[C++/ASM] [Resolved] Executing arbitrary assembler code
This can also be known as shellcode or bytecode or whatever you would like to call it. I am working on a file format that will have some shellcode contained in it that will help to decrypt the rest of the file.
So to be quick I was going to simply test an idea I had, but I ended up getting my favorite error, an access violation, C5 or whatever it is.
The code I am currently using looks as such:
Code:
void callByteCode(const char* bytecode) {
    __asm {
        mov eax, bytecode   // load the address of the byte string
        call eax            // jump into it; this is where the fault is raised
    }
}
int main() {
    const char* bytecode = "\x33\xC0\xC3";   // xor eax, eax ; ret
    callByteCode(bytecode);
    return 0;
}
The bytecode stands for
Now when debugging the access violation occurs on the xor eax,eax, but if I remove it and just make it a return, it still occurs, and if I use any other code it still has a violation right where the shellcode starts. Can anyone else compile the above and have it work? If not, why am I getting an access violation? It's not even accessing protected memory at all. I might just be missing something simple, but I generally don't work with shellcode at all anyway.
Also had the function like this and it did the same thing:
Code:
void callByteCode(const char* bytecode) {
    int (*bytefunc)();
    bytefunc = (int (*)())bytecode;   // treat the string's address as a function
    (*bytefunc)();                    // same access violation here
}
Re: [C++/ASM] Executing arbitrary assembler code
Well, I tested your script, had to change a lot since I use GCC (which has AT&T style). But it does seem to work fine for me. Extended it slightly to see if it actually works, and it does (it prints 0):
Code:
#include <iostream>
#include <string>
int callByteCode(const char *bytecode)
{
    int output = 5;
    __asm__
    (
        "call %%eax;"                      // GAS warns here; "call *%%eax" is the explicit indirect form
        : "=a" (output)                    // eax after the call is the result
        : "a" (bytecode)                   // eax before the call holds the code address
        : "ecx", "edx", "cc", "memory"     // a cdecl callee may clobber these
    );
    return output;
}
int main()
{
    std::string bytecode = "\x33\xC0\xC3";   // xor eax, eax ; ret
    std::cout << callByteCode(bytecode.c_str());
    return 0;
}
Basically it's the same as yours...not sure why yours doesn't work. I do get a warning though:
Warning: indirect call without `*'
Re: [C++/ASM] Executing arbitrary assembler code
Thanks, I'm beginning to think I must've checked an option I shouldn't have when compiling. I'll look into it some more later today when I have access to it.
Looking into it I don't see why I still get this. Are you also running on a *NIX box? I'm testing it in Vista, and I don't see why it would have a problem at all. It's kind of unnerving. I don't get any warnings at all.
Re: [C++/ASM] Executing arbitrary assembler code
Hmm, I tested it on a 32-bit WinXP with the latest GCC release (not MinGW, that has not got the latest).
Anyways, as far as I can read, you either write past allocated memory, or it's one of those bugs in VC6, but read these threads (I've never worked with VC so can't help you much): http://www.codeguru.com/forum/showthread.php?t=304102 or http://www.gidforums.com/t-3282.html
Just google the error and the error number (was it 0xC000005? more 0's probably).
Re: [C++/ASM] Executing arbitrary assembler code
Exactly, it's the 0xC0000005 error, but the thing is I don't see how I'm accessing memory not belonging to my program, as the variable should be within my access bounds, and even if I dynamically allocate it etc., it still happens to me.
Though I believe now it is due to DEP, so I'll see what I find from there.
Okay, I found out that DEP was causing the problem, because on Vista computers it's a little stricter by default than XP, especially because of new hardware DEP capable processors. I found a setting in VC++ that allows you to specify to the linker that the program is DEP incompatible, compiled that way, and it worked successfully. Thanks for the help Daevius!
Re: [C++/ASM] [Resolved] Executing arbitrary assembler code
Why would you execute x86 instructions within an application? This is in essence the very definition of "Data execution."
Do what the OS intended you to do: copy the binary you want to execute in a page with execute permissions and execute it that way. Your stack and the .data/.rdata sections of your PE file may or may not be mapped into pages with an execute flag. (Though it appears on this win XP 32bit machine that all sections of the executable are mapped with RWE permissions). It still, however, is not a good idea inside of your program to execute code held in an arbitrary string.
Primarily, you have NO control over the processor since you're operating in usermode. The traditional method of providing dynamic execution capabilities is to implement a scripting language, either in interpreted mode or by creating a VM that executes a virtual machine language which YOU define (you CAN define it to be x86, and in fact you can get IA-32 VM source code if you so desire), as then you have the capability of doing run-time checks to ensure code isn't being malicious (such as accessing memory outside of the pages you specify, à la pretending to be the kernel or ring-0 CPU features for programs executing in your VM). Additionally, many free scripting engines produce binary code by compiling the scripts (Lua, V8, ...).
It may make sense if you're trying to write your own scripting language to compile into x86 instructions though :). If so, there are some great books/resources for you to follow if you really want to make something of quality.