3asm / libc-Trip-in-Memoryland

Scripts to dump all unique libc instances (physical memory address)

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

libc Trip in Memoryland

Description

This script is a fun experimentation playing with Virtual Memory, Physical Mapping and proof of the Copy On Write behavior of fork().

The script lists all pids, retrieves the virtual address of the libc, translates the virtual address for each pid to a physical address and dumps the unique instances to /tmp folder.

This could be a useful PoC playing with /proc memory files like mem, pagemap and maps.

Dependencies

The script works on Python 2.x. No other dependencies are required.

Usage

The script accesses privileged files and needs to be run with root privileges:

> $ sudo python libc_analyzor.py
[*] listing PID ...
[*] retrieving libc addresses ...
[+] PID     : Physical            Virtual          (Name)
[+] 1       : 0x0000000045f0b1 -> 0x007f1c6f985000 (init)
[+] 1537    : 0x0000000045f0b1 -> 0x007f66423f2000 (libvirtd)
[+] 2059    : 0x0000000045f0b1 -> 0x007ff3eb870000 (master)
[+] 1040    : 0x0000000045f0b1 -> 0x007f63b6b9f000 (rpc.statd)
...
[+] 4094    : 0x0000000045f0b1 -> 0x007fea9860c000 (fsnotifier64)
[*] dump 2 libc files ...
[*] dumping libc at physical address 0x0000000045f0b1 ...
[+] md5sum: 9089dd6bd629aeae4ae17d5566b4aeb3
[*] dumping libc at physical address 0x00000000430d59 ...
[+] md5sum: 786d2647168718d9e4c82e5102209504

About

Scripts to dump all unique libc instances (physical memory address)

License:GNU General Public License v3.0


Languages

Language:Python 100.0%