execute binary machine code from C

c gcc assembly nasm opcode

13,293

Solution 1

The code must be in a page with execute permission. By default, stack and read-write static data (like non-const globals) are in pages mapped without exec permission, for security reasons.

The simplest way is to compile with gcc -z execstack, which links your program such that stack and global variables (static storage) get mapped in executable pages, and so do allocations with malloc.

Another way to do it without making everything executable is to copy this binary machine code into an executable buffer.

#include <unistd.h>
#include <sys/mman.h>
#include <string.h>

char code[] = {0x55,0x48,0x89,0xe5,0x89,0x7d,0xfc,0x48,
    0x89,0x75,0xf0,0xb8,0x2a,0x00,0x00,0x00,0xc9,0xc3,0x00};
/*
00000000004004b4 <main> 55                          push   %rbp
00000000004004b5 <main+0x1>  48 89 e5               mov    %rsp,%rbp
00000000004004b8 <main+0x4>  89 7d fc               mov    %edi,-0x4(%rbp)
00000000004004bb <main+0x7>  48 89 75 f0            mov    %rsi,-0x10(%rbp)
'return 42;'
00000000004004bf <main+0xb>  b8 2a 00 00 00         mov    $0x2a,%eax
'}'
00000000004004c4 <main+0x10> c9                     leaveq 
00000000004004c5 <main+0x11> c3                     retq 
*/

int main(int argc, char **argv) { 
    void *buf;

    /* copy code to executable buffer */    
    buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
                MAP_PRIVATE|MAP_ANON,-1,0);
    memcpy (buf, code, sizeof(code));
    __builtin___clear_cache(buf, buf+sizeof(code)-1);  // on x86 this just stops memcpy from optimizing away as a dead store

    /* run code */
    int i = ((int (*) (void))buf)();
    printf("get this done. returned: %d", i);

    return 0;
}

output:

get this done. returned: 42

RUN SUCCESSFUL (total time: 57ms)

Without __builtin___clear_cache, this could break with optimization enabled because gcc would think the memcpy was a dead store and optimize it away. When compiling for x86, __builtin___clear_cache does not actually clear any cache; there are zero extra instructions; it just marks the memory as "used" so stores to it aren't considered "dead". (See the gcc manual.)

Another option would be to mprotect the page containing the char code[] array, giving it PROT_READ|PROT_WRITE|PROT_EXEC. This works whether it's a local array (on the stack) or global in the .data.

Or if it's const char code[] in the .rodata section, you might just give it PROT_READ|PROT_EXEC.

(In versions of binutils ld from before about 2019, the .rodata got linked as part of the same segment as .text, and was already mapped executable. But recent ld gives it a separate segment so it can be mapped without exec permission so const char code[] doesn't give you an executable array anymore, but it used to so you may this old advice in other places.)

Solution 2

The point is that DEP protection is enabled! you can goto Configurations -> Linker -> Advance -> DEP turn off , it's ok now .

void main（）{
int i = 11;
//The following is the method to generate the machine code directly!
//mov eax, 1; ret;
const char *code = "\xB8\x10\x00\x00\x00\xc3";
    __asm call code;  //test successful~..vs 2017
    __asm mov i ,eax;
printf("i=%d", i);
}

13,293

4pie0

>> p = [1 0 1]; >> roots(p) ans = 0.000000000000000 + 1.000000000000000i 0.000000000000000 - 1.000000000000000i

Updated on June 11, 2022

Comments

4pie0 almost 2 years

following this instructions I have managed to produce only 528 bytes in size a.out (when gcc main.c gave me 8539 bytes big file initially).

main.c was:

int main(int argc, char** argv) {

    return 42;
}

but I have built a.out from this assembly file instead:

main.s:

; tiny.asm
  BITS 64
  GLOBAL _start
  SECTION .text
  _start:
                mov     eax, 1
                mov     ebx, 42  
                int     0x80

with:

me@comp# nasm -f elf64 tiny.s
me@comp# gcc -Wall -s -nostartfiles -nostdlib tiny.o
me@comp# ./a.out ; echo $?
42
me@comp# wc -c a.out
528 a.out

because I need machine code I do:

objdump -d a.out

a.out:     file format elf64-x86-64


Disassembly of section .text:

00000000004000e0 <.text>:
  4000e0:   b8 01 00 00 00          mov    $0x1,%eax
  4000e5:   bb 2a 00 00 00          mov    $0x2a,%ebx
  4000ea:   cd 80                   int    $0x80

># objdump -hrt a.out

a.out:     file format elf64-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
 0 .note.gnu.build-id 00000024  00000000004000b0  00000000004000b0  000000b0 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 1 .text         0000000c  00000000004000e0  00000000004000e0  000000e0 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
SYMBOL TABLE:
no symbols

file is in little endian convention:

me@comp# readelf -a a.out
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x4000e0
  Start of program headers:          64 (bytes into file)
  Start of section headers:          272 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         2
  Size of section headers:           64 (bytes)
  Number of section headers:         4
  Section header string table index: 3

now I want to execute this like this:

#include <unistd.h>
 // which version is (more) correct?
 // this might be related to endiannes (???)
char code[] = "\x01\xb8\x00\x00\xbb\x00\x00\x2a\x00\x00\x80\xcd\x00";
char code_v1[] = "\xb8\x01\x00\x00\x00\xbb\x2a\x00\x00\x00\xcd\x80\x00";

int main(int argc, char **argv)
{
/*creating a function pointer*/
int (*func)();
func = (int (*)()) code;
(int)(*func)();

return 0;
}

however I get segmentation fault. My question is: is this section of text

  4000e0:   b8 01 00 00 00          mov    $0x1,%eax
  4000e5:   bb 2a 00 00 00          mov    $0x2a,%ebx
  4000ea:   cd 80                   int    $0x80

(this machine code) all I really need? What I do wrong (endiannes??), maybe I just need to call this in different way since SIGSEGV?

Kerrek SB over 10 years

You can't just treat a few random bytes as a function. You have to respect the compiler's calling conventions and provide suitable function prologues and epilogues.
4pie0 over 10 years

ofcourse, this opcodes are generated with same compiler, and not random, so should be OK, do you know what exactly should I do? why I can run it from terminal?
Kerrek SB over 10 years

First off, you need to make sure the code resides in executable memory. Try adding something like __attribute__((section, ".text")) or similar (see the manual). And as I said, make sure to implement the correct calling conventions.
4pie0 over 10 years

thanks, I will try to take opcodes from a.out generated by gcc normal way, but put opcodes then to asm and build a.out like before to avoid runtime libs overhead. do you consider this as a good idea? no, I will just use opcodes from a.out since I don't use any libs here
4pie0 over 10 years

I have this: * 00000000004004b4 <main> 55 push %rbp 00000000004004b5 <main+0x1> 48 89 e5 mov %rsp,%rbp 00000000004004b8 <main+0x4> 89 7d fc mov %edi,-0x4(%rbp) 00000000004004bb <main+0x7> 48 89 75 f0 mov %rsi,-0x10(%rbp) /NetBeansProjects/examples/tiny_c/tiny.c:15 return 42; 00000000004004bf <main+0xb> b8 2a 00 00 00 mov $0x2a,%eax /NetBeansProjects/examples/tiny_c/tiny.c:16 } 00000000004004c4 <main+0x10> c9 leaveq 00000000004004c5 <main+0x11> c3 retq
4pie0 over 10 years

I have extracted char code_v3[] = "\x55\x48\x89\xe5\x89\x7d\xfc\x48\x89\x75\xf0\xb8\x2a\x00\x0‌0\x00\xc9\xc3" from this, again SIGSEGV

Raymond Nijland over 10 years

Nice but with great knowledge comes great responsibility think about that before you going to misuse this....
Raymond Nijland over 10 years

you can use this code with some minor adjustments as an shellcode executer when there is an memory leak is the software but its much more difficult to get it right.. but i think you are building some kind as Virtual machine?
4pie0 over 10 years

no, I just wanted to execute from C/C++ program machine code written by myself.
Basile Starynkevitch over 10 years

Then consider using some JIT machine code generator library: LLVM, or GNU lightning or libjit. Or just use the asm instruction in C.
Basile Starynkevitch over 10 years

Alternatively (on Linux), generate C code at runtime, fork a compilation into a shared object, and dlopen that shared object...
Grady Player about 10 years

much safer is to define function types and dynamically load them... but this is cool too, as it provides a direct way to implement self modifying code and in protected memory land, you are unlikely to make the universe implode.
Peter Cordes over 5 years

Use const char code[] = ... to put the array in the .rodata section, which is linked as part of the TEXT segment on Linux. Then you can just cast code to a function pointer and call it, without even needing gcc -z execstack. (But that option makes heap and static data executable as well as the actual stack, so it's a good choice for messing around with stuff.)
Peter Cordes almost 5 years

I expanded your answer a bit to make it a better canonical answer that others can be a duplicate of, and to make the example code bulletproof even with optimization enabled.
Expolarity about 3 years

This is irrelevant, the OP used the GCC compiler on Linux (as seen by the commands used), Linux does not use DEP for userspace processes (afaik) and GCC does not feature the GUI that MSVC does