In order to understand the function stack, we create the following demo code.
#include <stdio.h>
#include <stdlib.h>

/* Each function keeps one local (a pointer to a recognisable string) so that a
 * local-variable slot appears in its stack frame, and each call passes an
 * easy-to-spot constant (0x11111111, 0x22222222, 0x33333333) so that the
 * argument slot can be found in the debugger. The locals are deliberately
 * unused; the compiler still allocates them. */
int function3(int i3){
    char *local_var1_f3 = "Function3";
    return 3;
}
int function2(int i2){
    char *local_var1_f2 = "Function2";
    function3(0x33333333);
    return 2;
}
int function1(int i1){
    char *local_var1_f1 = "Function1";
    function2(0x22222222);
    return 1;
}
int main(int argc, char *argv[]){
    char *local_var1 = "Main Function";
    function1(0x11111111);
    return 0;
}
The function call chain is:
main -> function1 -> function2 -> function3
Start Immunity Debugger and load the executable. The CPU (disassembly) window shows the four functions:
00401290 /$ 55 PUSH EBP
00401291 |. 89E5 MOV EBP,ESP
00401293 |. 83EC 04 SUB ESP,4
00401296 |. C745 FC 00304>MOV DWORD PTR SS:[EBP-4],StackDem.00403000 ; ASCII "Function3"
0040129D |. B8 03000000 MOV EAX,3
004012A2 |. C9 LEAVE
004012A3 \. C3 RETN
004012A4 /$ 55 PUSH EBP
004012A5 |. 89E5 MOV EBP,ESP
004012A7 |. 83EC 08 SUB ESP,8
004012AA |. C745 FC 0A304>MOV DWORD PTR SS:[EBP-4],StackDem.0040300A ; ASCII "Function2"
004012B1 |. C70424 333333>MOV DWORD PTR SS:[ESP],33333333
004012B8 |. E8 D3FFFFFF CALL StackDem.00401290
004012BD |. B8 02000000 MOV EAX,2
004012C2 |. C9 LEAVE
004012C3 \. C3 RETN
004012C4 /$ 55 PUSH EBP
004012C5 |. 89E5 MOV EBP,ESP
004012C7 |. 83EC 08 SUB ESP,8
004012CA |. C745 FC 14304>MOV DWORD PTR SS:[EBP-4],StackDem.00403014 ; ASCII "Function1"
004012D1 |. C70424 222222>MOV DWORD PTR SS:[ESP],22222222
004012D8 |. E8 C7FFFFFF CALL StackDem.004012A4
004012DD |. B8 01000000 MOV EAX,1
004012E2 |. C9 LEAVE
004012E3 \. C3 RETN
004012E4 /$ 55 PUSH EBP
004012E5 |. 89E5 MOV EBP,ESP
004012E7 |. 83EC 18 SUB ESP,18
004012EA |. 83E4 F0 AND ESP,FFFFFFF0
004012ED |. B8 00000000 MOV EAX,0
004012F2 |. 83C0 0F ADD EAX,0F
004012F5 |. 83C0 0F ADD EAX,0F
004012F8 |. C1E8 04 SHR EAX,4
004012FB |. C1E0 04 SHL EAX,4
004012FE |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00401301 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00401304 |. E8 67040000 CALL StackDem.00401770
00401309 |. E8 02010000 CALL StackDem.00401410
0040130E |. C745 FC 1E304>MOV DWORD PTR SS:[EBP-4],StackDem.0040301E ; ASCII "Main Function"
00401315 |. C70424 111111>MOV DWORD PTR SS:[ESP],11111111
0040131C |. E8 A3FFFFFF CALL StackDem.004012C4
00401321 |. B8 00000000 MOV EAX,0
00401326 |. C9 LEAVE
00401327 \. C3 RETN
The instructions in main between 004012E7 and 00401309 (the stack alignment and the two CALLs before the local is set) are compiler-generated start-up code, not anything from our source. Single-step through the program (F8) and stop at 0x0040131C (the CALL to function1):
00401315 |. C70424 111111>MOV DWORD PTR SS:[ESP],11111111
0040131C |. E8 A3FFFFFF CALL StackDem.004012C4
The stack window shows the argument already stored at the top of the stack (the compiler uses MOV DWORD PTR [ESP] instead of PUSH, but the slot is the same):
0022FF50 11111111 ---- Argument of Function1
0022FF54 003E3EF8
Step into function1 with F7 and stop at 0x004012D8 (the CALL to function2):
004012C4 /$ 55 PUSH EBP
004012C5 |. 89E5 MOV EBP,ESP
004012C7 |. 83EC 08 SUB ESP,8
004012CA |. C745 FC 14304>MOV DWORD PTR SS:[EBP-4],StackDem.00403014 ; ASCII "Function1"
004012D1 |. C70424 222222>MOV DWORD PTR SS:[ESP],22222222
004012D8 |. E8 C7FFFFFF CALL StackDem.004012A4
004012DD |. B8 01000000 MOV EAX,1
004012E2 |. C9 LEAVE
004012E3 \. C3 RETN
The stack window now shows function1's frame on top of the argument that main placed earlier:
0022FF40 22222222 Argument of function2 (written by MOV DWORD PTR [ESP],22222222)
0022FF44 00403014 ASCII "Function1" (local_var1_f1, at EBP-4)
0022FF48 /0022FF78 Frame Pointer (EBP) saved by function1's PUSH EBP; main's EBP
0022FF4C |00401321 RETURN to StackDem.00401321 from StackDem.004012C4
0022FF50 |11111111 Argument of function1
Repeat the same steps: step into function2 and then function3 with F7, and stop at 0x004012A2 (the LEAVE in function3, before any frame is torn down):
00401290 /$ 55 PUSH EBP
00401291 |. 89E5 MOV EBP,ESP
00401293 |. 83EC 04 SUB ESP,4
00401296 |. C745 FC 00304>MOV DWORD PTR SS:[EBP-4],StackDem.00403000 ; ASCII "Function3"
0040129D |. B8 03000000 MOV EAX,3
004012A2 |. C9 LEAVE
004012A3 \. C3 RETN
004012A4 /$ 55 PUSH EBP
004012A5 |. 89E5 MOV EBP,ESP
004012A7 |. 83EC 08 SUB ESP,8
004012AA |. C745 FC 0A304>MOV DWORD PTR SS:[EBP-4],StackDem.0040300A ; ASCII "Function2"
004012B1 |. C70424 333333>MOV DWORD PTR SS:[ESP],33333333
004012B8 |. E8 D3FFFFFF CALL StackDem.00401290
004012BD |. B8 02000000 MOV EAX,2
004012C2 |. C9 LEAVE
004012C3 \. C3 RETN
004012C4 /$ 55 PUSH EBP
004012C5 |. 89E5 MOV EBP,ESP
004012C7 |. 83EC 08 SUB ESP,8
004012CA |. C745 FC 14304>MOV DWORD PTR SS:[EBP-4],StackDem.00403014 ; ASCII "Function1"
004012D1 |. C70424 222222>MOV DWORD PTR SS:[ESP],22222222
004012D8 |. E8 C7FFFFFF CALL StackDem.004012A4
The stack window now shows all three frames, lowest address first. Each saved EBP points at the next saved EBP up the chain (0022FF28 -> 0022FF38 -> 0022FF48 -> 0022FF78), and each return address is the instruction right after the corresponding CALL:
0022FF24 00403000 ASCII "Function3"
0022FF28 /0022FF38 Frame Pointer (EBP)
0022FF2C |004012BD RETURN Address
0022FF30 |33333333 Argument of Function3
0022FF34 |0040300A ASCII "Function2"
0022FF38 /0022FF48 Frame Pointer (EBP)
0022FF3C |004012DD RETURN Address
0022FF40 |22222222 Argument of Function2
0022FF44 |00403014 ASCII "Function1"
0022FF48 /0022FF78 Frame Pointer (EBP)
0022FF4C |00401321 RETURN Address
0022FF50 |11111111 Argument of Function1
From this we can see the stack frame structure. Note the direction: the stack grows toward lower addresses, so the caller's arguments sit at the highest addresses of a frame and the "top" of the stack (ESP) is the lowest address, exactly as the dump above reads from 0022FF24 upward.
 Higher addresses (stack bottom, toward the caller's frames)
|---------------------|
| ......              |
|---------------------|
| Arguments           |  [EBP+8], [EBP+0C], ...
|---------------------|
| Return Address      |  [EBP+4]
|---------------------|
| Frame Pointer (EBP) |  [EBP]   saved caller EBP; EBP points here
|---------------------|
| Local Variables     |  [EBP-4], [EBP-8], ...
|---------------------|
| ......              |  <- ESP
|---------------------|
 Lower addresses (stack top; the stack grows this way)
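The same layout can be checked from inside a program rather than from the debugger. The following is an added example, not code from the original page and not the StackDem binary above. It assumes GCC or clang (for the __builtin_frame_address and __builtin_return_address builtins), that frame pointers are kept (the default at -O0; the pragma asks GCC to keep them at higher levels), and an ABI whose frame record is {saved frame pointer, return address} as on x86 and x86-64. The function names and recorded fields are the example's own. On 64-bit the slots are 8 bytes and the integer arguments travel in registers, so only the saved-EBP and return-address slots are checked, not the argument slot.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example: walk the frame-pointer chain that the debugger dump shows.
 * Assumes GCC or clang and that frame pointers are kept (default at -O0;
 * the pragma below asks GCC for this at higher optimisation levels). */
#if defined(__GNUC__) && !defined(__clang__)
#pragma GCC optimize("no-omit-frame-pointer")
#endif

#define MAX_FRAMES 4

typedef struct {
    const char *name;
    void **fp;         /* EBP/RBP while this function ran */
    void *saved_fp;    /* fp[0]: the "Frame Pointer (EBP)" slot, caller's EBP/RBP */
    void *ret_addr;    /* fp[1]: the "Return Address" slot */
    void *builtin_ret; /* what the compiler reports as the return address */
} frame_rec;

static frame_rec g_frames[MAX_FRAMES];
static int g_nframes;

/* Must be a macro: a helper function would record its own frame instead. */
#define RECORD_FRAME(fname)                                         \
    do {                                                            \
        if (g_nframes < MAX_FRAMES) {                               \
            frame_rec *r = &g_frames[g_nframes++];                  \
            r->name = (fname);                                      \
            r->fp = (void **)__builtin_frame_address(0);            \
            r->saved_fp = r->fp[0];                                 \
            r->ret_addr = r->fp[1];                                 \
            r->builtin_ret = __builtin_return_address(0);           \
        }                                                           \
    } while (0)

/* Same call chain as the demo program; noinline keeps each one a real CALL. */
__attribute__((noinline)) static int function3(int i3)
{
    (void)i3;
    RECORD_FRAME("function3");
    return 3;
}

__attribute__((noinline)) static int function2(int i2)
{
    (void)i2;
    RECORD_FRAME("function2");
    function3(0x33333333);
    return 2;
}

__attribute__((noinline)) static int function1(int i1)
{
    (void)i1;
    RECORD_FRAME("function1");
    function2(0x22222222);
    return 1;
}

/* Runs main -> function1 -> function2 -> function3; returns the frames recorded. */
int run_chain(void)
{
    g_nframes = 0;
    function1(0x11111111);
    return g_nframes;
}

/* Each callee's saved-EBP slot must hold exactly the caller's frame pointer. */
int chain_is_linked(void)
{
    for (int i = 1; i < g_nframes; i++)
        if (g_frames[i].saved_fp != (void *)g_frames[i - 1].fp)
            return 0;
    return 1;
}

/* The word just above the saved EBP must be the return address. */
int return_slots_match(void)
{
    for (int i = 0; i < g_nframes; i++)
        if (g_frames[i].ret_addr != g_frames[i].builtin_ret)
            return 0;
    return 1;
}

/* Each new frame sits at a lower address than its caller's: the stack grows down. */
int frames_grow_down(void)
{
    for (int i = 1; i < g_nframes; i++)
        if ((uintptr_t)g_frames[i].fp >= (uintptr_t)g_frames[i - 1].fp)
            return 0;
    return 1;
}

int main(void)
{
    run_chain();
    /* Print the innermost frame first, like the debugger's stack window. */
    for (int i = g_nframes - 1; i >= 0; i--) {
        const frame_rec *r = &g_frames[i];
        printf("%-9s fp=%p  [fp]=%p (saved EBP)  [fp+%zu]=%p (return address)\n",
               r->name, (void *)r->fp, r->saved_fp, sizeof(void *), r->ret_addr);
    }
    printf("chain linked=%d  return slots match=%d  grows down=%d\n",
           chain_is_linked(), return_slots_match(), frames_grow_down());
    return 0;
}
```

The three checks are the properties an exploit writer relies on: the saved-EBP slots form a linked list up to main, the return address is the next word above each saved EBP, and every deeper frame lives at a lower address. Overwriting a local past its end therefore runs into the saved EBP first and the return address second, which is why the rest of this page turns to the mitigations placed around those two slots.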
In order to exploit an executable, we must first understand this layout, and then the platform it runs on: which protections are present decides which technique applies.
Platforms:
=========================
| Windows XP - SP1, SP2 |
-------------------------
| Windows Vista - SP... |
-------------------------
| Windows 7 - 8         |
-------------------------
| Windows 2003, 2008    |
-------------------------
| Linux                 |
-------------------------
| Mac OSX               |
-------------------------

Exploitation techniques and the mitigations they must get past (the two lists are independent; a platform does not map to one row of this list):
===========================
| Simple Buffer Overflows |
---------------------------
| SEH, SafeSEH            |
---------------------------
| NX, DEP                 |
---------------------------
| ASLR                    |
---------------------------
| Stack Cookies           |
---------------------------
| ...                     |
---------------------------