本文整理汇总了Python中Memory.getMemory方法的典型用法代码示例。如果您正苦于以下问题:Python Memory.getMemory方法的具体用法?Python Memory.getMemory怎么用?Python Memory.getMemory使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类Memory
的用法示例。
在下文中一共展示了Memory.getMemory方法的9个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Vet a `socketcall` before it runs and re-point it at a copied argument block.

    The argument words are read from the traced process, any socket address
    they reference is checked with self.checkaddress, and both the address
    and the argument block are copied with scratch.alloc_bytes. The returned
    tuple replaces the second syscall argument with the address of that copy.

    Returns a 4-tuple. On denial the second element is a negative errno and
    the rest are None. On success it is
    ((subcall, handle, handle2, state), None, None, (args[0], addr)).
    For any call other than 'socketcall' the function falls off the end and
    returns None.

    NOTE(review): indentation was lost in this listing; the nesting below is
    reconstructed from the control flow and should be checked against the
    original file.
    NOTE(review): `raise '<string>'` is a string exception. Python 2.6 and
    later reject it with a TypeError, so these error paths do not raise the
    intended message there.
    """
    state = ()
    handle2 = handle = -1
    if call == 'socketcall':
        # NOTE(review): only an upper bound is checked; whether args[0] can be
        # negative or zero here depends on the caller - confirm.
        if args[0] > sockettable_num:
            raise 'Trying to do invalid socketcall?'
        subcall, pattern = sockettable[args[0]]
        nargs = len(pattern)
        if debug: print 'Doing ', subcall, ' with ', nargs, ' parameters',
        # One 4-byte word per pattern entry is read from the traced process.
        params = Memory.getMemory(pid).peek(args[1], nargs*4)
        params = list(params)
        curfd = -1
        addrlen = -1
        # First pass: pick up the address length ('l') so the second pass
        # knows how many bytes to read for an address ('A').
        for i in range(len(pattern)):
            if pattern[i] == 'l':
                if debug: print 'Getint returned ', getint(params, i*4)
                # NOTE(review): addrlen comes from the traced process and is
                # used below as a read and allocation size with no bound
                # applied in this function - confirm a limit exists elsewhere.
                addrlen = getint(params, i*4)
                # Note: this is not true for unix domain sockets
                # assert getint(params, i*4) == 16, '== %s' % getint(params, i*4)
        # Second pass: record the descriptor ('f') and vet each address ('A').
        for i in range(len(pattern)):
            if pattern[i] == 'f':
                curfd = getint(params, i*4)
                if debug: print '(fd = ', curfd, ')',
            if pattern[i] == 'A':
                paddr = getint(params, i*4)
                # print 'Call = ', subcall
                # If the pattern has no 'l' entry, addrlen is still -1 here.
                address = Memory.getMemory(pid).peek(paddr, addrlen)
                #address = list(address) # WHY?
                # curfd is still -1 if no 'f' entry preceded this 'A' entry.
                if not self.checkaddress(self.fdmap[pid][curfd], address, addrlen, call):
                    return (None, -errno.EPERM, None, None)
                if debug: print 'Address is ', address
                # The vetted bytes are copied and the argument word is rewritten
                # to point at the copy, so the syscall is given the bytes that
                # were checked rather than the original pointer.
                # presumably scratch memory is not writable by the traced
                # process; verify against the scratch module.
                handle2, addr2 = scratch.alloc_bytes(address, addrlen)
                if debug: print 'Addr = %x' % addr2
                setint(params, i*4, addr2)
                if addr2 != getint(params, i*4):
                    raise 'addr2 not equal to getint'
        handle, addr = scratch.alloc_bytes(params, nargs*4)
        if subcall == 'socket':
            state = ( getint(params, 0), getint(params, 4), getint(params, 8) )
        if subcall == 'connect':
            # assert 0
            pass
        if subcall == 'bind':
            print 'Trying to bind'
            # NOTE(review): handle (and possibly handle2) were allocated above
            # and are not returned on this path - confirm they are released
            # elsewhere.
            return (None, -errno.EPERM, None, None)
        if subcall == 'invalid_call':
            raise 'Invalid socket call'
        if debug: print state, '... copied them to ',
        if debug: print '%x' % addr
        return ((subcall, handle, handle2, state), None, None, (args[0], addr))
示例2: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Check the path arguments of `call` against the read/write allow lists.

    `_callaccess[call]` gives the call's signature. A tuple signature has one
    entry per argument: a falsy entry is skipped, otherwise its first
    character is 'r' or 'w' and an optional second character 'l' means
    "do not follow a final symlink". A non-tuple signature means the call is
    denied, except 'socketcall' when self._net is set.

    Returns (None, -errno, None, None) to deny, or None to let the call run.

    NOTE(review): indentation was lost in this listing; the nesting below is
    reconstructed from the control flow and should be checked against the
    original file.
    NOTE(review): each path is read from the traced process's memory for the
    check and the call is then allowed to proceed with its original
    arguments; nothing here copies the path. If the traced process can change
    that memory between the check and the kernel's own read, the checked and
    used paths can differ - confirm how the framework handles this.
    """
    sign = _callaccess[call]
    if not isinstance(sign, types.TupleType):
        if not call == 'socketcall' or not self._net:
            if not self._quiet:
                print '%s denied' % call
            return (None, -errno.EPERM, None, None)
        return
    # `&` binds tighter than `==` in Python, so this compares the masked
    # access mode with O_RDONLY. A read-only open needs only read permission.
    if (call == 'open'
        and args[1] & FCNTL.O_ACCMODE == FCNTL.O_RDONLY):
        sign = ('r',)
    getarg = Memory.getMemory(pid).get_string
    for i in range(len(sign)):
        if sign[i]:
            s = sign[i][0]
            # NOTE(review): assert statements are removed under `python -O`.
            assert s == 'r' or s == 'w'
            if s == 'r':
                a = self._read
                op = 'read'
            else:
                a = self._write
                op = 'write'
            followlink = len(sign[i]) < 2
            assert followlink or sign[i][1] == 'l'
            p = getarg(args[i])
            r = _access(pid, p, followlink, a)
            # -1 is treated as "not permitted"; any other non-zero value is
            # negated and returned as the result; 0 moves on to the next
            # argument.
            if r == -1:
                if not self._quiet:
                    print '%s deny (%s): %s' % (op, call, repr(p))
                return (None, -errno.EACCES, None, None)
            elif r != 0:
                return (None, -r, None, None)
示例3: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    '''
    Redirect the call to a local copy of the file it names.

    The path string is read from the traced process at args[0]. Unless
    self._is_library() accepts it, self._download_file() is called with it
    and the resulting local name is written, NUL-terminated, at the start of
    the first entry of the process's memory areas.

    @return: None when the path cannot be read or is a library; otherwise
             (None, None, None, (area, flags, mode)), which puts the address
             of the rewritten path in place of the first argument.

    NOTE(review): area_size is unpacked and never compared with the length of
    the string being written, so a long local name can run past the end of
    the area. Whatever the traced process keeps at the start of that area is
    overwritten in any case.
    NOTE(review): the bare except also catches KeyboardInterrupt and
    SystemExit and hides every read error.
    NOTE(review): filename is chosen by the traced process and handed to
    self._download_file() unchanged; any validation has to happen in that
    method - confirm.
    '''
    mem = Memory.getMemory(pid)
    path_addr = args[0]
    flags = args[1]
    mode = args[2]
    try:
        filename = mem.get_string(path_addr)
    except:
        # Unreadable path: leave the call untouched.
        return None
    if self._is_library(filename):
        return None
    local_filename = self._download_file(filename)
    area, area_size = mem.areas()[0]
    mem.poke(area, local_filename + '\0')
    return (None, None, None, (area, flags, mode))
示例4: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Answer reads on the /dev/tty descriptor from self.guess.

    open:  when the path read from the traced process is "/dev/tty", returns
           (1, None, None, None). self.ttyfd is not assigned here; presumably
           it is set once the call has completed - verify against the
           matching after-call handler.
    close: forgets self.ttyfd when that descriptor is closed.
    read:  on self.ttyfd, writes up to args[2] characters of self.guess into
           the caller's buffer, consumes them and returns the count as the
           result. The process exits once self.guess is empty.

    Every other case returns None.

    NOTE(review): the double-open check is an assert, which is removed under
    `python -O`.
    """
    if call == 'open':
        path = Memory.getMemory(pid).get_string(args[0])
        if path == "/dev/tty":
            assert self.ttyfd == None, "tried to open /dev/tty twice"
            return (1, None, None, None)
        return None
    if call == 'close':
        if self.ttyfd == args[0]:
            self.ttyfd = None
        return None
    if call != 'read' or args[0] != self.ttyfd:
        return None
    dest = args[1]
    # Never hand out more than the caller asked for or than is left.
    nbytes = min(args[2], len(self.guess))
    if not nbytes:
        sys.exit("ran out of guess")
    chunk = self.guess[:nbytes]
    Memory.getMemory(pid).poke(dest, chunk)
    self.guess = self.guess[nbytes:]
    return (None, nbytes, None, None)
示例5: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Vet memory-mapping calls with self.check and turn `mmap` into `mmap2`.

    For `mmap`, six 4-byte words are read from the traced process at args[0].
    The first two (start, length) go to self.check; anything other than
    (1, None, None, None) denies the call with EPERM. Otherwise the call is
    replaced by `mmap2` carrying the words that were read, so the syscall is
    given the values that were checked rather than the original block.

    `munmap`, `mremap` and `mmap2` return self.check(args[0], args[1]).

    NOTE(review): for `mremap` only the first two arguments are examined; the
    remaining arguments are not looked at here - confirm that is intended.
    NOTE(review): the final `raise` uses a string exception, which Python 2.6
    and later reject with a TypeError.
    """
    if call == 'mmap':
        raw = list(Memory.getMemory(pid).peek(args[0], 24))
        start = getint(raw, 0)
        length = getint(raw, 4)
        verdict = self.check(start, length)
        if verdict != (1, None, None, None):
            return (None, -errno.EPERM, None, None)
        # The last word is shifted right by 12 because mmap and mmap2 take
        # subtly different parameters (see the original author's remark).
        rewritten = (
            start,
            length,
            getint(raw, 8),
            getint(raw, 12),
            getint(raw, 16),
            getint(raw, 20) >> 12,
        )
        return (1, None, 'mmap2', rewritten)
    if call in ('munmap', 'mremap', 'mmap2'):
        return self.check(args[0], args[1])
    raise 'Unknown syscall?'
示例6: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Resource-limit hook: count processes and pass mapping sizes to self.mmap.

    Uses the module-level counters nchildren, lastpid, lastbrk and grace.
    Returns a 4-tuple whose first element is 0 or 1 for the calls handled
    here, or whatever self.mmap returns for mmap/mmap2.

    NOTE(review): indentation was lost in this listing; the nesting below is
    reconstructed from the control flow and should be checked against the
    original file.
    NOTE(review): the `raise '<string>'` statements are string exceptions,
    which Python 2.6 and later reject with a TypeError.
    """
    global nchildren, lastpid, lastbrk, grace
    # NOTE(review): this assert fires for every mmap2, which makes the mmap2
    # branch further down unreachable unless asserts are disabled with -O.
    if call == 'mmap2':
        assert 0, 'mmap2 -- what is that?'
    if call == 'fork' or call == 'vfork' or call == 'clone':
        nchildren = nchildren + 1
        print 'SANDBOX NUMPROC ', nchildren
        if nchildren > self.maxproc:
            raise 'Too much processes'
        return (1, None, None, None)
    # NOTE(review): the counter is decremented only on an explicit _exit call;
    # a process that ends any other way is not subtracted here - confirm it is
    # accounted for elsewhere.
    if call == '_exit':
        nchildren = nchildren - 1
        print 'SANDBOX NUMPROC ', nchildren
        return (1, None, None, None)
    # We allow real number to be one meg too low
    if (call == 'brk'):
        # NOTE(review): lastpid is read here but never assigned in this
        # function; lastbrk is updated only on the slow path.
        if (pid == lastpid) and ((args[0]-lastbrk)<grace):
            # print 'short path'
            return (0, None, None, None)
        else:
            lastbrk = args[0]
            return (1, None, None, None)
    if (call == 'munmap'):
        return (0, None, None, None)
    if (call == 'mmap2'):
        return self.mmap(pid, args[1])
    if (call == 'mmap'):
        # Only the first two 4-byte words of the argument block are read; the
        # second one is the value passed to self.mmap.
        params = Memory.getMemory(pid).peek(args[0], 8)
        params = list(params)
        # People can actually play races on us at this point.
        # But as this is only Denial of Service protection, and as race succeeds
        # only very seldom, it is probably not important.
        # If you want to avoid races, use another trick to convert mmap into mmap2
        # (The value checked here is read from the traced process's memory and
        # the original call then proceeds with that memory, so the two reads
        # can disagree.)
        return self.mmap(pid, getint(params, 4))
    raise 'Impossible: unknown syscall in DoStrick'
示例7: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Rewrite the path arguments of `call` through self.mappath.

    For each path argument named in self.callaccess[call], the string is read
    from the traced process, mapped, canonicalised with
    tricklib.canonical_path, mapped again, and copied with scratch.alloc_str.
    The returned argument list points at those copies.

    Returns (tofree, result, None, new_args). tofree holds the scratch
    handles, with -1 for unused slots; result is a negative errno on failure,
    else None.

    NOTE(review): indentation was lost in this listing; the nesting below is
    reconstructed from the control flow and should be checked against the
    original file.
    """
    sign = self.callaccess[call]
    tofree = [-1] * 6
    if not isinstance(sign, types.TupleType):
        # No path arguments: let the call through unchanged.
        return (tofree, None, None, None)
    mem = Memory.getMemory(pid)
    getarg = mem.get_string
    cargs = args[:]
    for i in range(len(sign)):
        followlink = len(sign[i]) < 2
        # NOTE(review): assert statements are removed under `python -O`.
        assert followlink or sign[i][1] == 'l'
        p = getarg(args[i])
        p = self.mappath(p) # This is still not quite good -- user could pass /home////johanka and bypass this
        p = tricklib.canonical_path(pid, p, followlink) # Resolve to FQN
        # A non-string result is treated as an errno value and returned negated.
        if not isinstance(p, types.StringType):
            # print 'Panic: what to do when canonical path fails:', p, '(', getarg(args[i]), ')'
            # FIXME: We need to kill it in order to prevent bad races. But killing it means problems for creat!
            return (tofree, -p, None, None)
        # Mapped a second time, now on the canonical form.
        p = self.mappath(p)
        tofree[i], cargs[i] = scratch.alloc_str(p)
    # don't mess with creation of relative symlinks
    if call=='symlink':
        # NOTE(review): this reads args[0] from the traced process a second
        # time and, for a relative target, passes the original pointer through
        # instead of the scratch copy. An empty string raises IndexError on
        # the [0] lookup.
        if mem.get_string(args[0])[0] != '/':
            cargs[0] = args[0]
    if call=='open':
        # FIXME:
        # if we allow user to do ln -s a b without permissions for a, and
        # user tries to access /tmp/b/local/bin...
        # cargs[1] = cargs[1] | os.O_NOFOLLOW
        # 0400000 is a Python 2 octal literal standing in for O_NOFOLLOW; the
        # value is architecture-specific, as the original comment says.
        cargs[1] = cargs[1] | 0400000 # Not supported by python, yet. This is true for 386
    if call=='creat':
        print "Creat disabled, should be modified to open"
        return (tofree, -errno.EFAULT, None, None) # Creat should be rewritten to open()
    return (tofree, None, None, cargs)
示例8: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Deny `access` on '/dev/dsp' with EACCES; let every other path through.

    The path is read from the traced process at args[0]. Returns
    (None, -errno.EACCES, None, None) on a match and None otherwise.

    NOTE(review): the comparison is an exact string match, so a different
    spelling of the same file (extra slashes, a relative path, a symlink) is
    not caught here.
    NOTE(review): the guard on `call` is an assert, which is removed under
    `python -O`.
    """
    assert call == 'access'
    path = Memory.getMemory(pid).get_string(args[0])
    if path != '/dev/dsp':
        return None
    #sys.stderr.write('blocking access to /dev/dsp')
    return (None, -errno.EACCES, None, None)
示例9: callbefore
# 需要导入模块: import Memory [as 别名]
# 或者: from Memory import getMemory [as 别名]
def callbefore(self, pid, call, args):
    """Check the path arguments of `call` against the allow/deny rules.

    Semantics of protection:

    Protection is based (unlike unix) on absolute pathnames, and
    (also unlike unix) an allow read/write rule applies to the whole
    subtree. If a process may write to something, the right to read from
    it is granted automagically. [FIXME: either fix code so that
    we can deny read but allow write, or make reads allowed
    explicitly]

    allow * applies to whole path components. That means that
    allow read /a does not grant rights to /amaya. [Other matching
    methods could be introduced, like regular expressions, if they
    seem handy].

    For operations like unlink, write access is needed for the object
    being unlinked (unlike unix, where no access is needed to the
    object and write access is needed to its directory).

    For the hardlink operation, write access is required for the source
    (unlike unix, where no access is needed). This is because an
    attacker could link the file somewhere it has write access and,
    because permissions apply to subtrees, could write to it
    under the new name.

    It does not make sense to make rules like allow write /foo,
    deny write /foo/bar/baz, because an attacker could mv bar haha,
    and write to /foo/haha/baz. (Allow write /foo, deny write
    /foobar should be safe, though). Generally, once you have granted
    write access to a subtree, do not try to use deny (anything
    inside the tree).

    Returns (None, -errno.EPERM, None, None) for a call with no tuple
    signature (except 'socketcall' when self._net is set), whatever
    self.onaccess returns when that is not 'cont', and None otherwise.

    NOTE(review): indentation was lost in this listing; the nesting below is
    reconstructed from the control flow and should be checked against the
    original file.
    NOTE(review): each path is read from the traced process's memory for the
    check and nothing here copies it; if that memory can change before the
    kernel reads it, the checked and used paths can differ - confirm how the
    framework handles this.
    """
    sign = self.callaccess[call]
    if not isinstance(sign, types.TupleType):
        if not call == 'socketcall' or not self._net:
            if not self._quiet:
                print '%s denied' % call
            return (None, -errno.EPERM, None, None)
        return
    # `&` binds tighter than `==` in Python, so this compares the masked
    # access mode with O_RDONLY. A read-only open needs only read permission.
    if (call == 'open'
        and args[1] & FCNTL.O_ACCMODE == FCNTL.O_RDONLY):
        sign = ('r',)
    getarg = Memory.getMemory(pid).get_string
    for i in range(len(sign)):
        if sign[i]:
            s = sign[i][0]
            # 'n' marks an argument that needs no check.
            if s == 'n': continue
            # NOTE(review): assert statements are removed under `python -O`.
            assert s == 'r' or s == 'w'
            if s == 'r':
                a = self._read
                op = 'read'
            else:
                a = self._write
                op = 'write'
            # A second character 'l' means "do not follow a final symlink".
            followlink = len(sign[i]) < 2
            assert followlink or sign[i][1] == 'l'
            p = getarg(args[i])
            r = self.access(pid, p, call, op, followlink, a)
            # self.onaccess decides the outcome; 'cont' moves on to the next
            # argument, anything else is returned as this hook's result.
            res = self.onaccess(pid, call, r, op, p)
            if res != 'cont':
                return res;