2004-11-16 21:22:02

by A M

Subject: Accessing program counter registers from within C or Assembler.

Hello,

Does anybody know how to access the address of the
current executing instruction in C while the program
is executing?

Also, is there a method to load a program image from
memory not a file (an exec that works with a memory
address)? Mainly I am looking for a method that brings
a program image into memory modify parts of it and
start the in-memory modified version.

Can anybody think of a method to replace a thread
image without replacing the whole process image?

Thanks,

Ali







2004-11-16 21:36:51

by Jan Engelhardt

Subject: Re: Accessing program counter registers from within C or Assembler.

>Hello,
>
>Does anybody know how to access the address of the
>current executing instruction in C while the program
>is executing?

With the aid of a second program, yes.
For one program: not directly. It's because the EIP changes while you are
calculating it.
You could e.g.:

#include <stdio.h>

int main(void)
{
	printf("owned\n");
mark:
	printf("pwned\n");
	printf("%p\n", &&mark);	/* GCC extension: the address of a label */
	return 0;
}

GCC specific.
Or you could also poke around with __builtin_return_address, or even peek at
the stack yourself.

>Also, is there a method to load a program image from
>memory not a file (an exec that works with a memory
>address)? Mainly I am looking for a method that brings
>a program image into memory modify parts of it and
>start the in-memory modified version.

No, because that opens a wide door for trojans and stack smashers.

>Can anybody think of a method to replace a thread
>image without replacing the whole process image?

It would not be a thread then.


Jan Engelhardt
--
Gesellschaft für Wissenschaftliche Datenverarbeitung
Am Fassberg, 37077 Göttingen, http://www.gwdg.de

2004-11-16 21:42:36

by Chris Friesen

Subject: Re: Accessing program counter registers from within C or Assembler.

A M wrote:

> Does anybody know how to access the address of the
> current executing instruction in C while the program
> is executing?

You are off-topic. This is not a kernel question.

Chris

2004-11-16 21:52:10

by linux-os

Subject: Re: Accessing program counter registers from within C or Assembler.

On Tue, 16 Nov 2004, A M wrote:

> Hello,
>
> Does anybody know how to access the address of the
> current executing instruction in C while the program
> is executing?
>

Sure. Any interrupt saves the return address. It can
be thus inspected. The debugger uses a software interrupt
to do the same thing. The offset of the current instruction
is in EIP for ix86 machines. The problem is that if you
execute code to get that EIP, you end up getting the EIP
of the code that reads the EIP (not too useful). Therefore,
you need to use an interrupt.

> Also, is there a method to load a program image from
> memory not a file (an exec that works with a memory
> address)? Mainly I am looking for a method that brings
> a program image into memory modify parts of it and
> start the in-memory modified version.
>

extern char buffer[];

Make some code to load code into that buffer.

int (*funct)(void) = (int (*)(void))buffer;	/* cast needed: a char array is not a function pointer */

Initialize a pointer to that buffer, then call it.

Note, code needs to be relocatable. If you don't know
what that means, don't do this at home.

In principle, the code is supposed to be loaded into the
.text segment. You can make a text-segment buffer using
assembly

.section .text
buffer: .long 0
.global buffer
.type buffer,@function
.org . + 0x1000
end:
.size buffer,.-buffer
.end


> Can anybody think of a method to replace a thread
> image without replacing the whole process image?
>
> Thanks,
>
> Ali
>

Just overwrite the code...

#include <stddef.h>
#include <string.h>

extern const unsigned char new_code[];	/* the replacement code, supplied elsewhere */

void funct(void)
{
	/* body that gets replaced */
}
void next(void)
{
	/* placed right after funct() only to mark where it ends */
}

int main(void)
{
	/* next comes after funct, so the length is next - funct (not the reverse).
	 * This assumes the compiler kept source order, and that the text page has
	 * already been made writable, since .text is normally mapped read-only. */
	size_t len = (char *)next - (char *)funct;
	memcpy((void *)funct, new_code, len);
	funct();
	return 0;
}


Cheers,
Dick Johnson
Penguin : Linux version 2.6.9 on an i686 machine (5537.79 BogoMips).
Notice : All mail here is now cached for review by John Ashcroft.
98.36% of all statistics are fiction.
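Dick's point that only an interrupt saves a usable EIP, as an added example that is not code from this thread: a signal handler is the user-space form of that interrupt, and the kernel hands it the interrupted register set in a ucontext_t, which is also how a sampling profiler of the kind A M describes gets its samples. It assumes Linux (glibc or musl) on x86-64 or aarch64; the function names are mine.

```c
#define _GNU_SOURCE 1
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>

/* gregs[] index of the saved RIP (glibc/musl value), supplied in case the
 * REG_* names are hidden because _GNU_SOURCE was defined too late. */
#if defined(__x86_64__) && !defined(REG_RIP)
#define REG_RIP 16
#endif

static volatile uintptr_t saved_pc;      /* written only by the handler */
/* The PC the kernel saved when it interrupted the thread. */
static uintptr_t pc_from_context(const ucontext_t *uc)
{
#if defined(__x86_64__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];   /* EIP on i386 */
#elif defined(__aarch64__)
    return (uintptr_t)uc->uc_mcontext.pc;
#else
    (void)uc; return 0;                   /* architecture not handled here */
#endif
}

static void on_signal(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    saved_pc = pc_from_context((const ucontext_t *)ctx);
}

/* Install the sampler on SIGUSR1: 0 on success, -1 on error (as sigaction). */
int install_pc_sampler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGUSR1, &sa, NULL);
}

/* One synchronous sample: raise() returns after the handler ran, and the PC it
 * saw is wherever the thread was at delivery (inside raise() here; a timer
 * signal such as SIGPROF would instead land in whatever code was running). */
uintptr_t sample_pc_here(void)
{
    saved_pc = 0;
    raise(SIGUSR1);
    return saved_pc;
}
```

Replacing raise() with a setitimer()-driven SIGPROF turns this into the periodic sampler the question asks about, at the cost that the sampled PC is wherever the kernel happened to interrupt the thread.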

2004-11-16 23:19:27

by Jim Nelson

Subject: [OT]Re: Accessing program counter registers from within C or Assembler.

A M wrote:
> Hello,
>
> Does anybody know how to access the address of the
> current executing instruction in C while the program
> is executing?
>
> Also, is there a method to load a program image from
> memory not a file (an exec that works with a memory
> address)? Mainly I am looking for a method that brings
> a program image into memory modify parts of it and
> start the in-memory modified version.
>
> Can anybody think of a method to replace a thread
> image without replacing the whole process image?
>
> Thanks,
>
> Ali
>

The Shellcoder's Handbook is probably the best book out there on the kind of stuff
you're talking about. Just be prepared - it's written on a rather advanced level.

2004-11-18 02:00:06

by Valdis Klētnieks

Subject: Re: Accessing program counter registers from within C or Assembler.

On Tue, 16 Nov 2004 13:20:15 PST, A M said:

> Does anybody know how to access the address of the
> current executing instruction in C while the program
> is executing?

For what processor? x86, itanium, sparc, s390 all do it differently.

Also, the answer to "this *very* instruction" is different from
"where this instruction was when we trapped/kdbg/interrupt/whatever
it so we could look at the current process/thread/worker state".

In other words, are you trying to answer "Where in memory am *I*?"
or "Where in memory is <that very recent code I want to look at>?"

(Hint - for the former, you can probably get very good approximations
by just looking at the entry point address for the function:

(void *) where = &__FUNCTION__;

> Also, is there a method to load a program image from
> memory not a file (an exec that works with a memory
> address)? Mainly I am looking for a method that brings
> a program image into memory modify parts of it and
> start the in-memory modified version.

In user space, you probably want either mmap() or dlopen(), depending what it
is you're trying to do, most likely...

In kernel space, you'll have to be more specific as to what you're
trying to do, but you're always welcome to write a replacement for
fs/binfmt_elf.c :)

> Can anybody think of a method to replace a thread
> image without replacing the whole process image?

What are you trying to achieve here? It's unclear what you're
hoping will happen....



2004-11-18 10:48:11

by Jan Engelhardt

Subject: Re: Accessing program counter registers from within C or Assembler.

>> Does anybody know how to access the address of the
>> current executing instruction in C while the program
>> is executing?
>
>In other words, are you trying to answer "Where in memory am *I*?"
>or "Where in memory is <that very recent code I want to look at>?"
>
>(Hint - for the former, you can probably get very good approximations
>by just looking at the entry point address for the function:
>
> (void *) where = &__FUNCTION__;

Well, that's only the function in which you are (i.e. it's an approximation to
EIP)

>> Also, is there a method to load a program image from
>> memory not a file (an exec that works with a memory
>> address)? Mainly I am looking for a method that brings
>> a program image into memory modify parts of it and
>> start the in-memory modified version.
>
>In user space, you probably want either mmap() or dlopen(), depending what it
>is you're trying to do, most likely...

Those pages will probably have NX set then, for archs which support it.




Jan Engelhardt
--
Gesellschaft für Wissenschaftliche Datenverarbeitung
Am Fassberg, 37077 Göttingen, http://www.gwdg.de

2004-11-18 12:28:55

by Pawel Sikora

Subject: Re: Accessing program counter registers from within C or Assembler.

On Thu, 18 Nov 2004, Jan Engelhardt wrote:

>>> Does anybody know how to access the address of the
>>> current executing instruction in C while the program
>>> is executing?
>>
>> In other words, are you trying to answer "Where in memory am *I*?"
>> or "Where in memory is <that very recent code I want to look at>?"
>>
>> (Hint - for the former, you can probably get very good approximations
>> by just looking at the entry point address for the function:
>>
>> (void *) where = &__FUNCTION__;
>
> Well, that's only the function in which you are (i.e. it's an approximation to
> EIP)

Is this good enough?

(gdb) disassemble __next_eip
0x08048380 <__next_eip+0>: mov (%esp),%eax
0x08048383 <__next_eip+3>: ret

(gdb) disassemble test1
0x08048390 <test1+0>: call 0x8048380 <__next_eip>
0x08048395 <test1+5>: mov %eax,0x80495ec
0x0804839a <test1+10>: ret

(gdb) c
Continuing.
eip = 0x8048395

*** src ***

#include <stdio.h>
void* eip;
register unsigned* __esp asm("esp");	/* i386 only: bind a global to the stack pointer */
/* Not inlined, so *esp on entry is the return address, i.e. the instruction after the call. */
void* __attribute__((noinline)) __next_eip(void) { return (void *)(*__esp); }
void test1(void) { eip = __next_eip(); }
int main(void) { test1(); printf("eip = %p\n", eip); return 0; }

2004-11-18 16:43:18

by A M

Subject: Re: Accessing program counter registers from within C or Assembler.

Thank you for your reply, please see my answers
embedded below:
--- [email protected] wrote:

> On Tue, 16 Nov 2004 13:20:15 PST, A M said:
>
> > Does anybody know how to access the address of the
> > current executing instruction in C while the
> program
> > is executing?
>
> For what processor? x86, itanium, sparc, s390 all
> do it differently.
I am targeting x86 machines.
>
> Also, the answer to "this *very* instruction" is
> different from
> "where this instruction was when we
> trapped/kdbg/interrupt/whatever
> it so we could look at the current
> process/thread/worker state".
>
> In other words, are you trying to answer "Where in
> memory am *I*?"
> or "Where in memory is <that very recent code I want
> to look at>?"
It is close to the second scenario ("Where in memory
is..."). The basic idea is to come up with a
passive, software-based data bus analyzer that can be
used to monitor/sample the instructions of a process (or a
section of a process) or a thread while it is executing.
>
> (Hint - for the former, you can probably get very
> good approximations
> by just looking at the entry point address for the
> function:
>
> (void *) where = &__FUNCTION__;
>
> > Also, is there a method to load a program image
> from
> > memory not a file (an exec that works with a
> memory
> > address)? Mainly I am looking for a method that
> brings
> > a program image into memory modify parts of it and
> > start the in-memory modified version.
>
> In user space, you probably want either mmap() or
> dlopen(), depending what it
> is you're trying to do, most likely...
>
> In kernel space, you'll have to be more specific as
> to what you're
> trying to do, but you're always welcome to write a
> replacement for
> fs/binfmt_elf.c :)
>
> > Can anybody think of a method to replace a thread
> > image without replacing the whole process image?
>
> What are you trying to achieve here? It's unclear
> what you're
> hoping will happen....
The ability to create threads and replace the
functionality of one of the threads with a previously
compiled program (a complete process).
>
