Remote Debugging Linux Binaries - Stack Address Changes?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?



I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.



I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?










share|improve this question



























    up vote
    1
    down vote

    favorite












    Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?



    I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.



    I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?










    share|improve this question

























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?



      I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.



      I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?










      share|improve this question















      Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?



      I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am using linux_server as the dbgsrv.



      I noticed that when I enter a subroutine, the stack address is different every time. Is it expected? Is it because I am debugging remotely?







      ida linux stack






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 6 mins ago









      NirIzr

      8,89712268




      8,89712268










      asked 2 hours ago









      Neon Flash

      242212




      242212




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:



          /*
          * These are the functions used to load ELF style executables and shared
          * libraries. There is no binary dependent code anywhere else.
          */

          #ifndef STACK_RND_MASK
          #define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
          #endif

          static unsigned long randomize_stack_top(unsigned long stack_top)

          unsigned long random_variable = 0;

          if (current->flags & PF_RANDOMIZE)
          random_variable = get_random_long();
          random_variable &= STACK_RND_MASK;
          random_variable <<= PAGE_SHIFT;

          #ifdef CONFIG_STACK_GROWSUP
          return PAGE_ALIGN(stack_top) + random_variable;
          #else
          return PAGE_ALIGN(stack_top) - random_variable;
          #endif



          We can test this with a simple program that prints the memory address of a local variable in function main():



          #include <stdio.h>

          int main(void)

          int i = 3;

          printf("%pn", &i);

          return 0;



          compile and execute:



          $ gcc -m32 -o print_stack_address print_stack_address.c 
          $ ./print_stack_address
          0xff9dc78c
          $ ./print_stack_address
          0xff832d3c
          $ ./print_stack_address
          0xff844c1c
          $ ./print_stack_address
          0xff999e0c
          $ ./print_stack_address
          0xffd1117c





          share|improve this answer




















          • Thanks, I resolved this issue by manually disabling ASLR on the machine.
            – Neon Flash
            1 hour ago










          • @NeonFlash you are welcome
            – SYS_V♦
            37 mins ago

















          up vote
          1
          down vote













          Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.



          Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "489"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19724%2fremote-debugging-linux-binaries-stack-address-changes%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            2
            down vote



            accepted










            On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:



            /*
            * These are the functions used to load ELF style executables and shared
            * libraries. There is no binary dependent code anywhere else.
            */

            #ifndef STACK_RND_MASK
            #define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
            #endif

            static unsigned long randomize_stack_top(unsigned long stack_top)

            unsigned long random_variable = 0;

            if (current->flags & PF_RANDOMIZE)
            random_variable = get_random_long();
            random_variable &= STACK_RND_MASK;
            random_variable <<= PAGE_SHIFT;

            #ifdef CONFIG_STACK_GROWSUP
            return PAGE_ALIGN(stack_top) + random_variable;
            #else
            return PAGE_ALIGN(stack_top) - random_variable;
            #endif



            We can test this with a simple program that prints the memory address of a local variable in function main():



            #include <stdio.h>

            int main(void)

            int i = 3;

            printf("%pn", &i);

            return 0;



            compile and execute:



            $ gcc -m32 -o print_stack_address print_stack_address.c 
            $ ./print_stack_address
            0xff9dc78c
            $ ./print_stack_address
            0xff832d3c
            $ ./print_stack_address
            0xff844c1c
            $ ./print_stack_address
            0xff999e0c
            $ ./print_stack_address
            0xffd1117c





            share|improve this answer




















            • Thanks, I resolved this issue by manually disabling ASLR on the machine.
              – Neon Flash
              1 hour ago










            • @NeonFlash you are welcome
              – SYS_V♦
              37 mins ago














            up vote
            2
            down vote



            accepted










            On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:



            /*
            * These are the functions used to load ELF style executables and shared
            * libraries. There is no binary dependent code anywhere else.
            */

            #ifndef STACK_RND_MASK
            #define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
            #endif

            static unsigned long randomize_stack_top(unsigned long stack_top)

            unsigned long random_variable = 0;

            if (current->flags & PF_RANDOMIZE)
            random_variable = get_random_long();
            random_variable &= STACK_RND_MASK;
            random_variable <<= PAGE_SHIFT;

            #ifdef CONFIG_STACK_GROWSUP
            return PAGE_ALIGN(stack_top) + random_variable;
            #else
            return PAGE_ALIGN(stack_top) - random_variable;
            #endif



            We can test this with a simple program that prints the memory address of a local variable in function main():



            #include <stdio.h>

            int main(void)

            int i = 3;

            printf("%pn", &i);

            return 0;



            compile and execute:



            $ gcc -m32 -o print_stack_address print_stack_address.c 
            $ ./print_stack_address
            0xff9dc78c
            $ ./print_stack_address
            0xff832d3c
            $ ./print_stack_address
            0xff844c1c
            $ ./print_stack_address
            0xff999e0c
            $ ./print_stack_address
            0xffd1117c





            share|improve this answer




















            • Thanks, I resolved this issue by manually disabling ASLR on the machine.
              – Neon Flash
              1 hour ago










            • @NeonFlash you are welcome
              – SYS_V♦
              37 mins ago












            up vote
            2
            down vote



            accepted







            up vote
            2
            down vote



            accepted






            On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:



            /*
            * These are the functions used to load ELF style executables and shared
            * libraries. There is no binary dependent code anywhere else.
            */

            #ifndef STACK_RND_MASK
            #define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
            #endif

            static unsigned long randomize_stack_top(unsigned long stack_top)

            unsigned long random_variable = 0;

            if (current->flags & PF_RANDOMIZE)
            random_variable = get_random_long();
            random_variable &= STACK_RND_MASK;
            random_variable <<= PAGE_SHIFT;

            #ifdef CONFIG_STACK_GROWSUP
            return PAGE_ALIGN(stack_top) + random_variable;
            #else
            return PAGE_ALIGN(stack_top) - random_variable;
            #endif



            We can test this with a simple program that prints the memory address of a local variable in function main():



            #include <stdio.h>

            int main(void)

            int i = 3;

            printf("%pn", &i);

            return 0;



            compile and execute:



            $ gcc -m32 -o print_stack_address print_stack_address.c 
            $ ./print_stack_address
            0xff9dc78c
            $ ./print_stack_address
            0xff832d3c
            $ ./print_stack_address
            0xff844c1c
            $ ./print_stack_address
            0xff999e0c
            $ ./print_stack_address
            0xffd1117c





            share|improve this answer












            On modern Linux machines ASLR is enabled by default. As a result, when the process image for the binary is created in virtual memory, the base address of the stack is located at a random offset:



            /*
            * These are the functions used to load ELF style executables and shared
            * libraries. There is no binary dependent code anywhere else.
            */

            #ifndef STACK_RND_MASK
            #define STACK_RND_MASK (0x7ff >> (PAGE_SHIFT - 12)) /* 8MB of VA */
            #endif

            static unsigned long randomize_stack_top(unsigned long stack_top)

            unsigned long random_variable = 0;

            if (current->flags & PF_RANDOMIZE)
            random_variable = get_random_long();
            random_variable &= STACK_RND_MASK;
            random_variable <<= PAGE_SHIFT;

            #ifdef CONFIG_STACK_GROWSUP
            return PAGE_ALIGN(stack_top) + random_variable;
            #else
            return PAGE_ALIGN(stack_top) - random_variable;
            #endif



            We can test this with a simple program that prints the memory address of a local variable in function main():



            #include <stdio.h>

            int main(void)

            int i = 3;

            printf("%pn", &i);

            return 0;



            compile and execute:



            $ gcc -m32 -o print_stack_address print_stack_address.c 
            $ ./print_stack_address
            0xff9dc78c
            $ ./print_stack_address
            0xff832d3c
            $ ./print_stack_address
            0xff844c1c
            $ ./print_stack_address
            0xff999e0c
            $ ./print_stack_address
            0xffd1117c






            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 1 hour ago









            SYS_V♦

            3,9161940




            3,9161940











            • Thanks, I resolved this issue by manually disabling ASLR on the machine.
              – Neon Flash
              1 hour ago










            • @NeonFlash you are welcome
              – SYS_V♦
              37 mins ago
















            • Thanks, I resolved this issue by manually disabling ASLR on the machine.
              – Neon Flash
              1 hour ago










            • @NeonFlash you are welcome
              – SYS_V♦
              37 mins ago















            Thanks, I resolved this issue by manually disabling ASLR on the machine.
            – Neon Flash
            1 hour ago




            Thanks, I resolved this issue by manually disabling ASLR on the machine.
            – Neon Flash
            1 hour ago












            @NeonFlash you are welcome
            – SYS_V♦
            37 mins ago




            @NeonFlash you are welcome
            – SYS_V♦
            37 mins ago










            up vote
            1
            down vote













            Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.



            Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.






            share|improve this answer
























              up vote
              1
              down vote













              Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.



              Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.






              share|improve this answer






















                up vote
                1
                down vote










                up vote
                1
                down vote









                Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.



                Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.






                share|improve this answer












                Most modern operating systems never guaranteed the stack's location will be the same for different process creations to begin with, and this was mostly a byproduct of deterministic execution of those allocations during the operating system's process creation flow.



                Moreover, that fact was then used quite frequently to use constant values for stack addresses during exploitation, which is what ASLR prevents. for a while now stacks are being ASLRed to mitigate exploitation, and are actually guaranteed to be randomized.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 28 mins ago









                NirIzr

                8,89712268




                8,89712268



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19724%2fremote-debugging-linux-binaries-stack-address-changes%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?