Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??
my $a = "a"; my $b = "b"; my $offset = \$b - \$a; printf "a: %s\nAddress: %p\n", $a, $a; printf "b: %s\nAddress: %p\n", $b, $b; printf "Buffer Offset: %d\n", $offset;
Why does it matter what the offset is between 2 SV *? SV *s are allocated from a pool/arena/bucket system. I dont think the delta between 2 SV *s means anything at all and I believe they are random (someone correct me if my knowledge of the SV arena allocator is wrong) (for example, someone could think that a SV * with a higher pointer is "newer" or later in the perl script than an lower SV *).

Thanks for this response! It pretty much is a reflection of my understanding of Perl's memory addressing capabilities so far. As for my underlying objective, I am trying to understand the concept of buffer overflow and have been experimenting around with it a little. In particular, I have been unable to create a simple buffer overflow (in analogy to how this would be achieved in a simple C programme) and am therefore trying to gain deeper insight into how Perl manages memory allocation. It's exactly at this point that I would like to see what values certain memory addresses have been allocated.

Maybe I am being harsh, since you seem to very little understanding of C, yet you are very interested in "memory allocation" and as you said "buffer overflows" (which nearly impossible in the Perl interp, XS excluded). I will post this question and answer it.

Can I cause a buffer overflow on the C stack to |-|4(|<()Я a Perl machine with a http://en.wikipedia.org/wiki/Return-to-libc_attack or http://en.wikipedia.org/wiki/Return-oriented_programming or put shellcode on the C stack and then execute it?

The answer is no. If XS is involved, thats a different story.

The actual contents of Perl language variables (like strings/PVs) never appear on the C stack. Perl interp does not use fixed length buffers or vulnerable printfs or strlens. Perl interp length tracks all buffers at all times, (XS excluded). Everything your see in the Perl Language is malloced from the heap, not from the C stack. The Perl language callstack and the C callstack are not related. Perl code is not compiled into C, it is compiler into Perl bytecode. Unless you are using XS, with callbacks into the perl interp with call_*(). 99% of the runtime of the Perl interp is spent in Perl_runops-* and 1 pp_* function deep after runops, from a C stack viewpoint that is. A pp_* (XS excluded) will almost never cause a second runops to appear on the C stack (except tied/magic). The Perl callstack is not maintained on the C stack, its a separate bunch of non contiguous malloced stacks, see illguts for more.
ntdll.dll!_KiFastSystemCallRet@0() ntdll.dll!_ZwWaitForMultipleObjects@20() + 0xc kernel32.dll!_WaitForMultipleObjectsEx@20() - 0x48 user32.dll!_RealMsgWaitForMultipleObjectsEx@20() + 0xd9 user32.dll!_MsgWaitForMultipleObjects@20() + 0x1f > perl512.dll!win32_msgwait(interpreter * my_perl=0x003942ac, unsig +ned long count=1, void * * handles=0x0006f998, unsigned long timeout= +4294967295, unsigned long * resultp=0x00000000) Line 2181 + 0x19 +C perl512.dll!win32_spawnvp(int mode=0, const char * cmdname=0x0082 +30bc, const char * const * argv=0x00822fe4) Line 4249 + 0x19 C perl512.dll!do_spawn2(interpreter * my_perl=0x003942ac, const cha +r * cmd=0x00822e9c, int exectype=2) Line 784 + 0x11 C perl512.dll!Perl_do_spawn(interpreter * my_perl=0x003942ac, char +* cmd=0x00822e9c) Line 820 + 0xf C perl512.dll!Perl_pp_system(interpreter * my_perl=0x003942ac) Lin +e 4277 + 0x5e C perl512.dll!Perl_runops_debug(interpreter * my_perl=0x003942ac) +Line 2049 + 0xd C perl512.dll!S_run_body(interpreter * my_perl=0x003942ac, long old +scope=1) Line 2308 + 0xd C perl512.dll!perl_run(interpreter * my_perl=0x003942ac) Line 2233 + + 0xd C perl512.dll!RunPerl(int argc=3, char * * argv=0x00282478, char * +* env=0x00285260) Line 270 + 0x9 C++ perl.exe!main(int argc=3, char * * argv=0x00282478, char * * env= +0x00282de8) Line 23 + 0x12 C perl.exe!mainCRTStartup() Line 398 + 0xe C kernel32.dll!_BaseProcessStart@4() + 0x23
The callstack snapshot was taken while the perl interp was frozen. The command was "perl -e "system('pause');". The above example is Windows only of course.

If you want to see Perl bytecodes decoded, read my post Re: [B::Deparse] Trying to find sub's code. If you want to know how SVs allocate their buffers, see sv.c#l1461 in perl.git. If you want to know how malloc works, see http://en.wikipedia.org/wiki/Dynamic_memory_allocation#Dynamic_memory_allocation or for an actual implementation, this is HeapAlloc from windows, http://doxygen.reactos.org/d8/d68/lib_2rtl_2heap_8c_source.html#l02011.

In reply to Re^5: How to access the contents of a specific memory address? by bulk88
in thread How to access the contents of a specific memory address? by pat_mc

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others taking refuge in the Monastery: (14)
    As of 2014-09-19 11:11 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      How do you remember the number of days in each month?











      Results (135 votes), past polls