取得寄存器的值・386・完整版

时间：2007-03-21 来源：oliliango

郁闷，不知道cu的这个模板是怎么回事，昨天晚上发的关于取得寄存器值的文字居然不能修改了，没办法只好重新起一篇算了。今天有捣鼓了捣鼓，翻了翻intel的处理器手册，搞出了取得pc的值的办法。其实印象中很久之前就知道这样的东西，只是一直没有用就全都忘掉了。以至于只有模模糊糊的印象了，当年具体到这些东西其实是关于shellcode和缓冲区溢出相关的东西。基本的知识就是那些，也就是如何用而已。好比container_of这个宏，刚开始看到的时候觉得很神奇的样子，其实说到底就是C的基本特性，贴出代码如下：

#define container_of(ptr, type, member) ({ \
 const typeof( ((type *)0)->member ) *__mptr = (ptr); \
 (type *)( (char *)__mptr - offsetof(type,member) );})

    其中有几个可以提取出来说的就是：
       1.typeof这个gcc扩展。
       2.块语句的返回值。

    余下的就是C语言的基本知识了。如果不能理解上面那个玩意的话那就需要重新再学C了。

    先把代码贴出来再扯：

#include <stdio.h>
static unsigned long getpc(void)
{
    unsigned long address=0;
    __asm__ __volatile__ (
            "movl $4,%%eax\t\n"
            "addl %%ebp,%%eax\t\n"
            "movl (%%eax),%%eax\t\n"
            :"=a"(address)
            );
    return address;
}

static inline void showregs(void)
{
    static volatile unsigned long regs[9];
    __asm__ __volatile__ (
            "movl %%eax,%0\t\n"
            "movl %%ebx,%1\t\n"
            "movl %%ecx,%2\t\n"
            "movl %%edx,%3\t\n"
            "movl %%ebp,%4\t\n"
            "movl %%esp,%5\t\n"
            "movl %%edi,%6\t\n"
            "movl %%esi,%7\t\n"
            :"=m"(regs[0]),"=m"(regs[1]),"=m"(regs[2]),
            "=m"(regs[3]),"=m"(regs[4]),"=m"(regs[5]),"=m"(regs[6]),
            "=m"(regs[7])
            );
    regs[8]=getpc();
    printf("\teax:0x%08lx\n\tebx:0x%08lx\n\tecx:0x%08lx\n\tedx:0x%08lx\n\t" \
        "ebp:0x%08lx\n \tesp:0x%08lx\n\tedi:0x%08lx\n\tesi:0x%08lx\n\t" \
        "eip:0x%08lx\n" ,regs[0],regs[1],regs[2],regs[3],regs[4],regs[5] \
        ,regs[6],regs[7],regs[8]);
}

int main(void)
{
    printf("This will show regs of this function call1:\n");
    showregs();
    printf("This will show regs of this function call2:\n");
    showregs();
    printf("This will show regs of this function call3:\n");
    showregs();
    printf("This will show regs of this function call4:\n");
    showregs();
    return 0;
}

在编译的时候需要加-O优化参数，且不能加-finline-functions这个选项，如果用了-fXXX参数会有不同的效果，下文可以看看是为什么。而不加-O参数将不能通过编译，奇怪的很了。

首先看看加了-finline-functions这个选项的运行结果：

再看不加的运行结果：

再看看objdump出来的片断：

int main(void)
{
80483a0:       8d 4c 24 04             lea    0x4(%esp),%ecx
80483a4:       83 e4 f0                and    $0xfffffff0,%esp
80483a7:       ff 71 fc                pushl 0xfffffffc(%ecx)
80483aa:       55                      push   %ebp
80483ab:       89 e5                   mov    %esp,%ebp
80483ad:       57                      push   %edi
80483ae:       56                      push   %esi
80483af:       53                      push   %ebx
80483b0:       51                      push   %ecx
80483b1:       83 ec 28                sub    $0x28,%esp
        printf("This will show regs of this function call1:\n");
80483b4:       c7 04 24 30 87 04 08    movl   $0x8048730,(%esp)
80483bb:       e8 08 ff ff ff          call   80482c8 <puts@plt>
80483c0:       a3 80 99 04 08          mov    %eax,0x8049980
80483c5:       89 1d 84 99 04 08       mov    %ebx,0x8049984
80483cb:       89 0d 88 99 04 08       mov    %ecx,0x8049988
80483d1:       89 15 8c 99 04 08       mov    %edx,0x804998c
80483d7:       89 2d 90 99 04 08       mov    %ebp,0x8049990
80483dd:       89 25 94 99 04 08       mov    %esp,0x8049994
80483e3:       89 3d 98 99 04 08       mov    %edi,0x8049998
80483e9:       89 35 9c 99 04 08       mov    %esi,0x804999c
80483ef:       e8 9c ff ff ff          call   8048390 <getpc>
80483f4:       a3 a0 99 04 08          mov    %eax,0x80499a0
80483f9:       a1 a0 99 04 08          mov    0x80499a0,%eax
80483fe:       89 44 24 24             mov    %eax,0x24(%esp)
8048402:       8b 15 9c 99 04 08       mov    0x804999c,%edx
8048408:       8b 0d 98 99 04 08       mov    0x8049998,%ecx
804840e:       8b 1d 94 99 04 08       mov    0x8049994,%ebx
8048414:       8b 35 90 99 04 08       mov    0x8049990,%esi
804841a:       8b 3d 8c 99 04 08       mov    0x804998c,%edi
8048420:       a1 88 99 04 08          mov    0x8049988,%eax
8048425:       89 44 24 0c             mov    %eax,0xc(%esp)
8048429:       a1 84 99 04 08          mov    0x8049984,%eax
804842e:       89 44 24 08             mov    %eax,0x8(%esp)
8048432:       a1 80 99 04 08          mov    0x8049980,%eax
8048437:       89 54 24 20             mov    %edx,0x20(%esp)
804843b:       89 4c 24 1c             mov    %ecx,0x1c(%esp)
804843f:       89 5c 24 18             mov    %ebx,0x18(%esp)
8048443:       89 44 24 04             mov    %eax,0x4(%esp)
8048447:       89 74 24 14             mov    %esi,0x14(%esp)
804844b:       89 7c 24 10             mov    %edi,0x10(%esp)
804844f:       c7 04 24 5c 87 04 08    movl   $0x804875c,(%esp)
8048456:       e8 5d fe ff ff          call   80482b8 <printf@plt>
        showregs();
        printf("This will show regs of this function call2:\n");
804845b:       c7 04 24 d4 87 04 08    movl   $0x80487d4,(%esp)
8048462:       e8 61 fe ff ff          call   80482c8 <puts@plt>
8048467:       a3 80 99 04 08          mov    %eax,0x8049980
804846c:       89 1d 84 99 04 08       mov    %ebx,0x8049984
8048472:       89 0d 88 99 04 08       mov    %ecx,0x8049988
8048478:       89 15 8c 99 04 08       mov    %edx,0x804998c
804847e:       89 2d 90 99 04 08       mov    %ebp,0x8049990
8048484:       89 25 94 99 04 08       mov    %esp,0x8049994
804848a:       89 3d 98 99 04 08       mov    %edi,0x8049998
8048490:       89 35 9c 99 04 08       mov    %esi,0x804999c
8048496:       e8 f5 fe ff ff          call   8048390 <getpc>
804849b:       a3 a0 99 04 08          mov    %eax,0x80499a0
80484a0:       a1 a0 99 04 08          mov    0x80499a0,%eax
80484a5:       89 44 24 24             mov    %eax,0x24(%esp)
80484a9:       8b 15 9c 99 04 08       mov    0x804999c,%edx
80484af:       8b 0d 98 99 04 08       mov    0x8049998,%ecx
80484b5:       8b 1d 94 99 04 08       mov    0x8049994,%ebx
80484bb:       8b 35 90 99 04 08       mov    0x8049990,%esi
80484c1:       8b 3d 8c 99 04 08       mov    0x804998c,%edi
80484c7:       a1 88 99 04 08          mov    0x8049988,%eax
80484cc:       89 44 24 0c             mov    %eax,0xc(%esp)
80484d0:       a1 84 99 04 08          mov    0x8049984,%eax
80484d5:       89 44 24 08             mov    %eax,0x8(%esp)
80484d9:       a1 80 99 04 08          mov    0x8049980,%eax
80484de:       89 54 24 20             mov    %edx,0x20(%esp)
80484e2:       89 4c 24 1c             mov    %ecx,0x1c(%esp)
80484e6:       89 5c 24 18             mov    %ebx,0x18(%esp)
80484ea:       89 44 24 04             mov    %eax,0x4(%esp)
80484ee:       89 74 24 14             mov    %esi,0x14(%esp)
80484f2:       89 7c 24 10             mov    %edi,0x10(%esp)
80484f6:       c7 04 24 5c 87 04 08    movl   $0x804875c,(%esp)
80484fd:       e8 b6 fd ff ff          call   80482b8 <printf@plt>
        showregs();
        printf("This will show regs of this function call3:\n");
8048502:       c7 04 24 00 88 04 08    movl   $0x8048800,(%esp)
8048509:       e8 ba fd ff ff          call   80482c8 <puts@plt>
804850e:       a3 80 99 04 08          mov    %eax,0x8049980
8048513:       89 1d 84 99 04 08       mov    %ebx,0x8049984
8048519:       89 0d 88 99 04 08       mov    %ecx,0x8049988
804851f:       89 15 8c 99 04 08       mov    %edx,0x804998c
8048525:       89 2d 90 99 04 08       mov    %ebp,0x8049990
804852b:       89 25 94 99 04 08       mov    %esp,0x8049994
8048531:       89 3d 98 99 04 08       mov    %edi,0x8049998
8048537:       89 35 9c 99 04 08       mov    %esi,0x804999c
804853d:       e8 4e fe ff ff          call   8048390 <getpc>
8048542:       a3 a0 99 04 08          mov    %eax,0x80499a0
8048547:       a1 a0 99 04 08          mov    0x80499a0,%eax
804854c:       89 44 24 24             mov    %eax,0x24(%esp)
8048550:       8b 15 9c 99 04 08       mov    0x804999c,%edx
8048556:       8b 0d 98 99 04 08       mov    0x8049998,%ecx
804855c:       8b 1d 94 99 04 08       mov    0x8049994,%ebx
8048562:       8b 35 90 99 04 08       mov    0x8049990,%esi
8048568:       8b 3d 8c 99 04 08       mov    0x804998c,%edi
804856e:       a1 88 99 04 08          mov    0x8049988,%eax
8048573:       89 44 24 0c             mov    %eax,0xc(%esp)
8048577:       a1 84 99 04 08          mov    0x8049984,%eax
804857c:       89 44 24 08             mov    %eax,0x8(%esp)
8048580:       a1 80 99 04 08          mov    0x8049980,%eax
8048585:       89 54 24 20             mov    %edx,0x20(%esp)
8048589:       89 4c 24 1c             mov    %ecx,0x1c(%esp)
804858d:       89 5c 24 18             mov    %ebx,0x18(%esp)
8048591:       89 44 24 04             mov    %eax,0x4(%esp)
8048595:       89 74 24 14             mov    %esi,0x14(%esp)
8048599:       89 7c 24 10             mov    %edi,0x10(%esp)
804859d:       c7 04 24 5c 87 04 08    movl   $0x804875c,(%esp)
80485a4:       e8 0f fd ff ff          call   80482b8 <printf@plt>
        showregs();
        printf("This will show regs of this function call4:\n");
80485a9:       c7 04 24 2c 88 04 08    movl   $0x804882c,(%esp)
80485b0:       e8 13 fd ff ff          call   80482c8 <puts@plt>
80485b5:       a3 80 99 04 08          mov    %eax,0x8049980
80485ba:       89 1d 84 99 04 08       mov    %ebx,0x8049984
80485c0:       89 0d 88 99 04 08       mov    %ecx,0x8049988
80485c6:       89 15 8c 99 04 08       mov    %edx,0x804998c
80485cc:       89 2d 90 99 04 08       mov    %ebp,0x8049990
80485d2:       89 25 94 99 04 08       mov    %esp,0x8049994
80485d8:       89 3d 98 99 04 08       mov    %edi,0x8049998
80485de:       89 35 9c 99 04 08       mov    %esi,0x804999c
80485e4:       e8 a7 fd ff ff          call   8048390 <getpc>
80485e9:       a3 a0 99 04 08          mov    %eax,0x80499a0
80485ee:       a1 a0 99 04 08          mov    0x80499a0,%eax
80485f3:       89 44 24 24             mov    %eax,0x24(%esp)
80485f7:       8b 15 9c 99 04 08       mov    0x804999c,%edx
80485fd:       8b 0d 98 99 04 08       mov    0x8049998,%ecx
8048603:       8b 1d 94 99 04 08       mov    0x8049994,%ebx
8048609:       8b 35 90 99 04 08       mov    0x8049990,%esi
804860f:       8b 3d 8c 99 04 08       mov    0x804998c,%edi
8048615:       a1 88 99 04 08          mov    0x8049988,%eax
804861a:       89 44 24 0c             mov    %eax,0xc(%esp)
804861e:       a1 84 99 04 08          mov    0x8049984,%eax
8048623:       89 44 24 08             mov    %eax,0x8(%esp)
8048627:       a1 80 99 04 08          mov    0x8049980,%eax
804862c:       89 4c 24 1c             mov    %ecx,0x1c(%esp)
8048630:       89 5c 24 18             mov    %ebx,0x18(%esp)
8048634:       89 74 24 14             mov    %esi,0x14(%esp)
8048638:       89 7c 24 10             mov    %edi,0x10(%esp)
804863c:       89 44 24 04             mov    %eax,0x4(%esp)
8048640:       89 54 24 20             mov    %edx,0x20(%esp)
8048644:       c7 04 24 5c 87 04 08    movl   $0x804875c,(%esp)
804864b:       e8 68 fc ff ff          call   80482b8 <printf@plt>
        showregs();
        return 0;
}
8048650:       83 c4 28                add    $0x28,%esp
8048653:       31 c0                   xor    %eax,%eax
8048655:       59                      pop    %ecx
8048656:       5b                      pop    %ebx
8048657:       5e                      pop    %esi
8048658:       5f                      pop    %edi
8048659:       5d                      pop    %ebp
804865a:       8d 61 fc                lea    0xfffffffc(%ecx),%esp
804865d:       c3                      ret
804865e:       90                      nop
804865f:       90                      nop

    孰对孰错一目了然了。

    关于如何得到%eip的内容原理一样，代码就可以多种多样了，这里我也没深究，就是一种实现而已。可能真正用到的还是要在arm上面用。另写一篇关于arm的吧。代码可能还有些小花样。

    哈哈。

    btw：嵌入式汇编比纯汇编恶心......

取得寄存器的值&#12539;386&#12539;完整版

取得寄存器的值・386・完整版