Remote Debugging Linux Binaries - Stack Address Changes?

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?

I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.

I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?

ida linux stack

share|improve this question

edited 6 mins ago

NirIzr

8,89712268

asked 2 hours ago

Neon Flash

242212

add a comment | 

up vote
1
down vote

favorite

Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?

I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.

I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?

ida linux stack

share|improve this question

edited 6 mins ago

NirIzr

8,89712268

asked 2 hours ago

Neon Flash

242212

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?

I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.

I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?

ida linux stack

share|improve this question

edited 6 mins ago

NirIzr

8,89712268

asked 2 hours ago

Neon Flash

242212

Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?

I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.

I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?

ida linux stack

ida linux stack

share|improve this question

edited 6 mins ago

NirIzr

8,89712268

asked 2 hours ago

Neon Flash

242212

share|improve this question

edited 6 mins ago

NirIzr

8,89712268

asked 2 hours ago

Neon Flash

242212

share|improve this question

share|improve this question

edited 6 mins ago

NirIzr

8,89712268

edited 6 mins ago

NirIzr

8,89712268

edited 6 mins ago

NirIzr

8,89712268

8,89712268

asked 2 hours ago

Neon Flash

242212

asked 2 hours ago

Neon Flash

242212

asked 2 hours ago

Neon Flash

242212

242212

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
2
down vote



accepted

On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:

/*
 * These are the functions used to load ELF style executables and shared
 * libraries. There is no binary dependent code anywhere else.
 */

#ifndef STACK_RND_MASK
#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
#endif

static unsigned long randomize_stack_top(unsigned long stack_top)

 unsigned long random_variable = 0;

 if (current->flags & PF_RANDOMIZE) 
 random_variable = get_random_long();
 random_variable &= STACK_RND_MASK;
 random_variable <<= PAGE_SHIFT;
 
#ifdef CONFIG_STACK_GROWSUP
 return PAGE_ALIGN(stack_top) + random_variable;
#else
 return PAGE_ALIGN(stack_top) - random_variable;
#endif

We can test this with a simple program that prints the memory address of a local variable in function main():

#include <stdio.h>

int main(void)

 int i = 3;

 printf("%pn", &i);

 return 0;

compile and execute:

$ gcc -m32 -o print_stack_address print_stack_address.c 
$ ./print_stack_address 
0xff9dc78c
$ ./print_stack_address 
0xff832d3c
$ ./print_stack_address 
0xff844c1c
$ ./print_stack_address 
0xff999e0c
$ ./print_stack_address 
0xffd1117c

share|improve this answer

answered 1 hour ago

SYS_V♦

3,9161940

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thanks, I resolved this issue by manually disabling ASLR on the machine.
  – Neon Flash
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @NeonFlash you are welcome
  – SYS_V♦
  37 mins ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.

Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.

share|improve this answer

answered 29 mins ago

NirIzr

8,89712268

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "489"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19724%2fremote-debugging-linux-binaries-stack-address-changes%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote



accepted

On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:

/*
 * These are the functions used to load ELF style executables and shared
 * libraries. There is no binary dependent code anywhere else.
 */

#ifndef STACK_RND_MASK
#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
#endif

static unsigned long randomize_stack_top(unsigned long stack_top)

 unsigned long random_variable = 0;

 if (current->flags & PF_RANDOMIZE) 
 random_variable = get_random_long();
 random_variable &= STACK_RND_MASK;
 random_variable <<= PAGE_SHIFT;
 
#ifdef CONFIG_STACK_GROWSUP
 return PAGE_ALIGN(stack_top) + random_variable;
#else
 return PAGE_ALIGN(stack_top) - random_variable;
#endif

We can test this with a simple program that prints the memory address of a local variable in function main():

#include <stdio.h>

int main(void)

 int i = 3;

 printf("%pn", &i);

 return 0;

compile and execute:

$ gcc -m32 -o print_stack_address print_stack_address.c 
$ ./print_stack_address 
0xff9dc78c
$ ./print_stack_address 
0xff832d3c
$ ./print_stack_address 
0xff844c1c
$ ./print_stack_address 
0xff999e0c
$ ./print_stack_address 
0xffd1117c

share|improve this answer

answered 1 hour ago

SYS_V♦

3,9161940

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thanks, I resolved this issue by manually disabling ASLR on the machine.
  – Neon Flash
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @NeonFlash you are welcome
  – SYS_V♦
  37 mins ago
  

  
  
  
  

add a comment | 

up vote
2
down vote



accepted

On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:

/*
 * These are the functions used to load ELF style executables and shared
 * libraries. There is no binary dependent code anywhere else.
 */

#ifndef STACK_RND_MASK
#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
#endif

static unsigned long randomize_stack_top(unsigned long stack_top)

 unsigned long random_variable = 0;

 if (current->flags & PF_RANDOMIZE) 
 random_variable = get_random_long();
 random_variable &= STACK_RND_MASK;
 random_variable <<= PAGE_SHIFT;
 
#ifdef CONFIG_STACK_GROWSUP
 return PAGE_ALIGN(stack_top) + random_variable;
#else
 return PAGE_ALIGN(stack_top) - random_variable;
#endif

We can test this with a simple program that prints the memory address of a local variable in function main():

#include <stdio.h>

int main(void)

 int i = 3;

 printf("%pn", &i);

 return 0;

compile and execute:

$ gcc -m32 -o print_stack_address print_stack_address.c 
$ ./print_stack_address 
0xff9dc78c
$ ./print_stack_address 
0xff832d3c
$ ./print_stack_address 
0xff844c1c
$ ./print_stack_address 
0xff999e0c
$ ./print_stack_address 
0xffd1117c

share|improve this answer

answered 1 hour ago

SYS_V♦

3,9161940

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thanks, I resolved this issue by manually disabling ASLR on the machine.
  – Neon Flash
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @NeonFlash you are welcome
  – SYS_V♦
  37 mins ago
  

  
  
  
  

add a comment | 

up vote
2
down vote



accepted

up vote
2
down vote



accepted

On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:

/*
 * These are the functions used to load ELF style executables and shared
 * libraries. There is no binary dependent code anywhere else.
 */

#ifndef STACK_RND_MASK
#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
#endif

static unsigned long randomize_stack_top(unsigned long stack_top)

 unsigned long random_variable = 0;

 if (current->flags & PF_RANDOMIZE) 
 random_variable = get_random_long();
 random_variable &= STACK_RND_MASK;
 random_variable <<= PAGE_SHIFT;
 
#ifdef CONFIG_STACK_GROWSUP
 return PAGE_ALIGN(stack_top) + random_variable;
#else
 return PAGE_ALIGN(stack_top) - random_variable;
#endif

We can test this with a simple program that prints the memory address of a local variable in function main():

#include <stdio.h>

int main(void)

 int i = 3;

 printf("%pn", &i);

 return 0;

compile and execute:

$ gcc -m32 -o print_stack_address print_stack_address.c 
$ ./print_stack_address 
0xff9dc78c
$ ./print_stack_address 
0xff832d3c
$ ./print_stack_address 
0xff844c1c
$ ./print_stack_address 
0xff999e0c
$ ./print_stack_address 
0xffd1117c

share|improve this answer

answered 1 hour ago

SYS_V♦

3,9161940

On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:

/*
 * These are the functions used to load ELF style executables and shared
 * libraries. There is no binary dependent code anywhere else.
 */

#ifndef STACK_RND_MASK
#define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
#endif

static unsigned long randomize_stack_top(unsigned long stack_top)

 unsigned long random_variable = 0;

 if (current->flags & PF_RANDOMIZE) 
 random_variable = get_random_long();
 random_variable &= STACK_RND_MASK;
 random_variable <<= PAGE_SHIFT;
 
#ifdef CONFIG_STACK_GROWSUP
 return PAGE_ALIGN(stack_top) + random_variable;
#else
 return PAGE_ALIGN(stack_top) - random_variable;
#endif

We can test this with a simple program that prints the memory address of a local variable in function main():

#include <stdio.h>

int main(void)

 int i = 3;

 printf("%pn", &i);

 return 0;

compile and execute:

$ gcc -m32 -o print_stack_address print_stack_address.c 
$ ./print_stack_address 
0xff9dc78c
$ ./print_stack_address 
0xff832d3c
$ ./print_stack_address 
0xff844c1c
$ ./print_stack_address 
0xff999e0c
$ ./print_stack_address 
0xffd1117c

share|improve this answer

answered 1 hour ago

SYS_V♦

3,9161940

share|improve this answer

share|improve this answer

answered 1 hour ago

SYS_V♦

3,9161940

answered 1 hour ago

SYS_V♦

3,9161940

answered 1 hour ago

SYS_V♦

3,9161940

3,9161940

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thanks, I resolved this issue by manually disabling ASLR on the machine.
  – Neon Flash
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @NeonFlash you are welcome
  – SYS_V♦
  37 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thanks, I resolved this issue by manually disabling ASLR on the machine.
  – Neon Flash
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @NeonFlash you are welcome
  – SYS_V♦
  37 mins ago
  

  
  
  
  

Thanks, I resolved this issue by manually disabling ASLR on the machine.
– Neon Flash
1 hour ago

Thanks, I resolved this issue by manually disabling ASLR on the machine.
– Neon Flash
1 hour ago

@NeonFlash you are welcome
– SYS_V♦
37 mins ago

@NeonFlash you are welcome
– SYS_V♦
37 mins ago

add a comment | 

up vote
1
down vote

Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.

Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.

share|improve this answer

answered 29 mins ago

NirIzr

8,89712268

add a comment | 

up vote
1
down vote

Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.

Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.

share|improve this answer

answered 29 mins ago

NirIzr

8,89712268

add a comment | 

up vote
1
down vote

up vote
1
down vote

Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.

Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.

share|improve this answer

answered 29 mins ago

NirIzr

8,89712268

Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.

Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.

share|improve this answer

answered 29 mins ago

NirIzr

8,89712268

share|improve this answer

share|improve this answer

answered 29 mins ago

NirIzr

8,89712268

answered 29 mins ago

NirIzr

8,89712268

answered 29 mins ago

NirIzr

8,89712268

8,89712268

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19724%2fremote-debugging-linux-binaries-stack-address-changes%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email