How to hack the Virtual Memory
We’ll take a look at how the VM can be messed with using two files from file system
In order to understand how to hack the VM, we need to understand what it is first. We won’t go in-depth, but it is basically a memory management technique that helps you solve memory problems by managing your application’s resources and avoiding memory fragmentation.
It takes the memory addresses that an executable or application on your PC needs to function and maps them to physical memory (generally RAM). The whole gist is that, if we can get a hold of said memory addresses, we can actually manipulate the data they store.
This function, for example…
allocates memory for a string of text and prints it in a loop. It should look something like this:
[0] A day at a time (0xfbd010)
[1] A day at a time (0xfbd010)
[2] A day at a time (0xfbd010)
...The thing is, this function creates a process, and this process gets a PID (process id) assigned to it. So what is this good for? It turns out that there’s something called proc filesystem, which acts as an interface to the Kernel data structures. This directory handles a lot of things, but for now we will focus on its mem and maps files.
Mem can be used to access the pages of a process. Pages here means a kind of log in which all of the addresses mappings are kept, the heap. Imagine a huge warehouse, there’s just so much stuff in it you could spend a lifetime trying to find a specific thing in it and never find it. Luckily, this warehouse has a catalogue that will help you reduce your search. It states in which shelves and cabinets you can find things. The problem is that it doesn’t say anything about aisles.
Here’s where maps comes in. With the id of your process (PID) you can know a lot of information about it, more specifically the address segment in which you can find it and the permissions it has. It looks something like this:
address perms offset dev inode pathname
010ff000-01122000 rw-p 00000000 03:0c 64593 /usr/sbin/gpmIn this case, our process is allocated from 010ff000 to 01122000, and though it’s private, hence the p under perms, we can read and write it. To go back to the warehouse analogy, your address here would be like the aisle. So, with the PID, we can know in which aisle our object is located and whether we can change it (write it) or just see it ( read it [yeah, here the analogy starts coming apart]).
And so but how can I know the PID of a process? In order to do that, we can use the ps command, which will list the active processes and their respective IDs. You may wanna check the man in order to get a smaller search result.
Imagine that, after running the ps program, we find out the PID of our process is 53148, we can then look up the maps file with it, like this:
/proc/53148/mapsThis will give us a lot of information, but we should pay special attention to the one that appears to be indicating the heap, which will appear similar to this one:
010ff000-01122000 rw-p 00000000 00:00 0 [heap]This confirms that our process is actually on the heap (exists in the warehouse) since its address is 0xfbd010, and with this information we can change what it stores, overwrite it.
I hope this article clarified a bit the role of both the maps and mem files in the proc directory. The concept of virtual memory is actually rather complex, so if you want to know more about that check this other article.
Sources:
