{"id":13538761,"url":"https://github.com/hardenedlinux/linux-exploit-development-tutorial","last_synced_at":"2025-04-02T05:31:55.259Z","repository":{"id":59747250,"uuid":"70380539","full_name":"hardenedlinux/linux-exploit-development-tutorial","owner":"hardenedlinux","description":"a series of tutorials on Linux exploit development for newbies.","archived":false,"fork":false,"pushed_at":"2024-04-12T02:00:37.000Z","size":66888,"stargazers_count":553,"open_issues_count":3,"forks_count":171,"subscribers_count":58,"default_branch":"master","last_synced_at":"2024-11-03T03:32:03.836Z","etag":null,"topics":["kernel-exploit","linux","tutorials"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hardenedlinux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-09T06:00:36.000Z","updated_at":"2024-10-14T05:11:12.000Z","dependencies_parsed_at":"2024-11-03T03:32:10.048Z","dependency_job_id":"cc7087e4-cb2b-4c22-baeb-603ad7372126","html_url":"https://github.com/hardenedlinux/linux-exploit-development-tutorial","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardenedlinux%2Flinux-exploit-development-tutorial","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardenedlinux%2Flinux-exploit-development-tutorial/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardenedlinux%2Flinux-exploit-development-tutorial/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hardenedlinux%2Flinux-exploit-development-tutorial/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hardenedlinux","download_url":"https://codeload.github.com/hardenedlinux/linux-exploit-development-tutorial/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246763805,"owners_count":20829795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel-exploit","linux","tutorials"],"created_at":"2024-08-01T09:01:15.679Z","updated_at":"2025-04-02T05:31:50.248Z","avatar_url":"https://github.com/hardenedlinux.png","language":"C","readme":"# Getting Started with Linux Exploit Development\n\n## What is this?\n\nThis is a guide to Linux exploit development for beginners.\n\nI found that the learning curve for binary work on Linux is steep and the techniques are scattered, so I put this document together to help people who are interested learn, and to meet more people interested in Linux binaries.\n\nGetting started is always the hardest part. First, thanks to sploitfun, the original author of this material, who started this work and laid out the approach; I have supplemented and translated it on top of his work.\n\nThanks also to the authors of the articles on phrack, the WooYun (乌云) knowledge base and various wikis; these authors and security researchers have explained many exploit-related techniques, and it is their selfless sharing that made so much possible. I want to learn from that spirit of sharing.\n\nTo keep the document from becoming bloated, we limit the topics discussed to Linux, x86 and IPv4 as far as possible. We assume the reader can use Linux normally, is familiar with C, has some understanding of assembly, knows computer science terminology and has basic architecture knowledge (stack, heap, memory and so on). If your background is not yet sufficient, the book 0day 安全 (0day Security) is recommended for filling in the gaps.\n\nThe test machine is a default installation of Ubuntu 14.04.\n\n## Contents\n\n### Chapter 1: [Fundamentals](./chapter1)\n\nBasic knowledge such as: What are the stack and the heap? How is C translated into assembly? What does the memory layout look like? ...\n\nBasic security knowledge such as: What is a stack or heap overflow? How does the heap allocator work? ...\n\nThis stage also introduces the basic vulnerability classes and security mechanisms, then disables all the protection mechanisms in order to learn how to write the most basic exploit on Linux.\n\n### Chapter 2: [Stack Security](./chapter2)\n\nFocuses on the stack protection mechanisms on modern Linux and the usual approaches to bypassing them.\n\nThese fall into two broad categories: compile-time (ELF hardening), where certain compiler options control the generation of safer code (at some cost in performance or space), and runtime security (ASLR). Both raise the difficulty of exploitation but do not fundamentally remove the vulnerabilities from the software.\n\n### Chapter 3: [Heap Security](./chapter3)\n\nFocuses on the heap protection mechanisms of glibc on modern Linux and the usual approaches to bypassing them.\n\n### Chapter 4: [Kernel Security](./chapter4)\n\nThis stage covers security-related material (protections, exploitation) for the modern Linux kernel (2.6.32 and later).\n\nEarly kernels could freely access user-space code, and the ret2usr technique could make the kernel execute user-space code. As Linux evolved, SMAP (which forbids the kernel from freely accessing user space; access is allowed when the RFLAGS.AC flag is set), SMEP (which forbids the kernel from directly executing user-space code) and KASLR have all raised the difficulty of exploitation.\n\n### Chapter 5: [Vulnerability Discovery](./chapter5)\n\nThe importance of vulnerability hunting goes without saying: by analogy, the chapters above describe how to eat the meat, and vulnerability hunting is about where the meat is.\n\nThis chapter is currently a new area for me as well; it focuses mainly on fuzzing and code auditing.\n\n## How to modify and update?\n\n```shell\ngit clone git@github.com:hardenedlinux/linux_exploit_development_tutorial.git\ncd linux_exploit_development_tutorial\nmake # preview\n```\n\n## How to try out the code from the document?\n\n(WIP)\n\nThe source code will gradually be placed in the `lab-code` directory; in fact, we would rather provide a virtual machine image for download.\n...\n\n## License\n\nThis project is licensed under the \u003ca href=\"http://creativecommons.org/licenses/by-sa/3.0/\" target=\"_blank\"\u003eCreative Commons Attribution-ShareAlike 3.0\u003c/a\u003e license.\n","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003eVulnerabilities \u0026\u0026 Vulnerability Management \u0026\u0026 Vulnerability Discovery/Hunting \u0026\u0026 Exploit Development \u0026\u0026 Exploitation \u0026\u0026 Fuzzing","C","C (286)","\u003ca id=\"9f9fed5b730bc5bfceaaf77da3aa719e\"\u003e\u003c/a\u003eNotes \u0026\u0026 Articles \u0026\u0026 Tutorials"],"sub_categories":["\u003ca id=\"750f4c05b5ab059ce4405f450b56d720\"\u003e\u003c/a\u003eResource Collection"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhardenedlinux%2Flinux-exploit-development-tutorial","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhardenedlinux%2Flinux-exploit-development-tutorial","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhardenedlinux%2Flinux-exploit-development-tutorial/lists"}