记录学习到的patch方法.主要针对CTFpwn. 供自己以后忘记的时候查阅…
主要来源p4nda
IDA下patch主要是原有的patch功能和添加的插件例如keypatch
安装(for mac):
https://github.com/fjh658/keystone-engine
https://github.com/keystone-engine/keypatch
git clone https://github.com/fjh658/keystone-engine.git
cd keystone-engine
git submodule update --init --recursive
sudo python setup.py install --verbose
cp -rf /usr/local/lib/python2.7/site-packages/keystone /Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/python/
brew install cmake
control+option+k可以直接打汇编指令也可以用符号.(长度不足补齐nop)search 汇编指令
这个还不知道keypatch咋整…如果使用patchpyte过程如下
例如替换printf为puts
即call printf ======>call puts
改变比较有限,不能call 没有plt的函数.不能hook
mac上没装成功ubuntu好像直接pip install lief就可以了
说明文档太长还没去看…
https://lief.quarkslab.com/doc/latest/api/python/elf.html#segment
直接改strtab 例如fmtstr漏洞修复:printf==>puts
(注意这里比较暴力注意其他地方有没有用printf的,是否受影响…)
脚本如下
# @n132
import lief
import os
name="./main"
binary=lief.parse(name)
for x in binary.imported_symbols:
if x.name=="printf":
x.name="puts"
print "[+]:printf fixed"
binary.write("patched_file")
os.system("chmod +x patched_file")
主要是增加一个段可以增加编译的hook函数 例如
void diy(char *a){
asm(
"mov %rdi,0x68732f6e69622f\n"
"push %rdi\n"
"mov %rdi,%rsp\n"
"xor %rsi,%rsi\n"
"xor %rdx,%rdx\n"
"mov %ral,0x3b\n"
"syscall\n"
);
}
//gcc -Os -nostdlib -nodefaultlibs -fPIC -Wl,-shared hook.c -o hook
编译之后增加到binary里
import lief
binary=lief.parse("./main")
lib=lief.parse("./hook")
segment_add = binary.add(lib.segments[0])
binary.write("new")
之后确定位置后hook
import lief
from pwn import *
def patch_call(file,where,aim,arch = "amd64"):
aim = p32((end - (where + 5 )) & 0xffffffff)
order = '\xe8'+aim#call aim
file.patch_address(where,[ord(i) for i in order])
binary.write("new")
raw_address=
aim_address=
patch_call(binary,raw_address,aim_address)
为了防止增加了seg导致binary变化太大.可以直接把较小的hook函数写进.eh_frame
感觉一般来说0x100字节左右的空间很够用了…感觉很好的方法…
import lief
from pwn import *
def patch_call(file,where,aim,arch = "amd64"):
aim = p32((aim - (where + 5 )) & 0xffffffff)
order = '\xe8'+aim#call aim
file.patch_address(where,[ord(i) for i in order])
binary.write("new")
binary=lief.parse("../main")
context.arch='amd64'
hook='''
xor rax,rax
xor rsi,rsi
xor rdx,rdx
mov rdi,0x68732f6e69622f
push rdi
mov rdi,rsp
mov al,0x3b
syscall
'''
hook=asm(hook)
en_frame=0x000000000000A18
binary.patch_address(en_frame,[ord(i) for i in hook])
raw_address=0x00000000000092F
aim_address=en_frame
patch_call(binary,raw_address,aim_address)
binary.write("new")