def _parse_auxv(self, note):
    """Record selected auxiliary-vector entries found in ``note``.

    ``note.n_desc`` is consumed as consecutive (key, value) pairs, one
    pair per ``context.bytes * 2`` bytes of ``note.n_descsz``.  Entries
    whose key matches one of the ``constants.AT_*`` values handled below
    are stored on ``self``; every other pair is read and discarded.

    Arguments:
        note: Note object providing ``n_desc`` and ``n_descsz``.
    """
    reader = tube()
    reader.unrecv(note.n_desc)

    pair_size = context.bytes * 2
    for _ in range(0, note.n_descsz, pair_size):
        key = reader.unpack()
        value = reader.unpack()

        # AT_EXECFN points at the executable's filename, which sits at the
        # very top of the stack and is followed by one word's width of
        # NUL bytes.  For example, on a 64-bit system:
        #
        # 0x7fffffffefe8  53 3d 31 34 33 00 2f 62 69 6e 2f 62 61 73 68 00  |S=14|3./b|in/b|ash.|
        # 0x7fffffffeff8  00 00 00 00 00 00 00 00                          |....|....|
        if key == constants.AT_EXECFN:
            self.at_execfn = value
            # Round down to a 0x1000 boundary and step one 0x1000 block up:
            # the result is recorded as the stack address.
            # NOTE(review): hard-codes a 0x1000 granule -- confirm for
            # targets whose page size differs.
            value = (value & ~0xfff) + 0x1000
            self.stack = value

        # The remaining entries are stored verbatim under matching names.
        simple_entries = (
            (constants.AT_ENTRY, 'at_entry'),
            (constants.AT_PHDR, 'at_phdr'),
            (constants.AT_BASE, 'at_base'),
            (constants.AT_SYSINFO_EHDR, 'at_sysinfo_ehdr'),
        )
        for tag, attribute in simple_entries:
            if key == tag:
                setattr(self, attribute, value)
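def _parse_nt_file(self, note):
    """Name the entries of ``self.mappings`` from a file-mapping note.

    Fields are consumed from ``note.n_desc`` in this order::

        count, page_size,
        count * (start, end, offset),
        count * NUL-terminated filename

    Every mapping whose ``start`` equals a listed start address gets that
    entry's filename as ``name`` and its offset as ``page_offset``.
    ``self.mappings`` is then sorted by ``start``, and mappings that are
    still unnamed are labelled ``[vsyscall]``, ``[vdso]`` or ``[vvar]``
    where the heuristics below match.

    Arguments:
        note: Note object providing ``n_desc``.
    """
    t = tube()
    t.unrecv(note.n_desc)

    # NOTE(review): count is taken from the note as-is and is not checked
    # against the descriptor length; with a truncated or malformed core
    # file the reads below presumably fail part-way -- confirm that the
    # caller handles this.
    count = t.unpack()
    t.unpack()  # page_size: read only to advance past the field

    starts = []
    for _ in range(count):
        start = t.unpack()
        t.unpack()  # end address: consumed but not used
        offset = t.unpack()
        starts.append((start, offset))

    # Index the mappings by start address once, so each file entry is a
    # dictionary lookup instead of a scan over every mapping.  A list per
    # key keeps the behaviour for mappings that share a start address.
    by_start = {}
    for mapping in self.mappings:
        by_start.setdefault(mapping.start, []).append(mapping)

    for start, offset in starts:
        filename = t.recvuntil('\x00', drop=True)
        for mapping in by_start.get(start, ()):
            mapping.name = filename
            # NOTE(review): presumably expressed in units of page_size,
            # as the attribute name suggests -- confirm.
            mapping.page_offset = offset

    self.mappings = sorted(self.mappings, key=lambda m: m.start)

    # Walk from the highest address down and label the special regions
    # that carry no filename.  Each flag limits its heuristic to one hit.
    vvar = vdso = vsyscall = False
    for mapping in reversed(self.mappings):
        if mapping.name:
            continue

        if not vsyscall and mapping.start == 0xffffffffff600000:
            mapping.name = '[vsyscall]'
            vsyscall = True
            continue

        # Either the address recorded from AT_SYSINFO_EHDR, or a small
        # mapping with flags 5 that begins with the ELF magic.  The magic
        # is a bytes literal: identical to the former str literal on
        # Python 2, and on Python 3 a str literal never compares equal to
        # bytes, which would disable this heuristic silently.
        # NOTE(review): assumes self.read returns bytes on Python 3 and
        # that self.at_sysinfo_ehdr is already set -- confirm.
        if mapping.start == self.at_sysinfo_ehdr or (
                not vdso
                and mapping.size in [0x1000, 0x2000]
                and mapping.flags == 5
                and self.read(mapping.start, 4) == b'\x7fELF'):
            mapping.name = '[vdso]'
            vdso = True
            continue

        if not vvar and mapping.size == 0x2000 and mapping.flags == 4:
            mapping.name = '[vvar]'
            vvar = True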
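def _parse_nt_file(self, note):
    """Name the entries of ``self.mappings`` from a file-mapping note.

    Fields are consumed from ``note.n_desc`` in this order::

        count, page_size,
        count * (start, end, offset),
        count * NUL-terminated filename

    Every mapping whose ``start`` equals a listed start address gets that
    entry's filename as ``name``.  ``self.mappings`` is then sorted by
    ``start``, and mappings that are still unnamed are labelled
    ``[vsyscall]``, ``[vdso]`` or ``[vvar]`` where the heuristics below
    match.

    Arguments:
        note: Note object providing ``n_desc``.
    """
    t = tube()
    t.unrecv(note.n_desc)

    # NOTE(review): count is taken from the note as-is and is not checked
    # against the descriptor length; with a truncated or malformed core
    # file the reads below presumably fail part-way -- confirm that the
    # caller handles this.
    count = t.unpack()
    t.unpack()  # page_size: read only to advance past the field

    starts = []
    for _ in range(count):
        starts.append(t.unpack())
        t.unpack()  # end address: consumed but not used
        t.unpack()  # file offset: consumed but not used

    # Index the mappings by start address once, so each file entry is a
    # dictionary lookup instead of a scan over every mapping.  A list per
    # key keeps the behaviour for mappings that share a start address.
    by_start = {}
    for mapping in self.mappings:
        by_start.setdefault(mapping.start, []).append(mapping)

    for start in starts:
        filename = t.recvuntil('\x00', drop=True)
        for mapping in by_start.get(start, ()):
            mapping.name = filename

    self.mappings = sorted(self.mappings, key=lambda m: m.start)

    # Walk from the highest address down and label the special regions
    # that carry no filename.  Each flag limits its heuristic to one hit.
    vvar = vdso = vsyscall = False
    for mapping in reversed(self.mappings):
        if mapping.name:
            continue

        if not vsyscall and mapping.start == 0xffffffffff600000:
            mapping.name = '[vsyscall]'
            vsyscall = True
            continue

        # Either the address recorded from AT_SYSINFO_EHDR, or a small
        # mapping with flags 5 that begins with the ELF magic.  The magic
        # is a bytes literal: identical to the former str literal on
        # Python 2, and on Python 3 a str literal never compares equal to
        # bytes, which would disable this heuristic silently.
        # NOTE(review): assumes self.read returns bytes on Python 3 and
        # that self.at_sysinfo_ehdr is already set -- confirm.
        if mapping.start == self.at_sysinfo_ehdr or (
                not vdso
                and mapping.size in [0x1000, 0x2000]
                and mapping.flags == 5
                and self.read(mapping.start, 4) == b'\x7fELF'):
            mapping.name = '[vdso]'
            vdso = True
            continue

        if not vvar and mapping.size == 0x2000 and mapping.flags == 4:
            mapping.name = '[vvar]'
            vvar = True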