Informative Information for the Uninformed
Epilogue Modifications

When a function returns, it must check that the cookie stored on the stack has not been tampered with. To accomplish this, the compiler inserts the following instructions into the function's epilogue:
.text:00402223 mov ecx, [ebp+2A8h+var_4]
.text:00402229 xor ecx, ebp
.text:0040222B pop esi
.text:0040222C call __security_check_cookie

The cookie value stored on the stack is loaded into ecx and XOR'd with the current frame pointer, undoing the XOR the prologue applied and restoring the expected value. A call is then made to __security_check_cookie, with the stack frame's cookie value passed in ecx. The __security_check_cookie routine is very short and sweet: the passed-in value is compared with the image file's global cookie. If they don't match, __report_gsfailure is called and the process eventually terminates, which is the expected outcome when a buffer overflow has overwritten the cookie. If they do match, the routine simply returns, allowing the calling function to proceed with its cleanup and return.
.text:0040634B cmp ecx, __security_cookie
.text:00406351 jnz short loc_406355
.text:00406353 rep retn
.text:00406355 loc_406355:
.text:00406355 jmp __report_gsfailure
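To make the prologue/epilogue pair concrete, the following C program, added here as an example and not code from the original article or from Microsoft's C runtime, simulates a /GS frame (local buffer, cookie slot, saved ebp, return address), stores cookie XOR ebp in the slot the way the prologue does, copies attacker-controlled bytes into the buffer with no bounds check, and then runs the epilogue sequence above against the stand-in global cookie. The cookie value, the frame-pointer and return-address values, the 16-byte buffer and the all-'A' payload are constructed assumptions; a real cookie is randomised at process start.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the image's global __security_cookie. The value is an
 * assumption for this example; a real cookie is randomised at process start. */
static uint32_t security_cookie = 0xBB40E64Eu;

/* Simulated /GS frame: local buffer, then the cookie slot the prologue fills
 * ([ebp-4], the [ebp+2A8h+var_4] of the listing), then saved ebp and return
 * address. Overflowing buf runs upward into cookie_slot first. */
#define BUF_SIZE 16
struct gs_frame {
    char     buf[BUF_SIZE];
    uint32_t cookie_slot;
    uint32_t saved_ebp;
    uint32_t return_addr;
};

/* Prologue side: store cookie XOR frame pointer just below the saved ebp. */
static void gs_prologue(struct gs_frame *f, uint32_t ebp)
{
    f->cookie_slot = security_cookie ^ ebp;
}

/* __security_check_cookie: cmp ecx, __security_cookie. Returns 1 for the
 * "rep retn" path and 0 where the real routine jumps to __report_gsfailure. */
static int security_check_cookie(uint32_t ecx)
{
    return ecx == security_cookie;
}

/* Epilogue side: mov ecx, [ebp-4]; xor ecx, ebp; call __security_check_cookie */
static int gs_epilogue(const struct gs_frame *f, uint32_t ebp)
{
    uint32_t ecx = f->cookie_slot;
    ecx ^= ebp;
    return security_check_cookie(ecx);
}

/* Build a frame, copy `len` attacker-controlled bytes into buf without a
 * bounds check, then run the epilogue. Returns the epilogue's verdict:
 * 1 when the cookie is intact, 0 when __report_gsfailure would be reached. */
int simulate_copy(size_t len)
{
    struct gs_frame f;
    const uint32_t ebp = 0x0012FF80u;        /* assumed frame-pointer value */
    uint8_t input[sizeof f];

    memset(&f, 0, sizeof f);
    f.saved_ebp   = 0x0012FFC0u;             /* assumed caller frame */
    f.return_addr = 0x00402230u;             /* assumed return address */
    gs_prologue(&f, ebp);

    memset(input, 'A', sizeof input);        /* constructed overflow payload */
    if (len > sizeof f)
        len = sizeof f;                      /* stay inside the simulated frame */
    memcpy(&f, input, len);                  /* the unchecked copy; buf is at offset 0 */

    return gs_epilogue(&f, ebp);
}

int main(void)
{
    size_t lens[] = { BUF_SIZE, BUF_SIZE + 1, sizeof(struct gs_frame) };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy of %zu bytes: %s\n", lens[i],
               simulate_copy(lens[i]) ? "cookie intact, return proceeds"
                                      : "cookie clobbered, __report_gsfailure");
    return 0;
}
```

A copy of exactly BUF_SIZE bytes passes the check, while one byte more changes the stored slot so that the XOR with ebp no longer reproduces the global cookie and the failure path is taken. The check only fires when the slot itself is altered: an overflow that stops at the end of the buffer, or that lands only in locals placed below it, is not detected by this comparison, which is why the frame layout chosen by the compiler matters as much as the check.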