I have a function f1 that takes a parameter int* x, i know the address of x in the f1 stack frame, is there a way to get the function name given this address of the function local variable in the stack ?
tried to use backtrace but this require knowing the function name
Related
Lua will write the code of a function out as bytes using string.dump, but warns that this does not work if there are any upvalues. Various snippets online describe hacking around this with debug. It looks like 'closed over variables' are called 'upvalues', which seems clear enough. Code is not data etc.
I'd like to serialise functions and don't need them to have any upvalues. The serialised function can take a table as an argument that gets serialised separately.
How do I detect attempts to pass closures to string.dump, before calling the broken result later?
Current thought is debug.getupvalue at index 1 and treat nil as meaning function, as opposed to closure, but I'd rather not call into the debug interface if there's an alternative.
Thanks!
Even with debug library it's very difficult to say whether a function has a non-trivial upvalue.
"Non-trivial" means "upvalue except _ENV".
When debug info is stripped from your program, all upvalues look almost the same :-)
local function test()
local function f1()
-- usual function without upvalues (except _ENV for accessing globals)
print("Hello")
end
local upv = {}
local function f2()
-- this function does have an upvalue
upv[#upv+1] = ""
end
-- display first upvalues
print(debug.getupvalue (f1, 1))
print(debug.getupvalue (f2, 1))
end
test()
local test_stripped = load(string.dump(test, true))
test_stripped()
Output:
_ENV table: 00000242bf521a80 -- test f1
upv table: 00000242bf529490 -- test f2
(no name) table: 00000242bf521a80 -- test_stripped f1
(no name) table: 00000242bf528e90 -- test_stripped f2
The first two lines of the output are printed by test(), the last two lines by test_stripped().
As you see, inside test_stripped functions f1 and f2 are almost undistinguishable.
I want to obtain the offset into the stack frame of a MASM procedure's local variable at assembly time (not runtime, the LEA instruction isn't useful here). E.g., if the local variable is at RBP-8 at run time, I want to obtain the constant (-8) during assembly.
Is this possible?
OFFSET operator only works on global (static) variables. Every suggestion I've found on the internet talks about using LEA, which is not what I want.
someProc proc
local a:byte, b:word, c:dword
.
.
. someConst = MagicOffset(a) ;Magically sets constant "someConst" to the offset of "a" (probably something like -8).
someProc endp
Is it possibly to dump the Lua table including function arguments?
If so, how can I do it?
I have managed to dump tables and function with addresses, but I haven't been able to figure out a way to get function args, i have tried different methods, but no luck.
So I want to receive them truth dumping tables and function plus args of the function.
Output should be something like this: Function JumpHigh(Player, height)
I don't know if it is even possible, but would be very handy.
Table only stores values.
If there's function stored in a table, then it's just a function body, there's no arguments. If arguments were applied, table would store only final result of that call.
Maybe you're talking about closure - function returned from other function, capturing some arguments from a top level function in a lexical closure? Then see debug.getupvalue() function to check closure's content.
Is this something what you're asking?
local function do_some_action(x,y)
return function()
print(x,y)
end
end
local t = {
func = do_some_action(123,478)
}
-- only function value printed
print "Table content:"
for k,v in pairs(t) do
print(k,v)
end
-- list function's upvalues, where captured arguments may be stored
print "Function's upvalues"
local i = 0
repeat
i = i + 1
local name, val = debug.getupvalue(t.func, i)
if name then
print(name, val)
end
until not name
Note that upvalues stored is not necessary an argument to a toplevel function. It might be some local variable, storing precomputed value for the inner function.
Also note that if script was precompiled into Lua bytecode with stripping debug info, then you won't get upvalues' names, those will be empty.
In this example on Wikipedia (http://en.wikipedia.org/wiki/Closure_(computer_programming) ) it claims that invoking the variable closure1 with closure1(3) will return 4. Can someone walk through the example - I don't understand.
function startAt(x)
function incrementBy(y)
return x + y
return incrementBy
variable closure1 = startAt(1)
variable closure2 = startAt(5)
Invoking the variable closure1 (which is of function type) with closure1(3) will return 4, while invoking closure2(3) will return 8. While closure1 and closure2 are both references to the function incrementBy, the associated environment will bind the identifier x to two distinct variables in the two invocations, leading to different results.
If it helps, here's my current understanding. variable closure1 = startAt(1) sets the variable closure1 to the function startAt() which by default is initialized to 1. However, invoking closure1(3) sets this default value to 3. What I don't understand then is where does y come from.
variable closure1 = startAt(1)
When you run startAt, you're creating a new function. Every time you run startAt, you're creating a brand new function. Therefore, we understand that the code
variable closure1 = startAt(1)
variable closure2 = startAt(5)
creates two distinct functions and stores them in colsure1 and closure2. The function startAt is like a factory that returns new functions. You've called it twice, and created two functions. Those two created functions are stored inside closure1 and closure2.
Here's what "closure" means: each function caries around its own variable environment. A variable environment is the set of external variables the function can see. A function builds its variable environment when it is created, based on all of the variables currently in scope. (The technical definition of a closure is: "functional code plus variable environment".)
When a call to startAt creates a new function, that new function builds its variable environment. The new function's variable environment includes the variable x that exists in-scope within the particular call to startAt.
So, the first call to startAt(1) has a variable x that equals 1. The function that is created inside that call to startAt has a variable environment includes that x equal to 1.
Functions can have arguments. The functions created by startAt each expect a single argument called y. Therefore, when you perform x + y when calling the created function, the y is supplied as an argument by that particular call, and the x is supplied by that function's variable environment. When you call closure1(3), the value of the argument y is 3 and the value of x (from the function's variable environment) is 1, so you get the result 4.
The second call to startAt creates a totally new variable x. This x has a value of 5. The function created by this second call to startAt has a different variable environment, which includse this new x whose value is 5. When you call that newly created function with closure2(3), we have x=5 and y=3, so x+y gives the result 8.
I was reading the following paper on buffer overflow : http://www1.telhai.ac.il/sources/private/academic/cs/557/2659/Materials/Smashing.pdf
According to the examples in the paper, the attacker injects code in the buffer which is overflowed and modifies the return address to point to the address of the buffer. Since, the injected code and the local variables both lie on the stack , shouldn't the attacker make sure that she/he has left enough space for local variables before overflowing the buffer with the code? In broad sense, I m confused how stack would be maintained when both the code and local variables are there on the stack ....are there chances of local variables overwriting the injected code ???
One solution is to not use any local variables. This isn't necessarily a big constraint on code that is going to be small and do its work by calling into something else anyway. (Very relative on saying its not a big constraint, it's beyond me tbh but since this isn't the easiest code to write, its not a big constraint in that context).
That's not even necessary though. A stack will look something like:
Function A Arg 2
Function A Arg 1
Function A Arg 0
Return Address into caller
Function A Local 1
Function A Local 0
Function B Arg 1
Function B Arg 0
Return Address into place in Function A's executable code.
Function B Local 2
Function B Local 1
Function B Local 0
Function C Arg 0
Return Address into place in Function B's executable code.
Function C Local 3
Function C Local 2
Function C Local 1
Function C Local 0
...
A buffer overflow tricks it into looking like:
Function A Arg 2
Function A Arg 1
Function A Arg 0
Return Address into caller
Function A Local 1
NastyCode bytes 0-3
NastyCode bytes 4-7
NastyCode bytes 8-B
NastyCode bytes C-E
NastyCode bytes F-10
NastyCode bytes 10-13
NastyCode bytes 14-17
NastyCode bytes 18-1B
NastyCode bytes 1F-20
...
NastyCode arg 0 (etc.)
Return Address (of NastyCode [may not even be valid, may return to original caller, or may jump into something it'll set up]).
NastyCode Local 2
NastyCode Local 1
NastyCode Local 0
Return Address (should be of Function F, into a point in Function E but it's changed to point to byte 0 of NastyCode)
Function F Local 2
Function F Local 1
Function F Local 0
So the executable code written into the stack can be away from the local varaibles of that code.