发表新帖
发表新帖

Execute Instructions From The Heap

后端 未结
关注
4 1258
失恋的感觉
失恋的感觉 2020-12-11 09:53

Can I allocate a block on the heap, set its bytes to values that correspond to a function call and its parameters, then use the function call and dereference operators to ex

相关标签:
4条回答
  • 你的背包
    2020-12-11 10:12

    Yes, but you must ensure that the memory is marked executable. How you do that depends on the architecture.

    0 讨论(0)
  • 死守一世寂寞
    2020-12-11 10:20

    In windows, for example, this is now very hard to do when it was once very easy. I used to be able to take an array of bytes in C and then cast it to a function pointer type to execute it... but not any more.

    Now, you can do this if you can call Global or VirtualAlloc functions and specifically ask for executable memory. On most platforms its either completely open or massively locked down. Doing this sort of thing on iOS, for example, is a massive headache and it will cause a submission fail on the app store if discovered.

    here is some fantastically out of date and crusty code where i did the original thing you described:

    https://code.google.com/p/fridgescript/source/browse/trunk/src/w32/Code/Platform_FSCompiledCode.cpp

    using bytes from https://code.google.com/p/fsassembler

    you may notice in there that i need to provide platform (windows) specific allocation functions to get some executable memory:

    https://code.google.com/p/fridgescript/source/browse/trunk/src/w32/Core/Platform_FSExecutableAlloc.cpp

    0 讨论(0)
  • 星月不相逢
    2020-12-11 10:21

    So if I read you right you want to dynamically create CPU assembly instructions on the heap and execute them. A bit like self-modifying code. In theory that's possible, but in practice maybe not.

    The problem is that the heap is in a data segment, and CPU's/operating systems nowadays have measures to prevent exactly this kind of behavior (it's called the NX bit, or No-eXecute bit for x86 CPUs). If a segement is marked as NX, you can't execute code from it. This was invented to stop computer virusses from using buffer overflows to place exectuable code in data/heap/stack memory and then try the calling program to execute such code.

    Note that DLL's and libraries are loaded in the code segment, which of course allows code execution.

    0 讨论(0)
  • 天涯浪人
    2020-12-11 10:34

    Yes. How else could Dynamic loading and Linking work? Remembering that some (most?) Operating Systems, and some (most?) Linkers are also written in C/C++. For example,

    #include <dlfcn.h>
void* initializer = dlsym(sdl_library,"SDL_Init");
if (initializer == NULL) {
    // report error ...
} else {
    // cast initializer to its proper type and use
}

    Also, I believe that a JIT (e.g. GNU lightning and others) in general performs those operations.

    0 讨论(0)
 看不清?
提交回复
热议问题