10 56 90 91 93 95 96 98 1000
NStgid: 2865
NSpid: 2865
NSpgid: 2865
NSsid: 2059
VmPeak: 7828 kB
VmSize: 7828 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 788 kB
VmRSS: 788 kB
RssAnon: 64 kB
RssFile: 724 kB
RssShmem: 0 kB
VmData: 312 kB
VmStk: 132 kB
VmExe: 32 kB
VmLib: 1876 kB
VmPTE: 40 kB
VmPMD: 12 kB
VmSwap: 0 kB
HugetlbPages: 0 kB
Threads: 1
SigQ: 2/47723
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs: 0
Seccomp: 0
Cpus_allowed: ff
Cpus_allowed_list: 0-7
Mems_allowed: 00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 1
nonvoluntary_ctxt_switches: 0
```
#### /proc/[pid]/syscall
该文件包含了进程正在执行的系统调用:
```
$ sudo cat /proc/2865/syscall
0 0x0 0x7f63025e2000 0x20000 0x22 0xffffffffffffffff 0x0 0x7fff2ab9f958 0x7f630210ea11
```
第一个值是系统调用号,后面跟着是六个参数,最后两个值分别是堆栈指针和指令计数器的值。
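Review bot: the example process is left in the stopped state (`[1]+ Stopped cat -`, `State: T (stopped)`, the `do_signal_stop` frame in the kernel stack) without saying why; a sentence after the `cat - &` listing should explain that a background job reading from the terminal receives SIGTTIN and stops, which is exactly what the `stack`, `status` and `syscall` listings (syscall 0 is `read`, first argument fd 0) are showing. Smaller points in the same hunk: the two auxv listings come from different processes, so `AT_SYSINFO_EHDR` is `0x7fff2abf2000` in the `xxd` dump but `0x7fff6afb3000` under `LD_SHOW_AUXV=1`, and ASLR should be named as the reason before asking the reader to compare them; the sentence before the `LD_SHOW_AUXV` block runs `/usr/include/elf.h``man ld.so` together with no conjunction; the VDSO sentence has a stray 的 in `一个叫做的 VDSO` and is missing the opening parenthesis before `参考章节6.1.6)`; the `strings /proc/2865/environ` block shows no output at all (show a few lines, or use `tr '\0' '\n' < /proc/2865/environ` so each variable lands on its own line); and the subsections jump from `##` straight to `####`, skipping `###`.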

View File

@ -518,7 +518,7 @@ reading from file slip-bad-direction.pcap, link-type SLIP (SLIP)
``` ```
具体代码的修改如下所示,文件 `print-sl.c` 用于打印 CSLIPCompressed Serial Line Internet Protocol即压缩的 SLIP 具体代码的修改如下所示,文件 `print-sl.c` 用于打印 CSLIPCompressed Serial Line Internet Protocol即压缩的 SLIP
```C ```diff
$ git diff 09b1185 378ac56 print-sl.c $ git diff 09b1185 378ac56 print-sl.c
diff --git a/print-sl.c b/print-sl.c diff --git a/print-sl.c b/print-sl.c
index 3fd7e898..a02077b3 100644 index 3fd7e898..a02077b3 100644
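Review bot: retagging the fence from `C` to `diff` is the right fix for a `git diff` listing, but the block still opens with the shell command `$ git diff 09b1185 378ac56 print-sl.c`, which a diff highlighter renders as plain context; moving that command above the fence leaves only the patch inside it. In the unchanged line before the fence, `CSLIPCompressed Serial Line Internet Protocol即压缩的 SLIP` is missing the parentheses around the expansion and the closing full stop.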