Published on July 18th, 2018📅| 0
memrepl: Memory inspection REPL interface
The idea is that the researcher can perform database like queries to get information about the contents and layout of the memory of a program. To perform these queries, memrepl exposes several global functions listed below:
- memory_list: query current memory segments.
- memory_search: search for a given value.
- memory_read: read from a memory address.
- memory_write: write to a memory address.
- memory_search_pointer: search any pointers starting from a given address.
# Install `pip` if not installed.
$ easy_install pip
# Install `virtualenv` if not installed.
$ pip install virtualenv
# Create a virtual python environment.
$ virtualenv venv_memrepl
# Activate the environment (POSIX system).
$ source ./venv_memrepl/bin/activate
# Install `memrepl` into the virtual environment.
$ git clone https://github.com/agustingianni/memrepl.git
$ cd memrepl
$ python setup.py install
Execute memrepl with -h to get help:
Attaching to a process by pid
Getting help while on the REPL loop
Each exported function has a help message defined that can be read by using python’s help function. Each help messages contains usage examples.
Exported function signature: memory_list(protection=”—“)
Listing all segments
To list all the segments present in the target process using the memory_list function without an argument:
memory_list allows a permission argument that serves as a matched filter, allowing the researcher to filter those segments he is interested in. For instance:
Exported function signature: memory_search(value_format, value, out_format=”hex”, out_size=32)
Example search expressions
Exported function signature: memory_read(value_format, address, size=32)
Searching for pointers
Exported function signature: memory_search_pointer(address, protection)
The main usage of this function is to search for things to overwrite. Basically one can search for pointers to things that may be useful while exploiting bugs. Two cases come to mind:
- Pointers to data (to create infoleaks)
- Pointers to code (to get code execution)
Example: looking for the position of a function pointer to overwrite.
Exported function signature: memory_write(value_format, address, value)