Inline Asm

Correct me if I'm wrong, but I believe it's possible to load executable data from a file and execute it through a jmp instruction using inline asm. Assuming that is correct, what would the correct syntax be? I'm using MinGW with CodeBlocks (AT&T syntax asm).

I tried the following code, but it crashes from a segfault.
#include <cstdint>
#include <fstream>
#include <iterator>
#include <string>
using namespace std;

int main()
{
    // Read the whole file as raw bytes. istreambuf_iterator stops exactly at
    // EOF; the usual while (file.good()) loop pushes one stale byte after it.
    ifstream file("hw.exe", ios::binary);
    string data((istreambuf_iterator<char>(file)), istreambuf_iterator<char>());
    file.close();

    // Copy into a byte buffer. This is ordinary heap memory from new, which
    // is not guaranteed to be mapped executable.
    uint8_t* buf = new uint8_t[data.size()];
    for (size_t i = 0; i < data.size(); i++)
    {
        buf[i] = static_cast<uint8_t>(data[i]);
    }

    // Indirect jump to the first byte of the buffer. For an .exe that byte
    // starts the DOS "MZ" header, not machine code, so this is where the
    // crash comes from.
    asm volatile ("jmp *%0"
        : /*no output operands*/
        :"r"(buf)
        : /*no clobbered registers*/
    );

    return 0;
}
* An EXE file is not all machine code. If you want to run a program, just use CreateProcess. There is some hard work needed otherwise. If you are willing, though, I suggest starting with COM files, as they are much simpler.

* The OS might not be crazy about executing random memory. Although I think I've done similar things on Windows...

* I don't get that ASM, possibly due to AT&T syntax. Why would you jump to 0?
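As an added example (my own code, not anything posted in this thread), here is the shape of "load bytes from a file and execute them" that the OS will actually allow: the bytes must be raw machine code, not a whole PE image, and they must sit in memory that is mapped executable. The two byte strings are constructed for the demo, the function names are mine, and the Windows branch uses VirtualAlloc/VirtualProtect while the other branch uses mmap/mprotect so the same file builds with MinGW and on Linux. The guard on the "MZ" signature is there because an .exe file starts with the DOS header, so jumping to offset 0 of the file image runs header bytes, not code.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

typedef int (*code_fn)(void);

/* Every PE executable begins with the DOS "MZ" header, not with code.
 * Jumping to offset 0 of a file image executes header bytes. */
int looks_like_pe_image(const uint8_t *buf, size_t len)
{
    return len >= 2 && buf[0] == 'M' && buf[1] == 'Z';
}

/* Allocate read/write memory, copy the code in, then flip the pages to
 * read/execute. Memory from new/malloc is not mapped executable, and
 * mapping RWX in one step is avoided (W^X). Returns NULL on refusal. */
code_fn load_code(const uint8_t *code, size_t len)
{
    if (len == 0 || looks_like_pe_image(code, len))
        return NULL;
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL)
        return NULL;
    memcpy(mem, code, len);
    DWORD old;
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return NULL;
    }
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return NULL;
    }
#endif
    return (code_fn)mem;
}

void release_code(code_fn fn, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree((void *)fn, 0, MEM_RELEASE);
#else
    munmap((void *)fn, len);
#endif
}

/* Constructed sample: "mov eax, 42 ; ret" (B8 2A 00 00 00 C3), encoded the
 * same way on i386 and x86-64 and callable as int(void). */
static const uint8_t sample_code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* Constructed sample: the first bytes of a DOS/PE header ("MZ" followed by
 * the e_cblp and e_cp fields). Not code; load_code refuses it. */
static const uint8_t sample_pe_head[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };

/* Load sample_code into executable memory and call it. Returns 42. */
int run_sample_code(void)
{
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
    code_fn fn = load_code(sample_code, sizeof sample_code);
    if (fn == NULL)
        return -1;
    int result = fn();
    release_code(fn, sizeof sample_code);
    return result;
#else
    /* The sample bytes are x86 machine code. On other CPUs the stub is not
     * executed; report the value it returns on x86 so the demo still runs. */
    return 42;
#endif
}

int main(void)
{
    printf("PE header rejected: %s\n",
           load_code(sample_pe_head, sizeof sample_pe_head) == NULL ? "yes" : "no");
    printf("sample code returned %d\n", run_sample_code());
    return 0;
}
```

The point of the "MZ" check is the same one hamsterman makes above: a file image is headers plus sections that the loader has to map, relocate and bind before its entry point is runnable, so the only bytes you can feed to load_code are ones you already know are position-independent machine code.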
I believe the jmp %0 is the offset from the start of the exe.
closed account (zwA4jE8b)
Here is a nice article on stack exploits; it is similar to what you are doing, in that it overflows a char buffer to run some shell code. It is for Linux, though, and it uses the AT&T/GAS syntax for assembly.

http://destroy.net/machines/security/P49-14-Aleph-One

"A stack is an abstract data type frequently used in computer science."

Well, this part of that doc is incorrect. The stack at the machine level is not a data type, it's a section of memory.

Only the STL stack class is a data type.

He goes on to change what he calls a stack:

"A stack is a contiguous block of memory containing data."

I'm not saying the doc should be disregarded, but it needs to be taken with a grain of salt.
roberts wrote:
I believe the jmp %0 is the offset from the start of the exe.

Yes, it is the offset.

@CreativeMFS: Nice article, thanks.

@hamsterman: Ok, I guess I won't reinvent the wheel this time.

Thanks for the help everyone.
@roberts, your definition of ADT is uselessly strict. Both SS and std::stack have their memory locations and the operations push and pop. This is all that should matter. The only differences are that std::stack performs reallocations and SS is implemented in the instruction set.