How Shellcodes Work
Subject:   Writing to executable memory?
Date:   2006-05-21 21:35:11
From:   VesK
Excellent article indeed.

I am a bit surprised that writing to executable memory does not generate the segfault. Consider the following bit of code:

jmp short stuff

pop esi
; address of string
; now in ESI

xor eax,eax
; put zero into EAX

mov byte [esi + 17],al ; =======
; count 18 symbols (index starts from zero)
; and putting a zero value there (EAX register equals to zero)
; The string will become This is my string0

call code

db 'This is my string#'

The line marked with ======= is in effect writing to executable memory (i.e. self-modifying program). Since 80386 Intel introduced memory protection and this makes easy for the OS to mark pages for Read, Write and Execute. My understanding is that - at least outside ring 0 - pages marked Execute should not be writeable and pages marked Write should not be executable. What am I missing?

1 to 2 of 2
1 to 2 of 2