From: siddharth vora <sjv@usc.edu>
To: sandeep <sandeep@codito.com>
Cc: A M <alim1993@yahoo.com>,
linux-c-programming@vger.kernel.org,
linux-assembly@vger.kernel.org
Subject: Re: Access to Program Counter in C
Date: Thu, 18 Nov 2004 23:31:25 -0800
Message-ID: <90db62064205.419d30cd@usc.edu>
Try:
call $+5
pop ebp
You will get the current instruction which you are executing in ebp! This is how viruses work: they decrypt it in memory and start executing from memory afterwards.
Here the CALL instruction is a 4-byte instruction, so call $+5 will call the 5th byte, which is the next instruction. And based upon the "call" behavior, it pushes the next instruction on the stack first and then jumps to the instruction. So, in this case, on the stack you will have the exact instruction which you are executing!
Enjoy,
Siddharth.
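As an added example (not code from the original thread), here is the call/pop trick from the post wrapped in C inline assembly, with the sampled address compared against the function's own start so the result can be checked. The function names are my own; it assumes GCC or Clang and uses a label (`call 1f`) in place of the hand-counted `call $+5`.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns the address of an instruction inside this function body
 * (assumed helper; noinline so the address really is in this function). */
__attribute__((noinline)) uintptr_t current_pc(void)
{
    uintptr_t pc;
#if defined(__i386__)
    /* Same idea as "call $+5 / pop": the call pushes the address of the
     * next instruction (the pop at label 1), and the pop retrieves it.
     * Writing the target as a label avoids hand-counting the call's
     * encoded length (5 bytes for a rel32 call). */
    __asm__ volatile("call 1f\n\t"
                     "1: pop %0"
                     : "=r"(pc));
#elif defined(__x86_64__)
    /* 64-bit code can read RIP directly via RIP-relative addressing; an
     * unmatched call/pop would also upset a CET shadow stack where enabled. */
    __asm__ volatile("lea 0(%%rip), %0" : "=r"(pc));
#else
    /* Portable fallback: GCC/Clang "labels as values" extension. */
    pc = (uintptr_t)&&here;
here:;
#endif
    return pc;
}

/* Sanity check a caller can assert on: the sampled address must lie at or
 * after current_pc's first byte and within a small window, since the
 * function is only a handful of instructions long. */
int pc_is_inside_function(void)
{
    uintptr_t start = (uintptr_t)current_pc;
    uintptr_t pc = current_pc();
    return pc >= start && pc - start < 256;
}

int main(void)
{
    printf("current_pc() = %#lx, function starts at %#lx -> %s\n",
           (unsigned long)current_pc(), (unsigned long)current_pc,
           pc_is_inside_function() ? "inside" : "OUTSIDE");
    return pc_is_inside_function() ? 0 : 1;
}
```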
----- Original Message -----
From: sandeep <sandeep@codito.com>
Date: Thursday, November 18, 2004 10:32 pm
Subject: Re: Access to Program Counter in C
>
> A M wrote:
> > Does anybody know how to access the address of the
> > current executing instruction in C while the program
> > is executing?
> Doing exactly what your words say won't be possible (as far as my
> limited experience with the ix86 architecture goes), but something
> near to it can be achieved with a little inline assembly fragment.
> You might find it useful/helpful to have a look at some of the
> early-day virus codes. Search the internet for their sources.
>
> > Also, is there a method to load a program image from
> > memory not a file (an exec that works with a memory
> > address)? Mainly I am looking for a method that brings
> > a program image into memory modify parts of it and
> > start the in-memory modified version.
> It should be possible to have your own version of exec (a modified
> exec). A file image is also a sequence of bytes, like any sequence of
> bytes in memory. Normal exec would expect a particular
> layout/structural organisation of the content in this sequence. What
> kind of layout/content you plan to have in your memory image would
> also decide how different your version of exec would be.
>
> > Can anybody think of a method to replace a thread
> > image without replacing the whole process image?
> Will something along the lines of MS-DOS overlays work for you?
>
> --
> regards
> sandeep
> --------------------------------------------------------------------------
> It is said that the lonely eagle flies to the mountain peaks while the
> lowly ant crawls the ground, but cannot the soul of the ant soar as
> high as the eagle?
> --------------------------------------------------------------------------
>