malloc调用brk或mmap系统调用来获得内存
操作系统提供了brk()函数,C运行时库提供了sbrk()函数;对于mmap映射区域,操作系统提供了mmap()和munmap()函数。sbrk()、brk()和mmap()都可以用来为进程添加额外的虚拟内存。
#include<unistd.h>
int brk(void * addr);
void *sbrk(intptr_t increment);
当sbrk()的参数为0时,sbrk()返回进程当前的brk值;当increment为正整数时扩展brk的值,当increment为负值时收缩brk的值。
#include<sys/mman.h>
void * mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
int munmap(void *addr, size_t length);
下面是我的测试环境
ASLR处于关闭状态(这样每次运行打印出的地址保持一致,便于前后对比)
在我的测试环境下,系统默认开辟了132字节大小的堆和栈空间
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
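/*
 * Demonstrates moving the program break with sbrk()/brk().
 *
 * Prints the current break, raises it by 4096 bytes, prints it again, then
 * restores the original value and prints it a third time. Each getchar()
 * blocks until input arrives, presumably so the process (its PID is printed
 * first) can be inspected between steps.
 *
 * Returns 0 on success, 1 if sbrk() or brk() reports failure.
 *
 * NOTE(review): the C library's allocator may manage the same break, and
 * stdio may obtain its buffers through it, so moving the break by hand is
 * only reasonable in a small demo like this one. Confirm against the libc
 * in use before reusing the pattern.
 */
int main(void)
{
    /* sbrk() signals failure with (void *)-1, not NULL. */
    void *const sbrk_failed = (void *)-1;
    void *curr_brk;
    void *initial_brk;

    printf("Welcome to sbrk example:%d\n", (int)getpid());

    /* sbrk(0) changes nothing; it only reports the current break. */
    initial_brk = curr_brk = sbrk(0);
    if (curr_brk == sbrk_failed) {
        perror("sbrk");
        return 1;
    }
    printf("Programe Break Location1:%p\n", curr_brk);
    getchar();

    /*
     * Grow the break by one 4096-byte step. The cast to char * keeps the
     * pointer arithmetic standard C; arithmetic on void * is an extension.
     */
    if (brk((char *)curr_brk + 4096) == -1) {
        perror("brk");
        return 1;
    }
    curr_brk = sbrk(0);
    if (curr_brk == sbrk_failed) {
        perror("sbrk");
        return 1;
    }
    printf("Programe Break Location2:%p\n", curr_brk);
    getchar();

    /*
     * Shrink back to the break recorded at start-up. Everything above that
     * address is released, so nothing still in use may live there.
     */
    if (brk(initial_brk) == -1) {
        perror("brk");
        return 1;
    }
    curr_brk = sbrk(0);
    if (curr_brk == sbrk_failed) {
        perror("sbrk");
        return 1;
    }
    printf("Programe Break Location3:%p\n", curr_brk);
    getchar();

    return 0;
}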
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
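/*
 * Reports a failed call and terminates the process. Does not return.
 *
 * msg names the call that failed (the callers in this file pass "mmap" and
 * "munmap"). The diagnostics go to stderr rather than stdout, so they are
 * not mixed into the program's normal output and are not held back by
 * stdout buffering.
 */
static inline void errExit(const char *msg)
{
    /*
     * perror() comes first: it reads errno, which a later stdio call could
     * overwrite. It adds the system's reason for the failure.
     */
    perror(msg);
    fprintf(stderr, "%s failed. Exiting the process\n", msg);
    /* EXIT_FAILURE is the portable failure status; exit(-1) is reported as 255 on POSIX. */
    exit(EXIT_FAILURE);
}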
/*
 * Demonstrates a private anonymous mapping: maps 132 * 1024 bytes with
 * mmap(), then releases them with munmap().
 *
 * The mapping is not backed by a file (MAP_ANONYMOUS with fd -1) and is
 * private to this process (MAP_PRIVATE). Each getchar() blocks until input
 * arrives, presumably so the process (its PID is printed first) can be
 * inspected before the mapping, after it, and after the unmap.
 *
 * Returns 0 on success; a failed mmap() or munmap() is handed to errExit().
 */
int main()
{
    /* One length for both calls, so map and unmap cannot drift apart. */
    const size_t map_len = (size_t)132 * 1024;
    const int prot = PROT_READ | PROT_WRITE;
    const int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    char *region;

    printf("Welcome to private anonymous mapping example::PID:%d\n", getpid());
    printf("Before mmap\n");
    getchar();

    /* A NULL hint lets the kernel choose the address. */
    region = mmap(NULL, map_len, prot, flags, -1, 0);
    /* mmap() reports failure with MAP_FAILED, not NULL. */
    if (region == MAP_FAILED) {
        errExit("mmap");
    }

    printf("After mmap\n");
    getchar();

    if (munmap(region, map_len) == -1) {
        errExit("munmap");
    }

    printf("After munmap\n");
    getchar();

    return 0;
}
本文参考了 https://sploitfun.wordpress.com/2015/02/11/syscalls-used-by-malloc/
这篇文章,但笔者在自己的环境中发现了很多不一样的地方,这就是技术的更新迭代吧!
多学习!