How to access .text section using a function pointer in C? [closed] - c

I am trying to inject executable code in memory using C. The executable should be able to read its own code and copy it to some other location referenced by a pointer. The general template code is as follows:
#include <stdio.h>

int
main(){
    int (*main_ptr)();
    main_ptr=main; // make the pointer point to start of main
    /*
     * rest of the code.
     *
     */
    /* Now I am trying to print the first 10 bytes of the main function,
     * just to see if it is possible to access main's code.
     */
    for(int i=0;i<10;i++)
        printf("%x ",*main_ptr++);
    return 0;
}
but the output is the value of the pointer (i.e. address of main function), not the value to which it points (the code of the main function). I had read somewhere that C does not dereference function pointers. But I do not know why. Is there a way to get around this?
Or, is there another way for a program to access its own code section?
P.S. I understand that many may think this is a stupid question and does not contribute significantly to research and all that. But I am trying to understand how malware is written and given the absence of material on the web, it has been frustrating, so I decided to try this myself. Any help would be great.

There are 2 issues with your code (even though as such it is UB to be strict).
But even from any implementation's point of view there are the following issues:
None of the implementations define the * operator for function pointer.
None of the implementations define the ++ operator on the function pointers because size of a function is not defined.
But most implementations do define casting a fptr to void* and then to other data pointers even though it is UB.
You can make use of that fact.
I tried the simple modification of your code -
for(i=0;i<10;i++)
    printf("%x ",*((int*)main_ptr++));
And it produced the "expected" behavior with gcc (MinGW64), compared the output against objdump.
Finally this goes with the warning that none of the approaches are portable. Perhaps there is no portable way to achieve what you are doing.
If you just have to get the same code as main, one way could be to read the actual binary (pointed to by arg[0]). Parse the headers to find main and then read the bytes from there. Since reading the file would give you a data pointer, there is no UB there.
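
An added example, not part of the original answer: reading a function's code one byte at a time through an unsigned char pointer, then hashing those bytes so a later check can tell whether they were modified in memory. The names sample_add, read_code_bytes, fnv1a and code_fingerprint are made up for this example, and the conversion through uintptr_t is implementation-defined rather than portable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*binop_fn)(int, int);

/* Constructed sample function whose machine code is inspected. */
int sample_add(int a, int b) { return a + b; }

/* Copy the first n bytes of fn's code into out. The function pointer goes
 * through uintptr_t to a byte pointer: implementation-defined, not portable,
 * and it faults on targets that map code as execute-only. */
size_t read_code_bytes(binop_fn fn, unsigned char *out, size_t n)
{
    const unsigned char *p = (const unsigned char *)(uintptr_t)fn;
    memcpy(out, p, n);
    return n;
}

/* 32-bit FNV-1a over a byte buffer, used as a cheap fingerprint. */
uint32_t fnv1a(const unsigned char *buf, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Fingerprint of the first n (at most 64) code bytes of fn. */
uint32_t code_fingerprint(binop_fn fn, size_t n)
{
    unsigned char buf[64];
    if (n > sizeof buf)
        n = sizeof buf;
    read_code_bytes(fn, buf, n);
    return fnv1a(buf, n);
}

int main(void)
{
    unsigned char buf[10];
    size_t n = read_code_bytes(sample_add, buf, sizeof buf);
    for (size_t i = 0; i < n; i++)
        printf("%02x ", buf[i]);   /* one byte per column, comparable to objdump -d */
    printf("\nfingerprint: %08x\n", (unsigned)code_fingerprint(sample_add, n));
    return 0;
}
```

The printed bytes depend on the compiler, flags and architecture, so the fingerprint is only comparable between runs of the same binary.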

Related

Memory addressing in C [closed]

I made this small code in C:
#include <stdio.h>
int alo();
int main()
{
    printf ("%d",alo());
}
int alo(int i, int x)
{
    return (x);
}
but it seems when I run it without giving any argument to alo it prints a completely random number.
I just want to know, since I suppose it can't be 100% random, what number is this in reality and where does it come from, and also if I can predict it. Note that this is pure curiosity.
I guess it has something to deal with memory reading, but how this particular bug exactly functions?
Your alo function accepts (i.e. requires!) two parameters, but you called it without any arguments. The behavior is undefined in this case.
You declared your function (before main) without a prototype. This means that it is your responsibility to supply the correct number of arguments of correct type in all calls to alo. The compiler will not help you to verify the correctness of such calls.
For this reason a good idea is to always declare your functions with prototypes
int alo(int i, int x);
so that the compiler will help you to ensure that you are calling your function properly.
In practice the implementation of alo blindly follows its parameter passing convention and reads the storage location that is supposed to contain the value of parameter x. The resultant value is returned from alo.
What kind of storage location is used for passing x depends on the implementation details. It could be a memory area or a CPU register. Whatever residual/garbage value was residing in that storage location before the call is returned from alo.
OK, Google for:
your own hardware architecture, (CPU, registers, memory etc),
assembler,
machine code,
instruction set,
debugger,
stack,
calling convention,
parameters,
arguments
When you understand the above, you are equipped to investigate the UB on the computer that it manifests on. Next box, next architecture, next week, it may behave differently:(

Assembly and Execution of Programs - Two pass assembler [closed]

While going through a book on machine instructions and programs I came across a particular point which says that an assembler scans an entire source program twice. It builds a symbol table during the 1st pass/scan and associates the entire program with it during the second scan. The assembler needs to provide an address in a similar way for a function.
Now, since the assembler passes through the program twice, why is it necessary to declare a function before it can be used? Wouldn't the assembler provide an address for the function from the 1st pass and then correlate it to the program during the 2nd pass?
I am considering C programming in this case.
The simple answer is that C programs require that functions be declared before they can be used because the C language was designed to be processed by a compiler in a single pass. It has nothing to do with assemblers and addresses of functions. The compiler needs to know the type of a symbol, whether it's a function, variable or something else, before it can use it.
Consider this simple example:
int foo() { return bar(); }
int (*bar)();
In order to generate the correct code the compiler needs to know that bar isn't a function, but a pointer to a function. The code only works if you put extern int (*bar)(); before the definition of foo so the compiler knows what type bar is.
While the language could have been in theory designed to require the compiler to use two passes, this would have required some significant changes in the design of the language. Requiring two passes would also increase the required complexity of the compiler, decreasing the number of platforms that could host a C compiler. This was a very important consideration back in the day when C was first being developed, back when 64K (65,536) bytes of RAM was a lot of memory. Even today it would have a noticeable impact on the compile times of large programs.
Note that the C language does sort of allow what you want anyway, by supporting implicit function declarations. (In my example above this is what happens in foo when bar isn't declared previously.) However this feature is obsolete, limited, and considered dangerous.

Issue dereferencing type void** [closed]

I have an array of pointers to pointers:
void ** buckets.
Each of these pointers point to some blob of memory, which contains a pointer to another blob of memory.
I am trying to get at one of the pointers which point to some blob of memory like this:
void *cell = cm->buckets[0] // for the first blob it is pointing to.
However, it is giving me a segfault and the gdb is not very useful. Why is this happening and what is the proper way of handling this case?
Check the address value stored in buckets. Most likely, it has not been initialized (using new, malloc, etc.) and the address inside buckets is some random protected mem address.
buckets[0] is equivalent to *buckets or dereferencing the value inside buckets. So the system tries to access the contents of this protected address causing a segfault.
There are two possible places that may be generating this fault in your example code: cm and buckets. In GDB, before you execute this line, first check cm to make sure it is pointing where you expect it to. If so, make sure buckets is pointing to a reasonable location.

Is printf("%d",*(++(*a))); Undefined [closed]

Is printf("%d",*(++(*a))); Undefined? Here a is pointer to a pointer to integer.
I do not have any more code other than this. It is an extension of This question which had created lots of confusion. Just want to know what is happening in this print. Does it depend on Architecture (32 vs 64) or compiler versions?
Hoping answers will be descriptive and clear.
If you break it down, it does this:
Take the value of what a is pointing at: *a
Increment by one ++(*a)
Dereference that *(++(*a))
So, if the value+1 of what is stored at a is a valid pointer, this will work. Otherwise, the result is undefined and will most likely result in a runtime error.
Yes, your code is correct and even if cryptic can make some (little) sense as in:
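#include <stdio.h>
void print_next(int **a) {
    printf("%d\n",*(++(*a)));
}
int main(void) {
    int arr[] = {1,5,6,3,5,6};
    int *p = arr;
    /* stop at arr+5: print_next increments p before reading, so a bound of arr+6 would read past the array */
    while (p<arr+5)
        print_next(&p);
    return 0;
}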
If your question is specifically about *(++(*a)) expression, then there's nothing undefined here (assuming all pointers involved are valid). There are no attempts to perform multiple modifications of the same object. There are no independent reads of any of the modified objects. End of story.
Basically, there's nothing to explain here, since the code is perfectly fine in a rather straightforward manner. There's really no room for anything more "descriptive and clear" than that.
If this is not sufficiently clear, you have to explain what exactly looks suspicious to you in this expression.

Sorting Number Compiler Error [closed]

I am trying to sort a list of numbers using radixsort, but ran into a compiler problem that I cannot solve after multiple tries.
I have two pointers, one at the back of the list and the other in front.
base is the number of buckets I am using for radixsort.
struct listnode **front,**back;
front = malloc(sizeof(*front) * base);
back = malloc(sizeof(*back) * base);
Error that I am getting is:
invalid conversion from void* to listnode**[-fpermissive]
Thanks in advance for the help.
It looks like you're using a C++ compiler to compile your C program. Either don't do that, or add a typecast to the return value of the malloc() calls.
The code works fine as a C program. Save the file with a .c extension and then compile it...
Still, if you want to compile it as a C++ program, you need to do a cast as
struct listnode **front,**back;
front = static_cast<listnode**> (malloc(sizeof(*front) * base));
back = static_cast<listnode**> (malloc(sizeof(*back) * base));
The reason is that C++ is a strongly typed language and does not allow the type of conversions between pointers like C does. You have to explicitly specify such a cast in C++. Implicit casts between pointers are a source of hard-to-find bugs and thus not supported in C++.
