In this image: https://i.imgur.com/LIImg.jpg
Under the code section it lists the first instruction as subtracting 0x28 from the stack pointer. Why would it need to subtract from a stack pointer that should be 0, right? Or does it start at the top and work down? Where in the PE headers do you specify the stack size?
The stack pointer doesn't have to be 0. In fact, and as Windows uses a flat memory model, it will have some non-zero value, big enough to allow growing downwards as stack is needed.
The action of substracting a value to the stack pointer is commonly found in the standard prologue of C functions. It allows a function to reserve stack space for local variables. Sometimes the compiler adds its own local variables to aid in some optimizations, or to help some stack checking functions linked to the program if you chose to check for stack buffer overflows at runtime.
You can see the commited and reserved stack space in a PE executable by using the DUMPBIN utility on that executable with the /HEADERS option. You can change both the reserved and commited stack size using Linker options (in Visual Studio)
Related
In Linux, with ASLR enabled, is there a range of addresses where user stack address lies? What about heap, instruction addresses(text section)?
In general, is it possible to look at an address and tell if it is for data or for code?
Edit:
I am trying to write a Pintool that looks at the EIP after a return and checks if the EIP points to a data area. Let's assume that NX is not enabled on this system.
For some reason, this was downvoted. Fortunately, the answer can be found here:
https://security.stackexchange.com/questions/185315/stack-location-range-on-linux-for-user-process/185330#185330
cat /proc/self/maps will show the initial location of the main thread's stack. This can be inaccurate for (at least) the following reasons:
you're not in the main thread
any part of the program was built with the -fsplit-stack option, or you call a library that does something similar
you're within a signal handler that requests the sigaltstack stack instead
you do weird alloca tricks like CHICKEN Scheme does to use the stack as a heap
...
Also note that the general areas are not fully random. See the AddressSanitizer project for something that takes advantage of this.
An example where NO-OP slide is a must for the exploit to work would be really helpful.
An example of when it is a must is when you want an exploit to be portable when targeting a non-ASLR enabled executable/system. Consider a local privilege escalation exploit where you return to shellcode on the stack. Because the stack holds the environment, the shellcode on the stack will be at slightly different offsets from the top of the stack when executing from within different users' shells, or on different systems. By prefixing the shellcode with, for example, 64k nop instructions, you provide a large margin of error for the stack address since your code will execute the same whether you land on the first nop or the last one.
Using nops is generally not as useful when targeting ASLR enabled systems since data sections will be mapped in entirely different areas of memory
On windows, VC compiler will generate debug version code with _chkesp implicit functions at the end of function calls, and allocate some 0xCCCCCCCC buffer on the stack to check and prevent stack corruption.
Does gcc/clang has same ability to provide extra stack check/prevention by some command line options? Either additional stack space or stack checkings?
GCC supports the -fstack-protector and -fstack-protector-all options. Note that both are geared toward security hardening rather than debugging. Instead, consider using
the GCC/CLANG address sanitizer (ASAN) options (minimal example) or Valgrind (minimal example).
I am writing a program to print out a 32-bit number, and I was thinking of storing each digit on the stack, to make use of its last-in-first-off functionality. This arose the question, could I store 32 digits on the stack?
My question is, how many digits of information could I store on the stack? What is the limit of the number of things I can push onto the stack? Could I store 64 digits? 128? A number of arbitrary length?
Thanks in advance,
Rileyh
It's not actually nasm dictating this, more the linker that you use. All nasm does is create object files which can be linked together.
If you are using the ld linker from Linux, you'll most likely find that your default stack is 2M.
So, no, 32 bytes is not really going to have a massive impact on that and, even if you run out of stack, you can use something like ld --stack 4194304 to bump it up.
Depends a tiny bit on the OS and a bit more on the linker you use, but you should be fine. It's common to allocate a stack of a megabyte or more by default, so 128 bytes is nothing. Just make sure you reset the stack pointer before you return, and everything should be fine.
You can typically tell the linker to allocate a stack of a certain size as well, if you find you need more than you get by default.
I have built a test for a driver in Windows CE 6.0 and some tests fail because memory passed in is not properly aligned.
How can I control the alignment of auto variables on the stack (not inside structures)?
Keep in mind that I cannot change this test in any way except how I build it.
Automatic variables are automatically aligned according to their natural alignment, unless you explicitly tell the compiler not to do so. So, if you need an address with 4 byte alignment, declare a 4 byte variable, like a DWORD.
There is no error message, the problem is when an unsigned byte is declared on the stack, the address is not 4-byte aligned, and I need it to be.
The exe that is built is a conformance test and I cannot change the code. When I build for windows the stack vars are 4-byte aligned, but when I build for CE they are not aligned