Stack Usage with MS Visual Studio 2005. Without Stack Protection.

Slides:



Advertisements
Similar presentations
COMP 2003: Assembly Language and Digital Logic
Advertisements

Recitation 8 – 3/25/02 Outline Dynamic Linking Review prior test questions 213 Course Staff Office Hours: See Posting.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Assembly Language for Intel-Based Computers Chapter 5: Procedures Kip R. Irvine.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Accessing parameters from the stack and calling functions.
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Assembly Language Basic Concepts IA-32 Processor Architecture.
Compiler Construction Activation records Code Generation Rina Zviel-Girshin and Ohad Shacham School of Computer Science Tel-Aviv University.
Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.
Compiler Construction Code Generation I Ran Shaham and Ohad Shacham School of Computer Science Tel-Aviv University.
ESP int f(int x) {.... } int g(int y) { …. f(2); …. } int main() { …. g(1); …. } EIP 100: 200: 250: 300: 350:
Y86 Processor State Program Registers
1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
The x86 Architecture Lecture 15 Fri, Mar 4, 2005.
Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Mengzhi Wang Office Hours: Thursday.
Recitation 2: Outline Assembly programming Using gdb L2 practice stuff Minglong Shao Office hours: Thursdays 5-6PM Wean Hall.
Today’s topics Procedures Procedures Passing values to/from procedures Passing values to/from procedures Saving registers Saving registers Documenting.
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.
ELF binary # readelf -a foo.out ELF Header:
X86 Architecture.
Lecture 21. _getproc proc near pushf ;Secure flag register contents push di ;== Determine whether model came before or after === xor ax,ax ;Set.
Assembly Language. Symbol Table Variables.DATA var DW 0 sum DD 0 array TIMES 10 DW 0 message DB ’ Welcome ’,0 char1 DB ? Symbol Table Name Offset var.
C++ [ebp+10] Parameter 3 [ebp+0C] Parameter 2 [ebp+08] Parameter 1 [ebp+04] Return address [ebp+00] Old ebp [ebp -04]
Compiler Construction Code Generation Activation Records
1 The Stack and Procedures Chapter 5. 2 A Process in Virtual Memory  This is how a process is placed into its virtual addressable space  The code is.
COMP1070/2002/lec1/H.Melikian COMP1070 Lecture #2 Computers and Computer Languages Some terminology What is Software? Operating Systems.
Computer Organization & Assembly Language University of Sargodha, Lahore Campus Prepared by Ali Saeed.
1 Assembly Language: Function Calls Jennifer Rexford.
Recitation 3 Outline Recursive procedure Complex data structures –Arrays –Structs –Unions Function pointer Reminders Lab 2: Wed. 11:59PM Lab 3: start early.
CSC 221 Computer Organization and Assembly Language Lecture 16: Procedures.
Code Generation II. 2 Compiler IC Program ic x86 executable exe Lexical Analysis Syntax Analysis Parsing ASTSymbol Table etc. Inter. Rep. (IR) Code Generation.
Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Structured Data –struct s / union s –Arrays of structs.
IA32 Stack –Region of memory managed with stack discipline –Grows toward lower addresses –Register %esp indicates lowest stack address address of top element.
ICS51 Introductory Computer Organization Accessing parameters from the stack and calling functions.
Recitation 3: Procedures and the Stack
A job ad at a game programming company
Assembly function call convention
Debugging Survival Guide (x86-DSG) Divyanand Kutagulla
Reading Condition Codes (Cont.)
Machine-Level Programming 2 Control Flow
C function call conventions and the stack
CS-401 Computer Architecture & Assembly Language Programming
Computer Architecture and Assembly Language
Exploiting & Defense Day 2 Recap
Recitation 2 – 2/11/02 Outline Stacks & Procedures
Aaron Miller David Cohen Spring 2011
Introduction to Compilers Tim Teitelbaum
Assembly IA-32.
High-Level Language Interface
Recitation 2 – 2/4/01 Outline Machine Model
Guo Yu USTC, Suzhou See Code Run (1) Guo Yu USTC, Suzhou
asum.ys A Y86 Programming Example
Computer Architecture and Assembly Language
Y86 Processor State Program Registers
Discussion Section – 11/3/2012
Machine-Level Programming 4 Procedures
Practical Session 4.
Machine-Level Programming: Introduction
Multi-modules programming
X86 Assembly Review.
Low-Level Thread Dispatching on the x86
ICS51 Introductory Computer Organization
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Computer Architecture and System Programming Laboratory
Presentation transcript:

Stack Usage with MS Visual Studio 2005

Without Stack Protection

Before call to DoIt Registers EAX = EBX = ECX = FB EDX = 781C3C58 ESI = EDI = FC EIP = EE ESP = 0013FF40 EBP = 0013FFC0 EFL =

Stack before call to DoIt EBP 0013FFC0 ESP 0013FF40 argc argv local variables

Calling DoIt DoIt(szBuffer, iLength, iSize, iWhat,iWhere,iHow); EE mov eax,dword ptr [esp+18h] F2 mov ecx,dword ptr [esp+1Ch] F6 mov edx,dword ptr [esp+24h] FA mov esi,dword ptr [esp+28h] FE push eax FF push ecx mov ecx,dword ptr [esp+28h] lea ebx,[esp+34h] call DoIt (401000h) D add esp,14h pop edi pop esi

Registers before calling DoIt EAX = EBX = 0013FF6C ECX = EDX = ESI = EDI = FC EIP = ESP = 0013FF38 EBP = 0013FFC0 EFL =

Stack after call to Doit Two variables pushed on stack Return address

DoIt Deassembled void DoIt( char * szBuffer, int iLength, int iSize, int iWhat, int iWhere, int iHow){ push ebp iSize = iSize + iLength; add edx,esi xor eax,eax push edi lea edi,[eax+0Fh] lea esp,[esp]

DoIt Deassembled for(int i=0; i<15; i++){ iSize += i*iLength*iWhat++; mov ebp,eax imul ebp,ecx add edx,ebp add ecx, A add eax,esi C sub edi, F jne DoIt+10h (401010h) }

DoIt Deassembled char * myChar = szBuffer; while(*myChar){ cmp byte ptr [ebx], pop edi mov eax,ebx pop ebp je DoIt+3Bh (40103Bh) A lea ebx,[szBuffer] *(myChar++)+=0x01; add byte ptr [eax], add eax, cmp byte ptr [eax], jne DoIt+30h (401030h) }

DoIt Deassembled printf("Doit called with %i, %i, %i, %s, %i, %i \n",iLength, iSize, iWhat, szBuffer, iWhere, iHow); B mov eax,dword ptr [esp+8] F push eax mov eax,dword ptr [esp+8] push eax push ebx push ecx push edx push esi push offset string "Doit called with %i, %i, %i, %s"... (4020F4h) E call dword ptr [__imp__printf (4020A4h)] add esp,1Ch } ret

With Stack Protection

Prologue Create security cookie Push ebx and esi int _tmain(int argc, _TCHAR* argv[]) { sub esp,24h mov eax,dword ptr [___security_cookie (403000h)] xor eax,esp A mov dword ptr[esp+20h],eax E push ebx F push esi

Stack Before Calling DoIt esp ebp

Stack Before Calling DoIt esp 0013FF3C ebp 0013FFC0 Local variables on stack. Notice the sparse layout

Preparation for calling DoIt DoIt(szBuffer, iLength, iSize, iWhat,iWhere,iHow); F9 mov eax,dword ptr [esp+28h] FD mov ecx,dword ptr [esp+20h] mov edx,dword ptr [esp+1Ch] mov esi,dword ptr [esp+24h] push eax A push ecx B mov ecx,dword ptr [esp+20h] F lea ebx,[esp+34h] call DoIt (401000h)

Stack after call to doit esp 0013FF30 ebp 0013FFC0 Two variables passed on stack Return Address

Register contents Register used to pass remaining variables EAX = EBX = 0013FF68 (address of string) ECX = EDX = ESI = EDI = FC EIP = ESP = 0013FF30 EBP = 0013FFC0 EFL =

Call of DoIt void DoIt( char * szBuffer, int iLength, int iSize, int iWhat, int iWhere, int iHow){ push ebp iSize = iSize + iLength; add edx,esi xor eax,eax push edi lea edi,[eax+0Fh] lea esp,[esp]

Call of Doit (cont) for(int i=0; i<15; i++){ iSize += i*iLength*iWhat++; mov ebp,eax imul ebp,ecx add edx,ebp add ecx, A add eax,esi C sub edi, F jne DoIt+10h (401010h) }

Call of Doit (cont) char * myChar = szBuffer; while(*myChar){ cmp byte ptr [ebx], pop edi mov eax,ebx pop ebp je DoIt+3Bh (40103Bh) A lea ebx,[szBuffer]

Call of Doit (cont) *(myChar++)+=0x01; add byte ptr [eax], add eax, cmp byte ptr [eax], jne DoIt+30h (401030h) }

Call of Doit (cont) *(myChar++)+=0x01; add byte ptr [eax], add eax, cmp byte ptr [eax], jne DoIt+30h (401030h) }

Call of Doit (cont) printf("Doit called with %i, %i, %i, %s, %i, %i \n",iLength, iSize, iWhat, szBuffer, iWhere, iHow); B mov eax,dword ptr [esp+8] F push eax mov eax,dword ptr [esp+8] push eax push ebx push ecx push edx push esi push offset string "Doit called with %i, %i, %i, %s"... (402104h) E call dword ptr [__imp__printf (4020A4h)] add esp,1Ch } ret

tmain epilogue return 0; } mov ecx,dword ptr [esp+48h] C add esp,14h F pop edi pop esi pop ebx xor ecx,esp xor eax,eax call __security_check_cookie (40112Fh) B add esp,2Ch E ret

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.