Is it safe to store data at -ebp across Windows APIs?

Started by ThoughtCriminal, December 10, 2005, 05:52:18 PM


ThoughtCriminal

I'm writing a program using no stack frames and I keep ebp constant.  I'm using ebp and edi as pointers to functions and data respectively.

API0 = 0
.CreateFile = API0+0 ; 7
.CreateFileMapping = API0+4 ; 6
.ExitProcess = API0+8 ; 1
.GetCommandLine = API0+12 ; 0
.GetLastError = API0+16 ; 0
.GetStdHandle = API0+20 ; 1
.MapViewOfFile = API0+24 ; 5
.VirtualAlloc = API0+28 ; 4
.WriteConsole = API0+32 ; 5
.WriteFile = API0+36 ; 5
INIT0 = API0+(10*4)
FetchApi = INIT0+0
ParseCmdLine = INIT0+4
CreateSections = INIT0+8
FILE_F0 = INIT0+(3*4);+4
LoadSourceFile = FILE_F0+0
ReportError = FILE_F0+4
PARSE0 = FILE_F0+(2*4)
ByteParse = PARSE0+0


CONS0 = 0
conio = CONS0+0
c_num = CONS0+4
FILE_D0 = CONS0+(2*4)
MainFileHandle = FILE_D0+0
MapFileHandle = FILE_D0+4
MainFileLoadAddress = FILE_D0+8
FilePtrCurrent = FILE_D0+12
ERROR$0 = FILE_D0+(4*4)
serr1 = ERROR$0+0
berr1 = ERROR$0+4
serr2 = ERROR$0+8
berr2 = ERROR$0+12
serr3 = ERROR$0+16
berr3 = ERROR$0+20

Making great use of numeric equates.  My code works fine, only needing the occasional push/pop because I really need to use them for something else.

The point is all my offsets are positive.  I get maybe 30 32-bit pointers until I reach an offset of +128, where my 3-byte opcodes go to 5 or 6 bytes.  So how about negative offsets to -127?  I get about 60 then.  What I'm worried about is an API writing in the negative offset area if I keep ebp and edi constant.  Perhaps I should mov ebp and edi to a safe place before calling an API if I do this.  Any experience or advice?

Thanks.
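The size jump described above is a property of the x86 ModRM encoding, not of the assembler: a displacement of -128..+127 fits the 8-bit form, anything outside it needs a 32-bit displacement. The following encoder is an added example, not code from the original post; it builds "mov r32,[base+disp]" and "call [base+disp]" for a chosen base register and picks the shortest form, so you can see exactly where 3 bytes become 6 and why [ebp] with no displacement still costs a third byte. Register names, function names and the sample operands are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 register numbers as they appear in the ModRM reg/rm fields. */
enum { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* Scratch buffer large enough for the longest form this encoder produces. */
uint8_t scratch[7];

/* Encode a one-byte-opcode instruction whose memory operand is [base + disp]
   (32-bit mode, no index register). regfield is the ModRM reg bits: a register
   for "mov r32,[mem]" (8B /r) or the opcode extension for "call [mem]" (FF /2).
   The shortest displacement form is chosen:
     mod=00  no displacement     -- not available for base=EBP: rm=101 with
                                    mod=00 means [disp32] with no base at all
     mod=01  signed 8-bit disp   -- for -128..127
     mod=10  32-bit disp         -- everything else
   base=ESP always takes a SIB byte (rm=100 selects SIB). Returns the length;
   out must hold at least 7 bytes. */
size_t encode_mem(uint8_t *out, uint8_t opcode, unsigned regfield, int base, int32_t disp)
{
    size_t n = 0;
    uint8_t mod;

    if (disp == 0 && base != EBP)         mod = 0;
    else if (disp >= -128 && disp <= 127) mod = 1;
    else                                  mod = 2;

    out[n++] = opcode;
    out[n++] = (uint8_t)((mod << 6) | ((regfield & 7) << 3) | (base & 7));
    if (base == ESP)
        out[n++] = 0x24;                 /* SIB: scale=1, no index, base=ESP */
    if (mod == 1) {
        out[n++] = (uint8_t)(int8_t)disp;
    } else if (mod == 2) {
        uint32_t d = (uint32_t)disp;     /* little-endian disp32 */
        out[n++] = (uint8_t)(d);
        out[n++] = (uint8_t)(d >> 8);
        out[n++] = (uint8_t)(d >> 16);
        out[n++] = (uint8_t)(d >> 24);
    }
    return n;
}

/* mov r32, [base + disp] */
size_t encode_mov_load(uint8_t *out, int reg, int base, int32_t disp)
{
    return encode_mem(out, 0x8B, (unsigned)reg, base, disp);
}

/* call dword ptr [base + disp] */
size_t encode_call_mem(uint8_t *out, int base, int32_t disp)
{
    return encode_mem(out, 0xFF, 2, base, disp);
}

/* How many 4-byte slots around `base` are reachable with a 3-byte-or-shorter
   load, i.e. with the disp8 form: the window is -128..+127, so 64 dwords. */
unsigned short_form_slots(int base)
{
    unsigned count = 0;
    uint8_t buf[7];
    for (int32_t disp = -128; disp <= 124; disp += 4)
        if (encode_mov_load(buf, EAX, base, disp) <= 3)
            count++;
    return count;
}

static void show(const char *label, const uint8_t *b, size_t n)
{
    printf("%-20s", label);
    for (size_t i = 0; i < n; i++) printf("%02X ", b[i]);
    printf(" (%zu bytes)\n", n);
}

int main(void)
{
    size_t n;
    n = encode_mov_load(scratch, EAX, EBP, 8);    show("mov eax,[ebp+8]", scratch, n);
    n = encode_mov_load(scratch, EAX, EBP, -4);   show("mov eax,[ebp-4]", scratch, n);
    n = encode_mov_load(scratch, EAX, EDI, 0);    show("mov eax,[edi]", scratch, n);
    n = encode_mov_load(scratch, EAX, EBP, 0);    show("mov eax,[ebp]", scratch, n);
    n = encode_mov_load(scratch, EAX, EBP, 128);  show("mov eax,[ebp+128]", scratch, n);
    n = encode_mov_load(scratch, EAX, EBP, -129); show("mov eax,[ebp-129]", scratch, n);
    n = encode_call_mem(scratch, EBP, 4);         show("call [ebp+4]", scratch, n);
    n = encode_mov_load(scratch, EAX, ESP, 4);    show("mov eax,[esp+4]", scratch, n);
    printf("disp8 dword slots from ebp: %u, from edi: %u\n",
           short_form_slots(EBP), short_form_slots(EDI));
    return 0;
}
```

Two things the output makes concrete: the short window is -128..+127 rather than -127, and edi gets one extra 2-byte form ([edi] with no displacement) that ebp does not, because the mod=00/rm=101 slot is taken by the absolute-address form.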

manhattan

It's a good idea. I would say it is safe because there is no reason for the function to overwrite the memory pointed to by ebp or edi. If ebp is used as a frame pointer it will be saved by the called function. It will point to the stack and not to your data.

ThoughtCriminal

Thanks.  I traced into a few APIs, since they do use frames and I don't.  It looks as though the stack is far away from my data sections.

zooba

The stack should be in a different segment to your data, so that shouldn't be an issue.

When you call an API function they always (AFAIK) preserve ebp as part of the standard prologue:

push ebp
mov  ebp, esp


So as long as esp is valid on calling you should be fine.
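Tracing into an API to see whether it saves ebp, as the earlier reply describes, amounts to reading its first few bytes for the prologue shown above. This added example (not code from the thread) does that mechanically: it scans the entry of a 32-bit function for pushes, the two encodings of mov ebp,esp, the sub esp,imm that reserves locals, and the mov edi,edi hot-patch padding many Win32 exports begin with, and reports which registers were pushed. The three entry sequences are constructed for the example, not bytes lifted from any real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Register numbers as used by the 50+r push opcodes; SAVED_x are bit flags. */
enum { R_EAX = 0, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI };
#define SAVED_EBX (1u << R_EBX)
#define SAVED_EBP (1u << R_EBP)
#define SAVED_ESI (1u << R_ESI)
#define SAVED_EDI (1u << R_EDI)

struct prologue_info {
    unsigned saved;         /* bitmask of registers pushed in the prologue */
    bool     frame_pointer; /* saw "push ebp" followed by "mov ebp,esp"    */
    size_t   consumed;      /* bytes recognised before the scan stopped    */
};

/* Walk the first bytes of a 32-bit function and record what it saves.
   Recognised instructions (anything else ends the scan):
     8B FF          mov edi,edi   (hot-patch padding at the entry of many Win32 APIs)
     50+r           push r32
     8B EC / 89 E5  mov ebp,esp   (both encodings of the frame setup)
     83 EC ib       sub esp,imm8  (local space; skipped)
     81 EC id       sub esp,imm32
   A push proves the register survives the call; its absence proves nothing,
   since a function that never touches ebx has no reason to push it. */
struct prologue_info scan_prologue(const uint8_t *code, size_t len)
{
    struct prologue_info info = {0, false, 0};
    size_t i = 0;
    bool pushed_ebp = false;

    while (i < len) {
        uint8_t b = code[i];
        if (b == 0x8B && i + 1 < len && code[i + 1] == 0xFF) { i += 2; continue; }
        if (b >= 0x50 && b <= 0x57) {
            unsigned r = b - 0x50;
            info.saved |= 1u << r;
            if (r == R_EBP) pushed_ebp = true;
            i += 1;
            continue;
        }
        if (pushed_ebp && i + 1 < len &&
            ((b == 0x8B && code[i + 1] == 0xEC) || (b == 0x89 && code[i + 1] == 0xE5))) {
            info.frame_pointer = true;
            i += 2;
            continue;
        }
        if (b == 0x83 && i + 2 < len && code[i + 1] == 0xEC) { i += 3; continue; }
        if (b == 0x81 && i + 5 < len && code[i + 1] == 0xEC) { i += 6; continue; }
        break;
    }
    info.consumed = i;
    return info;
}

/* Constructed sample entry sequences (not taken from any real binary). */
const uint8_t api_style_entry[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0C,
                                    0x53, 0x56, 0x57 };
/* mov edi,edi; push ebp; mov ebp,esp; sub esp,0Ch; push ebx; push esi; push edi */
const uint8_t gcc_style_entry[]  = { 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18 };
/* push ebp; mov ebp,esp; sub esp,18h */
const uint8_t frameless_entry[]  = { 0x53, 0x56, 0x8B, 0x44, 0x24, 0x0C };
/* push ebx; push esi; mov eax,[esp+0Ch]  (no frame, ebp untouched) */

static void report(const char *name, const uint8_t *code, size_t len)
{
    struct prologue_info p = scan_prologue(code, len);
    printf("%-16s frame=%-3s saves:%s%s%s%s (%zu bytes scanned)\n", name,
           p.frame_pointer ? "yes" : "no",
           (p.saved & SAVED_EBP) ? " ebp" : "", (p.saved & SAVED_EBX) ? " ebx" : "",
           (p.saved & SAVED_ESI) ? " esi" : "", (p.saved & SAVED_EDI) ? " edi" : "",
           p.consumed);
}

int main(void)
{
    report("api_style_entry", api_style_entry, sizeof api_style_entry);
    report("gcc_style_entry", gcc_style_entry, sizeof gcc_style_entry);
    report("frameless_entry", frameless_entry, sizeof frameless_entry);
    return 0;
}
```

The scan is deliberately conservative: it stops at the first unrecognised byte, so a function whose prologue is interleaved with other code reports only what it saw up to that point. The relevant guarantee for the original question is the calling convention rather than the prologue shape: a Win32 stdcall or cdecl callee must leave ebx, esi, edi and ebp as it found them, while eax, ecx and edx are free to be clobbered, so those three are the ones not to keep data in across a call.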

MichaelW

Quote: The stack should be in a different segment to your data, so that shouldn't be an issue.

I have seen statements to this effect before. I don't know if the statement is literally true, but it looks to me like it is not effectively true. How could this be depended on for protection when you can access data in the data segment or on the stack with CS, DS, or SS (and probably ES), using the same offset for each segment?

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    include \masm32\include\masm32rt.inc
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    .data
        somedata dd 1234h
    .code
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
start:
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    print "CS = "
    mov   eax,cs
    print uhex$(eax),13,10
    print "DS = "
    mov   eax,ds
    print uhex$(eax),13,10
    print "ES = "
    mov   eax,es
    print uhex$(eax),13,10
    print "SS = "
    mov   eax,ss
    print uhex$(eax),13,10

    print "CS:data in data segment: "
    nop
    nop
    nop   
    mov   eax,cs:somedata
    print uhex$(eax),"h",13,10

    print "DS:data in data segment: "
    nop
    nop
    nop   
    mov   eax,somedata
    print uhex$(eax),"h",13,10

    print "SS:data in data segment: "
    nop
    nop
    nop   
    mov   eax,ss:somedata
    print uhex$(eax),"h",13,10

    print "CS:data on stack: "
    push  5678h
    nop
    nop
    nop
    mov   eax,esp
    mov   eax,cs:[eax]
    pop   edx
    print uhex$(eax),"h",13,10

    print "DS:data on stack: "
    push  5678h
    nop
    nop
    nop
    mov   eax,esp
    mov   eax,[eax]
    pop   edx
    print uhex$(eax),"h",13,10

    print "SS:data on stack: "
    push  5678h
    nop
    nop
    nop
    mov   eax,[esp]
    pop   edx
    print uhex$(eax),"h",13,10

    mov   eax, input(13,10,"Press enter to exit...")
    exit
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
end start


CS = 0000001B
DS = 00000023
ES = 00000023
SS = 00000023
CS:data in data segment: 00001234h
DS:data in data segment: 00001234h
SS:data in data segment: 00001234h
CS:data on stack: 00005678h
DS:data on stack: 00005678h
SS:data on stack: 00005678h


eschew obfuscation

AeroASM

That is right. Windows uses paging rather than segmentation to protect memory.