flat assembler
Message board for the users of flat assembler.

Local Buffer in Stack Memory

Core i7



Joined: 14 Nov 2024
Posts: 139
Location: Socket on motherboard
Core i7 19 Oct 2025, 08:41
Hello all!
I'm learning about stack buffer overflow protection using "Canary word", and I've encountered this problem. How do I allocate a buffer in a procedure's local memory so that its address can be passed to the gets() runtime function? I tried "local buff[32]:BYTE" as suggested in the help file, but it doesn't work, and fasm throws an error.

Code:
proc    myProc buffSize
locals
        var1    dd      0x12345678
        var2    dd      0x9ABCDEF0
endl
        local   buff[32]:BYTE

        cinvoke gets,buff                       ; <--------------- ERROR!
        cinvoke printf,<'Hello, %s',0>,buff
        ret
endp


You can solve the problem by explicitly allocating memory using "sub esp,32",
but this is inconvenient, since you'll have to manually restore the stack on exit using "add esp,32".

Code:
proc    myProc buffSize
locals
        var1    dd      0x12345678
        var2    dd      0x9ABCDEF0
endl

        sub     esp,32
        cinvoke gets,esp                        ; <--------------- OK !
        cinvoke printf,<'Hello, %s',0>,esp
        add     esp,32
        ret
endp
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20754
Location: In your JS exploiting you and your system
revolution 19 Oct 2025, 08:57
Core i7 wrote:
I tried "local buff[32]:BYTE" as suggested in the help file, but it doesn't work, and fasm throws an error
What error is shown?

Have the included files used been modified from the reference files?

Please show a minimal sample showing all the "include"s referenced.
Core i7 19 Oct 2025, 09:05
Here is the code and the error:

[Attachment: BuffOver.png (screenshot of the code and the error)]

Last edited by Core i7 on 21 Oct 2025, 02:45; edited 1 time in total
revolution 19 Oct 2025, 09:12
Here is a minimal example that works with fasm 1.73.31:
Code:
format PE console
include 'win32ax.inc'

.code

a_proc  dd ?

proc begin
        local   buff[1024]:BYTE
        cinvoke a_proc,addr buff
        ret
endp

.end begin    
Core i7 19 Oct 2025, 09:36
revolution, this design works, but the buffer is allocated not on the stack (where the return address I need is located) but in the first section, at 0x00401000.

[Attachment: 055.png (screenshot)]

revolution 19 Oct 2025, 09:55
The example I posted allocated in the stack.
Code:
00000208  55                push ebp
00000209  89E5              mov ebp,esp
0000020B  81EC00040000      sub esp,0x400
00000211  8D9500FCFFFF      lea edx,[ebp-0x400]  ; <--- it's on the stack
00000217  52                push edx
00000218  FF1500104000      call [dword 0x401000]
0000021E  83C404            add esp,byte +0x4
00000221  C9                leave
00000222  C3                ret    
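The pattern revolution's answer arrives at (a `local` buffer passed with `addr`), extended with the canary check the original post was studying. This is an added example, not code from the thread; it uses win32a.inc with explicit kernel32/msvcrt imports instead of win32ax.inc's `.end`, and the names `read_name`, `CANARY`, `fmt_hello` and `msg_smashed` are assumptions of this example.

```asm
; Added example (not from the thread): a local stack buffer passed with 'addr',
; plus a canary word placed between the buffer and the saved ebp / return address.
format PE console
entry start
include 'win32a.inc'

; Assumed canary value, terminator style (bytes 00 FF 0D 0A in memory): a line read
; by gets() ends at LF and cannot contain it, so an overrun that reaches the saved
; ebp cannot leave this word intact.
CANARY = 0x0A0DFF00

section '.text' code readable executable

proc read_name
        ; locals are laid out in declaration order, upward from ebp-localbytes,
        ; so 'canary' sits directly above 'buff' and directly below the saved ebp
        local   buff[32]:BYTE
        local   canary:DWORD

        mov     [canary],CANARY
        cinvoke gets,addr buff                  ; 'addr' emits lea edx,[buff] / push edx
        cinvoke printf,fmt_hello,addr buff
        cmp     [canary],CANARY                 ; check before the epilogue uses ebp/ret
        jne     .smashed
        ret
  .smashed:
        cinvoke puts,msg_smashed
        invoke  ExitProcess,1                   ; never return through a corrupted frame
endp

start:
        call    read_name
        invoke  ExitProcess,0

section '.data' data readable writeable
        fmt_hello   db 'Hello, %s',10,0
        msg_smashed db '*** stack smashing detected: canary overwritten ***',0

section '.idata' import data readable writeable
        library kernel32,'kernel32.dll',\
                msvcrt,'msvcrt.dll'
        import  kernel32, ExitProcess,'ExitProcess'
        import  msvcrt, gets,'gets', printf,'printf', puts,'puts'
```

Feeding more than 31 characters on one line overwrites the canary and the program exits through `.smashed` instead of returning to a corrupted address; with 31 or fewer it prints the greeting and returns normally.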
Core i7 19 Oct 2025, 10:28
revolution, sorry, your example works fine - thank you very much!

Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.