Hacking/Windows internals/Process/Memory/Stack
From Skypher
Each process on Windows has one memory region called a stack for each thread running in the process. There is always at least one: the stack of the main thread. The stack is a memory region that contains a list of DWORDs/QWORDs on 32-bit/64-bit systems respectively. It starts at the highest address in the memory reserved for the stack; this is called the bottom of the stack. As things are added to the stack at the top, it grows down towards 0. When things are removed from the top, it shrinks back towards the highest address. The register ESP always points to the top of the stack and is used to push values onto the stack or pop them off it with the PUSH/POP instructions.
The stack contains stack frames; each stack frame contains a number of DWORDs/QWORDs associated with a certain function call. On the top of the stack is the stack frame for the function currently being executed. Below it is the frame for the function that called the current function, below that is the frame for the function that called that function, and so on, all the way to the stack frame for the first function that was executed by this thread. The register EBP is often used to point to DWORDs at the end of the current stack frame, so the current function call can easily "clean up" the stack by setting ESP to EBP to remove the current stack frame, popping EBP to get the end of the previous stack frame, and returning to the previous function.
Each stack frame can contain:
- Local variables for the function (optional: not all functions have local variables on the stack). These can be integers, strings, arrays, structures and/or pointers to any of these that the function needs to do whatever it is supposed to do. Modern compilers can also add stack canaries before, in between or after these. Canaries are used to detect attempts to exploit bugs such as [[wikipedia:buffer overflow|buffer overflows]] by looking for changes in their values before returning from the function.
- The return address for the function that is currently being executed (required). The return address points to the code immediately following the call to the current function in the function that called it. This allows the current function to return to the previous function and have the thread continue to do whatever that function was doing.
- An SEH frame which contains two pointers: The SEH handler function and a pointer to the next SEH frame in the SEH chain (or the value -1 to indicate it is the last SEH frame in the SEH chain).
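The growth direction and the frame contents described above can be observed from a running program. The following is an added example, not code from the Skypher wiki; it assumes a GCC- or Clang-compatible compiler on x86-64, where the 64-bit registers RSP/RBP play the roles the page describes for ESP/EBP, so the frame pointer slot at [RBP] holds the caller's saved frame pointer and the slot just above it, [RBP+8], holds the return address. The function names `stack_grows_down`, `callee_is_lower` and `frame_layout_is_consistent` are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Helper (example's own): a callee that reports whether its local variable
   sits at a lower address than a local of its caller. noinline keeps it in
   its own stack frame so there is something to compare. */
__attribute__((noinline))
static int callee_is_lower(const volatile int *caller_local)
{
    volatile int callee_local = 0;
    return (uintptr_t)&callee_local < (uintptr_t)caller_local;
}

/* Returns 1 when the stack grows downward toward 0: the frame of a called
   function is pushed below (at a lower address than) the caller's frame. */
int stack_grows_down(void)
{
    volatile int caller_local = 0;
    return callee_is_lower(&caller_local);
}

/* Returns 1 when the frame-pointer slot layout matches the page's description:
   the frame pointer register points at the saved caller frame pointer, and the
   pointer-sized slot right after it holds the return address, i.e. the address
   of the instruction following the CALL in the calling function.
   Assumption: x86-64 (or any target that keeps a [saved FP][return address]
   frame record) with the frame pointer set up in this function. */
__attribute__((noinline))
int frame_layout_is_consistent(void)
{
    void **fp = (void **)__builtin_frame_address(0);  /* current RBP */
    void *saved_caller_fp = fp[0];                     /* caller's RBP, "end of previous frame" */
    void *return_address = fp[1];                      /* slot at RBP + sizeof(void *) */

    printf("frame pointer      : %p\n", (void *)fp);
    printf("saved caller FP    : %p\n", saved_caller_fp);
    printf("return address slot: %p\n", return_address);
    printf("builtin return addr: %p\n", __builtin_return_address(0));

    /* The compiler's own notion of the return address must agree with what we
       read out of the frame; if it does not, the layout assumption is wrong. */
    return return_address == __builtin_return_address(0);
}

int main(void)
{
    printf("stack grows down : %d\n", stack_grows_down());
    printf("frame layout ok  : %d\n", frame_layout_is_consistent());
    return 0;
}
```

Build with plain `cc stack_layout.c -o stack_layout` and run it; each call of `frame_layout_is_consistent` prints a frame pointer that is numerically above the locals of deeper calls and below the saved frame pointer of its caller, which is the "bottom is the highest address" picture the text describes. The return-address slot is exactly the value that a stack buffer overrun aims to overwrite, which is why compilers place the canary between the locals and that slot.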
Hacking and the stack
Bugs in the handling of the data on the stack can lead to security vulnerabilities. Vulnerabilities such as stack-based buffer overruns and format string injections are often based on data on the stack and/or can grant an attacker control over data on the stack. Because a lot of the behavior of the code running in a thread depends on the data on its stack, control over this data often allows an attacker to control the behavior of the code. A very simple example is that if an attacker could overwrite the return address of the current function with another value, the function would not return to the function that called it, but to this new value. This allows an attacker to control code flow.
Stack buffer overruns
The simplest example is a stack-based buffer overrun. Such a vulnerability allows an attacker to write data not only to the local array variable intended to store the data, but beyond the memory reserved for it on the stack. (Note that strings are arrays of characters; a buffer overflow is often, but not necessarily, in a string variable.) This type of bug can allow an attacker to write over other things stored on the stack, such as other local variables, SEH frames and the return address of the current function. Because most (if not all) arrays start at lower addresses and grow towards higher addresses (the opposite of the stack), a buffer overflow often allows an attacker to overwrite not only the data in the current stack frame but also data in the stack frames of the calling functions, which lie at higher addresses.
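To make the bug class concrete, here is an added example (not from the Skypher wiki) showing the vulnerable pattern next to a hardened version. The function names `greet_unsafe` and `greet_safe` and the constant `NAME_LEN` are this example's own. `greet_unsafe` copies into a 16-byte local array with no bound, so any input of 16 or more characters writes past the array into whatever the compiler placed above it in the frame (other locals, the canary if present, the saved frame pointer, the return address); `greet_safe` measures the input against the array size first and refuses anything that does not fit together with its terminator.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* size of the local array in both functions */

/* Vulnerable pattern: strcpy() stops only at the input's NUL terminator, so
   the amount written is chosen by whoever supplies the input, not by the size
   of name[]. Input of NAME_LEN or more characters overruns the array and
   overwrites the stack above it. Returns the copied length for illustration. */
int greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no length check: the overrun happens here */
    printf("hello, %s\n", name);
    return (int)strlen(name);
}

/* Hardened version: scan at most NAME_LEN bytes to find the input length; if
   no terminator is seen within NAME_LEN bytes the input cannot fit (the array
   must also hold the NUL), so refuse it with -1 instead of truncating silently.
   Otherwise copy exactly n + 1 bytes, which is known to fit. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    size_t n = 0;

    while (n < NAME_LEN && input[n] != '\0')
        n++;
    if (n == NAME_LEN)              /* too long, or unterminated within the bound */
        return -1;

    memcpy(name, input, n + 1);     /* n + 1 <= NAME_LEN, terminator included */
    printf("hello, %s\n", name);
    return (int)strlen(name);
}

int main(void)
{
    /* Constructed inputs: one that fits and one that is too long. The unsafe
       function is only ever called with the short input here; calling it with
       the long one is exactly the overrun the text describes. */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */

    printf("unsafe, short: %d\n", greet_unsafe(short_input));
    printf("safe,   short: %d\n", greet_safe(short_input));
    printf("safe,   long : %d\n", greet_safe(long_input));
    return 0;
}
```

Two points worth noting when reviewing code for this bug: the bound has to account for the terminator (a 16-character name does not fit in a 16-byte array), and `strncpy` is not a fix on its own because it does not guarantee a terminating NUL when the input fills the array. Compilers that emit a stack canary will catch the overrun in `greet_unsafe` on return, but only after the locals between the array and the canary have already been overwritten, so the check in `greet_safe` is the actual remedy and the canary is the safety net.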
Format string injection
Format-string injection bugs.
