C++ / C#
Nikita Gushchin, 2014-05-07 00:25:57

Hide the address of the called function. C/C++?

Hello! There is a task - to hide the address of the function in the program, so that during static analysis the "intruder" could not find the place where this function was called.
With variables (global) I did this:

char gStr[] = "Hello Toster!"; // Global variable

Further somewhere in the function:
void foo(int a)
{
    char *str = gStr + 10;
    ...
    puts(str-a); // parameter a is always equal to 10
}

The point was that during compilation, the expression gStr + 10, containing two constants, will be automatically calculated (and the result will be assigned to str) and in the future, if someone manages to find the address of gStr, he will not find the place where it was used.
I wanted to do the same with functions: I took the function foo (from the example above) and tried to make a pointer to it with an offset:
void foo2(int a)
{
    void (*fptr)(int) = (void(*)(int)) &((int*)f)[3]; // complicated construct :(((
    // void (*fptr)(int) = (void(*)(int)) (f+3); // also tried it this way
    ...
}

But the compiler stubbornly refuses to evaluate &((int*)f)[3] when compiling. Although the function name is a constant at compile time. Tell me - what is the problem and what should I do? Thanks in advance!)
PS Compiled in Visual Studio 2012 under win32. Tried both debug and release. The example with a constant has always worked, with a function - never.


2 answer(s)
Nikita Gushchin, 2014-05-07
@iNikNik

I found a solution: make the pointer a global variable. And not local, as we had before.
And then, in function foo2:

void foo2(int a)
{
    void (*fptr)(int) = gFunPtr;
    ...
}

In a release build, this assignment would look like this:
mov eax,[000403024]
...

In turn, at the address 00403024 (this is the address of our global variable gFunPtr) we see:
As you know, we have a reverse byte order - therefore, the variable gFunPtr contains the value 0040106C. And this is nothing more than:
Everything worked out!)

jcmvbkbc, 2014-05-07
@jcmvbkbc

the compiler stubbornly refuses to evaluate the expression &((int*)f)[3] when compiling

What does it say?
False statement. The address of the function becomes known only at the linking stage, and if the function is imported from a dll, then only at the time of loading. If the link is relocatable, then the address may change at the time of loading. Another thing is that a constant string in this sense differs little from a function.
The complex construct should look like this:
void (*fptr)(int) = (void(*)(int)) (((int*)f) + 3);
The option with (f + 3) will not compile, because pointer arithmetic does not work with function pointers.
On Linux, this construct compiles and works.
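
An added example, not code from either answer: it combines the global-pointer approach from the first answer with the corrected cast form from the second, so the offset is resolved by the toolchain in the data section and undone at the call site with a run-time value. The names secret, BIAS, recover, call_hidden and stored_offset are hypothetical, and the casts between function and object pointers are outside ISO C, although mainstream compilers accept them.

```c
#include <stdint.h>
#include <stdio.h>

#define BIAS 3   /* constructed offset, counted in int-sized steps */

/* Hypothetical target function; stands in for the thread's foo. */
int secret(int x) { return x * 2 + 1; }

/* The thread's global pointer, initialized with the corrected cast form
   (((int*)f) + 3). The toolchain stores secret + BIAS*sizeof(int) as a
   data word, so the call site below never names secret.
   volatile keeps the optimizer from folding the load into a direct call. */
int (*volatile gFunPtr)(int) = (int (*)(int))(((int *)secret) + BIAS);

/* Undo the bias with a run-time value, as the question did with str - a. */
int (*recover(int a))(int)
{
    return (int (*)(int))(((int *)gFunPtr) - a);
}

/* Indirect call through the recovered pointer. */
int call_hidden(int a, int arg)
{
    return recover(a)(arg);
}

/* Checking helper (names secret on purpose): distance in bytes from the
   real entry point to the value stored in gFunPtr. */
long stored_offset(void)
{
    return (long)((uintptr_t)gFunPtr - (uintptr_t)secret);
}

int main(void)
{
    printf("result=%d stored_offset=%ld\n",
           call_hidden(BIAS, 5), stored_offset());
    return 0;
}
```

The stored word is an address BIAS*sizeof(int) bytes past the entry of secret, so a data pointer that does not land on any function start is what remains visible to someone reading the data section.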
