Site updated: 2023-09-21 18:29:28

ErodedElk · Sep 21, 2023 · bf79398 · bf79398
1 parent e27af22
commit bf79398
Show file tree

Hide file tree

Showing 121 changed files with 322 additions and 141 deletions.
diff --git a/2022/09/20/零基础要如何破除-IO-FILE-利用原理的迷雾/index.html b/2022/09/20/零基础要如何破除-IO-FILE-利用原理的迷雾/index.html
@@ -15,7 +15,7 @@
 }</style><style>:root {
   --dark-background: url('/img/bg.jpg');
   --light-background: url('/img/91110244_p0.jpg');
-}</style><meta name="generator" content="Hexo 6.3.0"></head><body><div class="loading" style="opacity: 0;"><div class="loadingBar left"></div><div class="loadingBar right"></div></div><main><header class="closed"><div class="navBtn"><i class="navBtnIcon"><span class="navBtnIconBar"></span><span class="navBtnIconBar"></span><span class="navBtnIconBar"></span></i></div><nav><div class="navItem" id="search-header"><span class="navItemTitle"><input autocomplete="off" autocorrect="off" autocapitalize="none" placeholder="Search" spellcheck="false" maxlength="50" type="text" id="search-input"></span></div><div class="navItem" id="search-holder"></div><div class="search-popup"><div id="search-result"></div></div><ol class="navContent"><li class="navItem"><a class="navBlock" href="/"><span class="navItemTitle">Home</span></a></li><li class="navItem" matchdata="categories,tags"><a class="navBlock" href="/archives/"><span class="navItemTitle">Archives</span></a></li><li class="navItem"><a class="navBlock" href="/about/"><span class="navItemTitle">About</span></a></li><li class="navItem"><a class="navBlock" href="/links/"><span class="navItemTitle">Links</span></a></li></ol></nav></header><article><div id="post-bg"><div id="post-title"><h1>零基础要如何破除 IO_FILE 利用原理的迷雾</h1><div id="post-info"><span>First Post: <div class="control"><time datetime="2022-09-20T14:41:16.000Z" id="date"> 2022-09-20</time></div></span><br><span>Last Update: <div class="control"><time datetime="2023-08-28T15:04:01.664Z" id="updated"> 2023-08-28</time></div></span></div></div><hr><div id="post-content"><h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>好久以前，在我完成 Glibc2.23 的基本堆利用学习以后，IO_FILE 的利用就被提上日程了，但苦于各种各样的麻烦因素，时至今日，我才终于动笔开始学习这种利用技巧，实属惭愧。</p>
+}</style><meta name="generator" content="Hexo 6.3.0"></head><body><div class="loading" style="opacity: 0;"><div class="loadingBar left"></div><div class="loadingBar right"></div></div><main><header class="closed"><div class="navBtn"><i class="navBtnIcon"><span class="navBtnIconBar"></span><span class="navBtnIconBar"></span><span class="navBtnIconBar"></span></i></div><nav><div class="navItem" id="search-header"><span class="navItemTitle"><input autocomplete="off" autocorrect="off" autocapitalize="none" placeholder="Search" spellcheck="false" maxlength="50" type="text" id="search-input"></span></div><div class="navItem" id="search-holder"></div><div class="search-popup"><div id="search-result"></div></div><ol class="navContent"><li class="navItem"><a class="navBlock" href="/"><span class="navItemTitle">Home</span></a></li><li class="navItem" matchdata="categories,tags"><a class="navBlock" href="/archives/"><span class="navItemTitle">Archives</span></a></li><li class="navItem"><a class="navBlock" href="/about/"><span class="navItemTitle">About</span></a></li><li class="navItem"><a class="navBlock" href="/links/"><span class="navItemTitle">Links</span></a></li></ol></nav></header><article><div id="post-bg"><div id="post-title"><h1>零基础要如何破除 IO_FILE 利用原理的迷雾</h1><div id="post-info"><span>First Post: <div class="control"><time datetime="2022-09-20T14:41:16.000Z" id="date"> 2022-09-20</time></div></span><br><span>Last Update: <div class="control"><time datetime="2023-09-21T10:22:54.292Z" id="updated"> 2023-09-21</time></div></span></div></div><hr><div id="post-content"><h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>好久以前，在我完成 Glibc2.23 的基本堆利用学习以后，IO_FILE 的利用就被提上日程了，但苦于各种各样的麻烦因素，时至今日，我才终于动笔开始学习这种利用技巧，实属惭愧。</p>
 <p>近几年，由于堆利用的条件越来越苛刻，加之几个常用的劫持 hook 被删除，IO 的地位逐渐有超过堆利用的趋势，因此为了跟上这几年的新潮，赶紧回来学习一下 IO 流的利用技巧。</p>
 <p>如果本文存在任何错误，请务必与我联系。</p>
 <p>最开始是打算跟着内核去看 IO_FILE 的，但是最近内核的学习暂时搁置了，于是迫不得已现在就开始学 IO 了，不过也还好，这部分内容跟着其他师傅的文章去学，似乎也不会太成问题，有问题就是我的问题。而且主要涉及到的内容其实和内核无关，都是些 GLIBC 的源代码，这部分其实还在用户层，不过大多数利用都在通过 largebin attack 进行，因此可能还是需要一部分的堆利用基础的。</p>

diff --git a/2023/08/28/Frida-Core-源代码分析解读/index.html b/2023/08/28/Frida-Core-源代码分析解读/index.html
@@ -202,7 +202,7 @@ <h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</
 <p>如果仅凭上文的分析，主机端通过 IPC 通信去调用设备上对应的函数从而启动了应用，但是原生启动是不通过 IPC 的，这种情况下，frida-gadget 要如何工作呢？它还会正常去启动应用吗？</p>
 <p>问了一些师傅，他们表示 Android 平台下，即便注入的 frida-gadget 也是可以正常点击打开的，但是笔者在 iOS16 上测试发现这将导致闪退，但是诡异的是，我能够用 <code>frida -U -f bundleid</code> 正常打开应用。<br>而在 iOS14 上，笔者发现应用将会停在启动页面无法继续执行，并且 frida 也没办法附加，以及 <code>frida -U -f bundleid</code> 也无法正常启动了，唯独 Xcode 启动时，一切正常，这十分的诡异。</p>
 <p>以上问题目前笔者还不清楚原因，欢迎师傅们讨论。</p>
-<div id="paginator"></div></div><div id="post-footer"><div id="pages" style="justify-content: flex-end"><div class="footer-link" style="width: 50%;right:1px;border-left:1px #fe2 solid"><a href="/2023/08/28/Frida-gum-%E6%BA%90%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90%E8%A7%A3%E8%AF%BB/">Frida-gum 源代码分析解读 Prev →</a></div></div></div></div><div class="bottom-btn"><div><a class="i-top" id="to-top" onClick="scrolls.scrolltop();" title="To Top" style="opacity: 0; display: none;">∧ </a><a class="i-index" id="to-index" href="#toc-div" title="To Catalog">≡</a><a class="i-color" id="color-mode" onClick="colorMode.change()" title="Change Theme"></a></div></div></article><aside><div id="about"><a href="/" id="logo"><img src="/img/faction/6.png" alt="Logo"></a><h1 id="Dr"><a href="TokameinE">TokameinE</a></h1><div id="description"><p></p></div><div id="social-links"><a class="social" target="_blank" rel="noopener" href="https://github.com/ErodedElk"><i class="fab fa-github" alt="GitHub"></i></a><a class="social" target="_blank" rel="noopener" href="https://space.bilibili.com/1782544616"><i class="fa-brands fa-bilibili" alt="BiliBili"></i></a></div></div><div id="aside-block"><div id="toc-div"><h1>Catalog</h1><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#%E5%89%8D%E8%A8%80"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E6%9C%AC%E6%96%87%E5%86%85%E5%AE%B9%E7%9B%AE%E5%BD%95"><span class="toc-number">2.</span> <span class="toc-text">本文内容目录</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Frida-Core"><span class="toc-number">3.</span> <span class="toc-text">Frida-Core</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%BF%9B%E7%A8%8B%E6%B3%A8%E5%85%A5"><span class="toc-number">3.1.</span> <span class="toc-text">进程注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#frida-server"><span class="toc-number">3.2.</span> <span class="toc-text">frida-server</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#frida-agant"><span class="toc-number">3.3.</span> <span class="toc-text">frida-agant</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#frida-helper"><span class="toc-number">3.4.</span> <span class="toc-text">frida-helper</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#frida-gadget"><span class="toc-number">4.</span> <span class="toc-text">frida-gadget</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#launchd"><span class="toc-number">5.</span> <span class="toc-text">launchd</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E6%80%BB%E7%BB%93"><span class="toc-number">6.</span> <span class="toc-text">总结</span></a></li></ol></div></div><footer><nobr>Published with <a target="_blank" rel="noopener" href="http://hexo.io">Hexo</a></nobr><wbr><nobr> Theme <a target="_blank" rel="noopener" href="https://github.com/Yue-plus/hexo-theme-arknights">Arknights</a></nobr><wbr><nobr> by <a target="_blank" rel="noopener" href="https://github.com/Yue-plus">Yue_plus</a></nobr></footer></aside></main><canvas id="canvas-dust"></canvas><script src="/js/search.js"></script><script src="/js/arknights.js"></script><script src="//unpkg.com/[email protected]/lightgallery.min.js"></script><script src="//unpkg.com/[email protected]/plugins/zoom/lg-zoom.min.js"></script><script src="//unpkg.com/[email protected]/plugins/thumbnail/lg-thumbnail.min.js"></script><script src="/js/pjax.js"></script><script class="pjax-js">reset= () => {document.querySelector('.lg-container')?.remove()
+<div id="paginator"></div></div><div id="post-footer"><div id="pages"><div class="footer-link" style="width: 50%;text-align:right;border-right:1px #fe2 solid"><a href="/2023/09/21/%E6%88%91%E4%BB%AC%E5%AF%B9%20PWN%20%E9%83%BD%E6%9C%89%E5%93%AA%E4%BA%9B%E8%AF%AF%E4%BC%9A/">← Next 我们对 PWN 都有哪些误会</a></div><div class="footer-link" style="width: 50%;right:1px;border-left:1px #fe2 solid"><a href="/2023/08/28/Frida-gum-%E6%BA%90%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90%E8%A7%A3%E8%AF%BB/">Frida-gum 源代码分析解读 Prev →</a></div></div></div></div><div class="bottom-btn"><div><a class="i-top" id="to-top" onClick="scrolls.scrolltop();" title="To Top" style="opacity: 0; display: none;">∧ </a><a class="i-index" id="to-index" href="#toc-div" title="To Catalog">≡</a><a class="i-color" id="color-mode" onClick="colorMode.change()" title="Change Theme"></a></div></div></article><aside><div id="about"><a href="/" id="logo"><img src="/img/faction/6.png" alt="Logo"></a><h1 id="Dr"><a href="TokameinE">TokameinE</a></h1><div id="description"><p></p></div><div id="social-links"><a class="social" target="_blank" rel="noopener" href="https://github.com/ErodedElk"><i class="fab fa-github" alt="GitHub"></i></a><a class="social" target="_blank" rel="noopener" href="https://space.bilibili.com/1782544616"><i class="fa-brands fa-bilibili" alt="BiliBili"></i></a></div></div><div id="aside-block"><div id="toc-div"><h1>Catalog</h1><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#%E5%89%8D%E8%A8%80"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E6%9C%AC%E6%96%87%E5%86%85%E5%AE%B9%E7%9B%AE%E5%BD%95"><span class="toc-number">2.</span> <span class="toc-text">本文内容目录</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Frida-Core"><span class="toc-number">3.</span> <span class="toc-text">Frida-Core</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%BF%9B%E7%A8%8B%E6%B3%A8%E5%85%A5"><span class="toc-number">3.1.</span> <span class="toc-text">进程注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#frida-server"><span class="toc-number">3.2.</span> <span class="toc-text">frida-server</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#frida-agant"><span class="toc-number">3.3.</span> <span class="toc-text">frida-agant</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#frida-helper"><span class="toc-number">3.4.</span> <span class="toc-text">frida-helper</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#frida-gadget"><span class="toc-number">4.</span> <span class="toc-text">frida-gadget</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#launchd"><span class="toc-number">5.</span> <span class="toc-text">launchd</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E6%80%BB%E7%BB%93"><span class="toc-number">6.</span> <span class="toc-text">总结</span></a></li></ol></div></div><footer><nobr>Published with <a target="_blank" rel="noopener" href="http://hexo.io">Hexo</a></nobr><wbr><nobr> Theme <a target="_blank" rel="noopener" href="https://github.com/Yue-plus/hexo-theme-arknights">Arknights</a></nobr><wbr><nobr> by <a target="_blank" rel="noopener" href="https://github.com/Yue-plus">Yue_plus</a></nobr></footer></aside></main><canvas id="canvas-dust"></canvas><script src="/js/search.js"></script><script src="/js/arknights.js"></script><script src="//unpkg.com/[email protected]/lightgallery.min.js"></script><script src="//unpkg.com/[email protected]/plugins/zoom/lg-zoom.min.js"></script><script src="//unpkg.com/[email protected]/plugins/thumbnail/lg-thumbnail.min.js"></script><script src="/js/pjax.js"></script><script class="pjax-js">reset= () => {document.querySelector('.lg-container')?.remove()
 lightGallery(document.getElementById('post-bg'), {
   plugins: [lgZoom,lgThumbnail],
   selector: '.item-img'})}</script><script>window.addEventListener("load",() => {pjax = new Pjax({