pwnlib.tubes.process — Processes

class pwnlib.tubes.process.process(argv=None, shell=False, executable=None, cwd=None, env=None, stdin=-1, stdout=<pwnlib.tubes.process.PTY object>, stderr=-2, close_fds=True, preexec_fn=<function <lambda>>, raw=True, aslr=None, setuid=None, where='local', display=None, alarm=None, *args, **kwargs)[source]


Spawns a new process, and wraps it with a tube for communication.

  • argv (list) – List of arguments to pass to the spawned process.
  • shell (bool) – Set to True to interpret argv as a string to pass to the shell for interpretation instead of as argv.
  • executable (str) – Path to the binary to execute. If None, uses argv[0]. Cannot be used with shell.
  • cwd (str) – Working directory. Uses the current working directory by default.
  • env (dict) – Environment variables. By default, inherits from Python’s environment.
  • stdin (int) – File object or file descriptor number to use for stdin. By default, a pipe is used. A pty can be used instead by setting this to PTY. This will cause programs to behave in an interactive manner (e.g.., python will show a >>> prompt). If the application reads from /dev/tty directly, use a pty.
  • stdout (int) – File object or file descriptor number to use for stdout. By default, a pty is used so that any stdout buffering by libc routines is disabled. May also be PIPE to use a normal pipe.
  • stderr (int) – File object or file descriptor number to use for stderr. By default, STDOUT is used. May also be PIPE to use a separate pipe, although the wrapper will not be able to read this data.
  • close_fds (bool) – Close all open file descriptors except stdin, stdout, stderr. By default, True is used.
  • preexec_fn (callable) – Callable to invoke immediately before calling execve.
  • raw (bool) – Set the created pty to raw mode (i.e. disable echo and control characters). True by default. If no pty is created, this has no effect.
  • aslr (bool) –

    If set to False, disable ASLR via personality (setarch -R) and setrlimit (ulimit -s unlimited).

    This disables ASLR for the target process. However, the setarch changes are lost if a setuid binary is executed.

    The default value is inherited from context.aslr. See setuid below for additional options and information.

  • setuid (bool) –

    Used to control setuid status of the target binary, and the corresponding actions taken.

    By default, this value is None, so no assumptions are made.

    If True, treat the target binary as setuid. This modifies the mechanisms used to disable ASLR on the process if aslr=False. This is useful for debugging locally, when the exploit is a setuid binary.

    If False, prevent setuid bits from taking effect on the target binary. This is only supported on Linux, with kernels v3.5 or greater.

  • where (str) – Where the process is running, used for logging purposes.
  • display (list) – List of arguments to display, instead of the main executable name.
  • alarm (int) – Set a SIGALRM alarm timeout on the process.

proc (subprocess) –


>>> p = process('python2')
>>> p.sendline("print 'Hello world'")
>>> p.sendline("print 'Wow, such data'");
>>> '' == p.recv(timeout=0.01)
>>> p.shutdown('send')
>>> p.proc.stdin.closed
>>> p.connected('send')
>>> p.recvline()
'Hello world\n'
>>> p.recvuntil(',')
>>> p.recvregex('.*data')
' such data'
>>> p.recv()
>>> p.recv() 
Traceback (most recent call last):
>>> p = process('cat')
>>> d = open('/dev/urandom').read(4096)
>>> p.recv(timeout=0.1)
>>> p.write(d)
>>> p.recvrepeat(0.1) == d
>>> p.recv(timeout=0.1)
>>> p.shutdown('send')
>>> p.wait_for_close()
>>> p.poll()
>>> p = process('cat /dev/zero | head -c8', shell=True, stderr=open('/dev/null', 'w+'))
>>> p.recv()
>>> p = process(['python','-c','import os; print,1024)'],
...             preexec_fn = lambda: os.dup2(0,2))
>>> p.sendline('hello')
>>> p.recvline()
>>> stack_smashing = ['python','-c','open("/dev/tty","wb").write("stack smashing detected")']
>>> process(stack_smashing).recvall()
'stack smashing detected'
>>> process(stack_smashing, stdout=PIPE).recvall()
>>> getpass = ['python','-c','import getpass; print getpass.getpass("XXX")']
>>> p = process(getpass, stdin=PTY)
>>> p.recv()
>>> p.sendline('hunter2')
>>> p.recvall()
>>> process('echo hello 1>&2', shell=True).recvall()
>>> process('echo hello 1>&2', shell=True, stderr=PIPE).recvall()
>>> a = process(['cat', '/proc/self/maps']).recvall()
>>> b = process(['cat', '/proc/self/maps'], aslr=False).recvall()
>>> with context.local(aslr=False):
...    c = process(['cat', '/proc/self/maps']).recvall()
>>> a == b
>>> b == c
>>> process(['sh','-c','ulimit -s'], aslr=0).recvline()
>>> io = process(['sh','-c','sleep 10; exit 7'], alarm=2)
>>> io.poll(block=True) == -signal.SIGALRM
>>> binary = ELF.from_assembly('nop', arch='mips')
>>> p = process(binary.path)
communicate(stdin = None) → str[source]

Calls subprocess.Popen.communicate() method on the process.


Kills the process.

leak(address, count=1)[source]

Leaks memory within the process at the specified address.

  • address (int) – Address to leak memory at
  • count (int) – Number of bytes to leak at that address.


>>> e = ELF('/bin/sh')
>>> p = process(e.path)

In order to make sure there’s not a race condition against the process getting set up...

>>> p.sendline('echo hello')
>>> p.recvuntil('hello')

Now we can leak some data!

>>> p.leak(e.address, 4)
libs() → dict[source]

Return a dictionary mapping the path of each shared library loaded by the process to the address it is loaded at in the process’ address space.

If /proc/$PID/maps for the process cannot be accessed, the output of ldd alone is used. This may give inaccurate results if ASLR is enabled.

poll(block = False) → int[source]
Parameters:block (bool) – Wait for the process to exit

Poll the exit code of the process. Will return None, if the process has not yet finished and the exit code otherwise.

alarm = None[source]

Alarm timeout of the process

argv = None[source]

Arguments passed on argv

aslr = None[source]

Whether ASLR should be left on


Returns a corefile for the process.

If the process is alive, attempts to create a coredump with GDB.

If the process is dead, attempts to locate the coredump created by the kernel.


Directory that the process is working in.


>>> p = process('sh')
>>> p.sendline('cd /tmp; echo AAA')
>>> _ = p.recvuntil('AAA')
>>> p.cwd == '/tmp'
>>> p.sendline('cd /proc; echo BBB;')
>>> _ = p.recvuntil('BBB')
>>> p.cwd

Returns an ELF file for the executable that launched the process.

env = None[source]

Environment passed on envp

executable = None[source]

Full path to the executable


Returns an ELF for the libc for the current process. If possible, it is adjusted to the correct address automatically.

proc = None[source]

subprocess.Popen object


Alias for executable, for backward compatibility.


>>> p = process('true')
>>> p.executable == '/bin/true'
>>> p.executable == p.program
pty = None[source]

Which file descriptor is the controlling TTY

raw = None[source]

Whether the controlling TTY is set to raw mode