堆喷射

Posted studyskill

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了堆喷射相关的知识,希望对你有一定的参考价值。

堆喷射主要用于绕过ASLR。下面演示堆喷射分析与效果。

1.代码

void heap_spray()
{
  char chunk[LEN] = { 0 };
  memset(chunk, 0x90, LEN - 10);
  strcat(chunk, "shellcode");
  for (int i = 0;i < 100;i++)
  {
    void *p = malloc(LEN);
    strcpy((char *)p, chunk);
    printf("spray %d\n", i);
  }
}

2.windbg分析

  •  !heap -stat:堆统计信息

_HEAP 002a0000
  Segments 00000001
  Reserved bytes 00100000
  Committed bytes 0009c000
  VirtAllocBlocks 00000000
  VirtAlloc bytes 00000000
_HEAP 00020000...

  •  !heap -stat -h 002a0000//查看segement 2a0000堆块大小统计情况

    group-by: TOTSIZE max-display: 20
    size #blocks total ( %) (percent of total busy bytes)
    1000 65 - 65000 (94.88)//大小为0x1000,共0x65个,占比94.88%,可见堆喷射效果较好
    20 6e - dc0 (0.81)
    c00 1 - c00 (0.70)
    bec 1 - bec (0.70...

  •   !heap -flt s 1000:列出所有大小为0x1000的堆块

    _HEAP @ 2a0000
    HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
    002c9e50 0201 0000 [00] 002c9e58 01000 - (busy)
    002cae58 0201 0201 [00] 002cae60 01000 - (free)
    002cbe60 0201 0201 [00] 002cbe68 01000 - (busy)
    002cce68 0201 0201 [00] 002cce70 01000 - (busy)
    002cde70 0201 0201 [00] 002cde78 01000 - (busy)
    002cee78 0201 0201 [00] 002cee80 01000 - (busy)

 

  • 0:000> dc 0032df90+0x1000-10//验证到顺序分配,并且相临。同时包含0x8的堆头。一个堆块大小为0x1000+0x8.
    0032ef80 90909090 68739090 636c6c65 0065646f ......shellcode.
    0032ef90 1a394b70 88000000 90909090 90909090 pK9.............
    0032efa0 90909090 90909090 90909090 90909090 ................

  •  !address:使用address查看内存属性

    BaseAddr EndAddr+1 RgnSize Type State Protect Usage
    -----------------------------------------------------------------------------------------------
    + 0 10000 10000 MEM_FREE PAGE_NOACCESS Free
    + 10000 20000 10000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap [ID: 1; Handle: 00010000; Type: Segment]
    + 20000 30000 10000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap

   Type:

MEM_IMAGE 映射的文件属于可执行映像一部分的内存。
MEM_MAPPED 映射的文件不属于可执行映像一部分的内存。这种内存包含哪些从页面文件映射的内存。
MEM_PRIVATE 私有的(即不和其他进程共享)并且未用来映射任何文件的内存。

  

 

 

   State

MEM_COMMIT 当前已提交给目标使用的所有内存。已经在物理内存或者页面文件中为这些内存分配了物理的存储空间。
MEM_RESERVE 所有为目标以后的使用保留的内存。这种内存还没有分配物理上的存储空间。
MEM_FREE 目标虚拟地址空间中所有可用内存。包括所有未提交并且未保留的内存。该Filter 值和RegionUsageFree一样。

   

 

 

           Protect:

Filter valueMemory regions displayed

PAGE_NOACCESS

Memory that cannot be accessed.

PAGE_READONLY

Memory that is readable, but not writable and not executable.

PAGE_READWRITE

Memory that is readable and writable, but not executable.

PAGE_WRITECOPY

Memory that has copy-on-write behavior.

PAGE_EXECUTE

Memory that is executable, but not readable and not writeable.

PAGE_EXECUTE_READ

Memory that is executable and readable, but not writable.

PAGE_EXECUTE_READWRITE

Memory that is executable, readable, and writable.

PAGE_EXECUTE_WRITECOPY

Memory that is executable and has copy-on-write behavior.

PAGE_GUARD

Memroy that acts as a guard page.

PAGE_NOCACHE

Memory that is not cached.

PAGE_WRITECOMBINE

Memory that has write-combine access enabled.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  • !address 0032df90

    Usage: Heap
    Base Address: 002a0000
    End Address: 0033c000
    Region Size: 0009c000 ( 624.000 kB)
    State: 00001000 MEM_COMMIT//已经在物理内存中分配
    Protect: 00000004 PAGE_READWRITE//可读写,但不可执行
    Type: 00020000 MEM_PRIVATE
    Allocation Base: 002a0000
    Allocation Protect: 00000004 PAGE_READWRITE

  • 修改寄存器命令 
    r @eax=1  //将eax置为1

    修改内存命令
    ed 80505648 00001234

以上是关于堆喷射的主要内容,如果未能解决你的问题,请参考以下文章

这个 milw0rm 堆喷射漏洞是如何工作的?

什么是喷射器?

text APEX_JAVASCRIPT需要喷射

角度平移喷射器:modulerr 错误

酷炫喷射粒子进度条

酷炫喷射粒子进度条