• No results found

Function Call Convention

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Function Call Convention"

Copied!
72
0
0

Loading.... (view fulltext now)

Download now ( 72 Page )

Full text

(1)
(2)

Content

Intel Architecture

Shellcode

Buffer Overflow

BoF Exploit

Debugging

Memory Layout

Remote Exploit

Exploit Mitigations

Defeat Exploit Mitigations

Function Calls

C Arrays

(3)

Function Call Convention

Function call convention:

 How functions work

 Program-metadata on the stack

Stack based buffer overflow:

(4)
(5)

How do they work?

(6)

Stack

(7)

Stack

pop

(8)
(9)
(10)
(11)
(12)
(13)
(14)

Stack on intel

Intel stack registers:

ESP: Stack Pointer

EBP: (Stack-) Base Pointer

(15)

Stack in computers

Stack is using process memory as basis

CPU instruction support (because stack is so useful) Note:

 CPU instructions like push/pop are just for ease of use

 The “stack values” can be accessed (read, write) like every other memory address

 You can point the stack (ebp, esp) to wherever in the memory you want

(16)

Functions and the Stack

(17)

x32 Call Convention

What is a function?

Self contained subroutine

Re-usable

Can be called from anywhere

(18)

x32 Call Convention

void main(void) {

int blubb = 0;

foobar

(blubb);

return;

}

void

foobar

(int arg1) {

(19)

x32 Call Convention

What does the function foobar() need?

Function Argument:

blubb

Local variables

Compass1

Compass2

And: Address of next instruction in main()

(20)

x32 Call Convention

SIP Saved IP (&__libc_start)

SFP Saved Frame Pointer

blubb Local Variables <main>

Stack Frame

<main>

&blubb Argument for <foobar>

SIP Saved IP (&return)

SFP Saved Frame Pointer

compass1 compass2

Local Variables <foobar>

pop push

Stack Frame

(21)

x32 Call Convention

&blubb SIP SFP compass1 compass2 pop push

void main(void) {

int blubb = 0;

foobar

(&blubb

);

return;

}

void foobar(int *

arg1

) {

(22)

x32 Call Convention

SIP Saved IP (&__libc_start)

SFP Saved Frame Pointer

blubb Local Variables <main>

Stack Frame

<main>

&blubb Argument for <foobar>

SIP (&return)

Saved IP (&return)

SFP Saved Frame Pointer

compass1

compass2

Local Variables <foobar>

pop push

Stack Frame

(23)

x32 Call Convention

SIP: Stored Instruction Pointer

Copy of EIP

Points to the address where control flow continues after

end of function

(return, ret)

(24)

x32 Call Convention

SBP: Stored Base Pointer

Copy of EBP

Every function has its own little stack frame

Stack frame is where local variables, function arguments

etc. are

A function should only access its own stack frame

Most of the function epilogue and prologue handle

setting up and removing the stack frame

Note: It is not 100% necessary to completely understand

it - but you will see it in the disassembly of every function

(25)

x32 Call Convention

Attention! Assembler ahead!

 AT&T vs Intel syntax

(26)
(27)

x32 Call Convention

In ASM:

call 0x11223344 <&foobar>

push EIP

jmp 0x11223344

mov ebp, esp

(28)

x32 Call Convention

In ASM:

call 0x11223344 <&foobar>

push EIP

jmp 0x11223344

mov ebp, esp

<function code>

mov esp, ebp

ret

pop eip

Prolog

(29)
(30)

x32 Call Convention

Recap:

 User data is on the stack

 Also: important stuff is on the stack (Instruction Pointer, SIP)

 Stack grows down

(31)
(32)

x32 Call Convention Details

int add(int x, int y) {

int sum;

(33)

x32 Call Convention Details

push 4

push 3

call add

push 4

push 3

push EIP

jmp add

c = add(3, 4)

(34)

x32 Call Convention Details

push ebp

mov ebp, esp,

sub esp, 0x10

mov eax, DWORD PTR [ebp + 0xc] mov edx, DWORD PTR [ebp + 0x8] add eax, edx

mov DWORD PTR [ebp – 0x04], eax mov eax, DWORD PTR [ebp – 0x04]

(35)

x32 Call Convention Details

push ebp

mov ebp, esp,

sub esp, 0x10

mov eax, DWORD PTR [ebp + 0xc] mov edx, DWORD PTR [ebp + 0x8] add eax, edx

mov DWORD PTR [ebp – 0x04], eax mov eax, DWORD PTR [ebp – 0x04]

push 4 push 3 push EIP jmp add

(36)

x32 Call Convention Details

push ebp

mov ebp, esp,

sub esp, 0x10

mov eax, DWORD PTR [ebp + 0xc] mov edx, DWORD PTR [ebp + 0x8] add eax, edx

mov DWORD PTR [ebp – 0x04], eax mov eax, DWORD PTR [ebp – 0x04]

mov esp, ebp ; leave pop ebp ; leave

pop eip ; ret

push 4 push 3 push EIP jmp add

(37)

x32 Call Convention Details

push ebp

(38)
(39)
(40)
(41)
(42)

x32 Call Convention - Function Prolog

SIP SFP c

EBP

ESP

4 … push 4 push 3 call add … 3 SIP (= EIP) From:

<main>

EIP

push ebp

(43)

x32 Call Convention - Function Prolog

SIP SFP c

EBP

ESP

4 … push 4 push 3 call add … 3

SIP (= old EIP)

From:

<main>

EIP

push ebp

(44)

x32 Call Convention - Function Prolog

SIP SFP c

EBP

ESP

4 push ebp

(45)

x32 Call Convention - Function Prolog

SIP SFP c

EBP

ESP

4 push ebp

(46)

x32 Call Convention - Function Prolog

SIP SFP c

EBP

ESP

4 push ebp

(47)

x32 Call Convention - Function Prolog

SIP SFP c

EBP

ESP

4 push ebp

(48)
(49)

x32 Call Convention - Execute Function

mov eax, DWORD PTR [ebp + 0xc]

mov edx, DWORD PTR [ebp + 0x8]

add eax, edx

mov DWORD PTR [ebp – 0x04], eax

mov eax, DWORD PTR [ebp – 0x04]

(50)
(51)

x32 Call Convention - Function Epilog

SIP SFP c

EBP

ESP

4 push ebp

(52)

x32 Call Convention - Function Epilog

SIP SFP c

EBP

ESP

4 push ebp

(53)

x32 Call Convention - Function Epilog

SIP SFP c

EBP

ESP

4 push ebp

(54)

x32 Call Convention - Function Epilog

SIP SFP c

EBP

ESP

4 push ebp

(55)

x32 Call Convention - Function Epilog

SIP SFP c

EBP

ESP

4 push ebp

(56)

x32 Call Convention - Function Calling

call <addr> = push EIP

jmp <addr> leave =

mov esp, ebp pop ebp

ret =

(57)

x32 Call Convention - Function Calling

Why “leave”?

 Opposite of “enter”

“enter”:

push ebp

mov ebp, esp sub esp, imm

Why no “enter” used?

 enter:

 8 cycle latency

(58)

x32 Call Convention - Function Calling

Recap:

 When a function is called:

 EIP is pushed on the stack (=SIP)

 (“call” is doing implicit “push EIP”)

 At the end of the function:

 SIP is recovered into EIP

(59)
(60)

Accessing the stack

• Push/Pops are rarely used nowadays

• Each function makes some space in its stack frame for local variables

(61)

Accessing the stack

• Push/Pops are rarely used nowadays

• Each function makes some space in its stack frame for local variables

(62)
(63)
(64)

x32 Call Convention - Function Call in x64

Differences between x32 and x64 function calls: Arguments are in registers (not on stack)

(65)

x32 Call Convention - Function Call in x64

Differences between x32 and x64 function calls Different ASM commands doing the same thing

(66)

x32 Call Convention - Function Call in x64

Some random x64 architecture facts:

The stack should stay 8-byte aligned at all times

An n-byte item should start at an address divisible by n

 E.g. 64 bit number: 8 bytes, can be at 0x00, 0x08, 0x10, 0x18, …

%rsp points to the lowest occupied stack location

(67)

Function Call Convention Cheat Sheet

x32 Parameter Syscall nr in

x32 userspace stack

x32 syscalls ebx, ecx, edx, esi, edi, ebp eax

x64 Parameter Syscall nr in

x64 userspace rdi, rsi, rdx, rcx, r8, r9

(68)

EBP Cheat Sheet

SIP SFP c

EBP

4 (argument 2) 3 (argument 1) SIP SBP

(69)
(70)
(71)

Further questions

(72)

Answers

Pseudocode:

# EAX is the new ESP push <data>:

sub eax, 4

mov (%eax), <data> pop <register>:

References

Download now ( PDF - 72 Page - 0.94 MB )

Related documents

The effect of feeding technologies on the economics of fattening pigs

The productive performance as growth capacity, feeding intake and quantitative traits of slaughter value was examined for 144 hybrid pigs divided in two identical groups,

Aqua­chlorido­(2 {[6 (di­methyl­amino)­pyrimidin 4 yl]sulfan­yl}pyrimidine 4,6 di­amine)­copper(II) chloride hydrate

Similar to the reported structure here, the six-membered chelate ring adopts a boat confor- mation, which is characteristic for transition metal complexes with this class of

The significance of commodity exchanges for trade in agricultural products in the Czech Republic, and prospects of their future development

With regard to the fact that the problems described here are connected with the future participation of the whole Czech agricul- tural commodity market in the European agricultural

Zooplankton‐mediated carbon flux in the Southern Ocean: influence of community structure, metabolism and behaviour

[r]

WCET Optimizations and Architectural Support for Hard Real-Time Systems

Guided by ATF to evaluate the time predictability of a processor, Chapter 5 first proposes hybrid SPM-cache architectures that can leverage SPMs to achieve time predictability

A novel binary spell checker

Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise.. They may be downloaded and/or printed for private

3:

םימב תוקשומה תוקלחה ןיב םיקהבומ םילדבה ואצמנ אל םינושה םימה יגוס ןיב האוושהב םיחלוקב תוקשומה תוקלחל םיריפש. םימב דירולכה

MAY 7, 2012 VOL. 90, NO. 9 WEST REGION

Near National Super Regional Strategic Subsidiary Strategic Subsidiary Coverage Specialist Coverage Specialist States &gt; 34 Meritplan Insurance Co. Strategic Subsidiary Super