mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
update 1.3_linux_basic.md
parent af7e3a810a
commit b3ff465812
@ -12,6 +12,7 @@
- [核心转储](#核心转储)
- [调用约定](#调用约定)
- [环境变量](#环境变量)
- [/proc/[pid]](#procpid)
## 常用基础命令
@ -489,3 +490,198 @@ $ file ~/libc.so.6
/home/firmy/libc.so.6: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=088a6e00a1814622219f346b41e775b8dd46c518, for GNU/Linux 2.6.32, stripped
```
一个在 `interpreter /usr/lib/ld-linux-x86-64.so.2`,而另一个在 `interpreter /lib64/ld-linux-x86-64.so.2`。
## /proc/[pid]
proc 文件系统是 Linux 内核提供的,为访问系统内核数据的操作提供接口。在该文件系统下,有一些以数字命名的目录,这些数字是进程的 PID 号,而这些目录是进程目录。
目录下的所有文件如下,然后会介绍几个比较重要的:
```
$ cat - &
[1] 2865
$ ls /proc/2865/
attr cpuset limits ns root statm
autogroup cwd map_files numa_maps sched status
auxv environ maps oom_adj schedstat syscall
cgroup exe mem oom_score setgroups task
clear_refs fd mountinfo oom_score_adj smaps timers
cmdline fdinfo mounts pagemap smaps_rollup timerslack_ns
comm gid_map mountstats personality stack uid_map
coredump_filter io net projid_map stat wchan
[1]+ Stopped cat -
```
#### /proc/[pid]/maps
这个文件大概是最常用的,用于显示进程的内存区域映射信息:
```
$ cat /proc/2865/maps
5580631c6000-5580631ce000 r-xp 00000000 08:01 4981196 /usr/bin/cat
5580633cd000-5580633ce000 r--p 00007000 08:01 4981196 /usr/bin/cat
5580633ce000-5580633cf000 rw-p 00008000 08:01 4981196 /usr/bin/cat
558063c7d000-558063c9e000 rw-p 00000000 00:00 0 [heap]
7f6301cd7000-7f6302027000 r--p 00000000 08:01 4993768 /usr/lib/locale/locale-archive
7f6302027000-7f63021d5000 r-xp 00000000 08:01 4982395 /usr/lib/libc-2.26.so
7f63021d5000-7f63023d5000 ---p 001ae000 08:01 4982395 /usr/lib/libc-2.26.so
7f63023d5000-7f63023d9000 r--p 001ae000 08:01 4982395 /usr/lib/libc-2.26.so
7f63023d9000-7f63023db000 rw-p 001b2000 08:01 4982395 /usr/lib/libc-2.26.so
7f63023db000-7f63023df000 rw-p 00000000 00:00 0
7f63023df000-7f6302404000 r-xp 00000000 08:01 4982398 /usr/lib/ld-2.26.so
7f63025c1000-7f63025c3000 rw-p 00000000 00:00 0
7f63025e1000-7f6302603000 rw-p 00000000 00:00 0
7f6302603000-7f6302604000 r--p 00024000 08:01 4982398 /usr/lib/ld-2.26.so
7f6302604000-7f6302605000 rw-p 00025000 08:01 4982398 /usr/lib/ld-2.26.so
7f6302605000-7f6302606000 rw-p 00000000 00:00 0
7fff2ab81000-7fff2aba2000 rw-p 00000000 00:00 0 [stack]
7fff2abef000-7fff2abf2000 r--p 00000000 00:00 0 [vvar]
7fff2abf2000-7fff2abf4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
```
#### /proc/[pid]/stack
这个文件表示当前进程的内核调用栈信息:
```
$ sudo cat /proc/2865/stack
[<ffffffffa008d05e>] do_signal_stop+0xae/0x1f0
[<ffffffffa008e50c>] get_signal+0x18c/0x5a0
[<ffffffffa002ac26>] do_signal+0x36/0x610
[<ffffffffa0003019>] exit_to_usermode_loop+0x69/0xa0
[<ffffffffa00038eb>] syscall_return_slowpath+0x9b/0xb0
[<ffffffffa06926e4>] entry_SYSCALL_64_fastpath+0x7b/0x7d
[<ffffffffffffffff>] 0xffffffffffffffff
```
#### /proc/[pid]/auxv
该文件包含了传递给进程的解释器信息,即 auxv(AUXiliary Vector),每一项都是由一个 unsigned long 长度的 ID 加上一个 unsigned long 长度的值构成:
```
$ xxd -e -g8 /proc/2865/auxv
00000000: 0000000000000021 00007fff2abf2000 !........ .*....
00000010: 0000000000000010 00000000bfebfbff ................
00000020: 0000000000000006 0000000000001000 ................
00000030: 0000000000000011 0000000000000064 ........d.......
00000040: 0000000000000003 00005580631c6040 ........@`.c.U..
00000050: 0000000000000004 0000000000000038 ........8.......
00000060: 0000000000000005 0000000000000009 ................
00000070: 0000000000000007 00007f63023df000 ..........=.c...
00000080: 0000000000000008 0000000000000000 ................
00000090: 0000000000000009 00005580631c8290 ...........c.U..
000000a0: 000000000000000b 00000000000003e8 ................
000000b0: 000000000000000c 00000000000003e8 ................
000000c0: 000000000000000d 00000000000003e8 ................
000000d0: 000000000000000e 00000000000003e8 ................
000000e0: 0000000000000017 0000000000000000 ................
000000f0: 0000000000000019 00007fff2ab9ff39 ........9..*....
00000100: 000000000000001a 0000000000000000 ................
00000110: 000000000000001f 00007fff2aba1feb ...........*....
00000120: 000000000000000f 00007fff2ab9ff49 ........I..*....
00000130: 0000000000000000 0000000000000000 ................
```
每个值具体是做什么的,可以用下面的办法显示出来,对比看一看,更详细的可以查看 `/usr/include/elf.h` 和 `man ld.so`:
```
$ LD_SHOW_AUXV=1 cat -
AT_SYSINFO_EHDR: 0x7fff6afb3000
AT_HWCAP: bfebfbff
AT_PAGESZ: 4096
AT_CLKTCK: 100
AT_PHDR: 0x557b68217040
AT_PHENT: 56
AT_PHNUM: 9
AT_BASE: 0x7f41e5689000
AT_FLAGS: 0x0
AT_ENTRY: 0x557b68219290
AT_UID: 1000
AT_EUID: 1000
AT_GID: 1000
AT_EGID: 1000
AT_SECURE: 0
AT_RANDOM: 0x7fff6aedc0a9
AT_HWCAP2: 0x0
AT_EXECFN: /usr/bin/cat
AT_PLATFORM: x86_64
```
值得一提的是,`AT_SYSINFO_EHDR` 所对应的值是一个叫做的 VDSO(Virtual Dynamic Shared Object) 的地址。在 ret2vdso 漏洞利用方法中会用到(参考章节6.1.6)。
#### /proc/[pid]/environ
该文件包含了进程的环境变量:
```
$ strings /proc/2865/environ
```
#### /proc/[pid]/fd
该文件包含了进程打开文件的情况:
```
$ ls -al /proc/2865/fd
total 0
dr-x------ 2 firmy firmy 0 12月 30 11:13 .
dr-xr-xr-x 9 firmy firmy 0 12月 30 11:13 ..
lrwx------ 1 firmy firmy 64 12月 30 12:31 0 -> /dev/pts/2
lrwx------ 1 firmy firmy 64 12月 30 12:31 1 -> /dev/pts/2
lrwx------ 1 firmy firmy 64 12月 30 12:31 2 -> /dev/pts/2
```
#### /proc/[pid]/status
该文件包含了进程的状态信息:
```
$ cat /proc/2865/status
Name: cat
Umask: 0022
State: T (stopped)
Tgid: 2865
Ngid: 0
Pid: 2865
PPid: 2059
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
FDSize: 256
Groups: 3 7 10 56 90 91 93 95 96 98 1000
NStgid: 2865
NSpid: 2865
NSpgid: 2865
NSsid: 2059
VmPeak: 7828 kB
VmSize: 7828 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM: 788 kB
VmRSS: 788 kB
RssAnon: 64 kB
RssFile: 724 kB
RssShmem: 0 kB
VmData: 312 kB
VmStk: 132 kB
VmExe: 32 kB
VmLib: 1876 kB
VmPTE: 40 kB
VmPMD: 12 kB
VmSwap: 0 kB
HugetlbPages: 0 kB
Threads: 1
SigQ: 2/47723
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs: 0
Seccomp: 0
Cpus_allowed: ff
Cpus_allowed_list: 0-7
Mems_allowed: 00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 1
nonvoluntary_ctxt_switches: 0
```
#### /proc/[pid]/syscall
该文件包含了进程正在执行的系统调用:
```
$ sudo cat /proc/2865/syscall
0 0x0 0x7f63025e2000 0x20000 0x22 0xffffffffffffffff 0x0 0x7fff2ab9f958 0x7f630210ea11
```
第一个值是系统调用号,后面跟着是六个参数,最后两个值分别是堆栈指针和指令计数器的值。
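Review bot: in the `/proc/[pid]/auxv` subsection, the "decode it this way and compare" step (`LD_SHOW_AUXV=1 cat -`) starts a fresh `cat` instead of decoding PID 2865, so the address-valued entries cannot be compared line by line with the `xxd` dump: AT_SYSINFO_EHDR is 0x7fff2abf2000 in the dump but 0x7fff6afb3000 in the listing, AT_ENTRY is 0x5580631c8290 versus 0x557b68219290, AT_BASE is 0x7f63023df000 versus 0x7f41e5689000, because ASLR re-randomizes on every exec; only the type IDs and the constant entries (AT_HWCAP bfebfbff, AT_PAGESZ 4096, AT_CLKTCK 100, AT_PHENT 56, AT_PHNUM 9, AT_UID/AT_GID 1000) line up. Either decode the same process's `/proc/2865/auxv` or state that only the non-address fields are expected to match. The `/proc/[pid]/stack` and `/proc/[pid]/syscall` examples switch to `sudo` without saying why; one sentence noting that both files are gated by a ptrace-attach permission check (PTRACE_MODE_ATTACH) would explain it. The `strings /proc/2865/environ` block shows no output, so the reader never sees the NUL-separated layout; either include the output or use `tr '\0' '\n' < /proc/2865/environ`. Two style points: the `#### /proc/[pid]/maps` through `#### /proc/[pid]/syscall` subsections sit directly under `## /proc/[pid]`, skipping the `###` level, and `一个叫做的 VDSO` should read `一个叫做 VDSO`.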
@ -518,7 +518,7 @@ reading from file slip-bad-direction.pcap, link-type SLIP (SLIP)
```
具体代码的修改如下所示,文件 `print-sl.c` 用于打印 CSLIP(Compressed Serial Line Internet Protocol),即压缩的 SLIP:
```C
```diff
$ git diff 09b1185 378ac56 print-sl.c
diff --git a/print-sl.c b/print-sl.c
index 3fd7e898..a02077b3 100644
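Review bot: the one-line fence change from ```C to ```diff is the right fix here, because what follows (`$ git diff 09b1185 378ac56 print-sl.c`, `diff --git a/print-sl.c b/print-sl.c`, `index 3fd7e898..a02077b3 100644`) is unified-diff output rather than C source; under the C tag the +/- lines would be highlighted as broken C instead of as additions and removals. No further change needed in this hunk.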