0

I wrote a program that can access the stack of another program on Linux, trying to implement something similar to Cheat Engine on Windows. The problem is that the stack frame of the main function changes on each execution, and I need to find the base pointer of main in order to find its variables. Is there a way to get the base pointer or read the register where this information is stored?

Barmar
  • So you aren't actually asking about Linux, but about Windows, or...? In either case you'll have ASLR so I imagine you'd need to manually hack it by peeking at certain instructions in the disassembly. – Lundin Feb 22 '21 at 15:46
  • You need to extract some information from the program you're targeting. Since you mentioned that you try this on Linux, you need to get familiar with the [ELF format](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format). The `main` function is what is known as the entry point of the program. [How to find the main function's entry point of elf executable file without any symbolic information?](https://stackoverflow.com/questions/9885545/how-to-find-the-main-functions-entry-point-of-elf-executable-file-without-any-s) might be a good place to start. – icebp Feb 22 '21 at 15:55
  • Does this answer your question? [How to find the main function's entry point of elf executable file without any symbolic information?](https://stackoverflow.com/questions/9885545/how-to-find-the-main-functions-entry-point-of-elf-executable-file-without-any-s) – icebp Feb 22 '21 at 15:56
  • @icebp This question is about the stack, that seems to be about the text. – Barmar Feb 22 '21 at 16:22
  • @Lundin I am using Linux, I only mentioned Windows because my program is inspired by a Windows program. – bigabdoo Feb 22 '21 at 16:25
  • @icebp, I read the ELF and found the entry point address: 0x400c00, but as Barmar mentioned, that's the code address of main in the text and not the actual stack frame pointer of main. – bigabdoo Feb 22 '21 at 16:30
  • @bigabdoo Please don't explain your question in comments. Instead, improve your question by using the `edit` function. If you get questions in comments, extend your question with answers or a better explanation. Why should you do this?? First: it helps us to understand your environment and it's more realistic that you get a helpful answer. Second: StackOverflow is also a site where others will read your question. The questions and answers will help other readers too. – harper Feb 22 '21 at 17:13
  • So you want the stack of the main thread? – icebp Feb 22 '21 at 17:26

1 Answer

0

A hacky, not very portable idea: Read /proc/PID/auxv, it has a format of key-value, and ends with 0-0. Notice the following keys:

```c
#define AT_PLATFORM 15  /* string identifying CPU for optimizations */
#define AT_RANDOM 25    /* address of 16 random bytes */
#define AT_EXECFN  31   /* filename of program */
```

Their values are pointers on the main stack. You can then read up the stack and search for return addresses of functions. The following key can help:

```c
#define AT_ENTRY  9 /* entry point of program */
```

The problem is, main() isn't the first function called, and the others are libc dependent, so the solution probably won't be as portable anyway.

Another possible solution is to ptrace() (debug) the main thread, then based on registers values and the stack, parse the stack frames until you find the one you need.

Semion
  • Thanks for the useful info. For the first solution, as you pointed out, AT_ENTRY doesn't point to main, and the functions called before don't have a fixed stack frame length, hence its address isn't consistent; it can only estimate a region where main is. PTRACE_GETREGSET seems interesting to explore. Finally, while reading man proc, I found a file /proc/{pid}/stack that is supposed to contain addresses of stack frames. – bigabdoo Feb 23 '21 at 15:35
  • /proc/PID/stack contains the stack addresses in the kernel. If the thread is in a syscall, or is in kernel land for another reason, it contains a stack trace of the relevant kernel functions. If the thread is running in user land it seems to be empty. Either way it doesn't give you information about the user land stack addresses. I think traversing stack frames from the rbp register or similar is worth a shot. – Semion Feb 26 '21 at 19:33
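The auxv approach in the answer, as an added example that is not code from the answer or its author: it parses the key/value vector as read from /proc/PID/auxv, finds the "[stack]" line in /proc/PID/maps, and checks which of AT_PLATFORM, AT_RANDOM and AT_EXECFN actually point into that mapping. It assumes Linux and a 64-bit target (auxv entries are two native words); the sample auxv words and maps text embedded below are constructed, not captured from a real process, and the entry value 0x400c00 is just the figure quoted in the question's comments.

```c
/* Added example (not from the answer above): parse /proc/PID/auxv and check
 * which pointer-valued keys land inside the target's "[stack]" mapping.
 * Linux-only, 64-bit assumed. Build: cc -std=c99 -Wall auxv_stack.c */
#include <stdio.h>
#include <string.h>
#include <elf.h>      /* AT_NULL, AT_ENTRY, AT_PLATFORM, AT_RANDOM, AT_EXECFN */

/* One auxv entry is two native words: key, value; the vector ends at AT_NULL. */
struct auxv_entry { unsigned long key; unsigned long val; };

/* Parse a raw auxv blob into out[]; returns the number of entries before AT_NULL. */
size_t parse_auxv(const unsigned char *buf, size_t len, struct auxv_entry *out, size_t max)
{
    size_t n = 0, ent = sizeof(struct auxv_entry);
    for (size_t off = 0; off + ent <= len && n < max; off += ent) {
        struct auxv_entry e;
        memcpy(&e, buf + off, ent);          /* memcpy: no alignment assumptions */
        if (e.key == AT_NULL) break;
        out[n++] = e;
    }
    return n;
}

/* Look a key up; returns 1 and stores its value if present. */
int auxv_lookup(const struct auxv_entry *v, size_t n, unsigned long key, unsigned long *val)
{
    for (size_t i = 0; i < n; i++)
        if (v[i].key == key) { *val = v[i].val; return 1; }
    return 0;
}

/* Find the "[stack]" line ("start-end perms offset dev inode [stack]") in maps text. */
int find_stack_mapping(const char *maps, unsigned long *lo, unsigned long *hi)
{
    char line[512];
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, maps, len);
        line[len] = '\0';
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", lo, hi) == 2)
            return 1;
        if (!nl) break;
        maps = nl + 1;
    }
    return 0;
}

/* Count how many of the three stack-resident keys really point into [stack];
 * -1 if the maps text has no [stack] line. */
int count_auxv_ptrs_in_stack(const unsigned char *auxv, size_t len, const char *maps)
{
    static const unsigned long keys[] = { AT_PLATFORM, AT_RANDOM, AT_EXECFN };
    struct auxv_entry v[64];
    unsigned long lo, hi, p;
    size_t n = parse_auxv(auxv, len, v, 64);
    if (!find_stack_mapping(maps, &lo, &hi)) return -1;
    int hits = 0;
    for (size_t i = 0; i < 3; i++)
        if (auxv_lookup(v, n, keys[i], &p) && p >= lo && p < hi) hits++;
    return hits;
}

/* Constructed sample data (not captured from a real process). */
static const unsigned long sample_auxv_words[] = {
    AT_ENTRY,    0x400c00UL,
    AT_PLATFORM, 0x7ffd12320f00UL,
    AT_RANDOM,   0x7ffd12320f10UL,
    AT_EXECFN,   0x7ffd12320fe0UL,
    AT_NULL,     0UL,
};
static const char sample_maps[] =
    "00400000-00401000 r-xp 00000000 08:01 1234   /tmp/target\n"
    "7ffd12300000-7ffd12321000 rw-p 00000000 00:00 0   [stack]\n";

int sample_check(void)
{
    return count_auxv_ptrs_in_stack((const unsigned char *)sample_auxv_words,
                                    sizeof sample_auxv_words, sample_maps);
}

/* Read a /proc file to EOF (they report size 0, so fread until it stops). */
static size_t slurp(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

/* Stand-alone run: inspect this process, or the PID given as argv[1]. */
int main(int argc, char **argv)
{
    static char auxv[4096], maps[65536];
    char path[64];
    const char *pid = argc > 1 ? argv[1] : "self";
    snprintf(path, sizeof path, "/proc/%s/auxv", pid);
    size_t alen = slurp(path, auxv, sizeof auxv);
    snprintf(path, sizeof path, "/proc/%s/maps", pid);
    if (!alen || !slurp(path, maps, sizeof maps)) { perror("proc"); return 1; }
    printf("auxv keys pointing into [stack]: %d\n",
           count_auxv_ptrs_in_stack((const unsigned char *)auxv, alen, maps));
    return 0;
}
```

Run it against another PID only if you may ptrace-attach to it, since reading another process's auxv and maps is subject to the same ptrace access check; with no argument it inspects itself. The stack walk the answer goes on to describe starts from these addresses, so the point of the check is to confirm they are in the main-thread stack before trusting anything read above them.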