Assembly: why does the push DWORD instruction align on 8 bytes?

Tags: assembly, x86-64, shellcode, instructions

Writing shellcode:

BITS 64
xor rax, rax
push rax
push dword "n/sh"
push dword "//bi"
mov rdi, rsp
push rax
mov rdx, rsp
push rdi
mov rsi, rsp
mov al, 59
syscall
When execution reaches the push instructions, something strange happens. The string /bin/sh has to be written to the stack contiguously, but after the first instruction (and after the second) the value is aligned to an 8-byte boundary, which prevents the string from forming, and I did specify DWORD.

gdb session (reproduced at the end of this page):

How can I fix this?

Answer:

push always pushes a qword. The dword keyword here specifies a dword-sized immediate; this distinguishes it from push byte, which has a byte-sized immediate. In both cases the immediate is zero-extended into a qword. You can do

mov rax, '/bin//sh'
push rax

Comments:

Your DWORD is being sign-extended to produce a 64-bit value. You can read about this behavior in the Instruction Set Architecture reference, which states: "If the source operand is an immediate of size less than the operand size, a sign-extended value is pushed on the stack."

OK, thanks for your answer. So why can't I push 8 bytes onto the stack at once? If everything comes out as 8 bytes anyway, what is the point of forbidding it?

See my comment, where I show how to push 8 bytes onto the stack.

There is no push of a 64-bit immediate in 64-bit code. You can move the 64-bit value into a 64-bit register and then push that 64-bit register onto the stack. In 64-bit mode very few instructions have a 64-bit immediate operand; only the 64-bit register-load instruction can do that.
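As an added illustration (not code from the question or the answers), the following C model reproduces the PUSH semantics discussed above: every push in 64-bit mode moves RSP by 8, and an imm32 is sign-extended before being stored, so the two dword pushes leave a 4-byte zero gap exactly as the gdb dump shows, while mov rax / push rax stores the contiguous string. The stack array, its poison value and the helper names are constructed for this example, and a little-endian host is assumed; it also covers the negative-immediate case the quoted manual text describes.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the x86-64 stack: a byte array plus a simulated RSP.
   Constructed for this example; not the question's shellcode or gdb output. */
#define STACK_SIZE 64
typedef struct {
    uint8_t mem[STACK_SIZE];
    uint64_t rsp;               /* offset into mem; the stack grows downward */
} stack_t;

static void stack_init(stack_t *s) {
    memset(s->mem, 0xAA, sizeof s->mem);   /* poison so gaps stand out */
    s->rsp = STACK_SIZE;
}

/* PUSH imm32 in 64-bit mode: sign-extend the immediate to 64 bits, then
   store 8 bytes. RSP always moves by 8, whatever the immediate's width. */
static void push_imm32(stack_t *s, int32_t imm) {
    uint64_t v = (uint64_t)(int64_t)imm;   /* sign extension */
    s->rsp -= 8;
    memcpy(s->mem + s->rsp, &v, 8);        /* little-endian host assumed */
}

/* PUSH r64: the register value is stored unchanged, also 8 bytes. */
static void push_reg64(stack_t *s, uint64_t v) {
    s->rsp -= 8;
    memcpy(s->mem + s->rsp, &v, 8);
}

static uint64_t read_qword(const stack_t *s, uint64_t off) {
    uint64_t v; memcpy(&v, s->mem + off, 8); return v;
}

/* The question's sequence: push rax (0); push dword "n/sh"; push dword "//bi".
   Returns the C string found at RSP afterwards. */
static const char *build_with_dwords(stack_t *s) {
    stack_init(s);
    push_reg64(s, 0);
    push_imm32(s, 0x68732f6e);   /* "n/sh" as little-endian bytes */
    push_imm32(s, 0x69622f2f);   /* "//bi" */
    return (const char *)(s->mem + s->rsp);
}

/* The answer's fix: mov rax, '/bin//sh'; push rax. */
static const char *build_with_qword(stack_t *s) {
    stack_init(s);
    push_reg64(s, 0);                       /* NUL terminator for the string */
    push_reg64(s, 0x68732f2f6e69622fULL);   /* "/bin//sh" little-endian */
    return (const char *)(s->mem + s->rsp);
}
```

build_with_dwords leaves "//bi" followed by four zero bytes at RSP, matching the x/16xb output in the question, whereas build_with_qword leaves "/bin//sh" followed by the pushed zero qword.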
gdb session from the question:

=> 0x7fffffffea44:  push   0x68732f6e
   0x7fffffffea49:  push   0x69622f2f
   0x7fffffffea4e:  mov    rdi,rsp
   0x7fffffffea51:  push   rax
   0x7fffffffea52:  mov    rdx,rsp
   0x7fffffffea55:  push   rdi
   0x7fffffffea56:  mov    rsi,rsp
   0x7fffffffea59:  mov    al,0x3b
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea44 in ?? ()
gdb$ ni
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x68732f6e

-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x0000000000000000  RBX: 0x0000000000000000  RBP: 0xFFFFFFFFFFFFFFFF  RSP: 0x00007FFFFFFFEA80  o d I t s Z a P c 
  RDI: 0x00007FFFFFFFEA40  RSI: 0x0000555555556021  RDX: 0x0000000000000079  RCX: 0x40FFFFFFFFFFFFFF  RIP: 0x00007FFFFFFFEA49
  R8 : 0x0000000000000000  R9 : 0x00007FFFF7FE14C0  R10: 0xFFFFFFFFFFFFF8F5  R11: 0x00007FFFF7E53B60  R12: 0x0000555555555060
  R13: 0x0000000000000000  R14: 0x0000000000000000  R15: 0x0000000000000000
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B                
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7fffffffea49:  push   0x69622f2f
   0x7fffffffea4e:  mov    rdi,rsp
   0x7fffffffea51:  push   rax
   0x7fffffffea52:  mov    rdx,rsp
   0x7fffffffea55:  push   rdi
   0x7fffffffea56:  mov    rsi,rsp
   0x7fffffffea59:  mov    al,0x3b
   0x7fffffffea5b:  syscall 
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea49 in ?? ()
gdb$ ni
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x69622f2f

-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x0000000000000000  RBX: 0x0000000000000000  RBP: 0xFFFFFFFFFFFFFFFF  RSP: 0x00007FFFFFFFEA78  o d I t s Z a P c 
  RDI: 0x00007FFFFFFFEA40  RSI: 0x0000555555556021  RDX: 0x0000000000000079  RCX: 0x40FFFFFFFFFFFFFF  RIP: 0x00007FFFFFFFEA4E
  R8 : 0x0000000000000000  R9 : 0x00007FFFF7FE14C0  R10: 0xFFFFFFFFFFFFF8F5  R11: 0x00007FFFF7E53B60  R12: 0x0000555555555060
  R13: 0x0000000000000000  R14: 0x0000000000000000  R15: 0x0000000000000000
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B                
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7fffffffea4e:  mov    rdi,rsp
   0x7fffffffea51:  push   rax
   0x7fffffffea52:  mov    rdx,rsp
   0x7fffffffea55:  push   rdi
   0x7fffffffea56:  mov    rsi,rsp
   0x7fffffffea59:  mov    al,0x3b
   0x7fffffffea5b:  syscall 
   0x7fffffffea5d:  (bad)  
-----------------------------------------------------------------------------------------------------------------------------
0x00007fffffffea4e in ?? ()
gdb$ x/s $rsp
0x7fffffffea78: "//bi"
gdb$ x/16xb $rsp
0x7fffffffea78: 0x2f    0x2f    0x62    0x69    0x00    0x00    0x00    0x00
0x7fffffffea80: 0x6e    0x2f    0x73    0x68    0x00    0x00    0x00    0x00
gdb$