Writing to the Code Segement of Memory
I was twiddling a static lib after it was loaded into memory using MSVC. Now, if MSVC can twiddle the code in ram, it must be possible to do this from a user app. I tried to do this progmatically, but it blows up with an exception.
Anyone know how MSVC accomplishes this?
Magmai Kai Holmlor
- The disgruntled & disillusioned
code pages are marked read-only, but there is no reason that you cannot jump to data pages. Programs when running under a debuger usually don''t actually have a proper protected code segment (that would be the debuger). Self modifing code is kewl, but my assembly is so rusty I really can''t give you many hints on how to actually do this. Is there a call EAX? In any event the usual way to do this is to copy a function to a space in your data segment/heap, load it''s entry point into a register, and call [reg]. As the subroutine is just in a data segment you can change it to anything you want.
Note that there probably are a lot of optimizations that the processor turns off when executing instructions from a non read-only segment. For example the I-cache cannot be used, nor does the D-cache do you any good, I don''t think you can fetch/decode and instruction from the D-cache.
Years ago the borland (and other) math libraries had some self modifiying instructions that would replace function calls to floating point libaries with the co-processor equivilents at load time. PPro''s had _great_ grief with these and you more or less had to recompile everything with the co-processor instructions forced.
People do this for copy protection as well, and win3.? beta''s had some self modifiying code that checked to see if you were running DR-Dos and then reported a cryptic error code, that if you asked micros~1 about it they said "oh thats TERRIBLE, ms-dos has been courrupted and become HORRABLY UNSTABLE, all of your data is probably courrupt"
this article has the details. Note that this is all real mode stuff, but it''s still an interesting little trick.
Note that there probably are a lot of optimizations that the processor turns off when executing instructions from a non read-only segment. For example the I-cache cannot be used, nor does the D-cache do you any good, I don''t think you can fetch/decode and instruction from the D-cache.
Years ago the borland (and other) math libraries had some self modifiying instructions that would replace function calls to floating point libaries with the co-processor equivilents at load time. PPro''s had _great_ grief with these and you more or less had to recompile everything with the co-processor instructions forced.
People do this for copy protection as well, and win3.? beta''s had some self modifiying code that checked to see if you were running DR-Dos and then reported a cryptic error code, that if you asked micros~1 about it they said "oh thats TERRIBLE, ms-dos has been courrupted and become HORRABLY UNSTABLE, all of your data is probably courrupt"
this article has the details. Note that this is all real mode stuff, but it''s still an interesting little trick.
Under a protected mode environment , such as Windows and under modes such as DOS4GW I think too, code pages are read-only, and you get a GP Fault trying to mess with them. But otherwise no, they're writable.
And I can give you a hint into self-modifying code in assembly. It's actually a trick to simulate more variables than you actually have. It works like so: lets say eax has the value 12345678h, and you want to save that. The problem is the following funcions and interrupts require the use of all variables! In that case you'd lose 12345678h! Well its time to write to the code segment. Heres how:
Basically, you tell it to move your value into the code segment at 4 bytes less than than @point. That would be right after the opcode, where a regular value in a mov statement would be located! And it works; insta-variable. Unless you're in protected mode, where you get a GP Fault instead
. That's what I remember from way ago. Why not just push the value? I can't remember why it said to use this way over pushing. Can't remember if it's possible or not. Hope i gave some insight though.
Edited by - Zipster on April 23, 2001 3:52:43 AM
And I can give you a hint into self-modifying code in assembly. It's actually a trick to simulate more variables than you actually have. It works like so: lets say eax has the value 12345678h, and you want to save that. The problem is the following funcions and interrupts require the use of all variables! In that case you'd lose 12345678h! Well its time to write to the code segment. Heres how:
...mov eax, 12345678hmov [byte ptr @point-4], eax.. ;Functions that use all variables. ;located here.mov eax, 11111111h@point:... Basically, you tell it to move your value into the code segment at 4 bytes less than than @point. That would be right after the opcode, where a regular value in a mov statement would be located! And it works; insta-variable. Unless you're in protected mode, where you get a GP Fault instead
. That's what I remember from way ago. Why not just push the value? I can't remember why it said to use this way over pushing. Can't remember if it's possible or not. Hope i gave some insight though.Edited by - Zipster on April 23, 2001 3:52:43 AM
self modifying code is funny.
We should hold an obfusciated ASM contest, lol.
My only actual experience''s with self modifiable code was looking at a virus once (damn that thing was ingenious. 5 billion times more complex than the stupid ass melissa type shit that VB coders make today), and trying to break the copy protection on an old dos game i lost the manual to.
Heh, for the virus, it would change itself on every execution to put itself in a different part of the file, then search for more files to store itself into.
For the dos game, i was cleaning out my 20 meg hard drive so i could finally get rid of my 286 (sigh, memories), and i noticed it had a game on it I used to love, heh. So i try loading it up, "what is word #5 on page #65 in paragraph #4 in sentance #2"
ACK!
I try to find a table of words in the exe file, so i can enter it in, no luck
so i load it up in Turbo debugger, and try to trace it through to see how it gets the words, and holy shit it is complex. The algorithm used determines the next letter by modifying its own code every time the user presses a letter, its pretty much indecipherable.
ingenious. Needless to say, i never figured it out... sigh.
Self modifiable code, lol
===============================================
Have I no control, is my soul not mine?
Am I not just man, destiny defined?
Never to be ruled, nor held to heel!
We should hold an obfusciated ASM contest, lol.
My only actual experience''s with self modifiable code was looking at a virus once (damn that thing was ingenious. 5 billion times more complex than the stupid ass melissa type shit that VB coders make today), and trying to break the copy protection on an old dos game i lost the manual to.
Heh, for the virus, it would change itself on every execution to put itself in a different part of the file, then search for more files to store itself into.
For the dos game, i was cleaning out my 20 meg hard drive so i could finally get rid of my 286 (sigh, memories), and i noticed it had a game on it I used to love, heh. So i try loading it up, "what is word #5 on page #65 in paragraph #4 in sentance #2"
ACK!
I try to find a table of words in the exe file, so i can enter it in, no luck
so i load it up in Turbo debugger, and try to trace it through to see how it gets the words, and holy shit it is complex. The algorithm used determines the next letter by modifying its own code every time the user presses a letter, its pretty much indecipherable.
ingenious. Needless to say, i never figured it out... sigh.
Self modifiable code, lol
===============================================
Have I no control, is my soul not mine?
Am I not just man, destiny defined?
Never to be ruled, nor held to heel!
In Win32 you can use VirtualProtect to fiddle with the read/write/execute permissions of a page.
If you use self-modifying code be sure to call FlushInstructionCache after your changes before trying to execute them.
-Mike
If you use self-modifying code be sure to call FlushInstructionCache after your changes before trying to execute them.
-Mike
What is self modifying code? Is it when your programs writes new code(code that wasn''t there at compile time), and some how you make it execute this piece of code? If this is the case or in any case, why would you want or need to put self modifying code into your program?
What about buffer overruns? They''re the most common method to hack a program to execute arbitrary code and so far as I know they won''t cause a GPF/core dump/whatever on any major OS. Sure it''s a very limited form of modifiable code, but it works.
I''ll look into the VirtualProtect type functions...
There''s several reasons why you''d want self-modifying code.
If you wanted to write a virus, it''d need to this, I guess this is the least noble reason.
You might want to protect you''re program from hacking; modifying the code at runtime adds a significant layer of complexity for the hacker to decipher.
Or you might be a hacker trying to modify an existing program.
You could create a JIT compiler for a scripting language.
Or you could also do some crazy things, like run genetic algorithms to seek optimizations in running code.
Magmai Kai Holmlor
- The disgruntled & disillusioned
There''s several reasons why you''d want self-modifying code.
If you wanted to write a virus, it''d need to this, I guess this is the least noble reason.
You might want to protect you''re program from hacking; modifying the code at runtime adds a significant layer of complexity for the hacker to decipher.
Or you might be a hacker trying to modify an existing program.
You could create a JIT compiler for a scripting language.
Or you could also do some crazy things, like run genetic algorithms to seek optimizations in running code.
Magmai Kai Holmlor
- The disgruntled & disillusioned
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
