NASM - The Netwide Assembler

NASM Forum => Using NASM => Topic started by: BenjaminD on August 22, 2010, 04:28:08 PM

Title: [Ubuntu]Accessing another application's stack?
Post by: BenjaminD on August 22, 2010, 04:28:08 PM
Hi fellow computer nerds! :)
I would like to know if it's possible to access the stack of another application, in Assembly?
I have written my own little C program (look in the bottom of my post to see the source code) which has the char pointer "string" on the stack. I've also written a NASM program (see bottom for source code) to manipulate the first char of that string.
But I (of course) receive a segmentation fault, trying to manipulate it while the C program is running.

Code:
#include <stdio.h>

int main(){
    char *string = "Benjamin";
    int i;

    for(i = 0; i < 5; i++){
        printf("%s\n", string);
        getchar();   /* pause so the process stays alive; the gdb dump below shows this call */
    }

    return 0;
}

Code:
section .text
    global _start

_start:
    ; address of the string literal taken from the gdb dump of the C program
    mov edi, 0x8048520
    mov [edi], byte 'H'     ; this store is what segfaults

    ; exit(0) via int 0x80
    xor ebx, ebx
    mov eax, 1
    int 0x80

Assembly dump of main.c:
Code:
   0x08048414 <+0>: push   %ebp
   0x08048415 <+1>: mov    %esp,%ebp
=> 0x08048417 <+3>: and    $0xfffffff0,%esp
   0x0804841a <+6>: sub    $0x20,%esp
   0x0804841d <+9>: movl   $0x8048520,0x1c(%esp) # Virtual address of the "string" pointer!!
   0x08048425 <+17>: movl   $0x0,0x18(%esp)
   0x0804842d <+25>: jmp    0x8048445 <main+49>
   0x0804842f <+27>: mov    0x1c(%esp),%eax
   0x08048433 <+31>: mov    %eax,(%esp)
   0x08048436 <+34>: call   0x8048350 <puts@plt>
   0x0804843b <+39>: call   0x8048320 <getchar@plt>
   0x08048440 <+44>: addl   $0x1,0x18(%esp)
   0x08048445 <+49>: cmpl   $0x4,0x18(%esp)
   0x0804844a <+54>: jle    0x804842f <main+27>
   0x0804844c <+56>: mov    $0x0,%eax
   0x08048451 <+61>: leave 
   0x08048452 <+62>: ret

Best regards,
Benjamin :).
Title: Re: [Ubuntu]Accessing another application's stack?
Post by: Frank Kotler on August 22, 2010, 08:18:27 PM
No, you can't access one process' address from another process. That's what your OS is "protected" against! Look into "virtual memory"...

In short, the string may exist at 0x08048520 in your C program - that's the "virtual address". It exists at some location in actual physical memory - but that isn't the address.

Your asm program, when it's running, starts at 0x8048080 virtual address (if it were longer, it would encompass 0x8048520) - same virtual address, pretty much, as your C program. It, too, exists at some location in physical memory - but not the same place as your C program, obviously(?).

This "virtual memory" magic is accomplished by "paging"... AOD must have a tutorial on it. In short, the virtual address acts as an index into "page tables" which locate the actual physical address. This mechanism can also make memory "read only"...

As it happens, 0x8048520 is in "read only" memory. "Your" memory, as created by the paging mechanism when the program loads, starts at 0x8048000 - first there's a header, and your program starts at 0x8048080 (plus or minus, depending on the length of the header). If your little asm program had a .data (readable/writeable) section, it would start on the next page - 0x8049xxx, the xxx being the length of your code (plus any data you've put in the code section) plus some alignment padding. Here, you can write - up to 0x8049FFF (or more, in a bigger program). This is the "break", and you'll segfault if you go beyond it. You also get a stack (read-write, of course), starting at 0xC0000000 (in both your C and asm programs!) and working downward - 0xBFFFxxxx when we get it, depending on how many environment variables and command line parameters you've got (they're on the stack). The paging mechanism expands the stack (downward) as needed, so you won't run out of stack space for a long, long, time.

Your C program has apparently put your "const" string in a "section .rdonly" - on the same read-only page as your code, so you wouldn't be able to write to it even from the same process... I notice gcc has changed your "printf" to a "puts" - uppity little rascal, ain't it? :)

So that's why you're getting the segfault, and why you can't access the stack of another program. Look on the bright side - other programs can't scribble on your memory, either!


Title: Re: [Ubuntu]Accessing another application's stack?
Post by: BenjaminD on August 22, 2010, 08:30:35 PM
Thank you, Frank.
I already knew what virtual memory and paging is, and that the OS protects certain memory regions to prevent "hackers" and memory collisions between processes. I was just wondering if there was a way around it.
Anyway, thank you for the very clear reply  :).