c - Arbitrary code execution using existing code only -
let's want execute arbitrary mov instruction. can write following function (using gcc inline assembly):
void mov_value_to_eax() { asm volatile("movl %0, %%eax"::"m"(function_parameter):"%eax"); // move value of variable function_parameter register eax }
and can make functions 1 work on every possible register. mean -
void movl_value_to_ebx() { asm volatile("movl %0, %%ebx"::"m"(function_parameter):"%ebx"); } void movl_value_to_ecx() { asm volatile("movl %0, %%ecx"::"m"(function_parameter):"%ecx"); } ...
in similar way can write functions move memory in arbitrary addresses specific registers, , specific registers arbitrary addresses in memory. (mov eax, [memory_address]
, mov [memory_address]
,eax)
now, can perform these basic instructions whenever want, can create other instructions. example, move register register:
function_parameter = 0x028fc; mov_eax_to_memory(); // parameter pointer temporary memory address mov_memory_to_ebx(); // same parameter
so can parse assembly instruction , decide functions use based on it, this:
if (sourceregister == ecx) mov_ecx_to_memory(); if (sourceregister == eax) mov_eax_to_memory(); ... if (destregister == ebx) mov_memory_to_ebx(); if (destregister == edx) mov_memory_to_edx(); ...
if can work, allows execute arbitrary mov instructions.
another option make list of functions call , loop through list , call each function. maybe requires more tricks making equivalent instructions these.
so question this: is possible make such things (or some) of possible opcodes? requires lot of functions write, possible make parser, build code somehow based on given assembly instructions ,and execute it, or that's impossible?
edit: cannot change memory protections or write executable memory locations.
it unclear me why you're asking question. first of all, function...
void mov_value_to_eax() { asm volatile("movl %0, %%eax"::"m"(function_parameter):"%eax"); // move value of variable function_parameter register eax }
...uses gcc inline assembly, function not inline, meaning there prologue & epilogue code wrapping it, affect intended result. may instead want use gcc inline assembly functions (as opposed functions contain gcc inline assembly), may closer want, there still problems that.....
ok, supposing write gcc inline assembly function every possible x86 opcode (at least ones gcc assembler knows about). supposing want invoke functions in arbitrary order accomplish whatever might wish accomplish (taking account opcodes legal execute @ ring 3 (or in whatever ring you're coding for)). example shows using c statements encode logic determining whether call inline assembly function or not. guess what: c statements using processor registers (perhaps eax!) accomplish tasks. whatever wanted calling these arbitrary inline assembly functions being stomped on compiler-emitted assembly code logic (if (...)
, etc). , vice-versa: inline assembly function arbitrary instructions stomping on registers compiler-emitted instructions expect not stomped-on. result not run without crashing.
if want write code in assembly, suggest write in assembly & use gcc assembler assemble it. alternatively, can write whole c-callable assembly functions within asm()
statement, , call them c code, if like. c-callable assembly functions write need operate within rules of calling convention (abi) you're using: if assembly functions use callee-saved register, function need save original value in register (generally on stack), , restore before returning caller.
Comments
Post a Comment