In my code I had:
#include <iostream>

// The function whose address we take below; its body is never meant to run.
void function2()
{
    std::cout << "Malware payload that should never be run!\n";
}
and
void (*pFun)() = &function2; // take the function's address; this is what the debugger displays for pFun
When I inspect pFun it returns the address
0x0092141f {BufferOverrunExample.exe!function2(void)}
But in the watch window it is
Why the difference?
If we inspect 0x0092141f in the disassembly window:
Why?
This Stack Overflow answer explains the cause, incremental linking:
c++ - Why doesn't VS2015 debugger show the function address correctly in the watch window? - Stack Overflow
"This behavior seems to be because of incremental linking. When it is enabled, the function is assembled in one memory address and another address contains a jump table entry with one jump instruction to the 'real' address. The function is always called by calling the jump table. If you disable incremental linking, the 'detour' via the jump table goes away and also your example case shows just one address.
Everything else seems to show the address to the jump table, but the 'printStuff' and '&printStuff' watch expressions show the actual address where the function code is located."
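To make the "detour" from the quoted answer visible on a live binary, here is an added example (not code from the original post or from the Stack Overflow answer). It assumes an x86 or x64 MSVC build in which each incremental-link jump table entry is a single 5-byte `JMP rel32` (opcode 0xE9) whose displacement is relative to the end of the instruction; the names `resolve_jump_thunk`, `fake_thunk` and `fake_thunk_target_offset` are mine, and `fake_thunk` is a constructed byte pattern used only to exercise the resolver without depending on the linker's behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Added example, not from the original post. Follow a possible
// incremental-link thunk: with /INCREMENTAL, MSVC emits a jump table entry
// that is one "JMP rel32" (0xE9) to the real function body. If the bytes at
// `p` start with 0xE9, return the jump target; otherwise `p` already names
// the function body and is returned unchanged.
// Assumption: x86/x64 encoding, where the rel32 displacement is relative to
// the address of the instruction that follows the 5-byte JMP.
const void* resolve_jump_thunk(const void* p)
{
    const unsigned char* code = static_cast<const unsigned char*>(p);
    if (code[0] != 0xE9)
        return p; // not a thunk: no detour, the debugger shows the real address
    std::int32_t rel = 0;
    std::memcpy(&rel, code + 1, sizeof rel); // little-endian, signed displacement
    return code + 5 + rel;                   // target = next instruction + displacement
}

// Constructed sample (not a real thunk): 0xE9 followed by displacement 0x10.
// The jump lands at offset 5 + 16 = 21 from the start of the buffer.
static const unsigned char fake_thunk[32] = { 0xE9, 0x10, 0x00, 0x00, 0x00 };

std::ptrdiff_t fake_thunk_target_offset()
{
    const void* target = resolve_jump_thunk(fake_thunk);
    return static_cast<const unsigned char*>(target) - fake_thunk;
}

void function2()
{
    std::cout << "Malware payload that should never be run!\n";
}

int main()
{
    void (*pFun)() = &function2;
    const void* watch = reinterpret_cast<const void*>(pFun); // what the debugger shows for pFun
    const void* body  = resolve_jump_thunk(watch);           // where the code really lives
    std::cout << "pFun      = " << watch << '\n'
              << "real body = " << body
              << (body == watch ? " (no thunk: incremental linking is off)\n"
                                : " (reached through an incremental-link jump thunk)\n");
    return 0;
}
```

Run it once with incremental linking on and once with it off: in the first build `pFun` and `real body` differ, which is exactly the mismatch between the value of `pFun` and the address the watch window reports; in the second build they are the same address.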
Linkers & Jump tables
Canary bytes, prologues and epilogues
Stack Guard
Address layout randomisation
CC bytes