Showing posts with label c. Show all posts
Showing posts with label c. Show all posts

Sunday, September 13, 2020

PHP Unix Socket under Windows

It's been a while that Windows 10 have support of Unix Domain Socket/UDS (although with limitation but that doesn't matter for this blog). While PHP language has some questionable design decisions, let me tell you something.

PHP already prepared for AF_UNIX support in Windows older than you think.

Checking the PHP source code, the earliest presence of sockaddr_un struct in the code existed since PHP 4.1.0. First let's test whetever UDS is supported in PHP 7.4. The server code

In my machine, that code runs (no error message)


So, the client code:

Running the client code prints the following message.

That means UDS is working. "Wait, that's probably PHP completely emulating UDS in Windows", fine, let's write the client code with C instead!

Compiling that code and running it shows this output.


That also means PHP didn't emulate UDS and uses WinSock directly.

So, UDS works in PHP 7.4.1 under Windows. What about earlier version? It should be, right? Since reference to UDS in Windows existed since PHP 4.1.0. So let's try with PHP 5.3.19.

Note: The reason I choose PHP 5.3.19 because I didn't look at older commits that reference sockaddr_un in Windows, and I just see that it's there since 4.1.0 while writing this blog, after doing all testing.



The reverse is also possible, i.e. PHP 7.4.1 connecting to UDS which was created for PHP 5.3.19 and vice versa, but that will clutter this blog post with images.

This is surprising discovery in my opinion. What if PHP team already predicted this blog post after all? Well ...

That's story for another blog post.


Posted by at No comments:
Labels: , , , , , ,

Sunday, October 4, 2015

Executing x86 machine code from char array in C/C++

The idea is:
  1. create bunch of char array in a file containing the machine code(not as const)
  2. mark the memory as executable with mprotect or VirtualProtect.
  3. declare typedef function with their correct parameters and pointing to the address of our char array
  4. call it
It's just pretty straightforward for a simple function, like a function that do x+1 or a*b, but function calling another function(e.x.: function calling strlen, malloc, etc.) needs the pointer to be calculated at first or the function will call wrong code(undefined berhaviour).

Okay so let's start. I've been make simple function that XOR 7303014 by x. This is the code


#include <stdio.h>
 
int foo_bar(int baz) {
 int foo=7303014;
 return foo^baz;
}
 
int main() {
 int val=1904132;
 int out=foo_bar(val);
 printf("%s",&out);
 return 0;
}


It looks simple right. It only prints string "bar" in the console. Now what we need is the foo_bar function as machine code. Open Hex Editor and open the executable then find the function.

Note: We are using x86 byte code for this. Take care of this if you're try to compile it as 64-bit code.
The highlighted hex is the foo_bar function that we need to get their machine code representation and put them in our new code. This is our char array declaration

char foo_bar[]={0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xC7, 0x45, 0xFC, 0x66, 0x6F, 0x6F, 0x00, 0x8B, 0x45, 0x08, 0x8B, 0x55, 0xFC, 0x31, 0xD0, 0xC9, 0xC3};

Now we have completed point 1 above, now let's make some code to finish point 2, 3, and 4

typedef int (*foo_bar_t)(int );
 
int main() {
 foo_bar_t foo=(foo_bar_t)(void*)foo_bar;
 DWORD old_protect;
 VirtualProtect(foo,sizeof(foo_bar),PAGE_EXECUTE_READWRITE,&old_protect);
 int out=foo(0);
 printf("%s",&out);
 return 0;
}

Q: Why cast to void* first then cast it to foo_bar_t?
A: Visual Studio doesn't like casting foo_bar_t directly from char* so, cast it to void* first. GCC works fine without cast to void* above.

Ok that's our complete main function. Now let's explain it.

The point 2 is in the VirtualProtect function. VirtualProtect function mark address pointed by foo variable to be executable, readable, and writeable(see PAGE_EXECUTE_READWRITE). Without this call, point 4 will very likely to fail(throws Segmentation Fault/Access Violation)(be sure to include Windows.h)
The point 3 is above the main. The typedef.
Then, point 4 is below point 2. Again, calling the function without setting the memory protection would likely causes your program stop working.

Alright, this is the complete code


#include <stdio.h>
#include <windows.h>
 
typedef int (*foo_bar_t)(int );
 
char foo_bar[]={0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xC7, 0x45, 0xFC, 0x66, 0x6F, 0x6F, 0x00, 0x8B, 0x45, 0x08, 0x8B, 0x55, 0xFC, 0x31, 0xD0, 0xC9, 0xC3};
 
int main() {
 foo_bar_t foo=(foo_bar_t)(void*)foo_bar;
 DWORD old_protect;
 VirtualProtect(foo,sizeof(foo_bar),PAGE_EXECUTE_READWRITE,&old_protect);
 int out=foo(0);
 printf("%s",&out);
 return 0;
}


Now let's compile it and run it.







Our program run without error. That means we've been successfully run our machine code. That's for today.

Challenge: Compile both complete code above and find out why it prints "bar" and "foo".
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Comments (Atom)