Access to Program Counter in C

Access to Program Counter in C

[A M]

Hello, 

Does anybody know how to access the address of the
current executing instruction in C while the program
is executing? 

Also, is there a method to load a program image from
memory not a file (an exec that works with a memory
address)? Mainly I am looking for a method that brings
a program image into memory modify parts of it and
start the in-memory modified version. 

Can anybody think of a method to replace a thread
image without replacing the whole process image? 

Thanks, 

Ali


		
__________________________________ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com 
 

Re: Access to Program Counter in C

[sandeep]

A M wrote:
 > Does anybody know how to access the address of the
 > current executing instruction in C while the program
 > is executing?
doing exactly as your words say, won't be possible (as
far as my limited experience with ix86 architecture goes),
but something nearabout can be achieved with little inline
assembly fragment.
you might find it useful/helpful to have a look at some of the early days virus 
codes. search on internet for sources for them.

 > Also, is there a method to load a program image from
 > memory not a file (an exec that works with a memory
 > address)? Mainly I am looking for a method that brings
 > a program image into memory modify parts of it and
 > start the in-memory modified version.
should be possible to have your version of exec (modified exec). file-image is 
also a sequence of bytes like any sequence of bytes in memory. normal exec would 
expect a particular layout/structural-organisation of the content in this 
sequence. what kind of layout/content you plan to have in your memory image 
would also decide how much different your version of exec would be.

 > Can anybody think of a method to replace a thread
 > image without replacing the whole process image?
will something on the lines of MS-DOS overlays work for you?

-- 
regards
sandeep
--------------------------------------------------------------------------
It is said that the lonely eagle flies to the mountain peaks while the
lowly ant crawls the ground, but cannot the soul of the ant soar as
high as the eagle?
--------------------------------------------------------------------------

Re: Access to Program Counter in C

[Glynn Clements]

A M wrote:

> Does anybody know how to access the address of the
> current executing instruction in C while the program
> is executing? 

You can write a function which will return the saved EIP, i.e. the
address of the instruction immediately following the "call"
instruction:

	#include <stdio.h>
	
	static void *get_eip(int dummy)
	{
		return *(void **)((char *)&dummy - 4);
	}
	
	int main(void)
	{
		void *eip = get_eip(0);
		printf("%p\n", eip);
		return 0;
	}

This relies upon the fact that the saved EIP is immediately below the
first argument on the stack.

Test run:

	Value returned is $1 = (void *) 0x80483a8
	> disassemble main
	Dump of assembler code for function main:
	0x0804838c <main+0>:	push   %ebp
	0x0804838d <main+1>:	mov    %esp,%ebp
	0x0804838f <main+3>:	sub    $0x18,%esp
	0x08048392 <main+6>:	and    $0xfffffff0,%esp
	0x08048395 <main+9>:	mov    $0x0,%eax
	0x0804839a <main+14>:	sub    %eax,%esp
	0x0804839c <main+16>:	movl   $0x0,(%esp,1)
	0x080483a3 <main+23>:	call   0x8048384 <get_eip>
==>	0x080483a8 <main+28>:	mov    %eax,0xfffffffc(%ebp)
	0x080483ab <main+31>:	mov    0xfffffffc(%ebp),%eax
	0x080483ae <main+34>:	mov    %eax,0x4(%esp,1)
	0x080483b2 <main+38>:	movl   $0x80484e4,(%esp,1)
	0x080483b9 <main+45>:	call   0x80482a8
	0x080483be <main+50>:	mov    $0x0,%eax
	0x080483c3 <main+55>:	leave  
	0x080483c4 <main+56>:	ret    
	End of assembler dump.


-- 
Glynn Clements <glynn@gclements.plus.com>

Re: Access to Program Counter in C

[siddharth vora]

Try :

 Call ($+5)
  pop ebp

 you will get the current instruction which u r executing in ebp !!  This is how viruses works, they decrypt it in the memory and starts executing from the memory afterwardz..

  Here CALL instruction is 4 bytes instruction so call $+5 will call the 5th byte which is the next instruction. And based upon the "call" behavior, it pushes the next instruction on the stack first and then JUMP to the instruction. So, in this case, on the stack you will have the exact instruction which you are executing !

Enjoy,
Siddharth.

----- Original Message -----
From: sandeep <sandeep@codito.com>
Date: Thursday, November 18, 2004 10:32 pm
Subject: Re: Access to Program Counter in C

> 
> A M wrote:
> > Does anybody know how to access the address of the
> > current executing instruction in C while the program
> > is executing?
> doing exactly as your words say, won't be possible (as
> far as my limited experience with ix86 architecture goes),
> but something nearabout can be achieved with little inline
> assembly fragment.
> you might find it useful/helpful to have a look at some of the 
> early days virus 
> codes. search on internet for sources for them.
> 
> > Also, is there a method to load a program image from
> > memory not a file (an exec that works with a memory
> > address)? Mainly I am looking for a method that brings
> > a program image into memory modify parts of it and
> > start the in-memory modified version.
> should be possible to have your version of exec (modified exec). 
> file-image is 
> also a sequence of bytes like any sequence of bytes in memory. 
> normal exec would 
> expect a particular layout/structural-organisation of the content 
> in this 
> sequence. what kind of layout/content you plan to have in your 
> memory image 
> would also decide how much different your version of exec would be.
> 
> > Can anybody think of a method to replace a thread
> > image without replacing the whole process image?
> will something on the lines of MS-DOS overlays work for you?
> 
> -- 
> regards
> sandeep
> --------------------------------------------------------------------
> ------
> It is said that the lonely eagle flies to the mountain peaks while the
> lowly ant crawls the ground, but cannot the soul of the ant soar as
> high as the eagle?
> --------------------------------------------------------------------
> ------
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-c-
> programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: Access to Program Counter in C

[Justinas]

On Thu, 18 Nov 2004 23:31:25 -0800
siddharth vora <sjv@usc.edu> wrote:

> 
> Try :
> 
>  Call ($+5)
>   pop ebp

yes, something like that.
In x86(DOS) when u do a call to near function(near, that means program don't change a code segment(CS) register) processot does something like this:
	mov	sp,sp-2
	mov	[sp],ip (next executable ip)

when call'e ret executed processor does:
	mov	ip,[sp]
	mov	sp,sp+2

so, you inscruction after call should be
	call <some function>
	mov  [ipdrr], sp-2
you'll get the IP if this instuction;]
I think u got the idea, look for call inctruction execution inside cpu for more details. I whote here with intension that cpu's word is 2B;]

_
Justinas Gulbinas
justinas@patikimi.lt

Re: Access to Program Counter in C

[sandeep]

siddharth vora wrote:
> Here CALL instruction is 4 bytes instruction so call $+5 will call the
> 5th byte which is the next instruction. And based upon the "call"
> behavior, it pushes the next instruction on the stack first and then
> JUMP to the instruction. So, in this case, on the stack you will have
> the exact instruction which you are executing !
am i right in taking it as, you meant to say - execution of call instruction 
pushes the return address, which is the address of instruction following call 
instruction. in the example you mentioned it would be the address of instruction 
"pop ebp". since you are jumping to this instuction (via call), at the end of 
it's execution ebp will have the address of "pop ebp" instruction.

-- 
regards
sandeep
--------------------------------------------------------------------------
It is said that the lonely eagle flies to the mountain peaks while the
lowly ant crawls the ground, but cannot the soul of the ant soar as
high as the eagle?
--------------------------------------------------------------------------

Re: Access to Program Counter in C

[siddharth vora]

Yep, 
 
 This z standard technique for the viruse encryption. 

Sid.
----- Original Message -----
From: sandeep <sandeep@codito.com>
Date: Friday, November 19, 2004 0:04 am
Subject: Re: Access to Program Counter in C

> siddharth vora wrote:
> > Here CALL instruction is 4 bytes instruction so call $+5 will 
> call the
> > 5th byte which is the next instruction. And based upon the "call"
> > behavior, it pushes the next instruction on the stack first and then
> > JUMP to the instruction. So, in this case, on the stack you will 
> have> the exact instruction which you are executing !
> am i right in taking it as, you meant to say - execution of call 
> instruction 
> pushes the return address, which is the address of instruction 
> following call 
> instruction. in the example you mentioned it would be the address 
> of instruction 
> "pop ebp". since you are jumping to this instuction (via call), at 
> the end of 
> it's execution ebp will have the address of "pop ebp" instruction.
> 
> -- 
> regards
> sandeep
> --------------------------------------------------------------------
> ------
> It is said that the lonely eagle flies to the mountain peaks while the
> lowly ant crawls the ground, but cannot the soul of the ant soar as
> high as the eagle?
> --------------------------------------------------------------------
> ------
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-c-
> programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>