bitdefender / bddisasm

bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
Apache License 2.0

_loop: sub rsp,1024 jmp _loop // There is no return value indicating that the stack has been exhausted? #75

Closed icyfox168168 closed 2 years ago

vlutas commented 2 years ago

Hello,

There is no particular error to indicate that the stack has been exhausted. The SHEMU_ABORT_GLA_OUTSIDE error can be used to determine whether an access has been made outside the shellcode/stack memory, but it does not indicate explicitly that the stack has been exhausted.

icyfox168168 commented 2 years ago

I run the simulation function for a long time without any return; it seems like an infinite loop.

SHEMU_ABORT_GLA_OUTSIDE is not returned.

icyfox168168 commented 2 years ago

I take the image size of the whole exe as the shellcode size; my doubt is that the stack obviously exceeds the size I set, but it does not return.

icyfox168168 commented 2 years ago

Clang compiles strange code and uses stack consumption to trigger exceptions. The bdd simulation function cannot detect stack exhaustion. If it could detect stack exhaustion, and then judge whether there is abnormal function processing, it should be possible to simulate this function successfully.

STATUS_STACK_OVERFLOW

```
div:
00000001400618D0 | 90                     | nop                                          |
00000001400618D1 | 662E:0F1F8400 00000000 | nop word ptr cs:[rax+rax],ax                 |
00000001400618DB | 0F1F4400 00            | nop dword ptr ds:[rax+rax],eax               |
00000001400618E0 | 55                     | push rbp                                     | relocapi.cpp:5592
00000001400618E1 | 48:83EC 30             | sub rsp,30                                   |
00000001400618E5 | 48:8D6C24 30           | lea rbp,qword ptr ss:[rsp+30]                |
00000001400618EA | E8 E1FFFFFF            | call <yasm.void cdecl div(void)>             | relocapi.cpp:5595
00000001400618EF | EB 18                  | jmp yasm.140061909                           |
00000001400618F1 | EB 00                  | jmp yasm.1400618F3                           | relocapi.cpp:5596
00000001400618F3 | 8945 FC                | mov dword ptr ss:[rbp-4],eax                 |
00000001400618F6 | 48:8D0D 70C02000       | lea rcx,qword ptr ds:[<"Exception caught...\n">] | relocapi.cpp:5599, 000000014026D96D:"Exception caught...\n"
00000001400618FD | E8 7E2BFAFF            | call                                         |
0000000140061902 | 90                     | nop                                          | relocapi.cpp:5601
0000000140061903 | 48:83C4 30             | add rsp,30                                   |
0000000140061907 | 5D                     | pop rbp                                      |
0000000140061908 | C3                     | ret                                          |
0000000140061909 | EB F7                  | jmp yasm.140061902                           | relocapi.cpp:5596
000000014006190B | 0F1F4400 00            | nop dword ptr ds:[rax+rax],eax               |
0000000140061910 | 48:83EC 28             | sub rsp,28                                   | relocapi.cpp:5606
0000000140061914 | E8 C7FFFFFF            | call <yasm.void cdecl x_seh(void)>           | relocapi.cpp:5607
0000000140061919 | 31C0                   | xor eax,eax                                  | relocapi.cpp:5608
000000014006191B | 48:83C4 28             | add rsp,28                                   |
000000014006191F | C3                     | ret                                          |
```

```c
#include <stdio.h>

_Pragma("clang optimize off")

/* The listing above shows this symbol as div. */
void __div()
{
    /* Null-pointer write intended to raise an access violation. The dereference is
       assumed: the page shows "(int)(0) = 69", with the operators lost in rendering. */
    *(int *)0 = 69;
}

void x_seh(void)
{
    __try {                 /* SEH: __try pairs with __except */
        div();
    }
    __except (1) {
        printf("Exception caught...\n");
    }
}

_Pragma("clang optimize on")
```
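The title's loop, `sub rsp,1024 ; jmp _loop`, never touches memory, so the out-of-buffer access check vlutas describes cannot fire on it and only an instruction budget ends the run. The toy model below is an added example, not bddisasm's code: it decodes just those two encodings and adds the one check the thread asks for, a range check on rsp against the stack window after every instruction. All names here (mini_ctx, mini_emulate, run_loop, the MINI_* statuses) and the constructed addresses are assumptions for this example, not bddisasm's API or SHEMU_STATUS values.

```c
#include <stdint.h>
#include <stddef.h>
/* Toy status codes (constructed for this example; not bddisasm's SHEMU_STATUS values). */
enum mini_status { MINI_LIMIT_REACHED, MINI_STACK_EXHAUSTED, MINI_BAD_OPCODE };

typedef struct {
    const uint8_t *code; size_t code_size; uint64_t code_base;
    uint64_t stack_base, stack_size;  /* the emulated stack window */
    uint64_t rip, rsp;
    uint64_t max_insns, insn_count;   /* instruction budget, the only other stop condition */
} mini_ctx;

static int rsp_inside_stack(const mini_ctx *c) {
    return c->rsp >= c->stack_base && c->rsp < c->stack_base + c->stack_size;
}
/* Decodes only 48 81 EC imm32 (sub rsp,imm32) and EB rel8 (jmp short): neither touches
 * memory, so an access-outside-buffers check never fires; the rsp range check catches it. */
enum mini_status mini_emulate(mini_ctx *c) {
    while (c->insn_count < c->max_insns) {
        uint64_t off = c->rip - c->code_base;
        if (off >= c->code_size) return MINI_BAD_OPCODE;  /* rip left the shellcode */
        const uint8_t *p = c->code + off;
        if (off + 7 <= c->code_size && p[0] == 0x48 && p[1] == 0x81 && p[2] == 0xEC) {
            uint32_t imm = p[3] | (p[4] << 8) | (p[5] << 16) | ((uint32_t)p[6] << 24);
            c->rsp -= imm;
            c->rip += 7;
        } else if (off + 2 <= c->code_size && p[0] == 0xEB) {
            c->rip += 2 + (int8_t)p[1];
        } else {
            return MINI_BAD_OPCODE;
        }
        c->insn_count++;
        if (!rsp_inside_stack(c)) return MINI_STACK_EXHAUSTED;
    }
    return MINI_LIMIT_REACHED;
}
/* The loop from the issue title, hand-assembled: _loop: sub rsp,1024 ; jmp _loop */
static const uint8_t LOOP_CODE[] = { 0x48, 0x81, 0xEC, 0x00, 0x04, 0x00, 0x00, 0xEB, 0xF7 };

/* Runs that loop on a stack_size-byte stack, rsp starting 8 bytes below the top (constructed
 * addresses); returns the status and, through *insns if given, the instructions emulated. */
enum mini_status run_loop(uint64_t stack_size, uint64_t max_insns, uint64_t *insns) {
    mini_ctx c = { LOOP_CODE, sizeof LOOP_CODE, 0x1000, 0x10000, stack_size,
                   0x1000, 0x10000 + stack_size - 8, max_insns, 0 };
    enum mini_status s = mini_emulate(&c);
    if (insns) *insns = c.insn_count;
    return s;
}
uint64_t loop_insns(uint64_t stack_size, uint64_t max_insns) {  /* count only */
    uint64_t n; run_loop(stack_size, max_insns, &n); return n;
}
```

With a 4096-byte stack the fourth `sub` pushes rsp below the window and the run stops after 7 instructions with MINI_STACK_EXHAUSTED; with a huge stack only the budget stops it, which is the "runs for a long time" behaviour from the thread.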