This process is called the function prolog.
In assembly code, the prolog looks like this:
0x804835c : push %ebp
0x804835d : mov %esp,%ebp
0x804835f : sub $0x190,%esp
The last thing a called function does before returning to the calling program is to clean
up the stack by incrementing esp to ebp, effectively clearing the stack as part of the leave
statement. Then the saved eip is popped off the stack as part of the return process. This is
referred to as the function epilog. If everything goes well, eip still holds the next instruction
to be fetched and the process continues with the statement after the function call.
In assembly code, the epilog looks like this:
0x804838e : leave
0x804838f : ret
These small bits of assembly code will be seen over and over when looking for buffer
overflows.
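Because the prolog and epilog recur in every stack frame, recognizing them mechanically is a useful first step when auditing a disassembly. The following is an added example, not code from the book: a small Python scanner that reads a gdb/objdump-style AT&T listing, locates each `push %ebp` / `mov %esp,%ebp` prolog, reads the local-frame size from the following `sub $N,%esp`, and pairs it with the matching `leave` / `ret` epilog. The listing embedded below is constructed for the example; only the prolog and epilog addresses and the 0x190 frame size are taken from the text, the remaining instructions and the `<main>` symbol names are assumed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample listing in the gdb/objdump AT&T format used in the text.
# The prolog/epilog addresses and the 0x190 frame size come from the page; the
# instructions in between and the <main+N> symbols are made up for illustration.
SAMPLE_DISASSEMBLY = """\
0x804835c <main>:    push   %ebp
0x804835d <main+1>:  mov    %esp,%ebp
0x804835f <main+3>:  sub    $0x190,%esp
0x8048365 <main+9>:  lea    -0x190(%ebp),%eax
0x804836b <main+15>: push   %eax
0x804836c <main+16>: call   0x8048300 <strcpy@plt>
0x804838e <main+50>: leave
0x804838f <main+51>: ret
"""

# address, optional <symbol>, colon, mnemonic, operands (also accepts the
# "0x804835d : mov %esp,%ebp" form without a symbol, as printed in the text)
LINE_RE = re.compile(r'^\s*(0x[0-9a-fA-F]+)\s*(?:<[^>]*>)?\s*:\s*(\S+)\s*(.*)$')
SUB_ESP_RE = re.compile(r'^\$(0x[0-9a-fA-F]+|\d+),%esp$')

Insn = Tuple[int, str, str]  # (address, mnemonic, operands)


class Frame(NamedTuple):
    prolog_addr: int          # address of the 'push %ebp'
    local_bytes: int          # bytes reserved for locals by 'sub $N,%esp' (0 if none)
    epilog_addr: Optional[int]  # address of the matching 'leave', if found


def parse_listing(listing: str) -> List[Insn]:
    """Turn each recognizable disassembly line into an (addr, mnemonic, operands) tuple."""
    insns: List[Insn] = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers or anything not in listing format
        addr, mnemonic, operands = m.groups()
        insns.append((int(addr, 16), mnemonic, operands.strip()))
    return insns


def _immediate(text: str) -> int:
    """Parse an AT&T immediate such as 0x190 or 400."""
    return int(text, 16) if text.lower().startswith('0x') else int(text, 10)


def find_frames(listing: str) -> List[Frame]:
    """Locate each prolog (push %ebp; mov %esp,%ebp [; sub $N,%esp]) and its leave/ret epilog."""
    insns = parse_listing(listing)
    frames: List[Frame] = []
    i = 0
    while i + 1 < len(insns):
        a0, m0, o0 = insns[i]
        _, m1, o1 = insns[i + 1]
        if not (m0 == 'push' and o0 == '%ebp' and m1 == 'mov' and o1 == '%esp,%ebp'):
            i += 1
            continue
        local = 0
        if i + 2 < len(insns):
            _, m2, o2 = insns[i + 2]
            sm = SUB_ESP_RE.match(o2)
            if m2 == 'sub' and sm:
                local = _immediate(sm.group(1))
        # The epilog is the first leave/ret pair after the prolog.
        epilog = None
        for j in range(i + 2, len(insns) - 1):
            if insns[j][1] == 'leave' and insns[j + 1][1] == 'ret':
                epilog = insns[j][0]
                break
        frames.append(Frame(a0, local, epilog))
        i += 2
    return frames


if __name__ == '__main__':
    for f in find_frames(SAMPLE_DISASSEMBLY):
        print(f"prolog at {f.prolog_addr:#x}: {f.local_bytes} bytes of locals, "
              f"epilog at {f.epilog_addr:#x}" if f.epilog_addr else
              f"prolog at {f.prolog_addr:#x}: {f.local_bytes} bytes of locals, no epilog found")
```

Running the script on the constructed listing reports one frame: the prolog at 0x804835c reserving 0x190 (400) bytes of locals, with its epilog at 0x804838e. A frame whose `sub` reserves a large local area and which then calls an unchecked copy routine is exactly the pattern the text says you will see over and over when reviewing code for overflows.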
Buffer Overflows
Now that you have the basics down, we can get to the good stuff.
As described in Chapter 6, buffers are used to store data in memory.