Notes on "Hacking: The Art of Exploitation"

Program fundamentals

x86 assembly

AX(Accumulator)

BX(Base register)

CX(Counter)

DX(Data)

SP(Stack Pointer)

BP(Base Pointer)

SI(Source Index)

DI(Destination Index)

IP(Instruction Pointer)

EFLAGS register

  • Little-endian: the low-order byte is stored at the lower memory address and the high-order byte at the higher address.
  • Big-endian: the high-order byte is stored at the lower memory address and the low-order byte at the higher address.

Operating systems (on x86) are generally little-endian, while network protocols use big-endian (network byte order).
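As an added example (my code, not from the book or these notes), the following C program makes the two bullet points concrete: it probes the host's byte order, shows how a 32-bit value is laid out in memory, and builds the big-endian "wire" encoding that protocols expect by hand, checking it against htonl(). The value 0x00fc45c7 is the DWORD the gdb session further down reads at <main+16>; the function names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* htonl(): host byte order -> network (big-endian) byte order */

/* Returns 1 if the least-significant byte sits at the lowest address (little-endian). */
int is_little_endian(void) {
    uint32_t probe = 0x01020304u;
    unsigned char first;
    memcpy(&first, &probe, 1);          /* the byte stored at the lowest address */
    return first == 0x04;
}

/* Returns the byte of v stored i addresses above &v (0 = lowest address). */
unsigned memory_byte(uint32_t v, int i) {
    unsigned char raw[4];
    memcpy(raw, &v, sizeof raw);
    return raw[i & 3];
}

/* Serialises v in big-endian order regardless of host endianness: this is what
 * a protocol peer expects, and it does not depend on how this CPU lays out ints. */
void to_network_bytes(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)(v >> 24);
    out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);
    out[3] = (unsigned char)(v);
}

/* Inverse of to_network_bytes(): rebuilds the host integer from 4 wire bytes. */
uint32_t from_network_bytes(const unsigned char in[4]) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Returns the i-th byte (0 = first on the wire) of v's big-endian encoding. */
unsigned wire_byte(uint32_t v, int i) {
    unsigned char net[4];
    to_network_bytes(v, net);
    return net[i & 3];
}

/* Round-trips v through the wire encoding; must return v unchanged on any host. */
uint32_t wire_roundtrip(uint32_t v) {
    unsigned char net[4];
    to_network_bytes(v, net);
    return from_network_bytes(net);
}

/* Returns 1 if htonl() produces exactly the byte layout to_network_bytes() builds by hand. */
int htonl_matches_manual(uint32_t v) {
    unsigned char net[4], raw[4];
    uint32_t n = htonl(v);
    to_network_bytes(v, net);
    memcpy(raw, &n, sizeof raw);
    return memcmp(net, raw, 4) == 0;
}

int main(void) {
    uint32_t v = 0x00fc45c7u;   /* the DWORD the gdb session reads at <main+16> */
    printf("host is %s-endian\n", is_little_endian() ? "little" : "big");
    printf("in memory  : %02x %02x %02x %02x\n", memory_byte(v, 0), memory_byte(v, 1),
           memory_byte(v, 2), memory_byte(v, 3));
    printf("on the wire: %02x %02x %02x %02x\n", wire_byte(v, 0), wire_byte(v, 1),
           wire_byte(v, 2), wire_byte(v, 3));
    printf("htonl agrees with manual encoding: %d\n", htonl_matches_manual(v));
    return 0;
}
```

On an x86 host the "in memory" line prints c7 45 fc 00, exactly the byte sequence the x/8xb dump below shows, while the wire line prints 00 fc 45 c7 on every host.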

gdb commands

  1. o  Display in octal.
  2. x  Display in hexadecimal.
  3. u  Display in unsigned, standard base-10 decimal.
  4. t  Display in binary.
  5. i  Display as an instruction (disassemble).

e.g.:

(gdb) i r eip
eip 0x8048384 0x8048384 <main+16>
(gdb) x/o 0x8048384
0x8048384 <main+16>: 077042707
(gdb) x/x $eip
0x8048384 <main+16>: 0x00fc45c7
(gdb) x/u $eip
0x8048384 <main+16>: 16532935
(gdb) x/t $eip
0x8048384 <main+16>: 00000000111111000100010111000111
(gdb) x/i $eip
0x8048384 <main+16>: mov DWORD PTR [ebp-4],0x0
(gdb)

  • Prefix a count to display that many units:

e.g.:

(gdb) x/2x $eip
0x8048384 <main+16>: 0x00fc45c7 0x83000000
(gdb) x/12x $eip
0x8048384 <main+16>: 0x00fc45c7 0x83000000 0x7e09fc7d 0xc713eb02
0x8048394 <main+32>: 0x84842404 0x01e80804 0x8dffffff 0x00fffc45
0x80483a4 <main+48>: 0xc3c9e5eb 0x90909090 0x90909090 0x5de58955
(gdb)

  • Append a size letter to choose the unit:
  1. b 1 byte
  2. h A halfword, 2 bytes in size
  3. w A word, 4 bytes in size
  4. g A giant, 8 bytes in size

e.g.:

(gdb) x/8xb $eip
0x8048384 <main+16>: 0xc7 0x45 0xfc 0x00 0x00 0x00 0x00 0x83
(gdb) x/8xh $eip
0x8048384 <main+16>: 0x45c7 0x00fc 0x0000 0x8300 0xfc7d 0x7e09 0xeb02 0xc713
(gdb) x/8xw $eip
0x8048384 <main+16>: 0x00fc45c7 0x83000000 0x7e09fc7d 0xc713eb02
0x8048394 <main+32>: 0x84842404 0x01e80804 0x8dffffff 0x00fffc45
(gdb)

The C language

Command-line arguments

int main(int argc, char *argv[])   // argc is the argument count; argv[] is the argument vector, the arguments stored as an array of strings

e.g.:

#include <stdio.h>

int main(int arg_count, char *arg_list[]) {
    int i;
    printf("There were %d arguments provided:\n", arg_count);
    for(i=0; i < arg_count; i++)
        printf("argument #%d\t-\t%s\n", i, arg_list[i]);
    return 0;
}

Output:

reader@hacking:~/booksrc $ gcc -o commandline commandline.c
reader@hacking:~/booksrc $ ./commandline
There were 1 arguments provided:
argument #0 - ./commandline
reader@hacking:~/booksrc $ ./commandline this is a test
There were 5 arguments provided:
argument #0 - ./commandline
argument #1 - this
argument #2 - is
argument #3 - a
argument #4 - test
reader@hacking:~/booksrc $

Indexing argv[] with a value that has not been checked against argc reads past the array: an out-of-bounds access.
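Added example (my code, not the book's): a checked accessor for argv[] and a small argument parser built on it. The argv arrays used for the checks are constructed samples, and names such as arg_or_null and count_from_args are mine.

```c
#include <stdio.h>
#include <stdlib.h>

/* Returns argv[i] when i is a valid index, otherwise NULL.
 * argv[0..argc-1] are the arguments and argv[argc] is NULL (C standard 5.1.2.2.1);
 * anything beyond that lies outside the array, so the caller must check argc first. */
const char *arg_or_null(int argc, char *argv[], int i) {
    if (argv == NULL || i < 0 || i >= argc) return NULL;
    return argv[i];
}

/* Parses argv[1] as a count in [0, 1000]; returns fallback when it is absent or malformed. */
int count_from_args(int argc, char *argv[], int fallback) {
    const char *s = arg_or_null(argc, argv, 1);
    if (s == NULL) return fallback;                  /* no argument given */
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || v < 0 || v > 1000)
        return fallback;                             /* empty, trailing junk, or out of range */
    return (int)v;
}

/* Constructed sample argument vectors, as a shell would build them. */
static char *sample_argv[] = { "./commandline", "this", "is", "a", "test", NULL };
static int   sample_argc   = 5;
static char *number_argv[] = { "./commandline", "42", NULL };
static char *junk_argv[]   = { "./commandline", "4x", NULL };
static char *bare_argv[]   = { "./commandline", NULL };

int main(int argc, char *argv[]) {
    const char *fourth = arg_or_null(argc, argv, 4);
    printf("argument #4 is %s\n", fourth ? fourth : "(absent)");
    printf("count = %d\n", count_from_args(argc, argv, 3));
    printf("sample: #4=%s, #5=%s\n", arg_or_null(sample_argc, sample_argv, 4),
           arg_or_null(sample_argc, sample_argv, 5) ? "present" : "NULL");
    return 0;
}
```

Run it with no arguments and the program reports "(absent)" and the fallback count instead of reading beyond argv.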

Global and local variables

Static variables

Memory segmentation

Five segments: text, data, bss, heap, and stack

  1. text segment (code segment): holds the program's code; fixed at compile time and read-only. More precisely, it holds the processor's machine instructions. Each source file is compiled separately into an object file; the linker then links the object files, resolves the function references between source files, and merges the .text sections of all object files into one. That is not simply stacking them together: the function references between the sections must be fixed up as well.
    • The text segment is read-only, which prevents the program from being modified and lets several instances of the same program run at once.
  2. data segment: holds data that is fixed at compile time (not at run time); readable and writable. This is the "static storage area": initialized global variables, constants and static variables live here.
    • The data segment occupies space in the executable file, and its contents are initialized by the program.
  3. bss segment (Block Started by Symbol): holds the program's uninitialized global variables; it is normally zeroed at startup (bss is statically allocated and cleared as soon as the program starts).
    • bss occupies no space in the executable file; the operating system initializes it (zero-fills it), and bare-metal programs must clear it themselves.
  4. heap segment: malloc() and free() control allocation and release on the heap. A new heap allocation does not necessarily reuse the lower address freed earlier; whether it does depends on the size of the freed block.
  5. stack segment: the stack.

See: Memory Layout of C Programs
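Added example, not from the book or these notes: a Linux program that classifies addresses by comparing them with the linker-provided symbols etext, edata and end (documented in end(3)), shows that a bss variable starts zeroed and that a static keeps its value across calls, and checks whether a same-sized malloc() hands back a block that was just freed. It assumes a GNU or LLVM toolchain on Linux; the symbol names are real, the function names are mine.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Symbols the GNU/LLVM linker scripts provide (see end(3) on Linux):
 * etext = first address past .text, edata = past .data, end = past .bss. */
extern char etext, edata, end;

int initialised_global = 0x41;   /* .data: its initial value is stored in the executable */
int uninitialised_global;        /* .bss: no bytes in the file, zero-filled by the OS at load */
static int static_counter = 7;   /* static storage duration: .data, survives between calls */

enum segment { SEG_TEXT = 0, SEG_DATA = 1, SEG_BSS = 2, SEG_OTHER = 3 };

/* Classifies an address by comparing it with the linker symbols. Comparing
 * pointers into different objects is not portable C, but it is the usual
 * "which segment is this?" diagnostic on Linux. */
enum segment classify(const void *p) {
    const char *a = (const char *)p;
    if (a < &etext) return SEG_TEXT;
    if (a < &edata) return SEG_DATA;
    if (a < &end)   return SEG_BSS;
    return SEG_OTHER;                /* heap, stack, mmap regions, shared libraries */
}

const char *segment_name(enum segment s) {
    static const char *names[] = { "text", "data", "bss", "heap/stack/other" };
    return names[s];
}

/* Where does a function live? (cast through uintptr_t: function pointers are not void *) */
enum segment classify_code(void) { return classify((const void *)(uintptr_t)&classify); }

/* Where does a malloc()'d block live? */
enum segment classify_heap(void) {
    void *p = malloc(64);
    enum segment s = p ? classify(p) : SEG_OTHER;
    free(p);
    return s;
}

/* Where does a local variable live? */
enum segment classify_stack(void) {
    int local = 0;
    return classify(&local);
}

/* A static variable keeps its value across calls: 8, 9, 10, ... */
int next_static_count(void) { return ++static_counter; }

/* After free(a), does a same-sized malloc() return a's address again? The notes
 * say "not necessarily": the answer depends on the allocator and the block size.
 * Returns 1 if reused, 0 if not, -1 on allocation failure. */
int freed_block_reused(size_t size) {
    char *a = malloc(size), *b = malloc(size);   /* b keeps a from merging into the top chunk */
    if (!a || !b) { free(a); free(b); return -1; }
    free(a);
    char *c = malloc(size);
    int reused = (c == a);
    free(b); free(c);
    return reused;
}

int main(void) {
    printf("etext=%p edata=%p end=%p\n", (void *)&etext, (void *)&edata, (void *)&end);
    printf("classify()           -> %s\n", segment_name(classify_code()));
    printf("initialised_global   -> %s (value 0x%x)\n", segment_name(classify(&initialised_global)), initialised_global);
    printf("uninitialised_global -> %s (value %d)\n", segment_name(classify(&uninitialised_global)), uninitialised_global);
    printf("malloc block         -> %s\n", segment_name(classify_heap()));
    printf("local variable       -> %s\n", segment_name(classify_stack()));
    printf("static counter: %d then %d\n", next_static_count(), next_static_count());
    printf("same-size block reused after free: %d\n", freed_block_reused(32));
    return 0;
}
```

The heap and stack both fall in the "other" bucket because the linker symbols only bound the image that comes from the executable file; everything allocated at run time lives beyond end.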

Filesystem

High-level functions: file streams

Low-level functions: file descriptors, via open(), close(), read(), write()

All of these return -1 on error.

access mode (exactly one of these):

O_RDONLY Open file for read-only access.
O_WRONLY Open file for write-only access.
O_RDWR Open file for both read and write access.

additional flags (OR'd into the mode):

O_APPEND Write data at the end of the file.
O_TRUNC If the file already exists, truncate the file to 0 length.
O_CREAT Create the file if it doesn't exist.

file permission:

S_IRUSR Give the file read permission for the user (owner).
S_IWUSR Give the file write permission for the user (owner).
S_IXUSR Give the file execute permission for the user (owner).
S_IRGRP Give the file read permission for the group.
S_IWGRP Give the file write permission for the group.
S_IXGRP Give the file execute permission for the group.
S_IROTH Give the file read permission for other (anyone).
S_IWOTH Give the file write permission for other (anyone).
S_IXOTH Give the file execute permission for other (anyone).

The chown command changes a file's owner.

The chmod command changes a file's permissions.

  • chmod accepts either the 9-bit octal form or the symbolic ugo +/- rwx form.

getuid() returns the real user id; root has uid 0.

geteuid() returns the effective user id, the id in force while the program executes.
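Added example covering the descriptor API, the mode constants and the uid calls above (my code, not the book's): it creates a file with owner-only permissions, appends to it with O_APPEND, reads it back, checks every call for the -1 error return, and reports real versus effective uid. The path under /tmp is a constructed demo path and the function names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Creates path (truncating it if it exists) readable and writable by the owner
 * only, writes msg, and returns the bytes written or -1. Every descriptor call
 * returns -1 on error, so every one is checked. The mode argument matters only
 * together with O_CREAT, and the process umask is still subtracted from it. */
ssize_t write_private_file(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);   /* 0600 */
    if (fd == -1) return -1;
    size_t len = strlen(msg);
    ssize_t n = write(fd, msg, len);
    if (n == -1 || (size_t)n != len) { close(fd); return -1; }   /* short write: treat as failure */
    if (close(fd) == -1) return -1;
    return n;
}

/* Appends msg: with O_APPEND every write() lands at the current end of file. */
ssize_t append_to_file(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd == -1) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n;
}

/* Reads up to cap-1 bytes into buf, NUL-terminates it, returns bytes read or -1. */
ssize_t read_file(const char *path, char *buf, size_t cap) {
    if (cap == 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n == -1) { close(fd); return -1; }
    buf[n] = '\0';
    close(fd);
    return n;
}

/* Permission bits of path (e.g. 0600), or -1. */
int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) == -1) return -1;
    return (int)(st.st_mode & 0777);
}

/* Writes "hello\n", appends "world\n", reads it back and deletes the file.
 * Returns the file's permission bits when the contents match, -1 otherwise. */
int file_roundtrip(const char *path) {
    char buf[64];
    int mode = -1;
    if (write_private_file(path, "hello\n") != 6) return -1;
    if (append_to_file(path, "world\n") != 6) goto out;
    if (read_file(path, buf, sizeof buf) != 12) goto out;
    if (strcmp(buf, "hello\nworld\n") != 0) goto out;
    mode = file_mode(path);
out:
    unlink(path);
    return mode;
}

/* getuid() is the user who started the process; geteuid() is the identity the
 * kernel uses for permission checks. They differ in setuid programs (or after a
 * seteuid() call); in an ordinary process they are the same. */
int uid_differs_from_euid(void) { return getuid() != geteuid(); }

int main(void) {
    const char *path = "/tmp/hacking_notes_demo.txt";   /* constructed demo path */
    printf("round-trip mode: %04o (0600 under any umask)\n", file_roundtrip(path));
    printf("uid %u, euid %u, differ: %d\n", (unsigned)getuid(), (unsigned)geteuid(),
           uid_differs_from_euid());
    return 0;
}
```

Passing S_IRUSR | S_IWUSR at creation time is the habit worth keeping: a file created 0600 never has a window in which group or world can read it, whereas creating it with default permissions and chmod'ing afterwards does.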

#include <...>: the compiler looks for the header in the standard header directories.

#include "...": the compiler looks for the header in the current directory first.

Structs

Structs can be declared in header files.

Three ways to access struct members:

#include <time.h>
struct tm current_time, *time_ptr = &current_time;
int hour, minute, second;
// Three different ways to access struct elements:
hour = current_time.tm_hour;     // 1. Direct access
minute = time_ptr->tm_min;       // 2. Access via pointer
second = *((int *) time_ptr);    // 3. Hacky pointer access: reads the member at offset 0 (tm_sec)

The third method goes through the struct's address directly: casting time_ptr to int * and dereferencing it reads whatever member sits at offset 0, which in struct tm is tm_sec.
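Added example (my code, not the book's) that runs all three access methods and shows why the third one works: it reads the member at offset 0, and offsetof() generalises the same trick to any member without assuming the member order. The helper names are mine.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Builds a struct tm with the given wall-clock time (all other fields zeroed). */
struct tm make_time(int hour, int minute, int second) {
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_hour = hour;
    t.tm_min  = minute;
    t.tm_sec  = second;
    return t;
}

/* Method 3 from the notes: reinterpret the struct's address as int *. This reads
 * whatever member sits at offset 0, which in the common libcs is tm_sec. */
int first_member_via_cast(const struct tm *time_ptr) {
    return *((const int *) time_ptr);
}

/* The general form of that trick: fetch the int stored `off` bytes into the struct.
 * offsetof() supplies the correct offset for any member, so nothing is assumed
 * about the order of members. */
int member_at_offset(const struct tm *time_ptr, size_t off) {
    int v;
    memcpy(&v, (const char *)time_ptr + off, sizeof v);
    return v;
}

/* 1 when tm_sec is the first member, i.e. when method 3 really yields the seconds. */
int cast_trick_yields_seconds(void) {
    return offsetof(struct tm, tm_sec) == 0;
}

int second_via_cast(int h, int m, int s)   { struct tm t = make_time(h, m, s); return first_member_via_cast(&t); }
int minute_via_offset(int h, int m, int s) { struct tm t = make_time(h, m, s); return member_at_offset(&t, offsetof(struct tm, tm_min)); }
int hour_via_offset(int h, int m, int s)   { struct tm t = make_time(h, m, s); return member_at_offset(&t, offsetof(struct tm, tm_hour)); }

int main(void) {
    struct tm current_time = make_time(13, 37, 59);
    struct tm *time_ptr = &current_time;
    int hour   = current_time.tm_hour;      /* 1. direct access */
    int minute = time_ptr->tm_min;          /* 2. access via pointer */
    int second = *((int *) time_ptr);       /* 3. hacky pointer access */
    printf("%02d:%02d:%02d\n", hour, minute, second);
    printf("offsets: tm_sec %zu, tm_min %zu, tm_hour %zu\n",
           offsetof(struct tm, tm_sec), offsetof(struct tm, tm_min), offsetof(struct tm, tm_hour));
    printf("method 3 yields the seconds field: %d\n", cast_trick_yields_seconds());
    return 0;
}
```

The point for anyone reading binaries: a struct is nothing more than a base address plus fixed offsets, which is exactly how compiled code (and a debugger) addresses its members.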

Pseudorandom numbers

srand() sets the seed; the same seed always produces the same sequence, so the epoch time from time() is typically used as the seed.

rand() returns the next pseudorandom number.

e.g.:

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main() {
    int i;
    printf("RAND_MAX is %d\n", RAND_MAX);
    srand(time(0));
    printf("random values from 0 to RAND_MAX\n");
    for(i=0; i < 8; i++)
        printf("%d\n", rand());
    printf("random values from 1 to 20\n");
    for(i=0; i < 8; i++)
        printf("%d\n", (rand()%20)+1);   // a value from 1 to 20
    return 0;
}
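Added example (my code, not the book's) that demonstrates what "pseudo" means: the same seed reproduces the same rand() sequence, different seeds give different ones, the (rand() % 20) + 1 idiom is generalised to any range, and /dev/urandom is shown as the source to use for anything security-relevant, where a seed derived from time() would be far too predictable. The function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>

#define SEQ_MAX 32

/* Fills out[0..n-1] with the first n outputs of rand() after srand(seed); returns n. */
size_t sequence_from_seed(unsigned seed, int *out, size_t n) {
    if (n > SEQ_MAX) n = SEQ_MAX;
    srand(seed);
    for (size_t i = 0; i < n; i++) out[i] = rand();
    return n;
}

/* 1 if seeding twice with the same value yields the same sequence. It always does:
 * rand() is a deterministic function of the seed, which is what makes it "pseudo". */
int same_seed_same_sequence(unsigned seed, size_t n) {
    int a[SEQ_MAX], b[SEQ_MAX];
    n = sequence_from_seed(seed, a, n);
    sequence_from_seed(seed, b, n);
    return memcmp(a, b, n * sizeof a[0]) == 0;
}

/* 1 if two different seeds give different sequences. */
int different_seeds_differ(unsigned s1, unsigned s2, size_t n) {
    int a[SEQ_MAX], b[SEQ_MAX];
    n = sequence_from_seed(s1, a, n);
    sequence_from_seed(s2, b, n);
    return memcmp(a, b, n * sizeof a[0]) != 0;
}

/* The notes' (rand() % 20) + 1 idiom generalised to [lo, hi]. The modulo leaves a
 * slight bias whenever (hi - lo + 1) does not divide RAND_MAX + 1. */
int rand_in_range(int lo, int hi) {
    return lo + rand() % (hi - lo + 1);
}

/* 1 if `trials` draws from rand_in_range() all stay inside [lo, hi]. */
int range_check(int lo, int hi, int trials) {
    for (int i = 0; i < trials; i++) {
        int v = rand_in_range(lo, hi);
        if (v < lo || v > hi) return 0;
    }
    return 1;
}

/* Kernel randomness for anything security-relevant (tokens, keys, nonces):
 * a seed taken from time() is guessable, a /dev/urandom read is not.
 * Returns bytes read or -1. */
ssize_t read_urandom(unsigned char *buf, size_t n) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd == -1) return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* 1 if two 16-byte urandom draws differ (they will, barring a 2^-128 coincidence), -1 on error. */
int urandom_draws_differ(void) {
    unsigned char x[16], y[16];
    if (read_urandom(x, sizeof x) != (ssize_t)sizeof x) return -1;
    if (read_urandom(y, sizeof y) != (ssize_t)sizeof y) return -1;
    return memcmp(x, y, sizeof x) != 0;
}

int main(void) {
    int seq[8];
    unsigned seed = (unsigned)time(0);       /* the notes' usual seed */
    size_t n = sequence_from_seed(seed, seq, 8);
    printf("seed %u ->", seed);
    for (size_t i = 0; i < n; i++) printf(" %d", seq[i]);
    printf("\nsame seed reproduces the sequence: %d\n", same_seed_same_sequence(seed, 8));
    printf("value in 1..20: %d\n", rand_in_range(1, 20));
    printf("two urandom draws differ: %d\n", urandom_draws_differ());
    return 0;
}
```

Run the program twice within the same second and the first line repeats exactly; that reproducibility is convenient for simulations and is precisely why rand() seeded from the clock must never produce session tokens, keys or password reset codes.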