Functions in dynamic memory
Recently, as an experiment I was curious about executing code in dynamic memory in a C/C++ program.
It’s doable, but you need to do a few things you may not think of; you cannot just insert the assembly into your variable, and call it like a function.
|
1 2 3 4 5 6 7 8 |
BYTE *memory = new BYTE[size+1]; memset(memory, 0, size+1); /* .. snip .. */ typedef void func(void); func *DynamicMemoryFunction = (func *)memory; DynamicMemoryFunction(); |
The problem with that code is that you’re not changing the permissions of the memory to be executable; since it’s dynamically allocated, it has read and write permissions, but not execute.
In order to achieve that, we make use of the VirtualProtectEx function. The permission constant we’re after is PAGE_EXECUTE_READWRITE. Our code now becomes:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
BYTE *memory = new BYTE[size+1]; memset(memory, 0, size+1); /* .. snip .. */ DWORD oldProtect; VirtualProtectEx(GetCurrentProcess(), memory, size, PAGE_EXECUTE_READWRITE, &oldProtect); typedef void func(void); func *DynamicMemoryFunction = (func*)memory; DynamicMemoryFunction(); VirtualProtectEx(GetCurrentProcess(), memory, size, oldProtect, &oldProtect); |
Now that you know what’s needed to execute it, what about writing the assembly into the variable? You sadly, cannot just assign it like this:
|
1 2 3 4 5 6 7 8 9 10 11 |
BYTE *memory = new BYTE[size+1]; memset(memory, 0, size+1); char tmp[] = "Hello World"; memory = __asm { pushad push &tmp call printf popad }; |
You need to work out the hex for each opcode and assign it on a per-byte basis. You also need to take into account how external functions are called in assembly:
|
1 |
call dword ptr ds:[0xDEADBEEF] |
The call is looked up in the programs thunk table, which then points to the proper address; a double pointer. So for us to do a call properly, we can either make use of the thunk table (finding it + referencing it) or we can use a variable of our own, like so:
|
1 2 3 4 5 6 7 8 9 10 11 |
DWORD printf_addr = (DWORD)&printf; DWORD printf_addr_addr = (DWORD)&printf_addr; char *tmp = new char[14]; strncpy(tmp, "Hello World\r\n", 14); BYTE *m = new BYTE[8]; m[0] = 0x68; // push memcpy((m+1), &tmp, 4); m[5] = 0xFF; m[6] = 0x15; // call dword ptr memcpy((m+7), &printf_addr_addr, 4); |
Putting together everything from this article, here is a fully working “Hello world” achieved with dynamic memory.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
#include <cstdio> #define WIN32_LEAN_AND_MEAN #include <Windows.h> int main() { char *tmp = new char[14]; strncpy(tmp, "Hello world\r\n", 14); DWORD printf_addr = (DWORD)&printf; DWORD printf_addr_addr = (DWORD)&printf_addr; BYTE *ptr = new BYTE[13]; memset(ptr, 0, 13); ptr[0] = 0x68; // push memcpy((ptr+1), &tmp, 4); ptr[5] = 0xFF; ptr[6] = 0x15; // call dword ptr memcpy((ptr+7), &printf_addr_addr, 4); ptr[11] = 0x59; // pop ecx ptr[12] = 0xC3; // retn DWORD oldProtect; VirtualProtectEx(GetCurrentProcess(), ptr, 12, PAGE_EXECUTE_READWRITE, &oldProtect); typedef void func(void); func *f = (func*)ptr; f(); VirtualProtectEx(GetCurrentProcess(), ptr, 12, oldProtect, &oldProtect); memset(ptr, 0, 13); delete[] ptr; delete[] tmp; getchar(); return 0; } |
That’s probably the most complicated hello world I’ve made..
Recent Comments