// Seal locks down the program's memory: the Text mapping is switched to
// PROT_EXEC only and the ROData mapping to PROT_READ only, so neither is
// left writable. A nil mapping is skipped.
//
// The first mprotect failure is returned immediately. If Text was already
// switched and the ROData call then fails, Text stays sealed while ROData
// keeps its previous protection, so any error means the program is only
// partially sealed.
//
// NOTE(review): PROT_EXEC without PROT_READ is enforced as execute-only
// only where the platform supports it; elsewhere Text may stay readable.
// Confirm whether the code in Text reads data embedded in Text.
func (p *Program) Seal() (err error) {
	if p.Text != nil {
		if err = syscall.Mprotect(p.Text, syscall.PROT_EXEC); err != nil {
			return err
		}
	}
	if p.ROData == nil {
		return nil
	}
	return syscall.Mprotect(p.ROData, syscall.PROT_READ)
}
// callPayload runs payload as native code: it passes the bytes through
// prepPayload, re-protects the returned slice as executable with mprotect,
// and hands the address of its first byte to caller.
//
// The mprotect call replaces the region's protection with PROT_EXEC alone,
// so the region is no longer mapped writable afterwards. Turning a data
// buffer into executable memory at run time is the transition that NX / W^X
// policy exists to stop; where policy denies it, Mprotect returns an error
// and log.Fatal exits the process.
//
// NOTE(review): mprotect needs a page-aligned start address; presumably
// prepPayload returns such a buffer, confirm. An empty slice from
// prepPayload panics at &payload[0].
func callPayload(payload []byte) {
	payload = prepPayload(payload)

	// Mark the payload's pages executable.
	if err := syscall.Mprotect(payload, syscall.PROT_EXEC); err != nil {
		log.Fatal(err)
	}

	// Transfer control to the first byte of the buffer.
	entry := uintptr(unsafe.Pointer(&payload[0]))
	caller(entry)
}
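// TestOutOfBoundsRead checks that sha1.Sum never reads past the end of its
// input. It maps two pages, makes the second one inaccessible, and hashes
// every suffix of the first page that ends exactly at the page boundary. An
// over-read of even one byte touches the PROT_NONE page and crashes the test
// with a fault.
//
// The 4 KiB page size is hard-coded. NOTE(review): on a system with larger
// pages data[pageSize:] is not page-aligned and Mprotect is expected to
// fail; that is reported as a test failure rather than running without the
// guard page.
func TestOutOfBoundsRead(t *testing.T) {
	const pageSize = 4 << 10

	data, err := syscall.Mmap(0, 0, 2*pageSize, syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_ANON|syscall.MAP_PRIVATE)
	if err != nil {
		t.Fatalf("mmap: %v", err)
	}
	// Best-effort cleanup: an unmap failure does not affect the result.
	defer syscall.Munmap(data)

	// The second page becomes the guard: any access to it faults.
	if err := syscall.Mprotect(data[pageSize:], syscall.PROT_NONE); err != nil {
		t.Fatalf("mprotect: %v", err)
	}

	// Each input ends at the last readable byte; i == 0 is the empty input.
	for i := 0; i < pageSize; i++ {
		sha1.Sum(data[pageSize-i : pageSize])
	}
}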
// TestEqualNearPageBoundary exercises Equal on operands that sit directly
// next to inaccessible pages, so a read outside either operand faults.
//
// A page-aligned, one-page window is located inside a four-page buffer, and
// the pages immediately before and after it are set to protection 0 (no
// access). Equal is then called on every prefix/suffix pair of the window,
// in both argument orders.
//
// NOTE(review): the Mprotect results are discarded. If either call fails,
// the guard pages stay accessible and the test passes without being able to
// detect an over-read.
func TestEqualNearPageBoundary(t *testing.T) {
	pg := syscall.Getpagesize()
	b := make([]byte, 4*pg)

	// Advance i from pg to the first page-aligned byte of b.
	i := pg
	for uintptr(unsafe.Pointer(&b[i]))%uintptr(pg) != 0 {
		i++
	}

	before := b[i-pg : i]
	after := b[i+pg : i+2*pg]
	syscall.Mprotect(before, 0)
	syscall.Mprotect(after, 0)
	// b comes from make, so both pages are made read/write again before the
	// function returns. Deferred calls run in reverse order: after, then
	// before.
	defer syscall.Mprotect(before, syscall.PROT_READ|syscall.PROT_WRITE)
	defer syscall.Mprotect(after, syscall.PROT_READ|syscall.PROT_WRITE)

	// With the guards in place, reading b[i-1] or b[i+pg] should fault.

	window := b[i : i+pg]
	for k := range window {
		window[k] = 'A'
	}
	for n := 0; n <= pg; n++ {
		head, tail := window[:n], window[pg-n:]
		Equal(head, tail)
		Equal(tail, head)
	}
}
// TestCmd_StartSecondMprotectError injects a failure into the second
// mprotect call made through the syscallMprotect hook and checks that
// cmd.Start returns that exact error.
//
// Every call other than the second is forwarded to syscall.Mprotect, so the
// rest of Start runs against real memory protections.
//
// NOTE(review): the hook is reset to syscall.Mprotect on exit, not to the
// value it held on entry. Presumably Start calls the hook at least twice;
// if it does not, Start returns no injected error and the first Fatalf
// fires.
func TestCmd_StartSecondMprotectError(t *testing.T) {
	calls := 0
	syscallMprotect = func(b []byte, prot int) error {
		calls++
		if calls != 2 {
			return syscall.Mprotect(b, prot)
		}
		return fmt.Errorf("expected error")
	}
	defer func() { syscallMprotect = syscall.Mprotect }()

	err := Command(trueBin).Start()
	switch {
	case err == nil:
		t.Fatalf("Expected error not returned.")
	case err.Error() != "expected error":
		t.Fatalf("Wrong error returned: %s", err)
	}
}
// main sets up a readable page followed by a faulting page and runs the
// test16/test32/test64 helpers (and their indexed variants) on a slice that
// ends exactly at the boundary, so a load that reaches past the slice hits
// the PROT_NONE page and faults.
//
// NOTE(review): p is presumably the page size and one the value 1, both
// declared elsewhere in the file. Confirm.
func main() {
	// Map two anonymous, private pages.
	mem, err := syscall.Mmap(-1, 0, 2*p, syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_ANON|syscall.MAP_PRIVATE)
	if err != nil {
		panic(err)
	}

	// Revoke all access to the second page.
	if err := syscall.Mprotect(mem[p:], syscall.PROT_NONE); err != nil {
		panic(err)
	}

	// tail covers the final byte(s) of the accessible page.
	tail := mem[p-one : p]

	test16(tail)
	test16i(tail, 0)
	test32(tail)
	test32i(tail, 0)
	test64(tail)
	test64i(tail, 0)
}
// Protect changes the memory protection of the mapping to prot by calling
// mprotect on the whole of m and returns that call's error.
//
// prot is passed through unchecked, so a caller can request writable and
// executable access at the same time. Callers that want W^X must enforce it
// themselves.
func (m Mmap) Protect(prot int) error {
	region := []byte(m)
	return syscall.Mprotect(region, prot)
}