<h1>Don't trust the return address</h1>
<p>The Old New Thing, 2004-01-01. <a href="https://devblogs.microsoft.com/oldnewthing/20040101-00/?p=41223">https://devblogs.microsoft.com/oldnewthing/20040101-00/?p=41223</a></p>
<p>Sometimes people ask, “So I know how to get my return address [use <a href="http://msdn.microsoft.com/en-us/library/64ez38eh(v=vs.100).aspx">the _ReturnAddress() intrinsic</a>]; how do I figure out what DLL that return address belongs to?”</p>
<p>Beware.</p>
<p>Even if you figure out which DLL the return address belongs to [use <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms683200(v=vs.100).aspx">GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS)</a>], that doesn’t mean that that is actually the DLL that called you.</p>
<p>A common trick is to search through a “trusted” DLL for some code bytes that coincidentally match ones you (the attacker) want to execute. This can be something as simple as a “retd” instruction; such instructions are quite abundant. The attacker then builds a stack frame that looks like this, for, say, a function that takes two parameters.</p>
<pre>
trusted_retd
hacked parameter 1
hacked parameter 2
hacker_code_addr
</pre>
<p>After building this stack frame, the attacker then jumps to the start of the function being attacked.</p>
<p>The function being attacked looks at the return address and sees <code>trusted_retd</code>, which resides in a trusted DLL. It then foolishly trusts the caller and allows some unsafe operation to occur, using hacked parameters 1 and 2. The function being attacked then does a “retd 8” to return and clean the parameters. This transfers control to the <code>trusted_retd</code>, which performs a simple <code>retd</code>, which now gives control to the <code>hacker_code_addr</code>, and the hacker can use the result to continue his nefarious work.</p>
<p>This is why you should be concerned if somebody says, “This code verifies that its caller is trusted…” How do they know who the caller really is?</p>