From 7e8bd04389875d8569463f42923792557edc2908 Mon Sep 17 00:00:00 2001
From: Orfeas <38209077+0xfea5@users.noreply.github.com>
Date: Tue, 16 Apr 2024 22:14:29 +0300
Subject: Write other process' memory
---
 src/main.c | 27 ++++++++++++++++++++++++++-
 src/vm.c | 27 ++++++++++++++++-----------
 src/vm.h | 2 ++
 3 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/src/main.c b/src/main.c
index ee33aac..667ca4c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -8,6 +8,20 @@
 #include "util.h"
 #include "vm.h"
+void hex2bytes(char *hex)
+{
+ size_t len = strlen(hex);
+ char bytes[len + 1];
+
+ for (size_t i = 0; i < len; ++i) {
+ char hdig[3] = { hex[i*2], hex[i*2+1], '\0' };
+ sscanf(hdig, "%hhx", &bytes[i]);
+ }
+
+ memcpy(hex, bytes, len);
+ hex[len] = '\0';
+}
+
 int main(int argc, char *argv[])
 {
 if (argc < 2) {
@@ -23,7 +37,7 @@ int main(int argc, char *argv[])
 waitpid(pid, NULL, __WALL);
 LOG("Attached to process %d\n", pid);
- char *byte_seq = "secret text";
+ char *byte_seq = "DEADBEEF";
 size_t byte_seq_len = strlen(byte_seq);
 MemscanResult *head = memscan(pid, (uint8_t*)byte_seq, byte_seq_len);
 MemscanResult *cur = head;
@@ -39,7 +53,18 @@ int main(int argc, char *argv[])
 cur->mapping->name);
 cur = cur->next;
 }
+ printf("\n\n");
+
+ char *buf = "CAFEBABE";
+ size_t len = strlen(buf);
+ cur = head;
+ while (cur) {
+ void *address = cur->mapping->begin + cur->offset;
+ memwrite(pid, address, (uint8_t*)buf, len);
+ cur = cur->next;
+ }
+
 ptrace(PTRACE_DETACH, pid, NULL, NULL);
 LOG("Detached from process %d\n", pid);
diff --git a/src/vm.c b/src/vm.c
index 82f67fd..b33a7bf 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -1,3 +1,4 @@
+#include
 #include
 #include
 #include
@@ -63,15 +64,6 @@ VMMapping* parse_vmmap (int pid)
 } else {
 head = cur = new_mapping;
 }
-
- LOG("%p-%p %c%c%c%c %s\n",
- cur->begin,
- cur->end,
- cur->r ? 'r' : '-',
- cur->w ? 'w' : '-',
- cur->x ? 'x' : '-',
- cur->s ? 's' : 'p',
- cur->name);
 }
 return head;
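Review bot: hex2bytes iterates `len` times but consumes two characters of `hex` per iteration, so once `i` reaches `len/2` the reads `hex[i*2]` and `hex[i*2+1]` run past the input's terminator, and the trailing `memcpy` then copies `len` bytes where only `len/2` were ever decoded. `%hhx` also stores through an `unsigned char *`, and the sscanf result is never checked, so a non-hex pair silently leaves that byte uninitialised; an odd-length string drops its last digit without notice. The function is not called anywhere in this diff, so whether it is meant to parse argv input cannot be confirmed here. The rewrite below sizes the loop and the result by `len / 2` and leaves `hex` untouched on the first bad pair.
```c
void hex2bytes(char *hex)
{
	size_t len = strlen(hex);
	size_t n = len / 2;           /* one output byte per pair of hex digits */
	unsigned char bytes[n + 1];   /* %hhx stores through unsigned char * */

	for (size_t i = 0; i < n; ++i) {
		char hdig[3] = { hex[i*2], hex[i*2+1], '\0' };
		if (sscanf(hdig, "%hhx", &bytes[i]) != 1) {
			return;               /* not a hex pair: leave hex unmodified */
		}
	}

	memcpy(hex, bytes, n);
	hex[n] = '\0';
}
```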
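Review bot: The write loop in main sends `len` bytes to every match without checking that they fit inside the mapping; a match only guarantees that `byte_seq_len` bytes lie before `cur->mapping->end`, and the two lengths agree here only because both literals happen to be eight characters. A guard such as `if (address + len > cur->mapping->end) { cur = cur->next; continue; }` before the memwrite call keeps a longer replacement from running past the region. memwrite also returns void, so main cannot tell whether any write took effect before it detaches; `buf` and `byte_seq` are never modified and could be `const char *`. main's body continues outside the hunk.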
@@ -91,7 +83,7 @@ MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
 {
 char fmem_path[1024] = {0};
 sprintf(fmem_path, "/proc/%d/mem", pid);
- FILE *fmem = fopen(fmem_path, "rb+");
+ FILE *fmem = fopen(fmem_path, "rb");
 VMMapping *vmmaps_head = parse_vmmap(pid);
 VMMapping *cur_vmmap = vmmaps_head;
 MemscanResult *cur = NULL, *head = NULL;
@@ -101,7 +93,6 @@ MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
 cur_vmmap = cur_vmmap->next;
 continue;
 }
- LOG("Scanning [%p]\n", cur_vmmap->begin);
 size_t region_size = cur_vmmap->end - cur_vmmap->begin;
 uint8_t region_data[region_size];
@@ -135,6 +126,20 @@ MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
 cur_vmmap = cur_vmmap->next;
 }
+ fclose(fmem);
 return head;
 }
+
+void memwrite(int pid, void *address, uint8_t *data, size_t data_len)
+{
+ char fmem_path[1024] = {0};
+ sprintf(fmem_path, "/proc/%d/mem", pid);
+ FILE *fmem = fopen(fmem_path, "rb+");
+
+ fseek(fmem, (off_t)address, SEEK_SET);
+ fwrite(data, 1, data_len, fmem);
+ fclose(fmem);
+
+ LOG("Data written successfully at address %p\n", address);
+}
diff --git a/src/vm.h b/src/vm.h
index 4a994f9..3f3cc09 100644
--- a/src/vm.h
+++ b/src/vm.h
@@ -1,6 +1,7 @@
 #ifndef _VM_H_
 #define _VM_H_
 #include
+#include
 typedef struct VMMapping {
 void *begin;
@@ -24,4 +25,5 @@ VMMapping* parse_vmmap (int pid);
 MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len);
+void memwrite(int pid, void *address, uint8_t *data, size_t data_len);
 #endif // _VM_H_
-- cgit v1.2.3
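Review bot: The changed fopen in memscan still stores its result without a NULL check, so a pid that does not exist or that this process is not permitted to read makes the later reads go through a NULL FILE pointer; `if (!fmem) return NULL;` directly after the call, before parse_vmmap allocates anything, is enough, and the same unchecked fopen appears in memwrite in the last vm.c hunk. Since the path is formatted into a fixed 1024-byte buffer, `snprintf(fmem_path, sizeof fmem_path, "/proc/%d/mem", pid);` is the bounded form, although a `%d` cannot overflow it today. memscan's body continues outside the hunk.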