|
|
@@ -706,47 +706,47 @@ func writeDataBytes(pid int, addr uintptr, data []byte) error {
|
|
|
}
|
|
|
|
|
|
func modifyIoFdTargetAddr(pid int, insertAddr, distAddr, getTTLFunctionAddr uintptr) error {
|
|
|
- newOffset := distAddr - (insertAddr + 7)
|
|
|
- targetAddr := insertAddr + 3
|
|
|
- // 获取目标地址处的数据
|
|
|
- originalData, err := readData(pid, targetAddr)
|
|
|
- if err != nil {
|
|
|
- return err
|
|
|
- }
|
|
|
-
|
|
|
- // 更新数据中的目标偏移
|
|
|
- updatedData := (originalData & 0xFFFFFFFF00000000) | uint64(newOffset&0xFFFFFFFF)
|
|
|
- err = writeData(pid, targetAddr, updatedData)
|
|
|
- if err != nil {
|
|
|
- return err
|
|
|
- }
|
|
|
-
|
|
|
- // getTTLOffset := getTTLFunctionAddr - insertAddr - 5
|
|
|
-
|
|
|
-
|
|
|
- // // 读取原始数据
|
|
|
- // alignedAddr := insertAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1)
|
|
|
- // originalData, err := readDataBytes(pid, alignedAddr, 8)
|
|
|
+ // newOffset := distAddr - (insertAddr + 7)
|
|
|
+ // targetAddr := insertAddr + 3
|
|
|
+ // // 获取目标地址处的数据
|
|
|
+ // originalData, err := readData(pid, targetAddr)
|
|
|
// if err != nil {
|
|
|
// return err
|
|
|
// }
|
|
|
|
|
|
- // offset := insertAddr % uintptr(unsafe.Sizeof(uintptr(0)))
|
|
|
-
|
|
|
- // // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax
|
|
|
- // var getTTLOffset32 uint32 = uint32(getTTLOffset)
|
|
|
- // originalData[offset] = 0xE8 // call
|
|
|
- // originalData[offset+1] = byte(getTTLOffset32)
|
|
|
- // originalData[offset+2] = byte(getTTLOffset32 >> 8)
|
|
|
- // originalData[offset+3] = byte(getTTLOffset32 >> 16)
|
|
|
- // originalData[offset+4] = byte(getTTLOffset32 >> 24)
|
|
|
- // originalData[offset+5] = 0x90
|
|
|
- // originalData[offset+6] = 0x90
|
|
|
-
|
|
|
- // err = writeDataBytes(pid, alignedAddr, originalData)
|
|
|
+ // // 更新数据中的目标偏移
|
|
|
+ // updatedData := (originalData & 0xFFFFFFFF00000000) | uint64(newOffset&0xFFFFFFFF)
|
|
|
+ // err = writeData(pid, targetAddr, updatedData)
|
|
|
// if err != nil {
|
|
|
// return err
|
|
|
// }
|
|
|
+
|
|
|
+ getTTLOffset := getTTLFunctionAddr - insertAddr - 5
|
|
|
+
|
|
|
+
|
|
|
+ // 读取原始数据
|
|
|
+ alignedAddr := insertAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1)
|
|
|
+ originalData, err := readDataBytes(pid, alignedAddr, 7)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+
|
|
|
+ offset := insertAddr % uintptr(unsafe.Sizeof(uintptr(0)))
|
|
|
+
|
|
|
+ // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax
|
|
|
+ var getTTLOffset32 uint32 = uint32(getTTLOffset)
|
|
|
+ originalData[offset] = 0xE8 // call
|
|
|
+ originalData[offset+1] = byte(getTTLOffset32)
|
|
|
+ originalData[offset+2] = byte(getTTLOffset32 >> 8)
|
|
|
+ originalData[offset+3] = byte(getTTLOffset32 >> 16)
|
|
|
+ originalData[offset+4] = byte(getTTLOffset32 >> 24)
|
|
|
+ originalData[offset+5] = 0x90
|
|
|
+ originalData[offset+6] = 0x90
|
|
|
+
|
|
|
+ err = writeDataBytes(pid, alignedAddr, originalData)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
return nil
|
|
|
}
|
|
|
|
rock.wu