3

I am trying to get the memory map of a process I am debugging remotely (peda pull request link), the process is ran with qemu-user, for example:

qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./ch47

the debugging is done with gdb, commands:

$ gdb-multiarch --nx -q ch47

(gdb) target remote localhost:1234

Remote debugging using localhost:1234
warning: remote target does not support file transfer, attempting to access files from local filesystem.
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.

(gdb) info inferiors 
  Num  Description       Executable        
* 1    Remote target     /home/redouane/infosec/arm_uaf/ch47 

(gdb) remote get /proc/self/maps /tmp/map
Remote I/O error: Fonction non implantée

The debugged process doesn't have a PID as I see (it's ran in the address-space of qemu-arm, not a separate process).

I am wondering, how does an extension like pwndbg retrieve the memory maps when debugging remotely, and the target does not support file transfer?

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
   0x10000    0x13000 r-xp     3000 0      /home/redouane/infosec/arm_uaf/ch47
   0x13000    0x22000 ---p     f000 2000   /home/redouane/infosec/arm_uaf/ch47
   0x22000    0x23000 r--p     1000 2000   /home/redouane/infosec/arm_uaf/ch47
   0x23000    0x24000 rw-p     1000 3000   /home/redouane/infosec/arm_uaf/ch47
0xff7c5000 0xff7dd000 r-xp    18000 0      [linker]
0xff7dd000 0xff7ed000 ---p    10000 18000  [linker]
0xff7ed000 0xff7ee000 r--p     1000 18000  [linker]
0xff7ee000 0xff7ef000 rw-p     1000 19000  [linker]
0xfffee000 0xffff0000 rw-p     2000 0      [stack]
Improve this question
1

1 Answer 1

Reset to default
1

If you were looking not for the whole memory map, but just the base adress for libc as I used to, you may use the -strace option of QEMU and then read the results.

Here is an example with qemu-mips :

$ qemu-mips -noaslr -nx -strace ./test
...
25631 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
25631 read(3,0x7ffff4ac,512) = 512
25631 prctl(46,13,2147480748,512,1928908800,0) = -1 errno=22 (Invalid argument)
25631 _llseek(3,0,520,0x7ffff250,SEEK_SET) = 0
25631 read(3,0x7ffff280,36) = 36
25631 _llseek(3,0,828,0x7ffff228,SEEK_SET) = 0
25631 read(3,0x7ffff258,32) = 32
25631 fstat64(3,0x7ffff360) = 0
25631 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f655000
...

Here, you see that the base address for libc once it has been succesfully located and loaded is 0x7f655000.

For a more complete memory map, you may use the -mmap option, but it won't show what a memory map is for. For example, for the same map :

mmap: start=0x00000000 len=0x00190030 prot=r-x flags=MAP_PRIVATE fd=3 offset=00000000
ret=0x7f655000
start    end      size     prot
00400000-00401000 00001000 r-x
00410000-00412000 00002000 rw-
6ae9c000-6aec0000 00024000 r-x
6aec0000-6aecf000 0000f000 ---
6aecf000-6aed1000 00002000 rw-
7f655000-7f7e6000 00191000 r-x
7f7e6000-7f7fd000 00017000 r--
7f7fd000-7f7ff000 00002000 rw-
7f7ff000-7f800000 00001000 ---
7f800000-00000000 80800000 rw-

Here you see that the file descriptor provided to mmap2 () is 3, but you don't know what file it is.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.