A quick primer on ROP gadgets: they are short instruction sequences that already exist in the target process's executable memory and end in `ret` or an indirect jump. An exploit chains them together to run under memory protections such as DEP, for example to call VirtualProtect and make a page executable. The chain has to be built by hand, which means searching the debuggee's memory for the right byte sequences. The LyScript plugin improves the debugger's instruction-fragment search, but we still need to wrap a few helpers on top of it; this is not hard to implement. Plugin address: https://github.com/lyshark/Ly...

Wrapping machine-code retrieval:

First wrap a function that, given an assembly instruction, returns the corresponding machine code. This paves the way for searching ROP gadgets, and the code is very simple. `dbg.create_alloc(1024)` allocates a 1024-byte heap block in the debuggee to hold our machine code, `dbg.assemble_write_memory(alloc_address, "sub esp,10")` assembles one instruction and writes its bytes into that block, and `op = dbg.read_memory_byte(alloc_address + index)` reads them back one at a time. Note that x64dbg's assembler interprets numbers as hexadecimal by default, so `sub esp,10` subtracts 0x10 and assembles to `83 EC 10`. The block is freed again with `dbg.delete_alloc()` whether or not assembly succeeded.

```python
from LyScript32 import MyDebug

if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("Connection status: {}".format(connect_flag))

    machine_code_list = []

    # Allocate a heap block in the debuggee to hold the assembled bytes
    alloc_address = dbg.create_alloc(1024)
    print("Allocate heap: {}".format(hex(alloc_address)))

    # Assemble the instruction and write its machine code into the block
    machine_code = dbg.assemble_write_memory(alloc_address, "sub esp,10")
    if machine_code == False:
        dbg.delete_alloc(alloc_address)
        dbg.close()
        raise SystemExit("assembling the instruction failed")

    # Length of the assembled instruction in bytes
    machine_code_size = dbg.assemble_code_size("sub esp,10")
    if machine_code_size == False:
        dbg.delete_alloc(alloc_address)
        dbg.close()
        raise SystemExit("could not determine the instruction length")

    # Read the machine code back byte by byte
    for index in range(0, machine_code_size):
        op = dbg.read_memory_byte(alloc_address + index)
        machine_code_list.append(op)

    # Free the heap block
    dbg.delete_alloc(alloc_address)

    # Print the machine code
    print(machine_code_list)
    dbg.close()
```

Next we wrap the logic above into a `get_assembly_machine_code()` function so it can be called directly. On any failure it frees the heap block and returns `None`; otherwise it returns the bytes as a list of integers.

```python
from LyScript32 import MyDebug

# Take an assembly instruction and return its machine code as a list of bytes
def get_assembly_machine_code(dbg, asm):
    machine_code_list = []

    # Allocate a heap block in the debuggee
    alloc_address = dbg.create_alloc(1024)
    print("Allocate heap: {}".format(hex(alloc_address)))

    # Assemble the instruction into the block
    machine_code = dbg.assemble_write_memory(alloc_address, asm)
    if machine_code == False:
        dbg.delete_alloc(alloc_address)
        return None

    # Length of the assembled instruction
    machine_code_size = dbg.assemble_code_size(asm)
    if machine_code_size == False:
        dbg.delete_alloc(alloc_address)
        return None

    # Read back the bytes at indices [0, machine_code_size)
    for index in range(0, machine_code_size):
        op = dbg.read_memory_byte(alloc_address + index)
        machine_code_list.append(op)

    # Free the heap block
    dbg.delete_alloc(alloc_address)
    return machine_code_list


if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("Connection status: {}".format(connect_flag))

    # Convert the first instruction
    opcode = get_assembly_machine_code(dbg, "mov eax,1")
    for index in opcode:
        print("0x{:02X}".format(index), end=" ")
    print()

    # Convert the second instruction
    opcode = get_assembly_machine_code(dbg, "sub esp,10")
    for index in opcode:
        print("0x{:02X}".format(index), end=" ")
    print()

    dbg.close()
```

Running it prints the bytes of each instruction, for example `0xB8 0x01 0x00 0x00 0x00` for `mov eax,1` and `0x83 0xEC 0x10` for `sub esp,10`.

Scanning memory for a match:

Using the wrapped `get_assembly_machine_code()` together with `scan_memory_one(scan_string)` we can check whether the debuggee's memory contains the instruction. `scan_memory_one()` takes its pattern as a string of space-separated hex bytes (for example `"FF 25"`), so the byte list has to be formatted as hex; joining the decimal `str()` of each byte would turn `push eax` (`0x50`, decimal 80) into the pattern `"80"` and search for the wrong byte.

```python
from LyScript32 import MyDebug

# Take an assembly instruction and return its machine code as a list of bytes
def get_assembly_machine_code(dbg, asm):
    machine_code_list = []

    # Allocate a heap block in the debuggee
    alloc_address = dbg.create_alloc(1024)
    print("Allocate heap: {}".format(hex(alloc_address)))

    # Assemble the instruction into the block
    machine_code = dbg.assemble_write_memory(alloc_address, asm)
    if machine_code == False:
        dbg.delete_alloc(alloc_address)
        return None

    # Length of the assembled instruction
    machine_code_size = dbg.assemble_code_size(asm)
    if machine_code_size == False:
        dbg.delete_alloc(alloc_address)
        return None

    # Read back the bytes at indices [0, machine_code_size)
    for index in range(0, machine_code_size):
        op = dbg.read_memory_byte(alloc_address + index)
        machine_code_list.append(op)

    # Free the heap block
    dbg.delete_alloc(alloc_address)
    return machine_code_list


if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("Connection status: {}".format(connect_flag))

    # Convert the instruction into a byte list
    opcode = get_assembly_machine_code(dbg, "push eax")
    print("Machine code list:", opcode)

    # Turn the list into the pattern string scan_memory_one expects:
    # hex bytes separated by spaces, e.g. "FF 25"
    scan_string = " ".join(["{:02X}".format(_) for _ in opcode])
    print("Search machine code string:", scan_string)

    address = dbg.scan_memory_one(scan_string)
    print("First matching memory block: {}".format(hex(address)))
    dbg.close()
```

The scan returns the address of the first matching block. Putting the ROP instructions we need into a list and looping over it returns the memory address of each one directly. Two caveats when using these hits in a chain: `scan_memory_one()` returns only the first match, which may sit in data rather than code, and a single instruction matched on its own is not yet a gadget. For a ROP chain the bytes must be followed by a `ret` (`C3`) or another control transfer, so the pattern to search is normally the instruction bytes plus `C3`, and every hit should be checked in the disassembler before it is used.

```python
from LyScript32 import MyDebug

# Take an assembly instruction and return its machine code as a list of bytes
def get_assembly_machine_code(dbg, asm):
    machine_code_list = []

    # Allocate a heap block in the debuggee
    alloc_address = dbg.create_alloc(1024)
    print("Allocate heap: {}".format(hex(alloc_address)))

    # Assemble the instruction into the block
    machine_code = dbg.assemble_write_memory(alloc_address, asm)
    if machine_code == False:
        dbg.delete_alloc(alloc_address)
        return None

    # Length of the assembled instruction
    machine_code_size = dbg.assemble_code_size(asm)
    if machine_code_size == False:
        dbg.delete_alloc(alloc_address)
        return None

    # Read back the bytes at indices [0, machine_code_size)
    for index in range(0, machine_code_size):
        op = dbg.read_memory_byte(alloc_address + index)
        machine_code_list.append(op)

    # Free the heap block
    dbg.delete_alloc(alloc_address)
    return machine_code_list


if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("Connection status: {}".format(connect_flag))

    for item in ["push eax", "mov eax,1", "jmp eax", "pop eax"]:
        # Convert the instruction into a byte list
        opcode = get_assembly_machine_code(dbg, item)
        if opcode is None:
            print("Could not assemble: {}".format(item))
            continue

        # Turn the list into the space-separated hex pattern
        scan_string = " ".join(["{:02X}".format(_) for _ in opcode])

        address = dbg.scan_memory_one(scan_string)
        if not address:
            print("{:<12} {:<16} no match".format(item, scan_string))
        else:
            print("{:<12} {:<16} first matching memory block: {}".format(item, scan_string, hex(address)))

    dbg.close()
```

The search prints one address per instruction, in the order of the list.
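The scans above only work against a live debuggee. The example below is added here and is not part of the original post or of LyScript: it performs the same gadget search offline over a constructed blob of 32-bit x86 code bytes, using a hand-written encoding table in place of `assemble_write_memory()`. It builds the space-separated hex pattern that `scan_memory_one()` takes, requires the sequence to end in `ret` or `jmp eax` so that a lone `push eax` is rejected as a gadget, and keeps overlapping hits, including an unaligned `pop eax ; ret` that lives inside the immediate of a `mov eax,0xC358`. The base address, the byte blob and the `ENCODINGS` table are all constructed for the example.

```python
# Offline ROP gadget scan over a constructed x86 (32-bit) code blob.
# Added example; not part of the original post and not LyScript code.

# Hand-written encodings standing in for assemble_write_memory() (constructed table)
ENCODINGS = {
    "push eax":   bytes.fromhex("50"),
    "pop eax":    bytes.fromhex("58"),
    "pop ebp":    bytes.fromhex("5d"),
    "mov eax,1":  bytes.fromhex("b801000000"),
    "sub esp,10": bytes.fromhex("83ec10"),
    "jmp eax":    bytes.fromhex("ffe0"),
    "ret":        bytes.fromhex("c3"),
}

# Instructions that may terminate a gadget: control leaves the gadget here
TERMINATORS = {"ret", "jmp eax"}

# Constructed "text section" at a hypothetical base address
TEXT_BASE = 0x00401000
TEXT_BYTES = bytes.fromhex(
    "55"          # +0   push ebp
    "89e5"        # +1   mov ebp,esp
    "83ec10"      # +3   sub esp,10
    "50"          # +6   push eax
    "58c3"        # +7   pop eax ; ret          <- aligned gadget
    "b858c30000"  # +9   mov eax,0xC358         <- bytes 58 C3 at +10: unaligned gadget
    "b801000000"  # +14  mov eax,1
    "ffe0"        # +19  jmp eax
    "5dc3"        # +21  pop ebp ; ret
    "cccccccc"    # +23  int3 padding
)


def encode(asm_seq):
    """Concatenate the machine code of an instruction sequence."""
    return b"".join(ENCODINGS[asm] for asm in asm_seq)


def scan_pattern(opcodes):
    """Format a byte list as the space-separated hex string scan_memory_one takes.
    Joining str() of the ints instead would turn push eax (0x50) into "80"."""
    return " ".join("{:02X}".format(b) for b in opcodes)


def find_all(blob, base, pattern):
    """Every offset of pattern in blob, returned as addresses. Overlapping and
    unaligned matches are kept because x86 code can be entered at any byte."""
    hits, start = [], 0
    while True:
        i = blob.find(pattern, start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1


def find_gadgets(blob, base, asm_seq):
    """Addresses where asm_seq occurs in blob. The sequence must end in a
    terminator; otherwise the match is not usable as a ROP gadget."""
    if asm_seq[-1] not in TERMINATORS:
        raise ValueError("gadget must end in one of %s" % sorted(TERMINATORS))
    return find_all(blob, base, encode(asm_seq))


if __name__ == "__main__":
    for seq in (["pop eax", "ret"], ["mov eax,1", "jmp eax"], ["pop ebp", "ret"]):
        addrs = [hex(a) for a in find_gadgets(TEXT_BYTES, TEXT_BASE, seq)]
        print("{:<18} {:<20} -> {}".format(" ; ".join(seq), scan_pattern(encode(seq)), addrs))
```

Against a real target the `ENCODINGS` lookup is replaced by `get_assembly_machine_code()` and `find_all()` by `scan_memory_all()`, but the two checks stay the same: format the pattern as hex, and only accept hits whose bytes end in a control transfer.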
