Using self modifying code under Linux

by Karsten Scheibler
thanks to Stefan Esser and Maciej Hrebien

Remark (a):: Save this page as smc.html and use the following command to extract the source code with a sample Makefile:
sh -c "( mkdir smc && cd smc && awk '/^<!--eof/{d=0}{if(d)print>f}/^<!--sof/{f=\$2;d=1}' ) < smc.html"
Remark (b):: Some browsers try to be super smart and reformat the html code so you may have trouble to extract the files. This is the right time to learn more about wget, a tool to download files via http or ftp ;-)
Remark (c):: Some versions of nasm are known to generate broken code. I have used nasm-0.98 for this example which worked for me.

I know that this is not the cleanest way of programming, but sometimes this programming style is faster. Furthermore this method is used by JIT (just in time) compilers. Transmeta also uses some sort of self modifying code to implement a x86 software emulation. They call it Codemorphing ;-) This example code will show how this can be done under Linux.

The idea behind: There is a syscall sys_mprotect which allows a program to change the flags for (nearly) every page. A page is the smallest memory unit available for virtual memory management. On the x86 architecture the page size is 4KB. But as i noticed we didn't need this call to make a page in the section .bss executable, because on x86 a readable page is also a executable page, and the section .bss is read/write. But this behavior may be change with the appearance of the NX-flag in modern processors, so the sys_mprotect becomes mandatory.

The first two examples copy codesnippets to section .bss and execute them. Because we have read/write/execute permissions in this memory area the code is allowed to modify itself. The first example copies a snippet of code which writes text to screen (via sys_write), but before calling it we modify some values in the code itself (the start and the length of the text). The second one does some real self modification (see code2_start). The rep stosb instruction overwrites the first four inc ebx with nop, so that the line put on screen contains a 04h instead of the expected 08h. The third example modifies code in section .text. It looks like an endless loop, but it isn't. Find out yourself why ;-).

Note 1:: The call instruction in this code must be done indirect, because if the address is given directly it is a relative address (signed 32 Bit) after copying and starting the code you will get a SEGFAULT. If the address is given indirectly it is an absolute value, which should work position independent.
Note 2:: If you see a 08h instead of a 04h in the output, you get to know another strange effect of self modifying code. If i remember right there was something like a prefetch queue. This prefetch queue holds the next bytes after the currently processed instruction in the processor (on my old 386SX it was 13 Bytes long, examined with a DOS Assemblyprogram long time ago ;-). If you overwrite this queued instructions it depends on the processor if the prefetch queue is reloaded or not. I expected it also on my K6-2, but as Stefan Esser mentioned: "any Clone of the Pentium or above should behave friendly cause with the Pentium Intel build some Prefetch Queue Modification Detection into the CPU. If you write to the code that normaly would be inside the prefetch range the pentium automaticly discards its queque and reloads...". If you want to make sure that the reload happens use a jmp instruction (try a jmp after the rep stosb).

 ;**************************************************************************** ;**************************************************************************** ;* ;* USING SELF MODIFYING CODE UNDER LINUX ;* ;* written by Karsten Scheibler, 2004-AUG-09 ;* ;**************************************************************************** ;**************************************************************************** global smc_start ;**************************************************************************** ;* some assign's ;**************************************************************************** %assign SYS_WRITE 4 %assign SYS_MPROTECT 125 %assign PROT_READ 1 %assign PROT_WRITE 2 %assign PROT_EXEC 4 ;**************************************************************************** ;* data ;**************************************************************************** section .bss alignb 4 modified_code: resb 0x2000 ;**************************************************************************** ;* smc_start ;**************************************************************************** section .text smc_start: ;calculate the address in section .bss, it must lie on a page ;boundary (x86: 4KB = 0x1000) ;NOTE: In this example obsolete because each segment is page ; aligned and we use it only once, so we know that it is ; aligned to a page boundary, but if you have more than ; one section .bss in your code (or link several objects ; together) you can't be sure about that mov dword ebp, (modified_code + 0x1000) and dword ebp, 0xfffff000 ;change flags of this page to read + write + executable, ;NOTE: On x86 Architecture this call is obsolete, because for ; section .bss PROT_READ and PROT_WRITE are already set. ; PROT_EXEC is on x86 also set if PROT_READ is set, this ; results in rwx for this segment, but this behavior may ; change with appearance of the NX-flag in modern processors mov dword eax, SYS_MPROTECT mov dword ebx, ebp mov dword ecx, 0x1000 mov dword edx, (PROT_READ | PROT_WRITE | PROT_EXEC) int byte 0x80 test dword eax, eax js near smc_error ;execute unmodified code first code1_start: mov dword eax, SYS_WRITE mov dword ebx, 1 mov dword ecx, hello_world_1 code1_mark_1: mov dword edx, (hello_world_2 - hello_world_1) code1_mark_2: int byte 0x80 code1_end: ;copy code snippet from above to our page (address is still in ebp) mov dword ecx, (code1_end - code1_start) mov dword esi, code1_start mov dword edi, ebp cld rep movsb ;append 'ret' opcode to it, so that we can do a call to it mov byte al, [return] stosb ;change some values in the copied code: start address of the text ;and its length mov dword eax, hello_world_2 mov dword ebx, (code1_mark_1 - code1_start) mov dword [ebx + ebp - 4], eax mov dword eax, (hello_world_3 - hello_world_2) mov dword ebx, (code1_mark_2 - code1_start) mov dword [ebx + ebp - 4], eax ;finally call it call dword ebp ;copy second example mov dword ecx, (code2_end - code2_start) mov dword esi, code2_start mov dword edi, ebp rep movsb ;do something real nasty: edi points right after the 'rep stosb' ;instruction, so this will really modify itself mov dword edi, ebp add dword edi, (code2_mark - code2_start) call dword ebp ;modify code in section .text itself endless: ;allow us to write to section .text mov dword eax, SYS_MPROTECT mov dword ebx, smc_start and dword ebx, 0xfffff000 mov dword ecx, 0x2000 mov dword edx, (PROT_READ | PROT_WRITE | PROT_EXEC) int byte 0x80 test dword eax, eax js near smc_error ;write message to screen mov dword eax, SYS_WRITE mov dword ebx, 1 mov dword ecx, endless_loop mov dword edx, (hello_world_1 - endless_loop) int byte 0x80 ;here comes the magic, which prevents endless execution mov dword ecx, (smc_end_1 - smc_end) mov dword esi, smc_end mov dword edi, endless rep movsb ;do it again jmp short endless ;**************************************************************************** ;* code2 ;**************************************************************************** ;this is the ret opcode we copy above ;and the nop opcode needed by code2 return: ret no_operation: nop ;here some real selfmodifying code, if copied ;to .bss and edi correctly loaded ebx should contain 0x4 instead ;of 0x8 code2_start: mov byte al, [no_operation] xor dword ebx, ebx mov dword ecx, 0x04 rep stosb code2_mark: inc dword ebx inc dword ebx inc dword ebx inc dword ebx inc dword ebx inc dword ebx inc dword ebx inc dword ebx call dword [function_pointer] ret code2_end: align 4 function_pointer: dd write_hex ;**************************************************************************** ;* write_hex ;**************************************************************************** write_hex: mov byte bh, bl shr byte bl, 4 add byte bl, 0x30 cmp byte bl, 0x3a jb short .number_1 add byte bl, 0x07 .number_1: mov byte [hex_number], bl and byte bh, 0x0f add byte bh, 0x30 cmp byte bh, 0x3a jb short .number_2 add byte bh, 0x07 .number_2: mov byte [hex_number + 1], bh mov dword eax, SYS_WRITE mov dword ebx, 1 mov dword ecx, hex_text mov dword edx, 9 int byte 0x80 ret section .data hex_text: db "ebx: " hex_number: db "00h", 10 ;**************************************************************************** ;* some text ;**************************************************************************** endless_loop: db "No endless loop here!", 10 hello_world_1: db "Hello World!", 10 hello_world_2: db "This code was modified!", 10 hello_world_3: ;**************************************************************************** ;* smc_error ;**************************************************************************** section .text smc_error: xor dword eax, eax inc dword eax mov dword ebx, eax int byte 0x80 ;**************************************************************************** ;* smc_end ;**************************************************************************** section .text smc_end: xor dword eax, eax xor dword ebx, ebx inc dword eax int byte 0x80 smc_end_1: ;*********************************************** linuxassembly@unusedino.de *