execute binary machine code from C
Solution 1
The code must be in a page with execute permission. By default, stack and read-write static data (like non-const globals) are in pages mapped without exec permission, for security reasons.
The simplest way is to compile with gcc -z execstack
, which links your program such that stack and global variables (static storage) get mapped in executable pages, and so do allocations with malloc
.
Another way to do it without making everything executable is to copy this binary machine code into an executable buffer.
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
char code[] = {0x55,0x48,0x89,0xe5,0x89,0x7d,0xfc,0x48,
0x89,0x75,0xf0,0xb8,0x2a,0x00,0x00,0x00,0xc9,0xc3,0x00};
/*
00000000004004b4 <main> 55 push %rbp
00000000004004b5 <main+0x1> 48 89 e5 mov %rsp,%rbp
00000000004004b8 <main+0x4> 89 7d fc mov %edi,-0x4(%rbp)
00000000004004bb <main+0x7> 48 89 75 f0 mov %rsi,-0x10(%rbp)
'return 42;'
00000000004004bf <main+0xb> b8 2a 00 00 00 mov $0x2a,%eax
'}'
00000000004004c4 <main+0x10> c9 leaveq
00000000004004c5 <main+0x11> c3 retq
*/
int main(int argc, char **argv) {
void *buf;
/* copy code to executable buffer */
buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON,-1,0);
memcpy (buf, code, sizeof(code));
__builtin___clear_cache(buf, buf+sizeof(code)-1); // on x86 this just stops memcpy from optimizing away as a dead store
/* run code */
int i = ((int (*) (void))buf)();
printf("get this done. returned: %d", i);
return 0;
}
output:
get this done. returned: 42
RUN SUCCESSFUL (total time: 57ms)
Without __builtin___clear_cache
, this could break with optimization enabled because gcc would think the memcpy
was a dead store and optimize it away. When compiling for x86, __builtin___clear_cache
does not actually clear any cache; there are zero extra instructions; it just marks the memory as "used" so stores to it aren't considered "dead". (See the gcc manual.)
Another option would be to mprotect
the page containing the char code[]
array, giving it PROT_READ|PROT_WRITE|PROT_EXEC
. This works whether it's a local array (on the stack) or global in the .data
.
Or if it's const char code[]
in the .rodata
section, you might just give it PROT_READ|PROT_EXEC
.
(In versions of binutils ld
from before about 2019, the .rodata
got linked as part of the same segment as .text
, and was already mapped executable. But recent ld
gives it a separate segment so it can be mapped without exec permission so const char code[]
doesn't give you an executable array anymore, but it used to so you may this old advice in other places.)
Solution 2
The point is that DEP protection is enabled! you can goto Configurations -> Linker -> Advance -> DEP turn off , it's ok now .
void main(){
int i = 11;
//The following is the method to generate the machine code directly!
//mov eax, 1; ret;
const char *code = "\xB8\x10\x00\x00\x00\xc3";
__asm call code; //test successful~..vs 2017
__asm mov i ,eax;
printf("i=%d", i);
}
Related videos on Youtube
4pie0
>> p = [1 0 1]; >> roots(p) ans = 0.000000000000000 + 1.000000000000000i 0.000000000000000 - 1.000000000000000i
Updated on June 11, 2022Comments
-
4pie0 almost 2 years
following this instructions I have managed to produce only 528 bytes in size a.out (when gcc main.c gave me 8539 bytes big file initially).
main.c was:
int main(int argc, char** argv) { return 42; }
but I have built a.out from this assembly file instead:
main.s:
; tiny.asm BITS 64 GLOBAL _start SECTION .text _start: mov eax, 1 mov ebx, 42 int 0x80
with:
me@comp# nasm -f elf64 tiny.s me@comp# gcc -Wall -s -nostartfiles -nostdlib tiny.o me@comp# ./a.out ; echo $? 42 me@comp# wc -c a.out 528 a.out
because I need machine code I do:
objdump -d a.out a.out: file format elf64-x86-64 Disassembly of section .text: 00000000004000e0 <.text>: 4000e0: b8 01 00 00 00 mov $0x1,%eax 4000e5: bb 2a 00 00 00 mov $0x2a,%ebx 4000ea: cd 80 int $0x80 ># objdump -hrt a.out a.out: file format elf64-x86-64 Sections: Idx Name Size VMA LMA File off Algn 0 .note.gnu.build-id 00000024 00000000004000b0 00000000004000b0 000000b0 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .text 0000000c 00000000004000e0 00000000004000e0 000000e0 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE SYMBOL TABLE: no symbols
file is in little endian convention:
me@comp# readelf -a a.out ELF Header: Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Advanced Micro Devices X86-64 Version: 0x1 Entry point address: 0x4000e0 Start of program headers: 64 (bytes into file) Start of section headers: 272 (bytes into file) Flags: 0x0 Size of this header: 64 (bytes) Size of program headers: 56 (bytes) Number of program headers: 2 Size of section headers: 64 (bytes) Number of section headers: 4 Section header string table index: 3
now I want to execute this like this:
#include <unistd.h> // which version is (more) correct? // this might be related to endiannes (???) char code[] = "\x01\xb8\x00\x00\xbb\x00\x00\x2a\x00\x00\x80\xcd\x00"; char code_v1[] = "\xb8\x01\x00\x00\x00\xbb\x2a\x00\x00\x00\xcd\x80\x00"; int main(int argc, char **argv) { /*creating a function pointer*/ int (*func)(); func = (int (*)()) code; (int)(*func)(); return 0; }
however I get segmentation fault. My question is: is this section of text
4000e0: b8 01 00 00 00 mov $0x1,%eax 4000e5: bb 2a 00 00 00 mov $0x2a,%ebx 4000ea: cd 80 int $0x80
(this machine code) all I really need? What I do wrong (endiannes??), maybe I just need to call this in different way since SIGSEGV?
-
Kerrek SB over 10 yearsYou can't just treat a few random bytes as a function. You have to respect the compiler's calling conventions and provide suitable function prologues and epilogues.
-
4pie0 over 10 yearsofcourse, this opcodes are generated with same compiler, and not random, so should be OK, do you know what exactly should I do? why I can run it from terminal?
-
Kerrek SB over 10 yearsFirst off, you need to make sure the code resides in executable memory. Try adding something like
__attribute__((section, ".text"))
or similar (see the manual). And as I said, make sure to implement the correct calling conventions. -
4pie0 over 10 yearsthanks, I will try to take opcodes from a.out generated by gcc normal way, but put opcodes then to asm and build a.out like before to avoid runtime libs overhead. do you consider this as a good idea? no, I will just use opcodes from a.out since I don't use any libs here
-
4pie0 over 10 yearsI have this: * 00000000004004b4 <main> 55 push %rbp 00000000004004b5 <main+0x1> 48 89 e5 mov %rsp,%rbp 00000000004004b8 <main+0x4> 89 7d fc mov %edi,-0x4(%rbp) 00000000004004bb <main+0x7> 48 89 75 f0 mov %rsi,-0x10(%rbp) /NetBeansProjects/examples/tiny_c/tiny.c:15 return 42; 00000000004004bf <main+0xb> b8 2a 00 00 00 mov $0x2a,%eax /NetBeansProjects/examples/tiny_c/tiny.c:16 } 00000000004004c4 <main+0x10> c9 leaveq 00000000004004c5 <main+0x11> c3 retq
-
4pie0 over 10 yearsI have extracted char code_v3[] = "\x55\x48\x89\xe5\x89\x7d\xfc\x48\x89\x75\xf0\xb8\x2a\x00\x00\x00\xc9\xc3" from this, again SIGSEGV
-
-
Raymond Nijland over 10 yearsNice but with great knowledge comes great responsibility think about that before you going to misuse this....
-
Raymond Nijland over 10 yearsyou can use this code with some minor adjustments as an shellcode executer when there is an memory leak is the software but its much more difficult to get it right.. but i think you are building some kind as Virtual machine?
-
4pie0 over 10 yearsno, I just wanted to execute from C/C++ program machine code written by myself.
-
Basile Starynkevitch over 10 yearsThen consider using some JIT machine code generator library: LLVM, or GNU lightning or libjit. Or just use the
asm
instruction in C. -
Basile Starynkevitch over 10 yearsAlternatively (on Linux), generate C code at runtime, fork a compilation into a shared object, and
dlopen
that shared object... -
Grady Player about 10 yearsmuch safer is to define function types and dynamically load them... but this is cool too, as it provides a direct way to implement self modifying code and in protected memory land, you are unlikely to make the universe implode.
-
Peter Cordes over 5 yearsUse
const char code[] = ...
to put the array in the.rodata
section, which is linked as part of the TEXT segment on Linux. Then you can just castcode
to a function pointer and call it, without even needinggcc -z execstack
. (But that option makes heap and static data executable as well as the actual stack, so it's a good choice for messing around with stuff.) -
Peter Cordes almost 5 yearsI expanded your answer a bit to make it a better canonical answer that others can be a duplicate of, and to make the example code bulletproof even with optimization enabled.
-
Expolarity about 3 yearsThis is irrelevant, the OP used the GCC compiler on Linux (as seen by the commands used), Linux does not use DEP for userspace processes (afaik) and GCC does not feature the GUI that MSVC does