How to get the return address on the stack in LLVM
I want to implement the Xor random canary, so I have to get the return address in the prologue and epilogue of the function.
In the prologue of the function, before I insert the canary on the stack, I can get the return address by:
ConstantInt* ci = llvm::ConstantInt::get(Type::getInt32Ty(RI->getContext()), 0);
Value* Args1[] = {ci};
CallInst* callInst = CallInst::Create(Intrinsic::getDeclaration(M, Intrinsic::returnaddress),
&Args1[0], array_endof(Args1), "Call Return Address", InsPt);
callInst will get the return address and it works.
Meanwhile, in the epilogue of the function, since the canary has already been inserted, I write similar code:
ConstantInt* ci2 = llvm::ConstantInt::get(Type::getInt32Ty(RI->getContext()), 1);
Value* Args3[] = {ci2};
CallInst* callInst1 = CallInst::Create(Intrinsic::getDeclaration(M, Intrinsic::returnaddress),
&Args3[0], array_endof(Args3), "Caaall Return Address", BB);
But it does not work this time. I cannot get the return address.
What is the problem? How can I get the return address?
Comments (1)
I don't know why you do this, but in the epilogue you are calling
which tries to get the return address of the previous function on the call stack. Even though you inserted a canary, you still want the return address of the current function in the epilogue. So you should, like you do in the prologue, call
Just as a side note, calling llvm.returnaddress with an argument other than 0 will probably not work. From the docs:
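Added example, not from the question, the answer or the LLVM docs: a C model of what the corrected instrumentation computes at run time, with __builtin_return_address(0) standing in for llvm.returnaddress(0) and a constructed constant standing in for the random secret.

```c
#include <stdint.h>
#include <string.h>

/* Constructed secret for the demo; a real XOR-canary pass would read a
 * per-process random value (e.g. from a TLS slot) instead of a constant. */
static const uintptr_t canary_secret = 0x5A17C3E9u;

/* The epilogue test: slot ^ retaddr must give back the secret. */
static int canary_matches(uintptr_t slot, uintptr_t retaddr)
{
    return (slot ^ retaddr) == canary_secret;
}

/* Model of one function after instrumentation. Prologue and epilogue both use
 * level 0 (this frame's own return address). Asking for level 1 in the
 * epilogue, as the question does, would XOR in the caller's return address and
 * the check could never pass. 'corrupt_slot' flips a bit in the saved canary to
 * stand in for an overwrite, so the detection path can be exercised. */
__attribute__((noinline)) int xor_canary_demo(const char *input, int corrupt_slot)
{
    /* prologue: slot = secret ^ llvm.returnaddress(0) */
    volatile uintptr_t slot = canary_secret ^ (uintptr_t)__builtin_return_address(0);

    char buf[16];                          /* the buffer the canary protects */
    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    if (corrupt_slot)
        slot ^= 1u;                        /* simulated smash of the canary */

    /* epilogue: recompute with returnaddress(0) again and compare;
     * 1 = canary intact, 0 = corrupted */
    return canary_matches(slot, (uintptr_t)__builtin_return_address(0));
}
```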