In the example of self-modifying code, you can use the function name as a label to get the actual address of the function, add the offset of the byte to be modified to get the actual address of that byte, and finally modify the byte. So, is it possible to get the base address directly at run time without using labels like function names, and then add the offset that I obtained ahead of time to reach the actual address of the byte to be modified?
The example: https://shanetully.com/2013/12/writing-a-self-mutating-x86_64-c-program/
void *foo_addr = (void*)foo; // Get the actual address of the function
// Change the immediate value in the addl instruction in foo() to 42
unsigned char *instruction = (unsigned char*)foo_addr + 22;
*instruction = 0x2A;
The addresses in my run were: foo_addr = 0x3b882c0, + 22 = 0x3b882d6
Now, I don't want to be constrained by the function, suppose I get the offset from the starting position of the current byte to be modified through static analysis. So now I want to get the base address directly at run time, base address + offset = position of the byte to be modified. Is this feasible? If so, how do you get the base address?
Linux uses Address Space Layout Randomization (since 2001), so you can't blindly assume that code is where you expect it to be. That doesn't matter for function pointers, because your compiler knows how ASLR works. Calling &foo works no matter where foo is actually loaded. Static analysis can't help here since it's too early.
Furthermore, the function pointer points to the first instruction. You can't assume that all other instructions in the function follow directly after. Inlining and outlining can both break that.
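As an added illustration of the point above (my own example, not code from the question or the linked post), the following program computes the executable's load base at run time and shows that the offset of foo() from that base is the stable quantity, while the absolute address is not. It assumes Linux/ELF with the GNU or LLVM linker, both of which define the __executable_start and etext symbols; foo() is a hypothetical stand-in for the question's function.

```c
// Added example: resolving "base + offset" under PIE + ASLR without relying on
// a function-name label at run time. Assumes Linux/ELF and GNU ld or lld.
#include <stdint.h>
#include <stdio.h>

extern char __executable_start[];  /* linker symbol: first byte of the image */
extern char etext[];               /* linker symbol: first byte past .text */

int counter = 0;                   /* a .data object, used only for contrast */

/* Hypothetical stand-in for the question's foo(); its body is irrelevant. */
int foo(int x) { return x + 1; }

/* Runtime load base of the main executable. With PIE + ASLR this changes on
 * every run; for a non-PIE binary it is the fixed link-time base. */
uintptr_t load_base(void) { return (uintptr_t)__executable_start; }

/* Offset of an address from the image start. This is the number a static
 * tool can report, because it does not depend on where ASLR put the image. */
uintptr_t image_offset(const void *p) { return (uintptr_t)p - load_base(); }

/* The mapping the question asks for: base + offset -> live address. */
void *resolve(uintptr_t offset) { return (void *)(load_base() + offset); }

/* True if p lies inside this image's .text, i.e. it is code of the main
 * executable rather than a stack, heap or shared-library address. */
int in_text(const void *p) {
    const char *c = (const char *)p;
    return c >= __executable_start && c < etext;
}

int main(void) {
    uintptr_t off = image_offset((const void *)foo);
    /* Run this twice: the base and foo's address move, the offset does not.
     * Note that the "+22" in the question is an intra-function offset that
     * depends entirely on the compiler's output and must be re-derived per build. */
    printf("base %#lx  foo %#lx  offset %#lx\n", (unsigned long)load_base(),
           (unsigned long)(uintptr_t)foo, (unsigned long)off);
    printf("resolve(offset) == foo: %s\n",
           resolve(off) == (void *)foo ? "yes" : "no");
    return 0;
}
```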