Stack Overflow online already has a lot of examples, but rarely involved in the 64-bit and operating system Linux-related, and recently just good enough to study this, so write a series of blog posts, one to help their memories, and also for more people to explore each other.
RegisterThe X86-64 has 16 64-bit registers, respectively:%rax,%rbx,%rcx,%rdx,%esi,%edi,%rbp,%rsp,%r8,%r9,%r10,%r11,%r12,%r13,%r14,%r15. which
%rax used as a function return value
%RSP stack pointer register, pointing to the top of the stack
%rdi,%rsi,%rdx,%rcx,%r8,%r9 as a function parameter, corresponding to the 1th parameter, the 2nd parameter, and the 3rd parameter one by one match
%RBX,%RBP,%R12,%R13,%14,%15 is used as a data store, Callee-save is saved to the stack before calling the child function
%r10,%r11 is used as a data store Caller-save the original value is saved to the stack before the call
This is the 32-bit stack address layout. , the difference between 32-bit and 64-bit is mainly the difference of register, originally EBP ESP Pointer register programming RBP, RSP
| The address returned | |
| The address of the previous stack | <--rbp |
| Parameter n | |
| ... | |
| Parameter 1 | <--rsp |
3 important pointer registers RBP, RSP, RIP
Premise: Function A calls function B now
RBP: The starting position of the current function stack b
RSP: The bottom position of the current function stack b
RIP: The address location of the current execution to the function
Entry and return of functions3 Assembly Instructions
1. Call AddressThis is a simple command, which is called the address of the function
Push%rip saves the RIP address in the stack, which is actually the address currently running to
JMP address to rip the next call to the function
| The starting address of the previous stack | <--rbp |
| Parameter n of the previous stack | |
| ... | |
| Parameter 1 of the previous stack | |
| The value of the RIP on the previous stack | |
| <--rsp |
The value of saving RBP is implemented by push%RSP after entering the function.
instruction is equivalent to
Move%RBP%RSP to point the RSP pointer to RBP
Pop%RBP The value of the stack to RBP, while the RSP points to the previous address, which is where the RSP now points to the returned address in the stack structure diagram
| The address to which the previous stack was run | |
| The starting address of the previous stack | <--rbp |
| Parameter n of the previous stack | |
| ... | |
| Previous Stack parameter 1 | |
| The address to which the previous stack was run | <--rsp |
| Start address of previous stack | |
| Parameter n | |
| ... | |
| Parameter 1 |
instruction is equivalent to
Pop%rip gives the returned address to rip, and RSP points to the previous address
| The address to which the previous stack was run | |
| The starting address of the previous stack | <--rbp |
| Parameter n of the previous stack | |
| ... | |
| Previous Stack parameter 1 | <--rsp |
| The address to which the previous stack was run | |
| Start address of previous stack | |
| Parameter n | |
| ... | |
| Parameter 1 |
After 3, you can see that the whole function exits, and the stack pointer goes back to the stack of the calling function. This completes the complete function call, and also completes the stack-in process.
Stack Overflow Attack series: Shellcode in Linux x86 64-bit attack gain root privileges (a) how the function executes
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
