# Creating Exploits
- Complex Instruction Set Computing (CISC)
- x86 and x86-64 use little-endian format
https://syscalls.mebeim.net/?table=x86/64/x64/latest
## Call types
cdecl:
- Arguments are pushed on the stack in reverse order (right to left).
- EAX, ECX, and EDX are saved before the call is executed.
- Other registers are saved inside the called function.
- This cleans up its own stack before returning.
syscall:
- EAX, ECX, and EDX are not saved before the call.
- Arguments are pushed right to left.
stdcall:
- Arguments are pushed on the stack in reverse order (right to left).
- EAX, ECX, and EDX are saved before the call is executed.
- Return values are stored in the EAX register.
- The callee cleans up the stack.
__fastcall:
- Uses ECX and EDX, then the stack, for arguments passed from right to left.
- The MS version uses RCX, RDX, R8 and R9, then the stack.
- The callee cleans up the stack.
__vectorcall:
- Large vector types are passed in registers.
__thiscall:
- ECX holds the `this` pointer.
- Arguments are pushed on to the stack in reverse order.
- The top of the stack is the first argument.
- The callee cleans up the stack.
## Default Linux and OSX Argument and Return Values
| | x86 32-bit function | x64 64-bit function | Arm 32-bit function | Arm 64-bit function |
|---|---|---|---|---|
| Arg 7 | [ebp-8] or [esp+24] | [ebp-8] or [esp] | | |
| Arg 8 | [ebp-4] or [esp+28] | [ebp-4] or [esp+4] | | |
## Linux Syscall
List of syscall argument registers for computer architectures.
x86 and x64:
| | 32-bit syscall | 64-bit syscall |
|---|---|---|
| instruction | `int $0x80` | `syscall` |
| syscall number | EAX (execve = 0xb) | RAX (execve = 0x3b) |
| Args 1-6 | EBX, ECX, EDX, ESI, EDI, EBP | RDI, RSI, RDX, R10, R8, R9 |
| More than 6 args | EBX points to a list in memory | Forbidden |
## x86 Instructions
`ret` = `pop rip`
## Stack
Here is how the stack is laid out in a function (lower addresses at the top).
```
                 ________________
        ESP ->  |       .        |
                |       .        |
                |       .        |
                |________________|
                |  Callee saved  |
                |   Registers    |
                | EBX, ESI & EDI |
                |  (as needed)   |
                |________________|
                |   temporary    |
                |    storage     |
                |________________|
                |  local var #2  |  [EBP - 8]
                |________________|
                |  local var #1  |  [EBP - 4]
                |________________|
        EBP ->  |  Caller's EBP  |
                |________________|
                | Return Address |  [EBP + 4]
                |________________|
                |  Argument #1   |  [EBP + 8]
                |________________|
                |  Argument #2   |  [EBP + 12]
                |________________|
                |  Argument #3   |  [EBP + 16]
                |________________|
                |  Caller saved  |
                |   registers    |
                | EAX, ECX & EDX |
                |  (as needed)   |
                |________________|
```
The caller's EBP (the saved frame pointer) and the return address are stored on the stack just above the local variables, which is why a stack buffer overflow overwrites them.
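The diagram above can be checked at run time. The following C program is an added example, not code from the original page: it reads the current frame pointer with the GCC/Clang builtins `__builtin_frame_address(0)` and `__builtin_return_address(0)` and confirms that the return address sits one pointer above the saved frame pointer ([EBP+4] on 32-bit x86, [RBP+8] on x86-64) and that locals lie below it. It assumes a compiler that sets up a frame pointer in any function that calls `__builtin_frame_address(0)`, which GCC and Clang do.

```c
/* Added example, not from the page: confirm the frame layout in the diagram
 * above at run time. With a frame pointer in use, [EBP] holds the caller's
 * saved EBP and [EBP+4] the return address on 32-bit x86; on x86-64 the same
 * two slots are [RBP] and [RBP+8]. Treating the frame pointer as an array of
 * pointers (fp[0], fp[1]) covers both widths. Assumes GCC or Clang builtins. */
#include <stdio.h>
#include <stdint.h>

/* noinline: if this were inlined, its frame would merge into the caller's and
 * the slots read below would belong to the wrong function. */
__attribute__((noinline))
static int return_address_slot_matches(void)
{
    void **fp = __builtin_frame_address(0);       /* value of EBP/RBP in this frame */
    void *ret_via_frame = fp[1];                  /* [EBP+4] / [RBP+8]: return address slot */
    void *ret_builtin = __builtin_return_address(0);
    return ret_via_frame == ret_builtin;          /* 1 when the diagram holds */
}

/* Locals live below the saved frame pointer ([EBP-4], [EBP-8], ...); the saved
 * EBP and the return address sit above them at higher addresses. */
__attribute__((noinline))
static int locals_below_saved_frame(void)
{
#if defined(__i386__) || defined(__x86_64__)
    volatile char buf[16];                        /* volatile: keep it in the frame */
    void **fp = __builtin_frame_address(0);
    buf[0] = 0;
    return (uintptr_t)&buf[0] < (uintptr_t)fp;    /* 1 on the layout in the diagram */
#else
    return -1;                                    /* other ABIs place the frame record differently */
#endif
}

int main(void)
{
    void **fp = __builtin_frame_address(0);
    printf("frame pointer            %p\n", (void *)fp);
    printf("[fp+0] saved caller fp   %p\n", fp[0]);
    printf("[fp+1] return address    %p\n", fp[1]);
    printf("__builtin_return_address %p\n", __builtin_return_address(0));
    printf("slot matches: %d, locals below frame: %d\n",
           return_address_slot_matches(), locals_below_saved_frame());
    return 0;
}
```

The two slots printed by `main` are exactly the "Caller's EBP" and "Return Address" cells of the diagram; everything a local buffer can overrun into starts at `fp[0]`.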
## File tables
- .dtors: destructor function table
- .ctors: constructor function table
- .got: global offset table
- .plt: procedure linkage table
## Shellcode
A NOP sled can be hidden as the printable string @CABHKIJ. Read in order, these bytes are the instructions below: each `inc` is paired with a matching `dec` on the same register, so executing the whole sequence leaves the register values unchanged.
| Instruction | Hex | ASCII |
|---|---|---|
| inc eax | 0x40 | @ |
| inc ebx | 0x43 | C |
| inc ecx | 0x41 | A |
| inc edx | 0x42 | B |
| dec eax | 0x48 | H |
| dec ebx | 0x4B | K |
| dec ecx | 0x49 | I |
| dec edx | 0x4A | J |
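The following C program is an added example, not code from the page: it decodes a byte string using the single-byte inc/dec encoding that the table above is built from and checks that the net change to every register is zero, which is the property that lets a run of these bytes act as a NOP sled. It generalises the table to all eight 32-bit registers (opcodes 0x40 to 0x4F), so it also reports runs that touch ESP or EBP. The `scan_for_sleds` routine and the `SAMPLE` buffer are constructed for this example and come from no real tool.

```c
/* Added example, not from the page: decode a run of the single-byte inc/dec
 * opcodes from the table above and check that the register changes cancel.
 * On 32-bit x86, 0x40-0x47 encode "inc reg" and 0x48-0x4F "dec reg", with the
 * register chosen by the low three bits in the order
 * eax, ecx, edx, ebx, esp, ebp, esi, edi. On x86-64 the same bytes are REX
 * prefixes, so the check below is only meaningful for 32-bit code. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static const char *const REG_NAMES[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

/* Decode one byte: +1 for inc, -1 for dec, 0 if it is not an inc/dec opcode.
 * If reg is non-NULL it receives the register index. */
static int decode_inc_dec(unsigned char b, int *reg)
{
    if (b >= 0x40 && b <= 0x47) { if (reg) *reg = b - 0x40; return +1; }
    if (b >= 0x48 && b <= 0x4F) { if (reg) *reg = b - 0x48; return -1; }
    return 0;
}

/* Net change to each register after executing len bytes. Returns 1 if every
 * byte decoded as inc/dec, 0 otherwise (effect is then meaningless). */
static int net_register_effect(const unsigned char *code, size_t len, int effect[8])
{
    memset(effect, 0, 8 * sizeof(int));
    for (size_t i = 0; i < len; i++) {
        int reg;
        int d = decode_inc_dec(code[i], &reg);
        if (d == 0) return 0;
        effect[reg] += d;
    }
    return 1;
}

/* Convenience for a NUL-terminated string: net change of register r, or
 * NOT_DECODABLE if the string contains a byte that is not inc/dec. */
#define NOT_DECODABLE 0x7fff
static int net_effect_for(const char *s, int r)
{
    int effect[8];
    if (!net_register_effect((const unsigned char *)s, strlen(s), effect)) return NOT_DECODABLE;
    return effect[r];
}

/* 1 if the run is all inc/dec, at least min_len bytes long, and leaves every
 * register unchanged; that is the property that makes @CABHKIJ usable as a sled. */
static int is_balanced_sled(const unsigned char *code, size_t len, size_t min_len)
{
    int effect[8];
    if (len < min_len || !net_register_effect(code, len, effect)) return 0;
    for (int r = 0; r < 8; r++)
        if (effect[r] != 0) return 0;
    return 1;
}

/* Scan a buffer for the first run of inc/dec bytes at least window bytes long.
 * Returns its offset, or -1 if none; run_len and balanced may be NULL. */
static long scan_for_sleds(const unsigned char *buf, size_t len, size_t window,
                           size_t *run_len, int *balanced)
{
    size_t i = 0;
    while (i < len) {
        if (decode_inc_dec(buf[i], NULL) == 0) { i++; continue; }
        size_t start = i;
        while (i < len && decode_inc_dec(buf[i], NULL) != 0) i++;
        if (i - start >= window) {
            if (run_len)  *run_len  = i - start;
            if (balanced) *balanced = is_balanced_sled(buf + start, i - start, window);
            return (long)start;
        }
    }
    return -1;
}

/* Constructed sample: printable text with the page's sled embedded twice. */
static const unsigned char SAMPLE[] = "hello@CABHKIJ@CABHKIJxyz";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

int main(void)
{
    const char *sled = "@CABHKIJ";
    for (const char *p = sled; *p; p++) {
        int reg, d = decode_inc_dec((unsigned char)*p, &reg);
        printf("%c  0x%02x  %s %s\n", *p, (unsigned char)*p, d > 0 ? "inc" : "dec", REG_NAMES[reg]);
    }
    size_t run_len = 0;
    int balanced = 0;
    long off = scan_for_sleds(SAMPLE, SAMPLE_LEN, 8, &run_len, &balanced);
    printf("run at offset %ld, length %zu, balanced=%d\n", off, run_len, balanced);
    return 0;
}
```

The per-byte loop in `main` reproduces the table row by row; `scan_for_sleds` is the shape a content filter or memory scanner would use, reporting both the location of a printable inc/dec run and whether it is register-neutral.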
Tools:
- Shellcode in Golang