Function call stack learning notes (two examples of using function call stack implementation)

Using the function call stack Balancing Principle to realize overflow call (a bit similar to stack overflow, but it is directly modified here, and can also be implemented through overflow) ========================================================== ========================================================== ==============## include <stdio. h> # include <string. h> unsigned int oldebpaddress = 0; unsigned int oldretaddress = 0; typedef void (* PF) (); // It can only be fixed here until the main execution is returned, however, when the main function ends, the stack is destroyed, and an exception void fun2 () {// record the old EBP address _ ASM mov [oldebpaddress], EBP // find the function return address through the old EBP, and set the original function return address * (unsigned int *) (oldebpaddress + 4) = oldretaddress; printf ("fun2 \ n");} // write fun2 in the naked mode to implement stack restoration perfectly, can be compared with the above to see the effect char * STR = "fun2 \ n"; void _ declspec (naked) fun2 () {__ ASM {// push oldretaddress returned by the push function // call the printf function push offset strcall dword ptr printf // note the DWORD ptradd ESP, 4 // maintain the stack Balance yourself RET // function return} void fun () {// record the old EBP address _ ASM mov [oldebpaddress], EBP // record the return address of the function through the old EBP, and use oldretaddress = * (unsigned int *) (oldebpaddress + 4) in fun2 )); // modify the return address of the function through the old EBP to the first address of the function * (unsigned int *) (oldebpaddress + 4) = (unsigned INT) (PF) fun2; printf ("fun \ n") ;}// Note: The function fun2, however, since we made a series of changes to the returned address in the fun function, fun2 also got the execution opportunity, // At the same time, the stack is also implemented in fun2 with a simple processing function that can return the main function and continue to execute int main () {printf ("Main \ n"); fun (); printf ("main next \ n"); getchar ();} ========================================================== ================ use the function call stack Balancing Principle to implement stack backtracking ========================== ======================================================#include <stdio. h> # include <windows. h> int fun3 () {unsigned int ebpaddress; unsigned int ebppreviousaddress; printf ("---------------- fun3 ------------------ \ n") ;__ ASM mov [ebpaddress], EBP // obtain the current function ebpebppreviousaddress = * (unsigned int *) ebpaddress ); // The value saved in the EBP address is the EBP value from the called function printf ("0x % 08x \ n", ebppreviousaddress); // execute the preceding step while (1) cyclically) {__ try {ebpaddress = ebppreviousaddress; ebppreviousaddress = * (unsigned int *) ebpaddress); printf ("0x % 08x \ n", ebppreviousaddress); }__ hour T (prediction_execute_handler) {// This is always traced back to the time when tracing is not available. An exception is generated to exit the Backtracking break;} return 0;} int fun2 () {printf ("---------------- fun2 ---------------- \ n "); fun3 (); Return 0;} int fun1 () {printf ("---------------- fun1 ------------------ \ n"); fun2 (); Return 0;} int _ tmain (INT argc, _ tchar * argv []) {fun1 (); getchar (); Return 0 ;}