

skeggse
Is there a way in fasm to get the (rip-relative, maybe) virtual address of the start of the segment that contains the ELF and program headers? The closest I've gotten is $$, but that only gives me the start of what looks like the current section. I may be attempting to read those structures and manipulate the loaded memory pages themselves.
Post 11 Dec 2020, 09:35
revolution
This might work for 32-bit:
Code:
format ELF executable 0                 ;32-bit ELF (fasm "ELF", not "ELF64"); trailing
                                        ;number is presumably the OS/ABI byte - verify
entry main

AT_NULL                 = 0             ;auxv terminator entry
AT_SYSINFO_EHDR         = 33            ;auxv: address of the vDSO's ELF header
                                        ;(the executable's own program-header table
                                        ; is reported by AT_PHDR = 3 instead)
SYS_EXIT                = 1             ;i386 int 0x80 syscall numbers
SYS_WRITE               = 4
STD_OUTPUT              = 1             ;file descriptor 1

;one auxiliary-vector entry as the kernel lays it out on the i386 stack
struc Elf32_auxv_t {
        .a_type         rd 1            ;AT_* tag
        .a_val          rd 1            ;value for that tag
}
virtual at 0                            ;instantiate at 0 purely to measure the struc
        Elf32_auxv_t            Elf32_auxv_t
        sizeof.Elf32_auxv_t     = $     ;8 bytes
end virtual

segment executable

;-----------------------------------------------------------------------
; default_sys_call - issue a Linux i386 system call via int 0x80.
; In:  eax = syscall number, ebx/ecx/edx = arguments as set by the caller
; Out: eax = kernel return value
; Only reached indirectly through the [sys_call] pointer in the writable
; data segment, presumably so the dispatch can be re-pointed at run time
; (not shown here - verify against the caller's intent).
;-----------------------------------------------------------------------
default_sys_call:
        int     0x80                            ;trap into the kernel
        retn

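;-----------------------------------------------------------------------
; main - program entry (Linux i386, syscalls through [sys_call]).
; Walks the initial process stack: argc, argv[], NULL, envp[], NULL, then
; the auxiliary vector (Elf32_auxv_t entries terminated by AT_NULL).
; When an AT_SYSINFO_EHDR entry is found its value is rendered as 8 hex
; digits into the EHDR message, which is then written to stdout.
; NOTE: AT_SYSINFO_EHDR is the address of the vDSO's ELF header, not the
; executable's own headers; the executable's program-header table is
; given by AT_PHDR (3) and its entry point by AT_ENTRY (9).
; Exit status: 0 when the entry was found and printed; EXIT_NOT_FOUND
; when the table ends without it (the original exited 0 in both cases,
; so an empty output was indistinguishable from success).
; Registers: ebx = stack cursor, eax/edx = current auxv type/value.
; Never returns.
;-----------------------------------------------------------------------
EXIT_NOT_FOUND          = 1

main:
        mov     eax,[esp]                       ;argc
        lea     ebx,[esp + 4 + (eax + 1) * 4]   ;&envp[0]: skip argv[0..argc-1] and its NULL
    .skip_environment:
        cmp     dword[ebx],0                    ;NULL terminator of envp?
        lea     ebx,[ebx + 4]                   ;advance; lea keeps ZF from the cmp
        jnz     .skip_environment
        ;ebx now points at the first Elf32_auxv_t
    .scan_auxv:
        mov     eax,[ebx + Elf32_auxv_t.a_type]
        mov     edx,[ebx + Elf32_auxv_t.a_val]
        add     ebx,sizeof.Elf32_auxv_t         ;next auxv entry
        cmp     eax,AT_NULL                     ;end of table: tag absent
        jz      .not_found
        cmp     eax,AT_SYSINFO_EHDR
        jnz     .scan_auxv
        mov     ecx,EHDR_at                     ;edx = a_val is the value to print
        call    write_hex
        mov     eax,SYS_WRITE
        mov     ebx,STD_OUTPUT
        mov     ecx,EHDR
        mov     edx,EHDR_len
        call    [sys_call]                      ;write(1, EHDR, EHDR_len); result unchecked
        xor     ebx,ebx                         ;exit status 0
        jmp     .exit
    .not_found:
        mov     ebx,EXIT_NOT_FOUND              ;nothing printed: report it via the status
    .exit:
        mov     eax,SYS_EXIT
        call    [sys_call]                      ;exit(ebx); does not return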

;-----------------------------------------------------------------------
; write_hex - render edx as uppercase hexadecimal digits at [ecx].
; In:    ecx = destination buffer, edx = 32-bit value
; Clobb: eax, ecx, edx, flags
; Emits one digit per iteration, most significant nibble first, and
; stops as soon as the remaining (left-shifted) value is zero.  A value
; whose low nibbles are zero therefore gets fewer than 8 digits written;
; the caller's buffer (EHDR_at) is pre-filled with '0' so the text still
; reads as 8 digits.  At most 8 digits are written (edx is zero after
; 8 shifts).  A value of 0 writes a single '0'.
;-----------------------------------------------------------------------
write_hex:
        ;ecx = address
        ;edx = value
    .next_nibble:
        mov     eax,edx
        shr     eax,28                          ;al = top nibble (0..15)
        cmp     al,10                           ;CF = (nibble < 10)
        sbb     al,0x69                         ;branch-free nibble -> ASCII:
        das                                     ;  0-9 -> '0'-'9', 10-15 -> 'A'-'F'
        mov     [ecx],al
        inc     ecx
        shl     edx,4                           ;drop the nibble just written
        jnz     .next_nibble                    ;until no non-zero nibble remains
        retn

segment readable writeable

align 4
sys_call dd default_sys_call            ;indirect syscall entry point.  This is a
                                        ;writable code pointer: any write into this
                                        ;segment can redirect every system call.

EHDR:           db      'EHDR at 0x'
EHDR_at         db      '00000000',10   ;8 digit slots pre-filled with '0' (write_hex
                                        ;may write fewer than 8), then a newline
EHDR_len        =       $ - EHDR        ;length of the whole message
Post 11 Dec 2020, 10:58
skeggse
Hey, thanks for the thorough example! I hadn't gleaned that there was an auxv table in the stack, which was the big piece I was missing. Thanks!
Post 14 Dec 2020, 05:34