1. Call and return of C functions
To understand how the C++ exception mechanism is implemented, first understand the call and return mechanism of a function, which involves the ESP and EBP registers. Let's look at the function call and return process. The following assembly code shows a call to the function test(int p1, int p2) under the __stdcall calling convention; it assumes that before the function is executed the stack pointer
represents the current EIP execution position)
1. At the beginning, EIP points to line 19, and EBP and ESP are at position 0 (the 0 1 2 3 4 on the right are marked for convenient analysis).
2. pushl %ebp: push the EBP value onto the stack.
3. movl %esp, %ebp: copy the ESP value into EBP.
4. subl $4, %esp: move esp
Unpacking (shelling) methods:
Method 1: single-step tracking
Method 2: the ESP law
Method 3: memory tracking
Method 4: tracing the exit
Method 5: last exception
Method 6: loose shell removal
The specific operations for the above methods are given at the bottom of the article. If you want to know more about them, you can check there; it will save you time.
This has always been a vague concept, so we use an example to reinforce it.
Linux x86, gcc 3.2.3, AT&T syntax
The Code is as follows:
void
fun()
{
    int a = 'a';   /* a single 4-byte local in fun's stack frame */
}

int
main()
{
    int b;         /* unused local, kept so main has a local slot in its frame */
    fun();
    return 0;
}
Start debugging
[sanool@sanool ex2]$ gdb a.out
Gnu gdb Red Hat Linux (6.0post-0.20031117.6rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
Welcome to change it and/or distribute copies of it un
Monensin: "Linux kernel Analysis" first week experiment
Zou Le
Original work; please indicate the source when reproducing.
Course information: "Linux kernel Analysis" MOOC course http://mooc.study.163.com/course/USTC-1000029000
--------------------------- the body of the experiment ---------------------------
This experiment is carried out on the 64-bit Linux virtual machine in the experimental building.
The C code is as follows:
int increment5(int x) { return 5; }
int solve(int x) { return 2; }
int main(
The following is an analysis of the stack registers using GDB single-stepping. First we start with the main function. (GDB does not set breakpoints on the first two statements when executing, but the statements that call the function do have them; these two are placed in other functions to illustrate.) First set a breakpoint on the main function and run:
generate an assembly file using objdump; through the corresponding address you can find out which function has the problem. As for code that is only guessed at, you need to build a unit test based on the analysis, or re-run the code for testing.
Specific process examples are as follows:
objdump -d ##.so > ##.o
vim ##.o
6  libTaps2.so + 0xa452d
./Minidump_stackwalk 7ee5c76f-afe2-f9bd-564dedb7-57d73e0c.dmp
Thread 7 (crashed)
 0  linux-gate.so + 0x430
    eip = 0xb78b4430
" command to break a breakpoint under the accept function and analyze the code to find the cause of the vulnerability as follows.. Text: 0041AA20 mov eax, [esp + arg_0]. Text: 0041AA24 mov eax, [eax + 18 h]. Text: 0041AA27 mov dword_4B0F7C, eax. Text: 0041AA2C cmp word ptr [eax + 98 h], 0. Text: 0041AA34 jz short loc_41AA56 // The condition is true.. Text: 0041AA56 mov edx, [eax + 4Ch] // "A" constructed data. Text: 0041AA59 push offset s_If-modified-
*): decompile the code section of A.obj.
Open the URSoft W32Dasm tool (I use version 8.93). Select "all files" when opening the file, because the software mainly targets file formats such as PE, LE, and NE, so the offset must be specified to decompile the OBJ file. Pay attention to this! (Note: another way to obtain this information is to use dumpbin /section:.text.) That is, the file offset of the code section. Therefore, in the prompt dialog box that opens the OBJ file, enter 00000355. Start disassembly f
Call Stack
The concept of a stack is explained in detail in data structures courses.
Here are some key points:
1. First in, last out.
2. Data is always stored to or retrieved from the top of the stack.
On the x86 processor, the push instruction pushes an item onto the top of the stack, which decreases the stack-top pointer by four bytes. The stack-top pointer is held in the esp register; correspondingly, the register name is the abbreviation of s
. Even the punctuation on the keyboard can be added to the test code, arranged in the order of the ASCII table, so that more of the space is verified at once.
Look for an appropriate address to overwrite the original return address
What we need to do now is to determine what address the last four "x" in "jiangyejiangxxxx" should be. Here we cannot create an address out of thin air, but should base it on a legitimate address. Of course, we can find a lot of suitable addresses through the o
as bytes, words, double words, and booleans, occupies 4 bytes in the stack, and data larger than 4 bytes occupies an integer multiple of 4 bytes in the stack.
3) The two registers associated with stack operations are the EBP register and the ESP register; in this article you only need to think of EBP and ESP as two pointers. The ESP register always poin
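The frame layout described in three places on this page (the opening __stdcall walkthrough with pushl %ebp / movl %esp,%ebp / subl $4,%esp, the Call Stack section's note that push lowers esp by four bytes, and the passage above treating EBP and ESP as two pointers) can be checked with a small model. The following is an added example, not code from any of the quoted articles: it emulates a 32-bit x86 stack as an array of 4-byte words and walks the caller pushing two arguments and a return address, the callee prologue, one local at [ebp-4], and the __stdcall epilogue. The base address 0x1000, the argument values 7 and 9, and the return address 0x401019 are constructed placeholders, not values from the page.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a 32-bit x86 stack: 4-byte slots growing toward lower
 * addresses. The address range is constructed for the example. */
#define STACK_WORDS 64
#define STACK_BASE  0x1000u                        /* lowest modelled address */
#define STACK_TOP   (STACK_BASE + STACK_WORDS * 4) /* initial esp: one past the last slot */

typedef struct {
    uint32_t mem[STACK_WORDS]; /* backing store for the modelled addresses */
    uint32_t esp;              /* stack pointer: address of the top item */
    uint32_t ebp;              /* frame pointer: base of the current frame */
} Cpu;

/* Map a modelled address to its 4-byte slot. An out-of-range or misaligned
 * access is a bug in the walkthrough, so abort instead of wrapping. */
static uint32_t *slot(Cpu *c, uint32_t addr) {
    assert(addr >= STACK_BASE && addr < STACK_TOP && (addr & 3u) == 0);
    return &c->mem[(addr - STACK_BASE) / 4];
}

/* push: esp -= 4, then store the value at [esp]. */
static void push(Cpu *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }

/* pop: load the value at [esp], then esp += 4. */
static uint32_t pop(Cpu *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }

/* Fresh CPU with an empty stack; ebp = 0 stands in for the caller's frame. */
static void cpu_reset(Cpu *c) { memset(c, 0, sizeof *c); c->esp = STACK_TOP; c->ebp = 0; }

/* Caller side of test(p1, p2) under __stdcall: arguments are pushed right to
 * left, then `call` pushes the return address (EIP of the next instruction). */
static void emulate_call(Cpu *c, uint32_t p1, uint32_t p2, uint32_t ret_addr) {
    push(c, p2);
    push(c, p1);
    push(c, ret_addr);
}

/* Callee prologue: pushl %ebp; movl %esp,%ebp; subl $4,%esp.
 * Afterwards [ebp] is the saved EBP, [ebp+4] the return address,
 * [ebp+8] p1, [ebp+12] p2, and [ebp-4] the single 4-byte local. */
static void prologue(Cpu *c) {
    push(c, c->ebp);
    c->ebp = c->esp;
    c->esp -= 4;
}

/* The callee's one local lives at [ebp-4]; argument n lives at [ebp+8+4n]. */
static void store_local(Cpu *c, uint32_t v) { *slot(c, c->ebp - 4) = v; }
static uint32_t load_arg(Cpu *c, unsigned n) { return *slot(c, c->ebp + 8 + 4 * n); }

/* Callee epilogue with __stdcall cleanup: movl %ebp,%esp; popl %ebp; ret $arg_bytes.
 * Returns the address execution continues at. */
static uint32_t epilogue_ret(Cpu *c, unsigned arg_bytes) {
    c->esp = c->ebp;        /* discard locals */
    c->ebp = pop(c);        /* restore the caller's frame pointer */
    uint32_t ret = pop(c);  /* ret pops the return address into EIP */
    c->esp += arg_bytes;    /* __stdcall: the callee removes its own arguments */
    return ret;
}

int main(void) {
    Cpu c;
    cpu_reset(&c);
    emulate_call(&c, 7, 9, 0x401019u);
    prologue(&c);
    store_local(&c, 'a');
    printf("after prologue: esp=0x%x ebp=0x%x\n", c.esp, c.ebp);
    printf("[ebp+8]=%u [ebp+12]=%u [ebp+4]=0x%x [ebp-4]=%c\n",
           load_arg(&c, 0), load_arg(&c, 1), *slot(&c, c.ebp + 4),
           (char)*slot(&c, c.ebp - 4));
    uint32_t eip = epilogue_ret(&c, 8);
    printf("after ret $8: eip=0x%x esp=0x%x ebp=0x%x\n", eip, c.esp, c.ebp);
    return 0;
}
```

Running it shows esp 20 bytes below its starting value after the prologue (two arguments, return address, saved EBP, one local), the arguments reachable at fixed positive offsets from EBP while the local sits at a negative one, and esp back at its starting value once ret $8 has removed the arguments; that fixed layout is exactly why overwriting past the local reaches the saved EBP and then the return address.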
"Peace of Blessing + Original works reproduced please specify the source +" Linux kernel analysis "MOOC course http://mooc.study.163.com/course/USTC-1000029000 "first, the process of initializationThe operating system kernel boot entry function is void __init my_start_kernel (void);Here is a simple definition of the two CPU states of a process:struct Thread {unsigned long IP; Indicates an EIP directiveunsigned long sp;//represents ESP, stack top poin