flat assembler
Message board for the users of flat assembler.

Index > Linux > linux command line revisited

Author
Thread Post new topic Reply to topic
MajorDill



Joined: 01 Nov 2010
Posts: 22
MajorDill 06 May 2021, 18:35
could someone explain again how to get command line info from linux and PLEASE do not refer me to FAQ which is not a very clear explanation.

on the stack is argc, then argv so you should be able to POP them into registers - right?
pop ecx ;count
pop ebx ;address of first arg (filename)

so, if the argument on command line a filename, should I just always refer to it by the pointer OR
is it better to move the whole thing into another area - (movsb loop) and how do I know when I get
to the end? check for a space(32), or LF(10) or null(00), or all three.

mov eax, 5 ;sys_open
;;; mov ebx, filename ;pointer to filename NOT NEEDED because i popped it off the stack???
mov ecx, 0 ;read only access mode
mov edx, 0777 ;file permissions (read, write, execute by all)
int 0x80
mov [fd_in], eax ;error handling
Post 06 May 2021, 18:35
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20300
Location: In your JS exploiting you and your system
revolution 06 May 2021, 19:34
You can leave the argv parameters on the stack, they will be safe there, so no need to move them elsewhere.

They are always terminated by NULL (0x00), nothing else.

The argv list is a table of pointers, so they aren't the strings themselves.

[esp+0] = argc
[esp+4] = pointer to first string (arg = 0)
[esp+8] = pointer to next string (arg = 1)
;...
[esp+argc*4] = pointer to last string (arg = argc-1)
[esp+argc*4+4] = null pointer
[esp+argc*4+8] = some other tables are also stored here
Post 06 May 2021, 19:34
View user's profile Send private message Visit poster's website Reply with quote
MajorDill



Joined: 01 Nov 2010
Posts: 22
MajorDill 08 May 2021, 02:30
i got it, thx
Post 08 May 2021, 02:30
View user's profile Send private message Reply with quote
Melissa



Joined: 12 Apr 2012
Posts: 125
Melissa 08 May 2021, 16:43
On 64 bit if you write main (rdi->argc, rsi->argv pointer)
without main is same, on RSP.
Post 08 May 2021, 16:43
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20300
Location: In your JS exploiting you and your system
revolution 08 May 2021, 18:19
For anyone familiar with Windows:

It might be surprising to learn that filenames in Linux can have any byte values except null and slash. So that includes CR, LF, space, 0xff, etc. And there is no default encoding, just raw byte values.

If the code tries to do text processing on the filename then it needs to be aware of this fact to avoid weird results. You can't simply assume ASCII printable characters only.

Displaying error message to the user that blindly copy the filename to the output can create unusual effects. Some real fun can be had by putting VT100 console escape sequences in the name.
Post 08 May 2021, 18:19
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 2493
Furs 09 May 2021, 12:30
revolution wrote:
For anyone familiar with Windows:

It might be surprising to learn that filenames in Linux can have any byte values except null and slash. So that includes CR, LF, space, 0xff, etc. And there is no default encoding, just raw byte values.

If the code tries to do text processing on the filename then it needs to be aware of this fact to avoid weird results. You can't simply assume ASCII printable characters only.

Displaying error message to the user that blindly copy the filename to the output can create unusual effects. Some real fun can be had by putting VT100 console escape sequences in the name.
Worse is when the filename contains newlines ('\n') and then you process the output line-by-line assuming it's a different filename. It can actually cause security vulnerabilities, a LOT of shell scripts and dumb programs suffer from it.

That's mainly the reason most GNU core tools have a -z option to delimit filenames in the output by NUL chars '\0' instead of newline.

IMO it was a mistake to allow newlines in filenames. Nobody really uses them except for malware.
Post 09 May 2021, 12:30
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20300
Location: In your JS exploiting you and your system
revolution 09 May 2021, 21:23
With Windows when using the raw kernel functions to access an NTFS volume, it is possible to make a filename with null characters (0x0000).

Then, from a normal user program, it becomes impossible to open, delete, rename, move, etc, the file.

This is the same for registry key names.

Windows makes this possible because it stores the length of the name, and doesn't search for a terminator character. And since the APIs receive and return a null terminated string from/to the user code, then there is no way to work with the null.

Some programs have used this to detect if the user is trying to extend a free trial by deleting and reinstalling the files and registry keys. But that will fail to remove the "secret" null named file/key without using some deep level utility.
Post 09 May 2021, 21:23
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.