堆喷射主要用于绕过ASLR。下面演示堆喷射分析与效果。
1.代码
void heap_spray()
{
char chunk[LEN] = { 0 };
memset(chunk, 0x90, LEN - 10);
strcat(chunk, "shellcode");
for (int i = 0;i < 100;i++)
{
void *p = malloc(LEN);
strcpy((char *)p, chunk);
printf("spray %d\n", i);
}
}
2.windbg分析
- !heap -stat:堆统计信息
_HEAP 002a0000
Segments 00000001
Reserved bytes 00100000
Committed bytes 0009c000
VirtAllocBlocks 00000000
VirtAlloc bytes 00000000
_HEAP 00020000...
-
!heap -stat -h 002a0000//查看segement 2a0000堆块大小统计情况
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
1000 65 - 65000 (94.88)//大小为0x1000,共0x65个,占比94.88%,可见堆喷射效果较好
20 6e - dc0 (0.81)
c00 1 - c00 (0.70)
bec 1 - bec (0.70... -
!heap -flt s 1000:列出所有大小为0x1000的堆块
_HEAP @ 2a0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
002c9e50 0201 0000 [00] 002c9e58 01000 - (busy)
002cae58 0201 0201 [00] 002cae60 01000 - (free)
002cbe60 0201 0201 [00] 002cbe68 01000 - (busy)
002cce68 0201 0201 [00] 002cce70 01000 - (busy)
002cde70 0201 0201 [00] 002cde78 01000 - (busy)
002cee78 0201 0201 [00] 002cee80 01000 - (busy)
-
0:000> dc 0032df90+0x1000-10//验证到顺序分配,并且相临。同时包含0x8的堆头。一个堆块大小为0x1000+0x8.
0032ef80 90909090 68739090 636c6c65 0065646f ......shellcode.
0032ef90 1a394b70 88000000 90909090 90909090 pK9.............
0032efa0 90909090 90909090 90909090 90909090 ................ -
!address:使用address查看内存属性
BaseAddr EndAddr+1 RgnSize Type State Protect Usage
-----------------------------------------------------------------------------------------------
+ 0 10000 10000 MEM_FREE PAGE_NOACCESS Free
+ 10000 20000 10000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap [ID: 1; Handle: 00010000; Type: Segment]
+ 20000 30000 10000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap
Type:
MEM_IMAGE | 映射的文件属于可执行映像一部分的内存。 |
MEM_MAPPED | 映射的文件不属于可执行映像一部分的内存。这种内存包含哪些从页面文件映射的内存。 |
MEM_PRIVATE | 私有的(即不和其他进程共享)并且未用来映射任何文件的内存。 |
State
MEM_COMMIT | 当前已提交给目标使用的所有内存。已经在物理内存或者页面文件中为这些内存分配了物理的存储空间。 |
MEM_RESERVE | 所有为目标以后的使用保留的内存。这种内存还没有分配物理上的存储空间。 |
MEM_FREE | 目标虚拟地址空间中所有可用内存。包括所有未提交并且未保留的内存。该Filter 值和RegionUsageFree一样。 |
Protect:
Filter value | Memory regions displayed |
---|---|
PAGE_NOACCESS |
Memory that cannot be accessed. |
PAGE_READONLY |
Memory that is readable, but not writable and not executable. |
PAGE_READWRITE |
Memory that is readable and writable, but not executable. |
PAGE_WRITECOPY |
Memory that has copy-on-write behavior. |
PAGE_EXECUTE |
Memory that is executable, but not readable and not writeable. |
PAGE_EXECUTE_READ |
Memory that is executable and readable, but not writable. |
PAGE_EXECUTE_READWRITE |
Memory that is executable, readable, and writable. |
PAGE_EXECUTE_WRITECOPY |
Memory that is executable and has copy-on-write behavior. |
PAGE_GUARD |
Memroy that acts as a guard page. |
PAGE_NOCACHE |
Memory that is not cached. |
PAGE_WRITECOMBINE |
Memory that has write-combine access enabled. |
-
!address 0032df90
Usage: Heap
Base Address: 002a0000
End Address: 0033c000
Region Size: 0009c000 ( 624.000 kB)
State: 00001000 MEM_COMMIT//已经在物理内存中分配
Protect: 00000004 PAGE_READWRITE//可读写,但不可执行
Type: 00020000 MEM_PRIVATE
Allocation Base: 002a0000
Allocation Protect: 00000004 PAGE_READWRITE - 修改寄存器命令
r @eax=1 //将eax置为1
修改内存命令
ed 80505648 00001234