Commandline arguments and Position Independent Code

1
Command-line arguments and Position Independent
Code
2
Command-line arguments
In Linux, we receive command-line arguments on
the stack as execution starts- The first
argument number of arguments (i.e. argc) -
The rest of the arguments each one is a
pointer to an argument string. (i.e. argv0,
argv1 argv2)
3
Command-line arguments
arch081gt app foo bar 42
section .text global _start _start pop eax
Get the number of arguments pop ebx Get the
program name (app") pop ebx Get the first
actual argument ("foo") pop ecx
"bar" pop edx "42" mov eax,1 mov ebx,0 int
80h Exit
4
Self-Sufficiency of PIC program
If we have one program which is PIC we can add
this program to any other program without fear
that it might not work. This is because the
simple fact that the PIC program has everything
it needs interiorly.
5
Position Independent Code

• No direct use of labels
• Only relative jumps.
• call is relative.
• No global variables (no data , rodata or bss).
• No library functions
• Only system calls.
• Code example.

6
No direct use of labels
Labels are resolved by the assembler and linker
at compile time to an absolute number . So, if
the code is moved the number won't becorrect any
more. Remember labels address doesnt change
at run-time though the code address may change.
7
No direct use of labels
1
section .data 2
00000000 48656C6C6F20776F72- hello db
'Hello world!',10 3 00000009 6C64210A
4 helloLen equ - hello
5
6

section .text 7
global _start 8
9
_start
10 00000000 B900000000 mov
ecx,hello 11 00000005 BA0D000000
mov edx,helloLen 12
13 0000000A B804000000
mov eax,4 14 0000000F BB01000000
mov ebx,1 15
16 00000014 CD80
int 80h 17
18 00000016
B801000000 mov eax,1 19
0000001B BB00000000 mov ebx,0
20 00000020 CD80 int
80h
8
Only relative jumps
We can use only relative jumps. This is because
the code we wish to jump to may change its
position . If all of the code change its
position, relative jumps are still valid because
the address difference is preserved.
9
call is relative
We can still use call instruction because it
makes a relative jump to the procedure. This
means that the new IP (after call) will be the
old IP (before call) plus a number (may be
negative) with was the address difference of the
two places calculated by the assembler.
10
No global variables
There are no global variables because we cannot
assume that DATA, RODATA or BSS sections
exists. Even if they do exists, we dont know
their address and we cant allocate memory
there. We can use constant variables (mainly
strings) as a part of our code.
11
No library functions
We dont know if and where the library functions
are . Thus, there are no printf, gets, open,
strlen, etc, etc functions.
12
Only system calls
To perform I/O operation we have to use the linux
system calls. Arent them the same as the library
functions? No. Because INT 0x80 isnt a regular
procedure, it is called via the interrupt table
which is static.
13
Finding your code address at run-time
get_my_loc call next_i next_i pop edx
ret
14
Finding your code address at run-time
Since we can use the call instruction (remember
it makes a relative jump) we can call a function
that we write in our code . The call instruction
push the current IP at run-time. Thus, if we
know where call was, we now posses an anchor
address at run-time.
15
Using strings PIC example
section .data name db "Moshe",10,0 nameLen equ
- name global _start get_my_loc call
next_i next_i pop edx
ret _start call get_my_loc sub
edx, next_i - name mov ecx,edx
mov edx,nameLen mov eax,4 mov
ebx,1 int 80h mov eax,1
int 80h
16
Using strings PIC example
1 section
.data 2 3 00000000 4D6F7368650A00
name db "Moshe",10,0 4
nameLen equ - name 5 6
global _start 7
get_my_loc 8 00000007
E801000000 call next_i 9
0000000C C3 ret
10 next_i 11
0000000D 5A pop
edx 12 _start
13 0000000F E8F3FFFFFF call
get_my_loc 14 00000014 81EA0D000000 sub
edx, next_i - name 15 0000001A 89D1
mov ecx,edx 16 0000001C BA07000000
mov edx,nameLen 17 00000021
B804000000 mov eax,4 18 00000026
BB01000000 mov ebx,1 19 0000002B
CD80 int 80h 20
0000002D B801000000 mov eax,1 21
00000032 CD80 int 80h
17
Using strings PIC example
get_my_loc function gets the address of next_i at
run-time. The address difference between next_i
and name is constant even if the code will change
its position . So when we find the address of
next_i using the listing file we can find the
address of name at run time.