-
-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement "got-audit" command. #112
Conversation
This PR has been tested against gef with hugsy/gef#1097 I've tested it with interactive use and running the got_audit.py unit test. |
Before this is merged: I notice that the symbols in the GOT correspond to those in the That is, if I examine the GOT of a running Are there additional offset tables that need to be examined? I can follow up on this later and improve the command when I figure it out, but if you happen to know that I've missed something, I'd appreciate any pointers. |
Checking in: Is this PR waiting on any action on my part? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Hi @gordonmessmer , I got pretty busy lately with little time to review this PR
I got pretty busy lately with little time to spare on gef/gef-extras. Sorry for the delay, tests are running now. If they pass, I'll merge it |
Tests won't pass until after hugsy/gef#1097 is merged. :) |
Actually tests are failing for another reason (type hints) |
I see two test failures: The first fails because gdb reports "cs" is an unknown command: https://github.com/hugsy/gef-extras/actions/runs/8869653413/job/24609506965?pr=112#step:9:129 ...and the second fails because "nm" isn't found in gef.session.constants: https://github.com/hugsy/gef-extras/actions/runs/8869653413/job/24609506965?pr=112#step:9:273 Unless I'm misreading the test output... which is always possible. I think if you run the tests again, the second test failure will go away. I don't think the first is related to the changes in this PR, so that one will probably fail again. I'll look at the type hints again... I could swear those were all in place. 😕 |
Type hints look like they're consistent with other modules. If I'm overlooking something, I'd be grateful for any pointers. |
The "cs" failure looks like the same thing that #110 is intended to fix. |
Thanks for running the tests. I see that the got-audit test fails in the container because the library name is different than on the platform where I ran unit tests. :( I'll update the tests later today and push a change to address that. |
Correct, still a WIP so I don't mind it for your PR
Sounds good to me, I'll wait for it and merge your PR after that. Thanks for your work! Cheers |
Description
The "got-audit" command examines the symbols in the GOT, and prints a list of symbols and the path of the file that provides the mapped memory that the value points to. Additionally, it will print errors if a symbol is provided by multiple shared libraries, or if a symbol in the GOT points to a library that doesn't provide it.
To prevent future attacks similar to the liblzma attack, I'd like to implement a tool to audit the GOT of a running process which can be used in Fedora (and elsewhere) test infrastructure to look for signs of tampering.
How Has This Been Tested ?
"Tested" indicates that the PR works and the unit test (i.e.
make test
) run passes without issue.Checklist
adequate tests have been added.
CONTRIBUTING document.