Is this possible?

I want to place intel assembly code into a char buffer, and then execute that code from within a C program

If I placed the assembly code into a buffer, could I cast it into a function pointer and call that?

I am using GCC and linux

+1  A: 

Yes you could. In fact that is how a buffer overflow attack could work. For more information Google buffer overflow attacks. Breaking execution into direct assembly will always work (so long as the assembly is correct).

Robert Massaioli
Well, not Assembly code. Machine code.
Tordek
Well, yeah, sorry. I should have been more precise. In my mind assembly and machine code are very close together.
Robert Massaioli
A: 

Perhaps Google can help you write a buffer overflow exploit?

Emil
Sorry, the official consensus (http://meta.stackoverflow.com/questions/8724/how-to-deal-with-google-questions) is that answers with a simple Google link aren't considered acceptable.
Chris Lutz
I think Emil wanted to point out the possibility of a bad intention.
Adriaan
+8  A: 

Do you want to execute Intel assembly code or machine code? If you want to execute machine code, then yes, you can, provided that the memory page the character buffer is on is not marked NX (no execute).

If you're talking about assembly code, then no, you would first need to run the code through an assembler (on Un*x systems the standard one is typically called as; on Linux, this should be the same as gas) and then run the resulting machine code.

Michael E
+1, this is my reading of the original question, too.
Warren Young
A: 

Maybe -- the syntax is:

char buff[/* enough space */];
/* fill in buff with the right opcodes that conform to the Linux ABI */
((void (*)()) buff) ();

The problem is the modern x64s have a mode called "W^X" or "NX bit" which prevents the above code from executing from data pointers. There are APIs for dealing with this, but I am not familiar with the Linux one; a little Googling seems to indicate that you actually mark your .o files at link time wanting to disable the NX bit. That seems like a bad idea to me (it seems instead that you should be able to, at run time, promote a data region to be executable, or allocate a writable region from a runnable region of memory; but hey, that's just my opinion -- maybe it's really hard to do that.)

Assuming you don't have a NX bit or W^X issue, then just do that cast above and have a ball.

Paul Hsieh
In Linux, you can use mprotect to promote a memory region to be executable.
Keith Randall
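Keith Randall's mprotect suggestion worked through as an added example (this is not code from any of the answers): a small, constructed machine-code stub is copied into a freshly mmap'd page, the page is switched from writable to executable with mprotect so it is never both at once, and the buffer is then cast to a function pointer and called. It assumes Linux with GCC or Clang on x86-64 or AArch64; the stub bytes encode "return 42" for those two targets.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*int_fn)(void);
/* Constructed machine code for "return 42", selected per architecture. */
#if defined(__x86_64__)
static const unsigned char RETURN_42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                           0xc3 };                         /* ret */
#elif defined(__aarch64__)
static const unsigned char RETURN_42[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                           0xc0, 0x03, 0x5f, 0xd6 };      /* ret */
#else
#error "add a return-42 stub for this architecture"
#endif

/* Copy machine code into a fresh anonymous page, flip it from RW to RX
 * (never writable and executable at once), call it, and return its result.
 * Returns -1 if mmap or mprotect fails. */
int run_machine_code(const unsigned char *code, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = ((len + page - 1) / page) * page;
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, len);
    __builtin___clear_cache((char *)mem, (char *)mem + len); /* ARM i-cache sync */
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return -1;
    }
    int_fn fn = (int_fn)(uintptr_t)mem;  /* the function-pointer cast the answers describe */
    int result = fn();
    munmap(mem, size);
    return result;
}

/* Runs the stub; expected to return 42. */
int demo_return_42(void) {
    return run_machine_code(RETURN_42, sizeof RETURN_42);
}

int main(void) {
    printf("stub returned %d\n", demo_return_42());
    return 0;
}
```

Calling the same bytes while they still sit in a plain `char` array on the stack or in `.data` would fault under NX, which is the failure Paul Hsieh describes.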
A: 

This actually works about the way you'd expect, as long as you get the function pointer syntax right. Other than security exploits, you can use this technique for performance optimization.

I should know better than to type code in with my phone, but...

unsigned char buffer[] = {blah, blah, blah ...};   /* machine-code bytes */
void (*p)(void) = (void (*)(void)) buffer;        /* cast the buffer to a function pointer */
p();
Mark Bessey
A: 

If you want to execute something like "pop %[register] push %[register]" as you write in your comment, yes, this is possible, but it isn't easy.

You need to either write an assembler or embed an open source assembler in your application. You feed your assembler with your char array, create the machine code (preferably PIC code, so you can omit the linking and relocating) in another buffer and execute code in this buffer via a function pointer.

If you can guarantee there is an "as" or "gas" on the platform you run the code on, you might get away with a quick and dirty hack to call "as" with your code piped in and the object code piped out.

drhirsch