How to do binary instrumentation of syscall brk? (x86-64 Linux) (maybe valgrind?)


Question

I'd like to instrument the syscall brk (and other calls, but this one first; it's the most important to me) in a given binary (preferably at the actual syscall/sysenter level (x86-64 and x86) of making the sys_brk call).

Main goal:

  • A part of a sandbox which gives a fixed amount of memory to a jailed process
  • So I'd like to get rid of brk system calls (and, most preferably, others in the next order) and simulate memory allocations under a fixed limit. The fixed limit is the memory space available to the program. (You can think of it as making a kind of sandbox with a fixed amount of available memory.)

How to implement (one of) some example possible solutions (or your solution):

  • just changing the instructions to NOP
  • As brk returns 0 on success, simulate its success by setting the memory (register) state as if brk had been called successfully.
  • More complex... instrument with code (or a function call) which simulates successful memory allocations under a fixed limit.
  • Most flexible (maybe overkill in my case): change this syscall into a function call and add the provided function to the binary.

The given binary is code that can be malicious, in one of two (most preferably both :) ) forms:

  • shared library - here I can set up the environment before the function call (for example, do the brk call in a controlled way)
  • program binary - in this case we need to give the program a fixed amount of memory (by the caller, or at the beginning of the program with "one syscall"), because it can not allocate. An example of calling such a program should be included in the answer.

As the problem is highly connected with many other aspects, I tried to do my best in separating it out as a question, but please advise me if I should specify something more or less.

Answers with an implementation, and links to resources (books, tutorials), are welcome.

(I am most interested in Linux, and in a solution that is reliable, so that people preparing binaries, even in assembler, would not have to worry about the execution of their code.)

Recommended answer

LD_PRELOAD will trap C calls to brk(), but it won't trap the actual system call (the int/syscall instruction). There's no portable way to trap those, but on Linux, ptrace will do it. Memory can also be allocated to a program by mmap(), so you'll need to intercept that call too.

Of course, what it seems you're really looking for is rlimit().
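The ptrace route the answer points at, written out as an added example for x86-64 Linux (this is not code from the original question or answer). The tracer forks the target, stops it at every syscall entry and exit with PTRACE_SYSCALL, and applies a fixed byte budget to brk and anonymous mmap: a request over budget is turned into syscall number -1 (so the kernel does nothing) and the return register is patched on exit so the program sees a normal failure. The struct and function names (mem_policy, policy_allow_brk, policy_allow_mmap, policy_note_*), the limitmem command name and the register convention (number in orig_rax, arguments in rdi/rsi/rdx/r10) are this example's own assumptions about the x86-64 ABI; the policy logic is kept in plain functions so it can be unit-tested without a traced child.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accounting state for one sandboxed process (names are this example's own). */
struct mem_policy {
    unsigned long limit;      /* bytes the program may obtain via brk + anonymous mmap */
    unsigned long brk_base;   /* initial program break, 0 until the first brk result */
    unsigned long brk_cur;    /* last break value the kernel reported */
    unsigned long mmap_bytes; /* anonymous mmap bytes granted so far (never credited back) */
};

/* brk(addr): 1 = let the syscall through, 0 = deny (tracer fakes the result). */
int policy_allow_brk(const struct mem_policy *p, unsigned long addr)
{
    if (addr == 0 || p->brk_base == 0 || addr <= p->brk_base)
        return 1; /* query, base not yet known, or a shrink: the kernel decides */
    return (addr - p->brk_base) + p->mmap_bytes <= p->limit;
}

/* mmap(len, flags): only anonymous mappings are charged against the limit. */
int policy_allow_mmap(const struct mem_policy *p, unsigned long len, int flags)
{
    unsigned long heap = p->brk_cur > p->brk_base ? p->brk_cur - p->brk_base : 0;
    if (!(flags & MAP_ANONYMOUS)) return 1;
    return heap + p->mmap_bytes + len <= p->limit;
}

void policy_note_brk_result(struct mem_policy *p, unsigned long ret)
{
    if (p->brk_base == 0) p->brk_base = ret; /* glibc's first brk(0) reveals the base */
    p->brk_cur = ret;
}

void policy_note_mmap_result(struct mem_policy *p, unsigned long len, int flags, long ret)
{
    if ((flags & MAP_ANONYMOUS) && ret >= 0) /* the kernel returns -errno as a negative long */
        p->mmap_bytes += len;
}

/* Tracer: ./limitmem <limit-bytes> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <limit-bytes> <program> [args...]\n", argv[0]); return 2; }
    struct mem_policy pol = { .limit = strtoul(argv[1], NULL, 0) };
    pid_t pid = fork();
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP); /* pause so the tracer can set options before exec */
        execvp(argv[2], argv + 2);
        perror("execvp"); _exit(127);
    }
    int status, sig = 0, in_syscall = 0, denied = 0, mflags = 0;
    long nr = 0; unsigned long mlen = 0;
    waitpid(pid, &status, 0);
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig);
        sig = 0;
        waitpid(pid, &status, 0);
        if (!WIFSTOPPED(status)) break; /* exited or killed */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { /* not a syscall stop */
            if (WSTOPSIG(status) != SIGTRAP) sig = WSTOPSIG(status); /* re-deliver real signals */
            continue;
        }
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if (!in_syscall) { /* syscall entry: number in orig_rax, args in rdi, rsi, rdx, r10 */
            in_syscall = 1;
            nr = (long)regs.orig_rax;
            mlen = regs.rsi;
            mflags = (int)regs.r10;
            denied = (nr == SYS_brk && !policy_allow_brk(&pol, regs.rdi)) ||
                     (nr == SYS_mmap && !policy_allow_mmap(&pol, mlen, mflags));
            if (denied) { /* number -1 is no syscall: kernel answers -ENOSYS, patched on exit */
                regs.orig_rax = (unsigned long long)-1;
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
            }
        } else { /* syscall exit: result in rax */
            in_syscall = 0;
            if (nr == SYS_brk && denied)
                regs.rax = pol.brk_cur; /* a failed brk returns the unchanged break */
            else if (nr == SYS_brk)
                policy_note_brk_result(&pol, regs.rax);
            else if (nr == SYS_mmap && denied)
                regs.rax = (unsigned long long)-ENOMEM;
            else if (nr == SYS_mmap)
                policy_note_mmap_result(&pol, mlen, mflags, (long)regs.rax);
            if (denied) ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128;
}
```

Build with `gcc -O2 -o limitmem limitmem.c` and run `./limitmem 0x1000000 ./target`; malloc in the target will start returning NULL once brk plus anonymous mmap exceeds 16 MiB. The accounting is deliberately conservative: munmap is never credited back, mremap and the 32-bit int 0x80 / mmap2 path (which the question also asks about) are not handled, and every syscall costs two context switches, so a real sandbox would add seccomp filtering (SECCOMP_RET_TRACE) to stop only on the interesting calls. For the plain "fixed amount of memory" requirement, setrlimit(RLIMIT_AS) as the answer suggests enforces the same budget in the kernel without any tracing.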
