All geek questions in one place

Is it possible to overwrite a code segment with a regular C ++ program under Windows XP?

I am currently studying a Windows crash dump, and the Visual Studio debugger shows me an “illegal instruction 0xC000001D” when opening a dump file. The code position displaying this error shows a disassembly in the following example:

 void g(int x) {
 00401E80  push        ebp  
 00401E81  mov         ebp,esp 
    if(x > 20) {
 00401E83  cmp         dword ptr [x],14h 
 00401E87  jle         g+14h (401E94h) 
        x *= 4;
>00401E89  db          0fh  // illegal instruction here
 00401E8A  db          0fh  
 00401E8B  xadd        eax,esp 
 00401E8E  add         cl,byte ptr [ecx+9EB0845h] 
        x += 42;
 00401E94  mov         ecx,dword ptr [x]
 ...

I manually created the above example in the debugger, overwriting the function code with some invalid values ​​in the debugger memory window, but the crash dump that I checked shows the same record db 0fh, apparently indicating an invalid instruction. The code is also similar to what my dump file shows, since the instructions before the invalid instruction seem valid and correspond to the source code.

++- - (Visual ++ 2005 Windows XP), ?

, , .

{
    void* fnAddr = &g; // non-portable but OK in VC++
    unsigned int x = 0xDEADBEEF;
    // Simulate memory corruption: Try to write something to the code segment:
    memcpy((char*)fnAddr+4, &x, sizeof(x)); // generated 0xC0000005 Access Violation
    g(42); // call messed up function - never get here
}

- , - ?

, , , - .., , , , , , - , , .

+3
4

, , , . . . RAM. , .

+3

, (, ) . , , . , .

+1

, , , , Java JIT, - Java " " .

0

.text RX. Howerer, VirtualProtect, . , .

, :

code:00401000 55                                push    ebp
code:00401001 89 E5                             mov     ebp, esp
code:00401003 81 7D 08 14 00 00+                cmp     dword ptr [ebp+8], 14h
code:0040100A 7E 0B                             jle     short loc_401017
code:0040100A                   ; ---------------------------------------------------------------------------
code:0040100C 0F                                db  0Fh // here should be x += 10.5; ??
code:0040100D 0F                                db  0Fh 
code:0040100E 0F                                db  0Fh 
code:0040100F                   ; ---------------------------------------------------------------------------
code:0040100F C1 E0 02                          shl     eax, 2 ; //x *= 4
code:00401012
code:00401012                   loc_401012:
code:00401012 89 45 08                          mov     [ebp+8], eax // save x
code:00401015 EB 09                             jmp     short near ptr unk_401020
code:00401017                   ; ---------------------------------------------------------------------------
code:00401017
code:00401017                   loc_401017:                             ; CODE XREF: code:0040100Aj
code:00401017 8B 4D 08                          mov     ecx, [ebp+8]

, 10.5 eax, - .

if (x > 20){
      x *= 4; 
      x += 40;
};

g(int) asm? ( , , ).

0

Source: https://habr.com/ru/post/1776272/

More articles:


All Articles