|
|
@@ -706,47 +706,47 @@ func writeDataBytes(pid int, addr uintptr, data []byte) error {
|
|
|
}
|
|
|
|
|
|
func modifyIoFdTargetAddr(pid int, insertAddr, distAddr, getTTLFunctionAddr uintptr) error {
|
|
|
- // newOffset := distAddr - (insertAddr + 7)
|
|
|
- // targetAddr := insertAddr + 3
|
|
|
- // // 获取目标地址处的数据
|
|
|
- // originalData, err := readData(pid, targetAddr)
|
|
|
- // if err != nil {
|
|
|
- // return err
|
|
|
- // }
|
|
|
-
|
|
|
- // // 更新数据中的目标偏移
|
|
|
- // updatedData := (originalData & 0xFFFFFFFF00000000) | uint64(newOffset&0xFFFFFFFF)
|
|
|
- // err = writeData(pid, targetAddr, updatedData)
|
|
|
- // if err != nil {
|
|
|
- // return err
|
|
|
- // }
|
|
|
-
|
|
|
- getTTLOffset := getTTLFunctionAddr - insertAddr - 5
|
|
|
-
|
|
|
-
|
|
|
- // 读取原始数据
|
|
|
- alignedAddr := insertAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1)
|
|
|
- originalData, err := readDataBytes(pid, alignedAddr, 8)
|
|
|
+ newOffset := distAddr - (insertAddr + 7)
|
|
|
+ targetAddr := insertAddr + 3
|
|
|
+ // 获取目标地址处的数据
|
|
|
+ originalData, err := readData(pid, targetAddr)
|
|
|
if err != nil {
|
|
|
return err
|
|
|
}
|
|
|
|
|
|
- offset := insertAddr % uintptr(unsafe.Sizeof(uintptr(0)))
|
|
|
-
|
|
|
- // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax
|
|
|
- var getTTLOffset32 uint32 = uint32(getTTLOffset)
|
|
|
- originalData[offset] = 0xE8 // call
|
|
|
- originalData[offset+1] = byte(getTTLOffset32)
|
|
|
- originalData[offset+2] = byte(getTTLOffset32 >> 8)
|
|
|
- originalData[offset+3] = byte(getTTLOffset32 >> 16)
|
|
|
- originalData[offset+4] = byte(getTTLOffset32 >> 24)
|
|
|
- originalData[offset+5] = 0x90
|
|
|
- originalData[offset+6] = 0x90
|
|
|
-
|
|
|
- err = writeDataBytes(pid, alignedAddr, originalData)
|
|
|
+ // 更新数据中的目标偏移
|
|
|
+ updatedData := (originalData & 0xFFFFFFFF00000000) | uint64(newOffset&0xFFFFFFFF)
|
|
|
+ err = writeData(pid, targetAddr, updatedData)
|
|
|
if err != nil {
|
|
|
return err
|
|
|
}
|
|
|
+
|
|
|
+ // getTTLOffset := getTTLFunctionAddr - insertAddr - 5
|
|
|
+
|
|
|
+
|
|
|
+ // // 读取原始数据
|
|
|
+ // alignedAddr := insertAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1)
|
|
|
+ // originalData, err := readDataBytes(pid, alignedAddr, 8)
|
|
|
+ // if err != nil {
|
|
|
+ // return err
|
|
|
+ // }
|
|
|
+
|
|
|
+ // offset := insertAddr % uintptr(unsafe.Sizeof(uintptr(0)))
|
|
|
+
|
|
|
+ // // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax
|
|
|
+ // var getTTLOffset32 uint32 = uint32(getTTLOffset)
|
|
|
+ // originalData[offset] = 0xE8 // call
|
|
|
+ // originalData[offset+1] = byte(getTTLOffset32)
|
|
|
+ // originalData[offset+2] = byte(getTTLOffset32 >> 8)
|
|
|
+ // originalData[offset+3] = byte(getTTLOffset32 >> 16)
|
|
|
+ // originalData[offset+4] = byte(getTTLOffset32 >> 24)
|
|
|
+ // originalData[offset+5] = 0x90
|
|
|
+ // originalData[offset+6] = 0x90
|
|
|
+
|
|
|
+ // err = writeDataBytes(pid, alignedAddr, originalData)
|
|
|
+ // if err != nil {
|
|
|
+ // return err
|
|
|
+ // }
|
|
|
return nil
|
|
|
}
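Review bot: The new displacement write on the `updatedData :=` line truncates `newOffset` to 32 bits with `&0xFFFFFFFF` and never checks that the signed displacement actually fits in a rel32, so a `distAddr` more than ±2 GiB from `insertAddr` silently patches the target process with a wrong branch target instead of failing; add a guard before the write, e.g. `if int64(int32(uint32(newOffset))) != int64(newOffset) { return fmt.Errorf("modifyIoFdTargetAddr: displacement %#x does not fit in rel32", newOffset) }` (assuming `fmt` is already imported in this file). The constants `7` and `3` on the `newOffset :=` and `targetAddr :=` lines encode an assumed instruction length and displacement offset, and the mask on `originalData` assumes the 8-byte read is little-endian with the rel32 in its low half, so a short comment naming that layout (e.g. `// insertAddr holds a 7-byte instruction whose rel32 sits at byte 3; rel32 is relative to the next instruction`) would make the patch verifiable by a reader. After this change `getTTLFunctionAddr` is no longer used except in the commented-out `// getTTLOffset := ...` line, so either drop the parameter or document why it stays in the signature. Finally, the commit swaps which half of the function is commented out rather than deleting the dead `readDataBytes`/`writeDataBytes` path; prefer removing the dead block and relying on version control, since leaving two alternative patchers side by side makes it unclear which one is the supported behavior.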
|
|
|
|