rdi contains the address of a piece of code. I'm trying to implement XOR encoding to that code. When I run that code, the mov instruction causes a segmentation fault. Can anyone help?

mov byte al,[rdi]   ; No errors
xor al,0x7f
mov byte [rdi],al   ; Causes segmentation fault

Complete Code:

section .text
    global _start
    _start:
        call encrypt
    code:
        xor rax,rax
        xor rdx,rdx
        xor rcx,rcx
        xor rdx,rdx
        mov rdi,0x636e2f6e69622f2f
        shr rdi,0x8
        push rdi
        mov rdi,rsp
        mov rsi,0x6c2dffffffffffff
        shr rsi,0x30
        push rsi
        mov rsi,rsp
        mov rbx,0x702dffffffffffff
        shr rbx,0x30
        push rbx
        mov rbx,rsp
        mov rcx,0x30393039ffffffff
        shr rcx,0x20
        push rcx
        mov rcx,rsp
        mov rdx,0x652dffffffffffff
        shr rdx,0x20
        push rdx
        mov rdx,rsp
        xor r8,r8
        mov r8,0x68732f6e69622f2f
        shr r8,0x8
        push r8
        mov r8,rsp
        push r8
        push rdx
        push rcx
        push rbx
        push rsi
        push rdi
        mov rsi,rsp
        mov al,59
        syscall
    encrypt:
        pop rdi
        mov cl,0x8a
        mov bl,0
    loo:
        dec cl
        mov byte al,[rdi]
        xor al,0x7f
        mov byte [rdi],al  ;segfault occurs here
        inc rdi
        jne loo
        jmp code
melpomene
John
    rdi points somewhere you may not write to – Tommylee2k Jun 22 '18 at 11:52
  • Can you post your complete code please? Without seeing where `rdi` points, it is hard to say what exactly went wrong. – fuz Jun 22 '18 at 11:54
  • What operating system are you programming for? – fuz Jun 22 '18 at 12:37
  • Debian linux... – John Jun 22 '18 at 12:40
  • @John For the future, always mention what operating system and architecture you are programming for right away! Check out the `mprotect` system call. You can use it to make the text segment writable. – fuz Jun 22 '18 at 13:00
  • Possible duplicate of [Self modifying code always segmentation faults on Linux](https://stackoverflow.com/questions/4169417/self-modifying-code-always-segmentation-faults-on-linux) – Sneftel Jun 22 '18 at 13:39
  • it worked....... – John Jun 22 '18 at 14:39

1 Answer

> rdi contains the address of a piece of code

Many systems provide protection from malicious code by actively preventing writes to code areas (a). For example, the code selector may point to a memory block which is marked read-only (unless you're running the code trying to modify it in some form of privileged mode).

You're almost certainly running into this protection mechanism in this case. How you solve it (assuming it's allowed) will depend on more details of your environment than you have currently provided (operating system, for example).

For example, under Linux, you can use mprotect to change protections for some address ranges in your virtual memory space.


(a) Some also stop you from executing data as if it was code which means that, even if you move the code to somewhere you can write, you may not be able to execute it.

paxdiablo
  • is there anyother way to write to that location? – John Jun 22 '18 at 12:03
  • @John not enough data to say. But probably no. – Michał Walenciak Jun 22 '18 at 12:04
  • @John: Not from inside your user-space process. You could make a modified *copy* of the code and execute it from somewhere else, e.g. if you allocated a page of memory with R+W+X permissions. IDK why you're only XORing one byte at a time, not 4 or 8, (or 16 with SSE2). Also not sure why you're apparently hard-coding absolute addresses of code in the source, although I guess if you want an XORed version of an address you can't get the linker to do that for you. But it won't work with code ASLR in a library or PIE executable. – Peter Cordes Jun 22 '18 at 16:14
  • I used the mprotect syscall to change the memory protection to writable on that page. Now it's working perfectly – John Jun 23 '18 at 13:20
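The answer's point is that code pages are mapped read-only and executable, and its footnote (a) is the flip side: pages that are both writable and executable are exactly what W^X policies exist to prevent. A defender reviewing a process can see both facts directly in `/proc/<pid>/maps`. The following C program is an added example written for this page, not code from the question, the answer or any library: it parses the maps line format, reports every mapping whose permission string carries both `w` and `x`, and shows the page-aligned start address that a call such as `mprotect` requires. The sample maps text inside `main` is constructed; the function names (`parse_maps_line`, `is_wx`, `count_wx_mappings`, `page_align_down`) are this example's own.

```c
/* Added example (not from the question or answer): audit a memory map for
 * regions that are both writable and executable (W+X), the property the
 * answer's footnote (a) warns about.  The parser understands the
 * /proc/<pid>/maps line format, so it runs over constructed text as well as
 * the live /proc/self/maps. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#define WX_MAX 64

/* One parsed mapping. */
struct mapping {
    uint64_t start, end;
    char perms[5];      /* e.g. "r-xp" */
    char path[256];     /* backing file, or "" for anonymous memory */
};

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line is not in the expected shape. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long long start, end, offset, inode;
    char dev[16];
    int consumed = 0;

    m->path[0] = '\0';
    /* %n records how many characters were consumed so that the optional
     * path can be taken from the remainder of the line. */
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
               &start, &end, m->perms, &offset, dev, &inode, &consumed) != 6)
        return 0;
    m->start = start;
    m->end = end;
    const char *rest = line + consumed;
    while (*rest == ' ' || *rest == '\t')
        rest++;
    size_t n = strcspn(rest, "\n");
    if (n >= sizeof m->path)
        n = sizeof m->path - 1;
    memcpy(m->path, rest, n);
    m->path[n] = '\0';
    return 1;
}

/* A mapping is W+X if its permission string has both 'w' and 'x'. */
int is_wx(const struct mapping *m)
{
    return m->perms[1] == 'w' && m->perms[2] == 'x';
}

/* Scan maps-formatted text; store up to WX_MAX W+X mappings in out (which
 * may be NULL) and return how many were found in total. */
int count_wx_mappings(const char *text, struct mapping *out)
{
    int found = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && is_wx(&m)) {
            if (out && found < WX_MAX)
                out[found] = m;
            found++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return found;
}

/* mprotect only accepts a page-aligned start address: round down to the
 * enclosing page (page_size must be a power of two). */
uintptr_t page_align_down(uintptr_t addr, uintptr_t page_size)
{
    return addr & ~(page_size - 1);
}

int main(void)
{
    /* Constructed sample resembling /proc/self/maps; only the last line
     * (an anonymous rwx region) should be reported. */
    static const char sample[] =
        "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo\n"
        "00601000-00602000 rw-p 00001000 08:01 1234 /tmp/demo\n"
        "7f0000000000-7f0000001000 rwxp 00000000 00:00 0\n";
    struct mapping hits[WX_MAX];
    int n = count_wx_mappings(sample, hits);
    printf("sample: %d W+X mapping(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  %llx-%llx %s %s\n", (unsigned long long)hits[i].start,
               (unsigned long long)hits[i].end, hits[i].perms, hits[i].path);

    /* Live check of this process; with a normal toolchain this prints 0. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char buf[65536];
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        printf("this process: %d W+X mapping(s)\n", count_wx_mappings(buf, NULL));
    }
    printf("page-aligned start for 0x401234: 0x%lx\n",
           (unsigned long)page_align_down(0x401234,
                                          (uintptr_t)sysconf(_SC_PAGESIZE)));
    return 0;
}
```

Run it against a normally linked binary and the live count is 0: the `r-xp` text mapping and the `rw-p` data mapping never overlap, which is the protection the answer describes. A non-zero count is the thing to investigate, because any region reported here is one in which bytes can be rewritten and then executed.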