From 7de6d2226b9746e2a2d90a00aa130282cb23605d Mon Sep 17 00:00:00 2001
From: Orfeas <38209077+0xfea5@users.noreply.github.com>
Date: Tue, 16 Apr 2024 03:33:40 +0300
Subject: Memory scanning to find byte patterns

---
 src/main.c | 18 ++++++++++++++--
 src/vm.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 src/vm.h | 12 +++++++++--
 3 files changed, 92 insertions(+), 7 deletions(-)
(limited to 'src')

diff --git a/src/main.c b/src/main.c
index e255ec5..ee33aac 100644
--- a/src/main.c
+++ b/src/main.c
@@ -23,9 +23,23 @@ int main(int argc, char *argv[])
 waitpid(pid, NULL, __WALL);
 LOG("Attached to process %d\n", pid);
- /* Do stuff ... */
- parse_vmmap(pid);
+ char *byte_seq = "secret text";
+ size_t byte_seq_len = strlen(byte_seq);
+ MemscanResult *head = memscan(pid, (uint8_t*)byte_seq, byte_seq_len);
+ MemscanResult *cur = head;
+ printf("\n\n\nMemory scan results:\n");
+ printf("%-16s|%-16s|%-10s|%-s\n", "Address", "Base", "Offset", "Name");
+ puts("--------------------------------------------------");
+ while (cur) {
+ printf("%-16p|%-16p|%#-10lx|%-s\n",
+ cur->mapping->begin + cur->offset,
+ cur->mapping->begin,
+ cur->offset,
+ cur->mapping->name);
+ cur = cur->next;
+ }
+ printf("\n\n");
 ptrace(PTRACE_DETACH, pid, NULL, NULL);
 LOG("Detached from process %d\n", pid);
diff --git a/src/vm.c b/src/vm.c
index 8e62426..82f67fd 100644
--- a/src/vm.c
+++ b/src/vm.c
@@ -3,6 +3,7 @@
 #include
 #include
 #include
+#include
 #include "vm.h"
 #include "util.h"
@@ -45,8 +46,8 @@ VMMapping* parse_vmmap (int pid)
 VMMapping *new_mapping = xmalloc(sizeof(VMMapping));
 *new_mapping = (VMMapping) {
- .begin = begin,
- .end = end,
+ .begin = (void*)begin,
+ .end = (void*)end,
 .r = perms[0] == 'r',
 .w = perms[1] == 'w',
 .x = perms[2] == 'x',
@@ -63,7 +64,7 @@ VMMapping* parse_vmmap (int pid)
 head = cur = new_mapping;
 }
- LOG("%lx-%lx %c%c%c%c %s\n",
+ LOG("%p-%p %c%c%c%c %s\n",
 cur->begin,
 cur->end,
 cur->r ? 'r' : '-',
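Review bot: The `%#-10lx` conversion in the results loop is passed `cur->offset`, which the header declares as `off_t`, and `off_t` is not guaranteed to be `long` (it is 64-bit on 32-bit builds with large-file support), so the format does not match the argument type; use `%#-10jx` with `(uintmax_t)cur->offset` instead. The pattern is also a hard-coded `char *byte_seq = "secret text";` assigned to a non-const pointer — declare it `const char *` (the header's `uint8_t *byte_seq` parameter could then be `const uint8_t *`) and consider taking it from `argv` so the tool is usable without recompiling. `memscan` may return NULL and the list it returns is never freed; main exits right after, but the ownership should be stated at the call site, e.g. `/* memscan returns a heap-allocated list owned by the caller; NULL means no match or open failure */`. Whether `<string.h>` and `<stdint.h>` are already included for `strlen` and `uint8_t` cannot be seen from this hunk.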
@@ -75,3 +76,65 @@ VMMapping* parse_vmmap (int pid)
 return head;
 }
+
+static off_t memfind(const uint8_t *hay, size_t hay_size, const uint8_t *needle, size_t needle_size)
+{
+ for (off_t i = 0 ; i < hay_size - needle_size; ++i) {
+ if (memcmp(&hay[i], needle, needle_size) == 0) {
+ return i;
+ }
+ }
+ return hay_size;
+}
+
+MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
+{
+ char fmem_path[1024] = {0};
+ sprintf(fmem_path, "/proc/%d/mem", pid);
+ FILE *fmem = fopen(fmem_path, "rb+");
+ VMMapping *vmmaps_head = parse_vmmap(pid);
+ VMMapping *cur_vmmap = vmmaps_head;
+ MemscanResult *cur = NULL, *head = NULL;
+
+ while (cur_vmmap) {
+ if (!cur_vmmap->r) {
+ cur_vmmap = cur_vmmap->next;
+ continue;
+ }
+ LOG("Scanning [%p]\n", cur_vmmap->begin);
+
+ size_t region_size = cur_vmmap->end - cur_vmmap->begin;
+ uint8_t region_data[region_size];
+ fseek(fmem, (off_t)cur_vmmap->begin, SEEK_SET);
+ fread(region_data, 1, region_size, fmem);
+
+ off_t offset = 0;
+ while (offset += memfind(region_data + offset,
+ region_size - offset,
+ byte_seq,
+ byte_seq_len),
+ offset < region_size) {
+ LOG("Matched pattern at [%p]\n", cur_vmmap->begin + (off_t)offset);
+ MemscanResult *new_result = xmalloc(sizeof(MemscanResult));
+ *new_result = (MemscanResult) {
+ .mapping = cur_vmmap,
+ .offset = offset,
+ .next = NULL,
+ };
+
+ if (head) {
+ cur->next = new_result;
+ cur = new_result;
+ }
+ else {
+ head = cur = new_result;
+ }
+
+ offset += byte_seq_len;
+ }
+
+ cur_vmmap = cur_vmmap->next;
+ }
+
+ return head;
+}
diff --git a/src/vm.h b/src/vm.h
index 25849e7..4a994f9 100644
--- a/src/vm.h
+++ b/src/vm.h
@@ -3,8 +3,8 @@
 #include
 typedef struct VMMapping {
- uint64_t begin;
- uint64_t end;
+ void *begin;
+ void *end;
 uint8_t r:1;
 uint8_t w:1;
 uint8_t x:1;
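Review bot: `memscan` never checks the `fopen` result, so when `/proc/<pid>/mem` cannot be opened (ptrace scope, permissions, the process exiting) the following `fseek(fmem, ...)` dereferences NULL; the stream is also opened `"rb+"` although the scan only reads, and it is never `fclose`d, so every call leaks a descriptor. `uint8_t region_data[region_size]` is a VLA sized by the mapping, and readable mappings are routinely far larger than the stack, so a big heap or anonymous region overflows the stack before any scanning happens; the `fread` result is not checked either, so regions the kernel refuses to read (`EIO`) are scanned as uninitialized bytes. In `memfind`, `i < hay_size - needle_size` wraps when `needle_size > hay_size` (the subtraction is `size_t`) and misses a match that ends exactly at the end of the buffer (`<=` is needed), and a zero-length `byte_seq_len` makes the caller's `offset += byte_seq_len` loop forever. The rewrite below heap-allocates the region, scans only the bytes actually read, skips unreadable regions and closes the stream; the `VMMapping` list from `parse_vmmap` is still left for a separate change since `MemscanResult` points into it.

```c
static off_t memfind(const uint8_t *hay, size_t hay_size, const uint8_t *needle, size_t needle_size)
{
    /* An empty or oversized needle can never match; hay_size is the caller's "no hit" sentinel. */
    if (needle_size == 0 || needle_size > hay_size) {
        return (off_t)hay_size;
    }
    for (size_t i = 0; i <= hay_size - needle_size; ++i) {
        if (memcmp(&hay[i], needle, needle_size) == 0) {
            return (off_t)i;
        }
    }
    return (off_t)hay_size;
}

MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len)
{
    char fmem_path[1024] = {0};
    snprintf(fmem_path, sizeof fmem_path, "/proc/%d/mem", pid);
    FILE *fmem = fopen(fmem_path, "rb");   /* read-only: the scan never writes */
    if (!fmem) {
        LOG("Cannot open %s\n", fmem_path);
        return NULL;
    }
    /* … unchanged: parse_vmmap, cur_vmmap / cur / head declarations … */

    while (cur_vmmap) {
        /* … unchanged: skip mappings without read permission … */

        size_t region_size = (size_t)((uint8_t *)cur_vmmap->end - (uint8_t *)cur_vmmap->begin);
        uint8_t *region_data = xmalloc(region_size);   /* heap, not a VLA: mappings can exceed the stack */
        size_t got = 0;
        if (fseeko(fmem, (off_t)(uintptr_t)cur_vmmap->begin, SEEK_SET) == 0) {
            got = fread(region_data, 1, region_size, fmem);
        }
        if (got == 0) {
            LOG("Skipping unreadable region [%p]\n", cur_vmmap->begin);
            clearerr(fmem);
            free(region_data);
            cur_vmmap = cur_vmmap->next;
            continue;
        }
        region_size = got;   /* scan only the bytes the kernel actually returned */

        /* … unchanged: memfind loop appending MemscanResult nodes … */

        free(region_data);
        cur_vmmap = cur_vmmap->next;
    }

    fclose(fmem);
    return head;
}
```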
@@ -14,6 +14,14 @@ typedef struct VMMapping {
 struct VMMapping *next;
 } VMMapping;
+typedef struct MemscanResult {
+ VMMapping *mapping;
+ off_t offset;
+ struct MemscanResult *next;
+} MemscanResult;
+
 VMMapping* parse_vmmap (int pid);
+MemscanResult* memscan(int pid, uint8_t *byte_seq, uint64_t byte_seq_len);
+
 #endif // _VM_H_
--
cgit v1.2.3
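Review bot: The new `memscan` prototype carries no documentation of its contract, and the header does not visibly include `<sys/types.h>` for the `off_t` member (the one include above is stripped in this rendering, so it may already be there). A Doxygen comment on the declaration should state that `byte_seq`/`byte_seq_len` describe the bytes to look for and are not modified (so the parameter can be `const uint8_t *byte_seq`), that each result's `offset` is relative to `mapping->begin`, that the returned list is heap-allocated and owned by the caller, and that NULL is returned when nothing matched or the target's memory could not be opened. The `mapping` pointer also refers into the list built by `parse_vmmap` inside `memscan`, so the comment should say how long it stays valid; from this hunk alone that lifetime is not specified.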