1

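While running `cat /proc/*some PID*/maps` on several processes on one machine, I noticed that they all have the same starting point in terms of memory addresses, namely 0x8048000. Does this mean that each process has "its own memory space, including stack, heap, etc." at runtime?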

If so, how does an attacker distinguish one process's memory addresses from another's?

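So, if a machine has 2GB of RAM and several processes running at the same time - how do we know what our target memory address is? Or have I got this all wrong, and the attack starts by looking at the process itself and proceeds from there?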

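Please excuse the beginner's question; I have just gotten into Assembly and am reading 5 tutorials at the same time, and I am having a bit of trouble pulling it all together into a certain level of understanding.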

Please note that this question was placed here rather than on IT Security because I did mention the Assembly side of things.

4

1 Answer

5

Each process has its own "virtual memory", where it stores its own stack, heap, instructions, etc. Each process can use the entire 32/64-bit address space independently of any other process. The kernel manages the mapping between each process's virtual memory and the machine's physical RAM. Wikipedia covers this in more detail.

Most attacks target memory in one particular process. Attackers use addresses from the address space of the process they are targeting. As you observed, many executables load at standard virtual addresses, making it easier for attackers to predict the memory layout of a process.

Answered 2013-02-07T21:47:35.730
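
The per-process address spaces described in the answer can be checked from `maps` output itself. The following is an added example, not part of the original question or answer: it resolves one virtual address separately in each process and reports load addresses shared by several processes, which is the predictability that PIE and ASLR remove. The PIDs, inodes and mappings are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed /proc/<pid>/maps excerpts for two 32-bit, non-PIE processes.
# PIDs, inodes and address ranges are sample values, not taken from the page.
SAMPLE_MAPS = {
    1201: """\
08048000-08053000 r-xp 00000000 08:01 131085     /bin/cat
08053000-08054000 rw-p 0000a000 08:01 131085     /bin/cat
09a4c000-09a6d000 rw-p 00000000 00:00 0          [heap]
bfc1e000-bfc3f000 rw-p 00000000 00:00 0          [stack]
""",
    1377: """\
08048000-080ef000 r-xp 00000000 08:01 131102     /bin/bash
080ef000-080f4000 rw-p 000a6000 08:01 131102     /bin/bash
08f31000-08f95000 rw-p 00000000 00:00 0          [heap]
bf8d2000-bf8f3000 rw-p 00000000 00:00 0          [stack]
""",
}

# start-end perms offset dev inode [path]
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) [0-9a-f]+ \S+ \d+\s*(.*)$")

def parse_maps(text):
    """Parse maps text into (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            start, end, perms, path = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, path))
    return regions

def lookup(pid_maps, addr):
    """Resolve one virtual address in each process's own address space."""
    result = {}
    for pid, text in pid_maps.items():
        hit = [r for r in parse_maps(text) if r[0] <= addr < r[1]]
        result[pid] = hit[0][3] if hit else None
    return result

def shared_image_bases(pid_maps):
    """Map each executable load address used by more than one PID to those PIDs."""
    by_base = {}
    for pid, text in pid_maps.items():
        for start, _end, perms, path in parse_maps(text):
            if "x" in perms and path.startswith("/"):
                by_base.setdefault(start, []).append(pid)
                break  # assumption: first file-backed executable mapping is the main image
    return {base: pids for base, pids in by_base.items() if len(pids) > 1}
```

On a live Linux system the sample strings can be replaced with the contents of `/proc/<pid>/maps` for processes you own. A non-empty result from `shared_image_bases` typically means the binaries were built without PIE or that address randomization is disabled.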