为什么此内存地址%fs:0x28(fs [0x28])具有随机值? [英] Why does this memory address %fs:0x28 ( fs[0x28] ) have a random value?
问题描述
我已经编写了一段C代码,并对其进行了反汇编,还阅读了寄存器以了解程序在汇编中的工作方式。
I've written a piece of C code and I've disassembled it as well as read the registers to understand how the program works in assembly.
int test(char *this){
char sum_buf[6];
strncpy(sum_buf,this,32);
return 0;
}
我正在检查的代码片段是测试函数。当我反汇编我的测试函数的输出时,我得到...
The piece of my code that I've been examining is the test function. When I disassemble the output my test function I get ...
0x00000000004005c0 <+12>: mov %fs:0x28,%rax
=> 0x00000000004005c9 <+21>: mov %rax,-0x8(%rbp)
... stuff ..
0x00000000004005f0 <+60>: xor %fs:0x28,%rdx
0x00000000004005f9 <+69>: je 0x400600 <test+76>
0x00000000004005fb <+71>: callq 0x4004a0 <__stack_chk_fail@plt>
0x0000000000400600 <+76>: leaveq
0x0000000000400601 <+77>: retq
我想知道的是 mov%fs:0x28,%rax
到底在做什么?
What I would like to know is what mov %fs:0x28,%rax
is really doing?
推荐答案
在x86_64上,不再使用分段寻址,而 FS
和 GS
寄存器可用作基本指针地址,以访问特殊的操作系统数据结构。因此,您看到的是一个与 FS
寄存器中保存的值偏移的值,而不是对内容的位操作。 FS
寄存器。
On x86_64, segmented addressing is no longer used, but the both the FS
and GS
registers can be used as base-pointer addresses in order to access special operating system data-structures. So what you're seeing is a value loaded at an offset from the value held in the FS
register, and not bit manipulation of the contents of the FS
register.
具体发生的是Linux上的 FS:0x28
正在存储特殊的前哨堆栈保护值,并且代码正在执行堆栈保护检查。例如,如果您进一步看代码,您会发现 FS:0x28
的值存储在堆栈中,然后调用堆栈中的内容然后执行 XOR
,其原始值为 FS:0x28
。如果两个值相等,这意味着因为 XOR
对两个相同值进行运算而得到零值,所以设置了零位,那么我们跳转到 test
例程,否则我们跳转到一个特殊的函数,该函数指示堆栈以某种方式损坏,并且存储在堆栈上的哨兵值已更改。
Specifically what's taking place, is that FS:0x28
on Linux is storing a special sentinel stack-guard value, and the code is performing a stack-guard check. For instance, if you look further in your code, you'll see that the value at FS:0x28
is stored on the stack, and then the contents of the stack are recalled and an XOR
is performed with the original value at FS:0x28
. If the two values are equal, which means that the zero-bit has been set because XOR
'ing two of the same values results in a zero-value, then we jump to the test
routine, otherwise we jump to a special function that indicates that the stack was somehow corrupted, and the sentinel value stored on the stack was changed.
如果使用GCC,则可以使用
-fno-stack-protector
这篇关于为什么此内存地址%fs:0x28(fs [0x28])具有随机值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!