How Shellcodes Work
Subject:   Writing to executable memory?
Date:   2006-05-21 21:35:11
From:   VesK
Excellent article indeed.

I am a bit surprised that writing to executable memory does not generate a segfault. Consider the following bit of code:

jmp short stuff

code:
pop esi
; address of string (the return address pushed by 'call code')
; now in ESI

xor eax,eax
; put zero into EAX

mov byte [esi + 17],al ; =======
; count 18 symbols (index starts from zero)
; and putting a zero value there (EAX register equals to zero)
; The string will become This is my string0

stuff:
call code

db 'This is my string#'

The line marked with ======= is in effect writing to executable memory (i.e. a self-modifying program). Since the 80386, Intel has provided memory protection, and this makes it easy for the OS to mark pages for Read, Write and Execute. My understanding is that - at least outside ring 0 - pages marked Execute should not be writable and pages marked Write should not be executable. What am I missing?


  • Writing to executable memory?
    2006-05-22 13:35:09  gryzlo

    You're missing that this code is being executed when it already resides inside the stack, so the mentioned write operation is made neither on a read/write memory area nor on an executable memory area. The stack is a different data area, so it's out of the operating system's page control.
  • Writing to executable memory?
    2006-05-22 10:48:22  davidrosario

    I know that (at least) in Windows XP, you can enable writing to executable memory. I'm a Linux programmer, but for music production, I have Sonar Producer Edition and Cubase SX 3, and the instructions for Sonar state that you need to enable this feature. This type of code would obviously work for some XP deployments (thanks to Sonar).
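As an added example (not part of the original thread or article), here is a small Linux check for the situation the question and the first reply describe: it parses /proc/<pid>/maps and reports mappings that are both writable and executable, including an executable [stack]. The maps text below is constructed, not captured from a real process, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the format of /proc/<pid>/maps (not from a real process).
# The third and fourth regions are writable AND executable; the last is the stack.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234 /tmp/selfmod
08049000-0804a000 rw-p 00001000 08:01 1234 /tmp/selfmod
b7fd0000-b7fd1000 rwxp 00000000 00:00 0
bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[Dict]:
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a maps line
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path").strip(),
        })
    return regions


def wx_regions(regions: List[Dict]) -> List[Dict]:
    """Regions that violate W^X: mapped both writable and executable."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def stack_is_executable(regions: List[Dict]) -> bool:
    """True if the [stack] mapping carries the execute bit (no NX on the stack)."""
    return any(r["path"] == "[stack]" and "x" in r["perms"] for r in regions)


def check_pid(pid: str = "self") -> List[Dict]:
    """Read a live process's maps (Linux only) and return its W^X violations."""
    with open(f"/proc/{pid}/maps") as f:
        return wx_regions(parse_maps(f.read()))
```

Run check_pid() inside a process on a modern Linux system and the list is normally empty; a non-empty result (or stack_is_executable() returning True) is the condition under which a self-modifying snippet like the one in the question could run without faulting.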