戳堆栈 [英] Poking the stack
问题描述
我想了解究竟栈的作品,所以我会在这里重新创建具有一些问题的一个小例子。
pretend,我有一个小code在ASM,做以下的事情:
(这一切都是X86,Intel语法和Linux)
推EBP
MOV EBP,ESP
子尤,16MOV EAX,0xdeadbeef< - 我们称之为局部变量
MOV [EBP - 16],EAXMOV EAX,0xabcdabcd< - 我们称之为局部变量b'
MOV [EBP - 12],EAXMOV EAX,0xcacafafa< - 我们称之为局部变量c'
MOV [EBP - 8],EAXMOV EAX,0xdada1111< - 我们称之为局部变量D'
MOV [EBP - 4],EAX调用0x10101010&下; ------- pretend即function_B的实际地址MOV ESP,EBP
流行EBP
RET
现在pretend,我有所谓的C函数 function_B
其中获得的从ASM code调用,它看起来像这样:
asmlinkage无效function_B(无效){ //一些code这里...}
我将如何访问 A
, B
, C
和 D
从 function_B
内联ASM code?
将这项工作?我应该做不同的吗?
uint32_t的val_a;
__asm__ __volatile __(
.intel_syntax没有preFIX;
MOV%0,双字[EBP + 4 + 4 + 0];
.att_syntax;
:= R(val_a)
);uint32_t的val_b;
__asm__ __volatile __(
.intel_syntax没有preFIX;
MOV%0,双字[EBP + 4 + 4 + 4];
.att_syntax;
:= R(val_b)
);
另外,我怎么会访问 A
, B
, C
和 D
如果我的功能是这样的:
asmlinkage无效function_B(unsigned int类型VAL){ //一些code这里...}
这个是什么:
无效function_B(uint32_t的假){
uint32_t的*捅=安培;假的;
uint32_t的一个=戳[0];
uint32_t的B =戳[1];
uint32_t的C =捅[2];
uint32_t的D =戳[3];
}
什么会给你当前的ASM code(不按任何参数function_B)A,B,C和D的值。如果你也想通过实际参数function_B您仍然可以添加的最后一个真正的参数后,假的:
无效function_B(unsigned int类型VAL,uint32_t的假冒)
这其实是一个比较安全一点做这样的(然后用内联汇编),因为它有一个更好的生存机会的优化(如堆栈帧遗漏)。但它仍然是当然的黑客,并没有什么我会依靠太多了。
I'm trying to understand how exactly the stack works, so I'll recreate here a small example with some questions.
Pretend that I have a small code in ASM that does the following thing:
(all this is x86, intel syntax, Linux)
push ebp
mov ebp, esp
sub esp, 16
mov eax, 0xdeadbeef <-- let's call this 'local variable a'
mov [ebp - 16], eax
mov eax, 0xabcdabcd <-- let's call this 'local variable b'
mov [ebp - 12], eax
mov eax, 0xcacafafa <-- let's call this 'local variable c'
mov [ebp - 8], eax
mov eax, 0xdada1111 <-- let's call this 'local variable d'
mov [ebp - 4], eax
call 0x10101010 <------- pretend that is the real address of function_B
mov esp, ebp
pop ebp
ret
Now pretend that I have a C function called function_B
which get's called from the asm code and it looks like this:
asmlinkage void function_B(void){
//some code here...
}
How would I access a
, b
, c
and d
from function_B
with inline ASM code?
Would this work? Should I be doing it differently?
uint32_t val_a;
__asm__ __volatile__(
".intel_syntax noprefix;"
"mov %0, dword [ebp + 4 + 4 + 0];"
".att_syntax;"
: "=r" (val_a)
);
uint32_t val_b;
__asm__ __volatile__(
".intel_syntax noprefix;"
"mov %0, dword [ebp + 4 + 4 + 4];"
".att_syntax;"
: "=r" (val_b)
);
Also, how would I access a
, b
, c
and d
if my function looked like this:
asmlinkage void function_B(unsigned int val){
//some code here...
}
What about this:
void function_B(uint32_t fake){
uint32_t* poke = &fake;
uint32_t a = poke[0];
uint32_t b = poke[1];
uint32_t c = poke[2];
uint32_t d = poke[3];
}
What will give you the values of a, b, c and d with your current asm code (which is not pushing any arguments to function_B). If you also want to pass real arguments to function_B you can still add the fake one after the last real argument:
void function_B(unsigned int val,uint32_t fake)
It is actually a little safer to do it like this (then with inline asm) since it has a better chance to survive optimizations (like stack frame omission). But it's still a hack of course, and nothing I would rely too much upon.
这篇关于戳堆栈的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!