网站页面模板页面布局,网站搭建服务合同,个人主页介绍,分销系统软件这里不再解释vDSO的概念#xff0c;而直接谈其意义#xff1a;vDSO类似一个信息公告板#xff0c;用户可以直取所需#xff0c;而无需为此办理任何手续。vDSO相当于内核直接暴露出来的一个C库#xff0c;作为GLIBC的补充。…类似gettimeofday之类的调用#xff0c;每次都…这里不再解释vDSO的概念而直接谈其意义vDSO类似一个信息公告板用户可以直取所需而无需为此办理任何手续。vDSO相当于内核直接暴露出来的一个C库作为GLIBC的补充。…类似gettimeofday之类的调用每次都陷入内核去拿一个时间戳显得有点昂贵了不如内核把时间戳放在一个公共的可以暴露给任何用户的地方用户自己去看就行了这是vDSO的典型用例。为了简单化描述我们关闭ASLR[rootlocalhost ~]# sysctl -w kernel.randomize_va_space0随便打开一个ping程序获取其/proc/pid/smap中vdso的map区间7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]Size: 8 kB...我们将其dd出来[rootlocalhost ~]# dd if/proc/3688/mem of./vsdo.dd obs1 bs1 skip140737354113024 count8192随后我们看看它是什么[rootlocalhost ~]# file ./vdso.dd./vdso.dd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]09be88363f7ca8b05e2cb54a82d16bec2e840186, stripped那么接下来可以objdump了就像对待普通的动态链接库一样[rootlocalhost ]# objdump -T vdso.ddvdso.dd 文件格式 elf64-x86-64DYNAMIC SYMBOL TABLE:ffffffffff700354 l d .eh_frame_hdr0000000000000000 .eh_frame_hdrffffffffff700700 w DF .text000000000000059d LINUX_2.6 clock_gettime0000000000000000 g DO *ABS*0000000000000000 LINUX_2.6 LINUX_2.6ffffffffff700ca0 g DF .text00000000000002d5 LINUX_2.6 __vdso_gettimeofdayffffffffff700fa0 g DF .text000000000000003d LINUX_2.6 __vdso_getcpuffffffffff700ca0 w DF .text00000000000002d5 LINUX_2.6 gettimeofdayffffffffff700f80 w DF .text0000000000000016 LINUX_2.6 timeffffffffff700fa0 w DF .text000000000000003d LINUX_2.6 getcpuffffffffff700700 g DF .text000000000000059d LINUX_2.6 __vdso_clock_gettimeffffffffff700f80 g DF .text0000000000000016 LINUX_2.6 __vdso_time看看看看里面竟都是些什么东西竟是一些时间公告函数啊这意味着如果你想获取时间调这里的函数就好了我们看看最简单的time系统调用是如何来获取时间的下面是对待vdso.dd文件的objdump -D的结果ffffffffff700f80 __vdso_time:ffffffffff700f80: 55 push %rbpffffffffff700f81: 48 85 ff test %rdi,%rdiffffffffff700f84: 48 8b 04 25 a8 f0 5f mov 0xffffffffff5ff0a8,%raxffffffffff700f8b: ffffffffffff700f8c: 48 89 e5 mov %rsp,%rbpffffffffff700f8f: 74 03 je ffffffffff700f94 __vdso_timeffffffffff700f91: 48 89 07 mov %rax,(%rdi)ffffffffff700f94: 5d pop %rbpffffffffff700f95: c3 retq很显然并没有调用任何系统调用而是直接从地址0xffffffffff5ff0a8处拿到了时间那么地址0xffffffffff5ff0a8一定就是内核映射到用户态的时间公告板的位置了。记住地址0xffffffffff5ff0a8用户态的分析到此告一段落我们进入内核去看一看。首先从/proc/kallsyms中查到vdso的位置ffffffff81941000 D vdso_startffffffff819424b0 D vdso_end其次我们找到内核时间公告板vsyscall_gtod_data的位置ffffffff81a75080 D vsyscall_gtod_data我们看一下该公告板的值crash struct vsyscall_gtod_data.wall_time_sec ffffffff81a75080wall_time_sec 1600912854crash struct vsyscall_gtod_data.wall_time_sec ffffffff81a75080wall_time_sec 1600912856crash struct vsyscall_gtod_data.wall_time_sec ffffffff81a75080wall_time_sec 1600912857显然公告板的wall_time_sec字段就是返回给time的值了。下面我们找到它的地址crash struct vsyscall_gtod_data ffffffff81a75080 -ostruct vsyscall_gtod_data {[ffffffff81a75080] seqcount_t seq;struct {int vclock_mode;cycle_t cycle_last;cycle_t mask;u32 mult;u32 shift;[ffffffff81a75088] } clock;[ffffffff81a750a8] time_t wall_time_sec;[ffffffff81a750b0] u64 wall_time_snsec;[ffffffff81a750b8] u64 monotonic_time_snsec;[ffffffff81a750c0] time_t monotonic_time_sec;[ffffffff81a750c8] struct timezone sys_tz;[ffffffff81a750d0] struct timespec wall_time_coarse;[ffffffff81a750e0] struct timespec monotonic_time_coarse;}嗯就是0xffffffff81a750a8了。它就是映射到0xffffffffff5ff0a8暴露给用户态的那个地址了。我们接下来证实这一点修改掉映射地址返回给time调用以0.我们再看公告板crash struct vsyscall_gtod_data ffffffff81a75080...sys_tz {tz_minuteswest 0,tz_dsttime 0},我们把sys_tz映射出去怎样这个值是一直为0的我们期望的就是time返回0.为此我们首先拿到sys_tz和wall_time_sec之间的偏移crash eval ffffffff81a750c8-ffffffff81a750a8hexadecimal: 20decimal: 32octal: 40因此我们只要把vdso的time函数代码改掉即可ffffffffff700f84: 48 8b 04 25 a8 f0 5f mov 0xffffffffff5ff0a8,%rax改为ffffffffff700f84: 48 8b 04 25 c8 f0 5f mov 0xffffffffff5ff0c8,%rax即将time函数的第8个字节0xa8改成0xc8即可通过模式匹配可以拿到time函数在vdso页面的偏移f80: 55 push rbpf81: 48 85 ff test rdi,rdif84: 48 8b 04 25 a8 f0 5f mov rax,QWORD PTR ds:0xffffffffff5ff0a8f8b: fff8c: 48 89 e5 mov rbp,rspf8f: 74 03 je 0xf94f91: 48 89 07 mov QWORD PTR [rdi],raxf94: 5d pop rbpf95: c3 ret即0xf80.那么0xffffffff81941f80便是time函数其地址了unsigned char *addr (unsigned char *)0xffffffff81941f80;addr[8] 0xc8;在修改之前我们先编程验证#include #include typedef time_t (*time_func)(time_t *);int main(int argc, char *argv[]){time_t tloc;// 直接从地址拿值unsigned long *p (unsigned long *)0xffffffffff5ff0a8;// 通过函数拿值time_func func (time_func)0x7ffff7ffaf80;func(tloc);printf(%ld, tloc);printf(%lu, *p);}预期的结果应该是两种方式获取的是同一个值[rootlocalhost ~]# ./a.out16009239221600923922[rootlocalhost ~]# ./a.out16009239231600923923[rootlocalhost ~]#下面将内核页面对应的指令修改之[rootlocalhost ~]# cat modtime.stp#!/usr/local/bin/stap -gfunction modtime(val:long)%{unsigned char *addr (unsigned char *)0xffffffff81941f80;unsigned char c (unsigned char)STAP_ARG_val;addr[8] c;%}probe begin{modtime($1)exit()}执行之[rootlocalhost ~]# ./modtime.stp 0xc8[rootlocalhost ~]# ./a.out01600924228[rootlocalhost ~]# ./a.out01600924229[rootlocalhost ~]# ./modtime.stp 0xa8[rootlocalhost ~]# ./a.out16009242381600924238[rootlocalhost ~]#当修改了vdso页面的指令后所有调用time的进程都将异常这是很显然的top - 08:00:00 up 42 min, 3 users, load average: 0.00, 0.00, 0.00Tasks: 114 total, 1 running, 113 sleeping, 0 stopped, 0 zombie%Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 stKiB Mem : 0 total, 0 free, 0 used, 0 buff/cacheKiB Swap: 0 total, 0 free, 0 used. 0 avail MemPID USER PR NI VIRT RES SHR S %CPU %MEM TIME COMMAND1 root 20 0 51696 3808 2492 S 0.0 inf 0:01.29 systemd2 root 20 0 0 0 0 S 0.0 -nan 0:00.00 kthreadd3 root 20 0 0 0 0 S 0.0 -nan 0:00.00 ksoftirqd/07 root rt 0 0 0 0 S 0.0 -nan 0:00.01 migration/08 root 20 0 0 0 0 S 0.0 -nan 0:00.00 rcu_bh9 root 20 0 0 0 0 S 0.0 -nan 0:00.00 rcuob/010 root 20 0 0 0 0 S 0.0 -nan 0:00.00 rcuob/1值得一提的是在vdso之前vsyscall机制也是类似只是说它仅仅提供了一种map而没有抽象出动态链接的含义因此也就无法享受ASLR带来的安全保护了。浙江温州皮鞋湿下雨进水不会胖。