
Though there are many functions running on the system, how can the value of the stack pointer (ESP) be the same every time for every function running on the stack (because every function has a different address)? Especially when ASLR is off?

2 Answers


ASLR being turned on actually may influence the base address of the stack for every separate thread. Here is a quote from "Windows Internals, Sixth Edition, Part 2", pp. 249-250:

"The next step in ASLR is to randomize the location of the initial thread’s stack (and, subsequently, of each new thread). This randomization is enabled unless the flag StackRandomizationDisabled was enabled for the process and consists of first selecting one of 32 possible stack locations separated by either 64 KB or 256 KB. This base address is selected by finding the first appropriate free memory region and then choosing the xth available region, where x is once again generated based on the current processor’s TSC shifted and masked into a 5-bit value (which allows for 32 possible locations).

Once this base address has been selected, a new TSC-derived value is calculated, this one 9 bits long. The value is then multiplied by 4 to maintain alignment, which means it can be as large as 2,048 bytes (half a page). It is added to the base address to obtain the final stack base".

The flag mentioned above (StackRandomizationDisabled) resides in the kernel-space structure EPROCESS and cannot be set from user space explicitly. However, if ASLR is turned off, then the stack base address for the main thread in the application will be the same across different re-runs. Practically, it means that if you are inside the same function at the same line every time you run the application, then ESP/RSP will be the same.

Some examples demonstrating this concept.

Please note that every process in the operating system has its own virtual address space, but it's not the same as the physical address space. So if you run two instances of your application at the same time (ASLR turned off) and step to the same place, you will see the same values of ESP/RSP. Each value belongs to its own process's virtual address space and has no correlation with other processes. You may refer, for example, to this link for more info on memory layout.

– greenpiece
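As an added example (not code from the answers above), the following C program makes the point observable: the probe address is identical for two calls from the same point within one run, it moves with call depth, and, compared across runs, it only stays fixed when address-space randomization is off. It assumes a downward-growing stack (x86/x86-64), GCC or Clang for the noinline attribute, and Linux for the setarch note; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Approximate the stack pointer by taking the address of a local variable.
 * noinline keeps a real call frame, so the address belongs to this call. */
__attribute__((noinline)) uintptr_t stack_probe(void)
{
    volatile char marker = 0;   /* volatile store: cannot be optimised away */
    return (uintptr_t)&marker;
}

/* Recurse `depth` levels, each level keeping a 64-byte local alive, and
 * return the probe value observed at the innermost level. */
__attribute__((noinline)) uintptr_t probe_at_depth(unsigned depth)
{
    volatile char pad[64];
    pad[0] = (char)depth;
    if (depth == 0)
        return stack_probe();
    uintptr_t inner = probe_at_depth(depth - 1);
    if (pad[0] != (char)depth)  /* volatile read after the call: no tail call */
        abort();
    return inner;
}

/* 1 when two probes from the same call site in one process agree
 * (same function, same point: same ESP/RSP, as the answer states). */
int same_point_same_value(void)
{
    return stack_probe() == stack_probe();
}

/* Bytes between the innermost probe at depth 0 and at depth `depth`:
 * deeper calls see a lower stack pointer because the stack grows down. */
uintptr_t frame_span(unsigned depth)
{
    return probe_at_depth(0) - probe_at_depth(depth);
}

int main(void)
{
    printf("stack probe in main         : %#lx\n", (unsigned long)stack_probe());
    printf("same probe, second call     : %#lx\n", (unsigned long)stack_probe());
    printf("probe at call depth 3       : %#lx\n", (unsigned long)probe_at_depth(3));
    printf("bytes used by 3 extra frames: %lu\n", (unsigned long)frame_span(3));
    return 0;
}
```

On Linux, run the binary twice normally and the printed addresses change per run; run it twice under `setarch "$(uname -m)" -R ./a.out` (randomization off) with the same environment and they repeat, since with ASLR off the remaining variation comes only from the size of argv and the environment block above the initial stack.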

The value of the stack pointer is not the same for every function, and does not depend on ASLR settings. The stack pointer is set at some location when a thread of execution is created, and functions increment or decrement it for data storage as the program executes. In particular, function code is not typically stored on the stack; pointers to function code are.

Without ASLR, once you've got a stack buffer overflow bug, you can insert a "blob of code" that calls other functions in the exploited app because you know where such functions are. With ASLR, you can't easily do that because you don't know where that code lives.

– Billy ONeal
  • Suppose we have turned ASLR off. Then when we print out the ESP, it shows the same value every time. So how could it be possible for ESP to always point to the same address? Many functions are running on the system every time. – user3460964 Aug 19 '14 at 06:16
  • @user: ASLR does not move the stack. ASLR moves the code. The stack does not contain code; it only contains pointers to the code. If you were to print the value of return addresses on the stack you would expect those to be different run over run, but the stack itself is known. There would be no advantage to applying ASLR to the stack -- the shellcode could get its location at any time just by asking ESP :) – Billy ONeal Aug 19 '14 at 07:33