堆栈cookie工具代码检测到基于堆栈的缓冲区溢出

时间:2020-02-14 09:54:08

标签: c++ memory virtual-machine buffer shared-memory

在我的应用程序中,我正在创建通过使用某种类型的缓冲区:

read<uint64_t>(address);

template<typename T>
inline T read(uint64_t address)
{
    T buffer{ };
    readbuffer(address, &buffer, sizeof(T));
    return buffer;
}

我正在通过套接字将此缓冲区发送到虚拟机,然后该虚拟机使用GetCurrentProcessId()查找当前进程,并将所需的数据写回到缓冲区的内存地址。

然后我返回该缓冲区,该缓冲区现在应该是内存地址。我遇到的这个问题最终是当我的代码到达执行return语句的函数时,它触发了基于堆栈的缓冲区溢出,我不知道为什么。

更多信息:

uint32_t readbuffer(uint64_t address, PVOID buffer, size_t size)
{
    if (address == 0)
        return false;
    printf("readbuffer: 0x%X  0x%X  0x%X\n", address, uintptr_t(buffer), size);
    return copy_memory(cached_connection, cached_dwPID, address, GetCurrentProcessId(), uintptr_t(buffer), size);
}


static uint32_t copy_memory(
    const SOCKET    connection,
    const uint32_t  src_process_id,
    const uintptr_t src_address,
    const uint32_t  dest_process_id,
    const uintptr_t dest_address,
    const size_t    size)
{
    Packet packet{ };

    packet.header.magic = packet_magic;
    packet.header.type = PacketType::packet_copy_memory;

    auto& data = packet.data.copy_memory;
    data.src_process_id = src_process_id;
    data.src_address = uint64_t(src_address);
    data.dest_process_id = dest_process_id;
    data.dest_address = uint64_t(dest_address);
    data.size = uint64_t(size);

    //printf("src 0x%X dst 0x%X size 0x%X\n", data.src_address, data.dest_address, data.size);

    uint64_t result = 0;
    if (send_packet(connection, packet, result))
        return uint32_t(result);

    return 0;
}

从虚拟机:

process->Read(completion_packet.data.copy_memory.src_address, &buffer, completion_packet.data.copy_memory.size);


destProcess->Write(completion_packet.data.copy_memory.dest_address, buffer);

调用read / 1并崩溃的代码

FTransform GetBoneIndex(DWORD_PTR mesh, int index)
{
    DWORD_PTR bonearray = memio->read<DWORD_PTR>(mesh + 0x410);

    return memio->read<FTransform>(bonearray + (index * 0x30));
}

读/写方法

template<typename T>
T Read(uint64_t address)
{
    T ret;
    VMemRead(&ctx->process, proc.dirBase, (uint64_t)&ret, address, sizeof(T));
    return ret;
}

template<typename T>
void Write(uint64_t address, const T& value)
{
    VMemWrite(&ctx->process, proc.dirBase, (uint64_t)&value, address, sizeof(T));
}

我现在正在使用这些:

ssize_t WinProcess::Read(uint64_t address, void* buffer, size_t sz)
{
    return VMemRead(&ctx->process, proc.dirBase, (uint64_t)buffer, address, sz);
}

ssize_t WinProcess::Write(uint64_t address, void* buffer, size_t sz)
{
    return VMemWrite(&ctx->process, proc.dirBase, (uint64_t)buffer, address, sz);
}

0 个答案:

没有答案
相关问题
最新问题