Linux: sys_execve system call from assembly

Notice: this page is a Chinese/English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must keep the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). Stack Overflow original: http://stackoverflow.com/questions/9342410/

Time: 2020-08-06 04:39:31  Source: igfitidea

sys_execve system call from Assembly

Tags: linux, assembly, x86, system-calls

Asked by Alex F

asm_execve.s:

.section .data
file_to_run:
.ascii       "/bin/sh"

.section .text
.globl main

main:
    pushl %ebp
    movl %esp, %ebp
    subl $0x8, %esp             # array of two pointers. array[0] = file_to_run array[1] = 0

    movl file_to_run, %edi
    movl %edi, -0x4(%ebp)
    movl $0, -0x8(%ebp)

    movl $11, %eax              # sys_execve
    movl file_to_run, %ebx      # file to execute
    leal -4(%ebp), %ecx         # command line parameters
    movl $0, %edx               # environment block
    int $0x80

    leave
    ret

makefile:

NAME = asm_execve

$(NAME) : $(NAME).s
	gcc -o $(NAME) $(NAME).s

Program is executed, but sys_execve is not called:

alex@alex32:~/project$ make
gcc -o asm_execve asm_execve.s
alex@alex32:~/project$ ./asm_execve 
alex@alex32:~/project$ 

Expected output is:

alex@alex32:~/project$ ./asm_execve 
$ exit
alex@alex32:~/project$

This Assembly program is supposed to work like the following C code:

#include <unistd.h>

int main(void)
{
    char *data[2];
    data[0] = "/bin/sh"; 
    data[1] = NULL;
    execve(data[0], data, NULL);
}

Something wrong in system call parameters?

Accepted answer by Matthew Slattery

The execve system call is being called, but you are indeed passing it bad parameters.

(You can see this by running your executable using strace.)

There are three problems:

  1. .ascii does not 0-terminate the string. (You might get lucky, as there is nothing following it in your .data section in this example, but that's not guaranteed...) Add a 0, or use .asciz (or .string) instead.

  2. movl file_to_run, %edi moves the value pointed to by the file_to_run symbol into %edi, i.e. the first 4 bytes of the string (0x6e69622f). The address of the string is just the value of the symbol itself, so you need to use the $ prefix for literal values: movl $file_to_run, %edi. Similarly, you need to say movl $file_to_run, %ebx a few lines further down. (This is a common source of confusion between AT&T syntax and Intel syntax!)

  3. The parameters are placed on the stack in the wrong order: -0x8(%ebp) is a lower address than -0x4(%ebp). So the address of the command string should be written to -0x8(%ebp), the 0 should be written to -0x4(%ebp), and the leal instruction should be leal -8(%ebp), %ecx.

Fixed code:

.section .data
file_to_run:
.asciz       "/bin/sh"

.section .text
.globl main

main:
    pushl %ebp
    movl %esp, %ebp
    subl $0x8, %esp             # array of two pointers. array[0] = file_to_run array[1] = 0

    movl $file_to_run, %edi
    movl %edi, -0x8(%ebp)
    movl $0, -0x4(%ebp)

    movl $11, %eax              # sys_execve
    movl $file_to_run, %ebx     # file to execute
    leal -8(%ebp), %ecx         # command line parameters
    movl $0, %edx               # environment block
    int $0x80

    leave
    ret

Answer by Shank

You actually don't need to load anything in the other arguments. If you are doing this in x86 the following simpler code will also work:

.data
file_to_run:
.asciz "/bin/sh"

.section .text
.globl main

main:
    pushl %ebp
    movl %esp, %ebp

    movl $11, %eax                      # sys_execve
    movl $file_to_run, %ebx             # file to execute
    movl $0, %ecx                       # Null value will work too
    movl $0, %edx                       # Null will work too
    int  $0x80

    leave
    ret

This will essentially open a shell terminal after invoking the system call.
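As an added example (not part of the original question or either answer), the following C program models what the kernel-side execve sees for the register and stack setups discussed on this page: the question's original code, the accepted answer's fixed code, Shank's NULL argv/envp variant, and the stack-order and missing-NUL problems taken in isolation. It uses a small simulated 32-bit address space so the cases can be compared without actually replacing the process with /bin/sh. The addresses DATA_BASE and STACK_TOP, the saved-%ebp value 0xbffff028 and the bytes "XYZ" following the .ascii string are constructed for the model.

```c
/* Added example, not code from the Stack Overflow post or its answers. It models
 * what the Linux execve(2) entry point sees for the register and stack setups in
 * the question and the two answers, in a tiny simulated 32-bit address space,
 * instead of running int $0x80. DATA_BASE, STACK_TOP and the saved %ebp are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_BASE 0x08049000u   /* model address of file_to_run in .data */
#define STACK_TOP 0xbffff000u   /* model value of %ebp inside main */

enum { EX_OK = 0, EX_EFAULT_PATH = 1, EX_EFAULT_ARGV = 2, EX_BAD_PATH = 3 }; /* ~ 0 / -EFAULT / -ENOENT */
struct mem { const uint8_t *data; size_t dlen; uint8_t stack[12]; };            /* .data and -8(%ebp)..3(%ebp) */

/* Guest address -> model byte; NULL means unmapped (the kernel would return -EFAULT). */
static const uint8_t *lookup(const struct mem *m, uint32_t a) {
    if (a - DATA_BASE < m->dlen) return m->data + (a - DATA_BASE);
    if (a - (STACK_TOP - 8) < sizeof m->stack) return m->stack + (a - (STACK_TOP - 8));
    return NULL;
}

/* Little-endian 32-bit load: what "movl file_to_run, %ebx" really puts in %ebx. */
uint32_t first_dword_le(const char *s) {
    const uint8_t *b = (const uint8_t *)s;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Load one pointer-sized word from guest memory; -1 if any byte is unmapped. */
static int read32(const struct mem *m, uint32_t addr, uint32_t *out) {
    *out = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *p = lookup(m, addr + i);
        if (!p) return -1;
        *out |= (uint32_t)*p << (8 * i);
    }
    return 0;
}

/* Copy a NUL-terminated guest string; -1 if it hits unmapped memory or exceeds cap. */
static int read_str(const struct mem *m, uint32_t addr, char *out, size_t cap) {
    for (size_t i = 0; i < cap; i++) {
        const uint8_t *p = lookup(m, addr + i);
        if (!p) return -1;
        out[i] = (char)*p;
        if (!*p) return 0;
    }
    return -1;
}

/* Kernel-side execve(%ebx = path, %ecx = argv); argv == 0 (Shank's answer) and envp == 0 are taken as empty. */
int model_execve(const struct mem *m, uint32_t ebx, uint32_t ecx, char *path, size_t cap, int *argc) {
    *argc = 0;
    if (read_str(m, ebx, path, cap) < 0) return EX_EFAULT_PATH;
    for (uint32_t p = ecx; p; p += 4) {   /* walk argv until the NULL entry */
        uint32_t a; char arg[64];
        if (read32(m, p, &a) < 0) return EX_EFAULT_ARGV;
        if (a == 0) break;
        if (read_str(m, a, arg, sizeof arg) < 0) return EX_EFAULT_ARGV;
        (*argc)++;
    }
    return strcmp(path, "/bin/sh") == 0 ? EX_OK : EX_BAD_PATH;
}

/* Build main's frame: `lo` is the word at -8(%ebp), `hi` at -4(%ebp), 0(%ebp) the saved %ebp. */
static int run_scenario(const uint8_t *data, size_t dlen, uint32_t lo, uint32_t hi,
                        uint32_t ebx, uint32_t ecx, char *path, int *argc) {
    struct mem m = { data, dlen, { 0 } };
    uint32_t words[3] = { lo, hi, 0xbffff028u };   /* saved %ebp: nonzero, constructed */
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) m.stack[4 * i + b] = (uint8_t)(words[i] >> (8 * b));
    return model_execve(&m, ebx, ecx, path, 64, argc);
}

static const uint8_t ASCII_NO_NUL[] = { '/','b','i','n','/','s','h','X','Y','Z',0 }; /* .ascii, other data after it (constructed) */
static const uint8_t ASCIZ[] = "/bin/sh";                                            /* .asciz: the assembler adds the NUL */
int verdict_original(char *path, int *argc) {   /* question: %ebx = string bytes, ptr at -4(%ebp), 0 at -8(%ebp), %ecx = -4(%ebp) */
    return run_scenario(ASCII_NO_NUL, sizeof ASCII_NO_NUL, 0, DATA_BASE, first_dword_le("/bin/sh"), STACK_TOP - 4, path, argc);
}
int verdict_fixed(char *path, int *argc) {      /* accepted answer: .asciz, $file_to_run, ptr at -8(%ebp), 0 at -4(%ebp) */
    return run_scenario(ASCIZ, sizeof ASCIZ, DATA_BASE, 0, DATA_BASE, STACK_TOP - 8, path, argc);
}
int verdict_null_argv(char *path, int *argc) {  /* Shank's answer: %ecx = %edx = 0 */
    return run_scenario(ASCIZ, sizeof ASCIZ, 0, 0, DATA_BASE, 0, path, argc);
}
int verdict_stack_order_only(char *path, int *argc) {  /* problem 3 alone: argv's would-be terminator is the saved %ebp */
    return run_scenario(ASCIZ, sizeof ASCIZ, 0, DATA_BASE, DATA_BASE, STACK_TOP - 4, path, argc);
}
int verdict_no_nul_only(char *path, int *argc) {       /* problem 1 alone: the copied path runs on past "/bin/sh" */
    return run_scenario(ASCII_NO_NUL, sizeof ASCII_NO_NUL, DATA_BASE, 0, DATA_BASE, STACK_TOP - 8, path, argc);
}

int main(void) {
    static const char *what[] = { "ok", "EFAULT on path", "EFAULT walking argv", "path is not /bin/sh" };
    char path[64]; int argc;
    printf("original: %s\n", what[verdict_original(path, &argc)]);
    printf("fixed: %s\nnull argv: %s\n", what[verdict_fixed(path, &argc)], what[verdict_null_argv(path, &argc)]);
    printf("stack order only: %s\nno NUL only: %s\n", what[verdict_stack_order_only(path, &argc)], what[verdict_no_nul_only(path, &argc)]);
    return 0;
}
```

The model is deliberately coarse. In a real process the saved %ebp points at mapped stack, so the stack-order problem makes the kernel read whatever sits in the caller's frame as further argv strings rather than faulting on the first slot, and a missing NUL only bites when something non-zero happens to follow the string in .data. Linux has historically accepted a NULL argv and envp as empty (recent kernels log a warning for a NULL argv), which is why Shank's shorter version works. To see the real arguments the kernel receives, build the 32-bit binary (gcc -m32 on a 64-bit host) and run it under strace, as the accepted answer suggests.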