C:将x86指令放入数组并执行 [英] C: put x86 instructions into array and execute them

问题描述

有什么方法可以将处理器指令放入数组，使其内存段可执行并以简单功能运行它:

Is there any way to put processor instructions into array, make its memory segment executable and run it as a simple function:

int main()
{
    char myarr[13] = {0x90, 0xc3};
    (void (*)()) myfunc = (void (*)()) myarr;
    myfunc();
    return 0;
}

推荐答案

在Unix上(如今，这意味着除了Windows以及您可能从未听说过的嵌入式和大型机以外的所有东西")，您可以通过分配一个 mmap 的页面总数，将代码写入其中，然后使用 mprotect 可执行.

On Unix (these days, that means "everything except Windows and some embedded and mainframe stuff you've probably never heard of") you do this by allocating a whole number of pages with mmap, writing the code into them, and then making them executable with mprotect.

void execute_generated_machine_code(const uint8_t *code, size_t codelen)
{
    // in order to manipulate memory protection, we must work with
    // whole pages allocated directly from the operating system.
    static size_t pagesize;
    if (!pagesize) {
        pagesize = sysconf(_SC_PAGESIZE);
        if (pagesize == (size_t)-1) fatal_perror("getpagesize");
    }

    // allocate at least enough space for the code + 1 byte
    // (so that there will be at least one INT3 - see below),
    // rounded up to a multiple of the system page size.
    size_t rounded_codesize = ((codelen + 1 + pagesize - 1)
                               / pagesize) * pagesize;

    void *executable_area = mmap(0, rounded_codesize,
                                 PROT_READ|PROT_WRITE,
                                 MAP_PRIVATE|MAP_ANONYMOUS,
                                 -1, 0);
    if (!executable_area) fatal_perror("mmap");

    // at this point, executable_area points to memory that is writable but
    // *not* executable.  load the code into it.
    memcpy(executable_area, code, codelen);

    // fill the space at the end with INT3 instructions, to guarantee
    // a prompt crash if the generated code runs off the end.
    // must change this if generating code for non-x86.
    memset(executable_area + codelen, 0xCC, rounded_codesize - codelen);

    // make executable_area actually executable (and unwritable)
    if (mprotect(executable_area, rounded_codesize, PROT_READ|PROT_EXEC))
        fatal_perror("mprotect");

    // now we can call it. passing arguments / receiving return values
    // is left as an exercise (consult libffi source code for clues).
    ((void (*)(void)) executable_area)();

    munmap(executable_area, rounded_codesize);
}

您可能会发现该代码与 cherrydt的答案中显示的Windows代码几乎相同.只有系统调用的名称和参数不同.

You can probably see that this code is very nearly the same as the Windows code shown in cherrydt's answer. Only the names and arguments of the system calls are different.

在使用这样的代码时，重要的是要知道许多现代操作系统不允许您拥有同时可写和可执行的RAM页面.如果我在对mmap或mprotect的调用中写了PROT_READ|PROT_WRITE|PROT_EXEC，它将失败.这称为 W ^ X政策；首字母缩写词代表Write XOR eXecute.它源于OpenBSD ，其目的是使其更难缓冲区溢出漏洞利用，可将代码写入RAM，然后执行. (仍然是 possible ，该漏洞仅需找到一个首先对mprotect 进行适当调用的方法.)

When working with code like this, it is important to know that many modern operating systems will not allow you to have a page of RAM that is simultaneously writable and executable. If I'd written PROT_READ|PROT_WRITE|PROT_EXEC in the call to mmap or mprotect, it would fail. This is called the W^X policy; the acronym stands for Write XOR eXecute. It originates with OpenBSD, and the idea is to make it harder for a buffer-overflow exploit to write code into RAM and then execute it. (It's still possible, the exploit just has to find a way to make an appropriate call to mprotect first.)

这篇关于C:将x86指令放入数组并执行的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！