3

In Linux, with ASLR enabled, is there a range of addresses where user stack address lies? What about heap, instruction addresses(text section)? In general, is it possible to look at an address and tell if it is for data or for code?

I am trying to write a Pintool that looks at the EIP after a return and checks if the EIP points to a data area. Let's assume that NX is not enabled on this system.

abjoshi - Reinstate Monica
  • 145
  • 5

2 Answers2

2

Yes, there is a range, and you can determine that range trivially for any running process. Read a given process' /proc/<pid>/maps to see its memory layout, as well as the type of memory in each address range. This is described in proc(5). A sample from an embedded device:

root@UP-7197:~# cat /proc/self/maps
00400000-0044b000 r-xp 00000000 1f:02 944        /bin/busybox
0045b000-0045c000 rw-p 0004b000 1f:02 944        /bin/busybox
77450000-77472000 r-xp 00000000 1f:02 802        /lib/libgcc_s.so.1
77472000-77473000 rw-p 00012000 1f:02 802        /lib/libgcc_s.so.1
77474000-77506000 r-xp 00000000 1f:02 891        /lib/libc.so
77513000-77514000 r--p 00000000 00:00 0          [vvar]
77514000-77515000 r-xp 00000000 00:00 0          [vdso]
77515000-77517000 rw-p 00091000 1f:02 891        /lib/libc.so
77517000-77519000 rwxp 00000000 00:00 0
7fc55000-7fc76000 rw-p 00000000 00:00 0          [stack]

The syntax is explained over at Stack Overflow.

forest
  • 64,616
  • 20
  • 206
  • 257
0

Yes, it is generally possible to guess, where the different sections start and end, though it may not be perfectly reliable. To learn more about how a process is structured in memory, read about the ELF format.

Peter Harmann
  • 7,728
  • 5
  • 20
  • 28
  • You don't have to guess. This is exposed in `proc(5)`. – forest May 06 '18 at 12:19
  • @forest I am pretty sure I watched somewhere on Defcon that these things can be confused by malware to make analysis harder. Though maybe it was only because the tools were not good? Not sure now. Anyway, that is why i wrote guessed, considering this question is for security application. – Peter Harmann May 06 '18 at 13:02
  • @forest, Peter Thanks. I guess I could register a callback which looks at /proc/maps and decides if the last loaded value to EIP is indeed from a code area(text section). Correct? If correct, let me know what you think of this situation: What if NX bit is enabled and I need to prevent ROP. Then the above approach will fail. In this case, I would try to prevent next step, i.e. stack pivoting. So now, a reasonable(not fool-proof) strategy would be to check if the location in the (corrupted)SP value is a sane value from the stack.(and not from the heap or any other section). – abjoshi - Reinstate Monica May 06 '18 at 20:22
  • Note, the stack pivoting can also be done with the target locations on the stack(i.e SP is loaded with some malicious value residing on the stack) and I don't know how to prevent that (yet). Kindly let me know your thoughts on this. – abjoshi - Reinstate Monica May 06 '18 at 20:22