C++ How To Read First Couple Bytes Of Function? (32 bit Machine)


Question

Let's say I have a function like this (completely random, I just wrote it up in like 30 seconds for an example)

#include <cstring>        // strcmp

void stopExecutable();    // assumed to be defined elsewhere in the program

bool exampleAuthetnication(char *a, char *b)
{
    bool didAuthenticate = false;
    if(strcmp(a, b) == 0)
    {
        didAuthenticate = true;
    }

    if(didAuthenticate)
    {
        return true;
    }
    else
    {
        stopExecutable();
        return false;
    }
}

How would I go about reading the first few bytes of this function?

I came up with this

int functionByteArray[10];
for (int i = 0; i < 10; i++)
{
    functionByteArray[i] = *(int*)(((int)&exampleAuthetnication) + (0x04 * i));
}

The logic behind it being that we get the memory address of our function (in this case exampleAuthetnication()), then we cast to int pointer, then dereference to get the value of the current line of bytes we are trying to read, then store in functionByteArray, but it does not seem to work properly. What am I doing wrong? Is what I'm trying to accomplish possible?

Accepted answer

In theory (according to the C++11 standard) you cannot even cast a function pointer into a data pointer (on Harvard architectures code and data sit in different memories and different address spaces). Some operating systems or processors might also forbid reading of executable code segments (read about the NX bit).

In practice, on x86-64 (or 32-bit x86) running some operating system like Linux or Windows, a function's code is a sequence of bytes, can be unaligned, and sits in the (common) virtual address space of its process. So you should at least have char functionByteArray[40]; and you might use std::memcpy from <string> and do some

#include <cstring>   // std::memcpy is declared here

char functionByteArray[40];
std::memcpy(functionByteArray, (char*)&exampleAuthetnication,
            sizeof(functionByteArray));

At last, your code is wrong because (on x86-64 notably) int does not have the same size as pointers (so (int)&exampleAuthetnication loses the upper bytes of the address). You should at least use intptr_t. And int has stronger alignment constraints than the code.

BTW, you might also ask your compiler to show the generated assembler code. With GCC, compile your exampleAuthetnication C++ code with g++ -O -fverbose-asm -S and look into the generated .s file.

Notice that the C++ compiler might optimize to the point of "removing" some function from the code segment (e.g. because that function has been inlined everywhere), or split the function code into several pieces, or put that exampleAuthetnication code "inside" another function...
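The following is an added example, not code from the question or the answer above. It puts the answer's advice into a complete program: the function address is held in a uintptr_t (not an int), the code bytes are copied with memcpy so no alignment is assumed, and a byte-wise version of the questioner's offset loop is included to show the two reads agree. It also fingerprints the bytes with FNV-1a, which is the defensive use of this technique: record the fingerprint of a function's prologue at startup and re-check it later to notice in-process patching. The names sampleCompare, readFunctionBytes, readFunctionBytesByOffset, toHex, fnv1a and intCastLosesAddress are this example's own; it assumes, as the answer does, a flat address space with readable code, as on x86/x86-64 Linux or Windows.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

using CmpFn = bool (*)(const char*, const char*);

// Hypothetical stand-in for the question's exampleAuthetnication (assumed name).
bool sampleCompare(const char *a, const char *b)
{
    return std::strcmp(a, b) == 0;
}

// Copy the first n code bytes of fn. uintptr_t keeps the whole address on
// 64-bit targets; memcpy makes no alignment assumption about the code bytes.
std::vector<unsigned char> readFunctionBytes(CmpFn fn, std::size_t n)
{
    std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(fn);
    const unsigned char *code = reinterpret_cast<const unsigned char*>(addr);
    std::vector<unsigned char> out(n);
    std::memcpy(out.data(), code, n);
    return out;
}

// The question's loop done safely: pointer-sized offsets and one byte per load.
std::vector<unsigned char> readFunctionBytesByOffset(CmpFn fn, std::size_t n)
{
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(fn);
    std::vector<unsigned char> out;
    out.reserve(n);
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(*reinterpret_cast<const unsigned char*>(base + i));
    return out;
}

// Hex-encode the bytes for display.
std::string toHex(const std::vector<unsigned char>& bytes)
{
    std::string s;
    char buf[3];
    for (unsigned char b : bytes) {
        std::snprintf(buf, sizeof buf, "%02x", b);
        s += buf;
    }
    return s;
}

// 32-bit FNV-1a fingerprint of the bytes. Record it once, re-check later:
// a changed value means the function's code was modified in memory.
std::uint32_t fnv1a(const std::vector<unsigned char>& bytes)
{
    std::uint32_t h = 2166136261u;
    for (unsigned char b : bytes) {
        h ^= b;
        h *= 16777619u;
    }
    return h;
}

// True when casting fn's address to an int-sized value (as the question's
// (int)&exampleAuthetnication did) would drop address bits on this build.
bool intCastLosesAddress(CmpFn fn)
{
    std::uintptr_t full = reinterpret_cast<std::uintptr_t>(fn);
    return full != static_cast<std::uintptr_t>(static_cast<unsigned int>(full));
}

int main()
{
    const std::size_t n = 16;   // a few bytes, enough to cover a typical prologue
    std::vector<unsigned char> prologue = readFunctionBytes(sampleCompare, n);
    std::printf("first %zu bytes: %s\n", n, toHex(prologue).c_str());
    std::printf("fnv1a fingerprint: %08x\n", fnv1a(prologue));
    std::printf("(int) cast would truncate the address: %s\n",
                intCastLosesAddress(sampleCompare) ? "yes" : "no");
    return 0;
}
```

Build it with something like g++ -O2 -std=c++11 and run it; the hex dump will differ between compilers and optimisation levels, which is exactly the answer's point about inlining and code layout, and on a 64-bit PIE build the last line reports "yes". On a platform that maps code execute-only, the read itself would fault, which is the NX/Harvard caveat from the answer.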
