7

This is something that recently crossed my mind, quoting from wikipedia: "To initialize a function pointer, you must give it the address of a function in your program."

So, I can't make it point to an arbitrary memory address but what if i overwrite the memory at the address of the function with a piece of data the same size as before and than invoke it via pointer ? If such data corresponds to an actual function and the two functions have matching signatures the latter should be invoked instead of the first.

Is it theoretically possible ?

I apologize if this is impossible due to some very obvious reason that i should be aware of.

Improve this question
6
  • That's how malware works, I think, like this: en.wikipedia.org/wiki/Heap_spray Commented Dec 3, 2013 at 16:45
  • 1
    How did this question get upvoted? Commented Dec 3, 2013 at 16:47
  • 4
    Because it is a real question about a useful technique. Commented Dec 3, 2013 at 16:49
  • 4
    @AndersLindén Maybe because the answer in non-trivial. Commented Dec 3, 2013 at 16:50
  • 5
    @AndersLindén By clicking on the ^ button. Commented Dec 3, 2013 at 16:53

5 Answers 5

Reset to default
4

If you're writing something like a JIT, which generates native code on the fly, then yes you could do all of those things.

However, in order to generate native code you obviously need to know some implementation details of the system you're on, including how its function pointers work and what special measures need to be taken for executable code. For one example, on some systems after modifying memory containing code you need to flush the instruction cache before you can safely execute the new code. You can't do any of this portably using standard C or C++.

You might find when you come to overwrite the function, that you can only do it for functions that your program generated at runtime. Functions that are part of the running executable are liable to be marked write-protected by the OS.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Likewise, most writable parts of the heap are marked execute-protected. Most OSs have an API to change this, though.
@Dan: the difference being that in order to support JITs the OS will let you mark a heap-region executable, but it still probably won't let you mark your own executable writable.
So far this answer is the most detailed, i will wait a bit more for fairness before marking it as accepted.
1

The issue you may run into is the Data Execution Prevention. It tries to keep you from executing data as code or allowing code to be written to like data. You can turn it off on Windows. Some compilers/oses may also place code into const-like sections of memory that the OS/hardware protect. The standard says nothing about what should or should not work when you write an array of bytes to a memory location and then call a function that includes jmping to that location. It's all dependent on your hardware and your OS.

Improve this answer

Comments

1

While the standard does not provide any guarantees as of what would happen if you make a function pointer that does not refer to a function, in real life and in your particular implementation and knowing the platform you may be able to do that with raw data.

I have seen example programs that created a char array with the appropriate binary code and have it execute by doing careful casting of pointers. So in practice, and in a non-portable way you can achieve that behavior.

Improve this answer

Comments

1

It is possible, with caveats given in other answers. You definitely do not want to overwrite memory at some existing function's address with custom code, though. Not only is typically executable memory not writeable, but you have no guarantees as to how the compiler might have used that code. For all you know, the code may be shared by many functions that you think you're not modifying.

So, what you need to do is:

  1. Allocate one or more memory pages from the system.

  2. Write your custom machine code into them.

  3. Mark the pages as non-writable and executable.

  4. Run the code, and there's two ways of doing it:

    1. Cast the address of the pages you got in #1 to a function pointer, and call the pointer.

    2. Execute the code in another thread. You're passing the pointer to code directly to a system API or framework function that starts the thread.

Improve this answer

Comments

0

Your question is confusingly worded.

You can reassign function pointers and you can assign them to null. Same with member pointers. Unless you declare them const, you can reassign them and yes the new function will be called instead. You can also assign them to null. The signatures must match exactly. Use std::function instead.

You cannot "overwrite the memory at the address of a function". You probably can indeed do it some way, but just do not. You're writing into your program code and are likely to screw it up badly.

Improve this answer

2 Comments

I guess my question could be reworded into 2 sub-questions 1)is it possible to overwrite the memory at the address of a function ? 2) is it possible to invoke via pointer the function that corresponds to the data you just writed if the signatures match ?
@user1909612: depends what you mean by "possible". Some systems will not prevent you doing it, but the result is likely to be undefined.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.