Observing the memory addressing of an application's process with pmap
#1
Hmm, nobody has filled the reverse engineering section yet... well, I'll fill it myself rather than leave it wasted and empty

OK, now let's learn a little about PMAP... what is pmap?

pmap is used to report the process memory used by an application on the host.
Code:
root@dracos:~# pmap -h
Usage: pmap [-x | -d] [-q] [-A low,high] pid...
-x  show details
-d  show offset and device number
-q  quiet; less header/footer info
-V  show the version number
-A  limit results to the given range

The -x option is used to display the full usage details; pmap will show all the information about the running process based on its PID. As an example, I will look at the process information for wicd.


Code:
root@dracos:~# pmap -x 1114
1114: /usr/bin/python -O /usr/share/wicd/daemon/wicd-daemon.py
Address Kbytes RSS Dirty Mode Mapping
0000000000400000 0 924 0 r-x-- python2.7
0000000000870000 0 4 4 r---- python2.7
0000000000871000 0 184 128 rw--- python2.7
00000000008da000 0 60 60 rw--- [ anon ]
0000000001768000 0 2320 2320 rw--- [ anon ]
0000000001bf8000 0 320 320 rw--- [ anon ]
00007f781c000000 0 44 44 rw--- [ anon ]
00007f781c021000 0 0 0 ----- [ anon ]
00007f7820c9c000 0 0 0 ----- [ anon ]
00007f7820c9d000 0 20 20 rw--- [ anon ]
00007f782149d000 0 0 0 r-x-- _ctypes.so
00007f78214be000 0 0 0 ----- _ctypes.so
00007f78216bd000 0 0 0 r---- _ctypes.so
00007f78216be000 0 0 0 rw--- _ctypes.so
00007f78216c2000 0 0 0 rw--- [ anon ]
00007f78216c3000 0 0 0 r-x-- libresolv-2.15.so
00007f78216db000 0 0 0 ----- libresolv-2.15.so
00007f78218db000 0 0 0 r---- libresolv-2.15.so
00007f78218dc000 0 0 0 rw--- libresolv-2.15.so
00007f78218dd000 0 0 0 rw--- [ anon ]
00007f78218df000 0 0 0 r-x-- libselinux.so.1
00007f78218fc000 0 0 0 ----- libselinux.so.1
00007f7821afb000 0 0 0 r---- libselinux.so.1
00007f7821afc000 0 0 0 rw--- libselinux.so.1
00007f7821afd000 0 0 0 rw--- [ anon ]
00007f7821afe000 0 0 0 r-x-- libgmodule-2.0.so.0.3200.3
00007f7821b01000 0 0 0 ----- libgmodule-2.0.so.0.3200.3
00007f7821d00000 0 0 0 r---- libgmodule-2.0.so.0.3200.3
00007f7821d01000 0 0 0 rw--- libgmodule-2.0.so.0.3200.3
00007f7821d02000 0 0 0 r-x-- libgio-2.0.so.0.3200.3
00007f7821e4a000 0 0 0 ----- libgio-2.0.so.0.3200.3
00007f7822049000 0 0 0 r---- libgio-2.0.so.0.3200.3
00007f782204d000 0 0 0 rw--- libgio-2.0.so.0.3200.3
00007f782204f000 0 0 0 rw--- [ anon ]
00007f7822051000 0 12 0 r-x-- libdbus-glib-1.so.2.2.2
00007f7822076000 0 0 0 ----- libdbus-glib-1.so.2.2.2
00007f7822276000 0 4 4 r---- libdbus-glib-1.so.2.2.2
00007f7822277000 0 4 4 rw--- libdbus-glib-1.so.2.2.2
00007f7822278000 0 0 0 r-x-- _dbus_glib_bindings.so
00007f782227a000 0 0 0 ----- _dbus_glib_bindings.so
00007f7822479000 0 0 0 r---- _dbus_glib_bindings.so
00007f782247a000 0 0 0 rw--- _dbus_glib_bindings.so
00007f782247b000 0 0 0 r-x-- libexpat.so.1.5.2
00007f78224a2000 0 0 0 ----- libexpat.so.1.5.2
00007f78226a2000 0 0 0 r---- libexpat.so.1.5.2
00007f78226a4000 0 0 0 rw--- libexpat.so.1.5.2
00007f78226a5000 0 0 0 r-x-- pyexpat.so
00007f78226b3000 0 0 0 ----- pyexpat.so
00007f78228b2000 0 0 0 r---- pyexpat.so
00007f78228b3000 0 0 0 rw--- pyexpat.so
00007f78228b5000 0 156 0 r-x-- libdbus-1.so.3.5.8
00007f78228f7000 0 0 0 ----- libdbus-1.so.3.5.8
00007f7822af7000 0 4 4 r---- libdbus-1.so.3.5.8
00007f7822af8000 0 4 4 rw--- libdbus-1.so.3.5.8
00007f7822af9000 0 60 0 r-x-- _dbus_bindings.so
00007f7822b13000 0 0 0 ----- _dbus_bindings.so
00007f7822d12000 0 4 4 r---- _dbus_bindings.so
00007f7822d13000 0 40 40 rw--- _dbus_bindings.so
00007f7822d21000 0 0 0 r-x-- libffi.so.6.0.0
00007f7822d28000 0 0 0 ----- libffi.so.6.0.0
00007f7822f27000 0 0 0 r---- libffi.so.6.0.0
00007f7822f28000 0 0 0 rw--- libffi.so.6.0.0
00007f7822f29000 0 0 0 r-x-- libgobject-2.0.so.0.3200.3
00007f7822f76000 0 0 0 ----- libgobject-2.0.so.0.3200.3
00007f7823176000 0 0 0 r---- libgobject-2.0.so.0.3200.3
00007f7823177000 0 0 0 rw--- libgobject-2.0.so.0.3200.3
00007f7823178000 0 0 0 r-x-- _gobject.so
00007f7823199000 0 0 0 ----- _gobject.so
00007f7823398000 0 0 0 r---- _gobject.so
00007f7823399000 0 0 0 rw--- _gobject.so
00007f782339c000 0 0 0 rw--- [ anon ]
00007f782339d000 0 0 0 r-x-- libgthread-2.0.so.0.3200.3
00007f782339e000 0 0 0 ----- libgthread-2.0.so.0.3200.3
00007f782359d000 0 0 0 r---- libgthread-2.0.so.0.3200.3
00007f782359e000 0 0 0 rw--- libgthread-2.0.so.0.3200.3
00007f782359f000 0 4 0 r-x-- librt-2.15.so
00007f78235a6000 0 0 0 ----- librt-2.15.so
00007f78237a5000 0 0 0 r---- librt-2.15.so
00007f78237a6000 0 0 0 rw--- librt-2.15.so
00007f78237a7000 0 0 0 r-x-- libpcre.so.3.12.1
00007f78237e3000 0 0 0 ----- libpcre.so.3.12.1
00007f78239e2000 0 0 0 r---- libpcre.so.3.12.1
00007f78239e3000 0 0 0 rw--- libpcre.so.3.12.1
00007f78239e4000 0 4 0 r-x-- libpyglib-2.0-python2.7.so.0.0.0
00007f78239e8000 0 0 0 ----- libpyglib-2.0-python2.7.so.0.0.0
00007f7823be7000 0 0 0 r---- libpyglib-2.0-python2.7.so.0.0.0
00007f7823be8000 0 4 4 rw--- libpyglib-2.0-python2.7.so.0.0.0
00007f7823be9000 0 88 0 r-x-- libglib-2.0.so.0.3200.3
00007f7823cdb000 0 0 0 ----- libglib-2.0.so.0.3200.3
00007f7823edb000 0 4 4 r---- libglib-2.0.so.0.3200.3
00007f7823edc000 0 4 4 rw--- libglib-2.0.so.0.3200.3
00007f7823edd000 0 4 4 rw--- [ anon ]
00007f7823ede000 0 16 0 r-x-- _glib.so
00007f7823eee000 0 0 0 ----- _glib.so
00007f78240ed000 0 0 0 r---- _glib.so
00007f78240ee000 0 8 8 rw--- _glib.so
00007f78240f1000 0 0 0 r-x-- _heapq.so
00007f78240f4000 0 0 0 ----- _heapq.so
00007f78242f3000 0 0 0 r---- _heapq.so
00007f78242f4000 0 0 0 rw--- _heapq.so
00007f78242f6000 0 208 208 rw--- [ anon ]
00007f7824378000 0 72 72 rw--- [ anon ]
00007f78243fc000 0 72 72 rw--- [ anon ]
00007f78244bd000 0 0 0 r-x-- libnss_files-2.15.so
00007f78244c9000 0 0 0 ----- libnss_files-2.15.so
00007f78246c8000 0 0 0 r---- libnss_files-2.15.so
00007f78246c9000 0 0 0 rw--- libnss_files-2.15.so
00007f78246ca000 0 12 0 r-x-- libnss_nis-2.15.so
00007f78246d4000 0 0 0 ----- libnss_nis-2.15.so
00007f78248d4000 0 0 0 r---- libnss_nis-2.15.so
00007f78248d5000 0 0 0 rw--- libnss_nis-2.15.so
00007f78248d6000 0 0 0 r-x-- libnsl-2.15.so
00007f78248ed000 0 0 0 ----- libnsl-2.15.so
00007f7824aec000 0 0 0 r---- libnsl-2.15.so
00007f7824aed000 0 0 0 rw--- libnsl-2.15.so
00007f7824aee000 0 0 0 rw--- [ anon ]
00007f7824af0000 0 16 0 r-x-- libnss_compat-2.15.so
00007f7824af8000 0 0 0 ----- libnss_compat-2.15.so
00007f7824cf7000 0 0 0 r---- libnss_compat-2.15.so
00007f7824cf8000 0 0 0 rw--- libnss_compat-2.15.so
00007f7824cf9000 0 4 0 r-x-- libgcc_s.so.1
00007f7824d0e000 0 0 0 ----- libgcc_s.so.1
00007f7824f0d000 0 4 4 r---- libgcc_s.so.1
00007f7824f0e000 0 0 0 rw--- libgcc_s.so.1
00007f7824f0f000 0 504 0 r-x-- libc-2.15.so
00007f78250c2000 0 0 0 ----- libc-2.15.so
00007f78252c1000 0 16 16 r---- libc-2.15.so
00007f78252c5000 0 8 8 rw--- libc-2.15.so
00007f78252c7000 0 16 16 rw--- [ anon ]
00007f78252cc000 0 44 0 r-x-- libm-2.15.so
00007f78253c5000 0 0 0 ----- libm-2.15.so
00007f78255c4000 0 4 4 r---- libm-2.15.so
00007f78255c5000 0 0 0 rw--- libm-2.15.so
00007f78255c6000 0 4 0 r-x-- libz.so.1.2.3.4
00007f78255dc000 0 0 0 ----- libz.so.1.2.3.4
00007f78257db000 0 4 4 r---- libz.so.1.2.3.4
00007f78257dc000 0 0 0 rw--- libz.so.1.2.3.4
00007f78257dd000 0 4 0 r-x-- libcrypto.so.1.0.0
00007f782597c000 0 0 0 ----- libcrypto.so.1.0.0
00007f7825b7b000 0 4 4 r---- libcrypto.so.1.0.0
00007f7825b96000 0 0 0 rw--- libcrypto.so.1.0.0
00007f7825ba1000 0 0 0 rw--- [ anon ]
00007f7825ba5000 0 4 0 r-x-- libssl.so.1.0.0
00007f7825bf7000 0 0 0 ----- libssl.so.1.0.0
00007f7825df7000 0 4 4 r---- libssl.so.1.0.0
00007f7825dfa000 0 0 0 rw--- libssl.so.1.0.0
00007f7825e00000 0 0 0 rw--- [ anon ]
00007f7825e01000 0 4 0 r-x-- libutil-2.15.so
00007f7825e03000 0 0 0 ----- libutil-2.15.so
00007f7826002000 0 4 4 r---- libutil-2.15.so
00007f7826003000 0 0 0 rw--- libutil-2.15.so
00007f7826004000 0 4 0 r-x-- libdl-2.15.so
00007f7826006000 0 0 0 ----- libdl-2.15.so
00007f7826206000 0 4 4 r---- libdl-2.15.so
00007f7826207000 0 0 0 rw--- libdl-2.15.so
00007f7826208000 0 68 0 r-x-- libpthread-2.15.so
00007f7826220000 0 0 0 ----- libpthread-2.15.so
00007f782641f000 0 4 4 r---- libpthread-2.15.so
00007f7826420000 0 4 4 rw--- libpthread-2.15.so
00007f7826421000 0 4 4 rw--- [ anon ]
00007f7826425000 0 52 0 r-x-- ld-2.15.so
00007f78264f5000 0 316 316 rw--- [ anon ]
00007f78265a9000 0 352 352 rw--- [ anon ]
00007f7826643000 0 4 4 rw--- [ anon ]
00007f7826644000 0 0 0 rwx-- [ anon ]
00007f7826645000 0 4 4 rw--- [ anon ]
00007f7826647000 0 4 4 r---- ld-2.15.so
00007f7826648000 0 8 8 rw--- ld-2.15.so
00007fff0bcb4000 0 20 20 rw--- [ stack ]
00007fff0bdb5000 0 4 0 r-x-- [ anon ]
ffffffffff600000 0 0 0 r-x-- [ anon ]
---------------- ------ ------ ------
total kB 164228 6164 4120

Notice the memory addresses used when wicd loads the various libs... hmm, hope this is useful...

Anyone who has already used pmap to observe memory addressing, for example on a virus or keylogger, please share... \m/
FOLLOW @DutaLinux
for more questions and sharing about security and open source only
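As an added example (not from the original post), here is a small Python parser for the "pmap -x" table format shown above, plus two checks a defender typically runs over it: summing RSS per backing object and flagging regions that are both writable and executable. The sample lines are constructed from rows of the output above; a W+X anonymous region is a triage signal to explain (libffi/ctypes closures are a benign cause in a Python process), not a verdict.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the "pmap -x 1114" output quoted above.
SAMPLE = """\
1114: /usr/bin/python -O /usr/share/wicd/daemon/wicd-daemon.py
Address Kbytes RSS Dirty Mode Mapping
0000000000400000 0 924 0 r-x-- python2.7
00000000008da000 0 60 60 rw--- [ anon ]
00007f7824f0f000 0 504 0 r-x-- libc-2.15.so
00007f7826644000 0 0 0 rwx-- [ anon ]
00007fff0bcb4000 0 20 20 rw--- [ stack ]
ffffffffff600000 0 0 0 r-x-- [ anon ]
---------------- ------ ------ ------
total kB 164228 6164 4120
"""

@dataclass
class Mapping:
    address: int   # start of the region
    kbytes: int    # virtual size in kB
    rss: int       # resident pages in kB
    dirty: int     # modified pages in kB
    mode: str      # permission flags as printed by pmap (r/w/x/s/-)
    mapping: str   # backing file, or [ anon ] / [ stack ]

def parse_pmap_x(text: str) -> list[Mapping]:
    """Parse pmap -x output, skipping the PID line, header, rule and total row."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)       # mapping name may contain spaces
        if len(parts) != 6:
            continue
        try:
            addr = int(parts[0], 16)      # header and total rows fail here
            kb, rss, dirty = map(int, parts[1:4])
        except ValueError:
            continue
        rows.append(Mapping(addr, kb, rss, dirty, parts[4], parts[5]))
    return rows

def writable_executable(rows: list[Mapping]) -> list[Mapping]:
    """Regions that are writable AND executable: explain each one (JIT, libffi)."""
    return [m for m in rows if "w" in m.mode and "x" in m.mode]

def rss_by_mapping(rows: list[Mapping]) -> dict[str, int]:
    """Sum resident kB per backing object, a per-library view of RSS."""
    totals: dict[str, int] = defaultdict(int)
    for m in rows:
        totals[m.mapping] += m.rss
    return dict(totals)
```

Feed it the real thing with `parse_pmap_x(subprocess.check_output(["pmap", "-x", pid], text=True))`.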

#2
wow, cool bro, when I get the chance I'll post the malware one here

#3
hats off to the TS (thread starter) for this one, nice, bro...
Code:
Username :   [ Hidemichi-Hiroyuki]

Password :   [     ********      ]

#4
great, I'll try the malware one to help out bro Ikon, haha

#5
hmmmm, looks like I'm interested in following this thread
The Wolf

#6
I never even thought an application like this existed

Just following along for now...