Python 没有独立的库可以读取 Linux 下的共享内存，下面使用 ctypes 调用系统的 API（shmget/shmat）读取共享内存的内容。
使用C++创建共享内存
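#include <stdio.h>
#include <iostream>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <stdlib.h>
#include <errno.h>

/* Key of the demo segment. 67483 == 0x0001079b, the key shown by ipcs below
 * and the SHM_KEY that shm.py looks up. */
#define MY_SHM_ID 67483
/* Size of the segment; the Python reader dumps exactly this many bytes. */
#define MY_SHM_SIZE 4096
/* Upper bound on the bytes get_buf() copies from stdin (the original's 1024). */
#define INPUT_LIMIT 1024

/*
 * Copy one line from stdin into buf.
 *
 * Stops at '\n', at EOF, or after INPUT_LIMIT bytes, whichever comes first;
 * the newline is not stored and the result is always NUL-terminated, so
 * buf must hold INPUT_LIMIT + 1 bytes.  The original tested the bound only
 * after storing buf[i], so a long line wrote one byte past the limit, and
 * EOF was stored as a byte instead of ending the loop.
 */
void get_buf(char *buf)
{
    int i = 0;
    int c;
    while (i < INPUT_LIMIT && (c = getchar()) != EOF && c != '\n') {
        buf[i++] = (char)c;
    }
    buf[i] = '\0';
}

/*
 * Create (or open) the demo segment, describe it, and fill it with one line
 * read from stdin.  The segment is left in place on purpose so that shm.py
 * can read it afterwards.  Returns 0 on success, 1 if the segment cannot be
 * obtained or attached.
 */
int main()
{
    printf("page size=%d\n", getpagesize());

    /* Mode 0666 lets every local user read and write this segment (ipcs
     * shows it as perms 666).  Nothing in this demo needs that; 0600 is
     * enough unless a different account must attach the segment. */
    int shmid = shmget(MY_SHM_ID, MY_SHM_SIZE, 0666 | IPC_CREAT);
    if (shmid == -1) {
        /* -1 is the only failure value; 0 is a valid id.  The original
         * tested `shmid > 0`, which hides the message for id 0 and carries
         * on with shmid == -1 after a real failure. */
        perror("shmget");
        return 1;
    }
    printf("Create a shared memory segment %d\n", shmid);

    struct shmid_ds shmds;
    int ret = shmctl(shmid, IPC_STAT, &shmds);
    if (ret == 0) {
        /* shm_segsz is a size_t; printing it with %d is undefined. */
        printf("Size of memory segment is %zu \n", (size_t)shmds.shm_segsz);
        printf("Number of attaches %d \n", (int)shmds.shm_nattch);
    } else {
        printf("shmctl () call failed \n");
    }

    // write data to share memary
    /* shmat() returns (void *)-1 on failure.  Compare against the pointer
     * value: the original cast the pointer to int, which 64-bit compilers
     * reject or truncate, so the check was not reliable. */
    char *buf = (char *)shmat(shmid, NULL, 0);
    if (buf == (char *)-1) {
        perror("Share memary can't get pointer\n");
        exit(1);
    }
    get_buf(buf);
    if (shmdt(buf) == -1) {
        perror("shmdt");
    }

    /* Removal stays disabled so the reader can see the data.  The original
     * still printed "Shared memary removed" here, judging by the stale
     * result of the IPC_STAT call above; enable both lines together. */
    //ret = shmctl(shmid, IPC_RMID, 0);
    //printf(ret == 0 ? "Shared memary removed \n" : "Shared memory remove failed \n");
    return 0;
}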
?
查看共享内存:
$ipcs
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0001079b 98305      postmast   666        4096       0
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages
0x000004d2 131073     abber      666        17           3
?
?
使用 Python 读取共享内存，代码如下：
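#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
#
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
#
# Marc-Etienne M.Léveillé <leve...@eset.com>
#
# Saved as shm.py on this page.  No third-party modules are needed: the
# System V shared-memory calls are reached through ctypes.
from ctypes import *

SHM_SIZE = 4096
SHM_KEY = 67483     # 0x0001079b: MY_SHM_ID in the C program and the key listed by ipcs
OUTFILE = "httpd_cdorked_config.bin"

# shmat() reports failure by returning (void *)-1.  With restype c_void_p that
# arrives as the unsigned all-ones pointer value; a NULL pointer arrives as None.
SHMAT_FAILED = c_void_p(-1).value
# <sys/shm.h>: attach the segment read-only instead of read-write.
SHM_RDONLY = 0o10000


def attach_failed(addr):
    """Return True if *addr* is what a failed shmat() call yields through ctypes."""
    return addr is None or addr == SHMAT_FAILED


def load_librt():
    """Load librt, where shmget/shmat/shmdt are looked up.

    Raises OSError if neither soname can be loaded.  The original used a bare
    ``except:`` here, which also hid unrelated errors such as KeyboardInterrupt.
    NOTE(review): on newer glibc these symbols live in libc and librt is a
    stub; the lookup still resolved in my reading, but confirm on the target host.
    """
    try:
        return CDLL('librt.so', use_errno=True)
    except OSError:
        return CDLL('librt.so.1', use_errno=True)


def read_segment(rt, key, size):
    """Return the first *size* bytes of the System V segment identified by *key*.

    Returns None when no segment with that key is accessible (shmget fails),
    so the caller can keep reporting "System not infected" for that case.
    Raises OSError if the segment exists but cannot be attached.

    The tool only reads, so it asks for read access (0o444) and attaches
    with SHM_RDONLY: a read-only mapping cannot alter the segment, and it
    also works for segments this user may read but not write.  The original
    requested read/write on both calls and never checked the shmat() result,
    so string_at() on the -1 sentinel would have crashed.
    """
    shmget = rt.shmget
    shmget.argtypes = [c_int, c_size_t, c_int]
    shmget.restype = c_int
    shmat = rt.shmat
    shmat.argtypes = [c_int, c_void_p, c_int]   # shmaddr is a plain const void *
    shmat.restype = c_void_p
    shmdt = rt.shmdt
    shmdt.argtypes = [c_void_p]
    shmdt.restype = c_int

    shmid = shmget(key, size, 0o444)
    if shmid < 0:
        return None
    addr = shmat(shmid, None, SHM_RDONLY)
    if attach_failed(addr):
        raise OSError(get_errno(), "shmat failed for shmid %d" % shmid)
    try:
        return string_at(addr, size)
    finally:
        shmdt(addr)   # the original never detached; harmless at exit, wrong in a long-lived caller


def main():
    """Dump the segment to OUTFILE, or report that it is absent."""
    rt = load_librt()
    data = read_segment(rt, SHM_KEY, SHM_SIZE)
    if data is None:
        print ("System not infected")
        return
    with open(OUTFILE, 'wb') as f:
        f.write(data)
    print ("Dumped %d bytes in %s" % (SHM_SIZE, OUTFILE))


if __name__ == "__main__":
    main()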
python 读取的结果存放在文件 httpd_cdorked_config.bin 中
$cat httpd_cdorked_config.bin
hello word!this is a test.
$