Find out function argument values from the stack pointer
Given a stack pointer value, is it possible to determine the values of the arguments passed to a function? Where are the arguments stored in the stack frame?

Let's say we are executing a `gcc`-compiled ELF binary on the `x86` architecture on the Linux platform:

```c
int foo(int a, int b) { ... }
```

`foo(a,b)` is called from `main()` and I know the stack pointer (SP) value, which is pointing to `foo()` now. How can I retrieve the values of arguments `a` and `b`?

EDIT: If the stack grows from smaller addresses to larger addresses, and arguments are passed right to left using `cdecl`, can I obtain the argument values like this?

```c
b = *(SP + 1);
a = *(SP + 2);
```

EDIT: The following program prints the values of the function arguments `a`, `b` using the above architecture and specifications.

```c
#include <stdio.h>

void foo(int a, int b)
{
    int i;
    register int stackptr asm("sp");   /* bind a variable to the stack pointer register */
    int *sp = (int *)stackptr;         /* view the stack as an array of 32-bit words */

    printf("\n\ta=%d b=%d\n", a, b);
    for (i = 0; i < 16; i++) {
        printf("*(sp + %d) = %d\n", i, *(sp + i));
    }
}

int main()
{
    foo(3, 8);
    foo(9, 2);
    foo(1, 4);
    return 0;
}
```

The output of the above code is:

```
        a=3 b=8
*(sp + 0) = 134514016
*(sp + 1) = 0
*(sp + 2) = 0
*(sp + 3) = 134513373
*(sp + 4) = 8239384
*(sp + 5) = 134513228
*(sp + 6) = 6
*(sp + 7) = -1076716032
*(sp + 8) = 134513456
*(sp + 9) = 0
*(sp + 10) = -1076715960
*(sp + 11) = 134513759
*(sp + 12) = 3 //value of arg a
*(sp + 13) = 8 //value of arg b
*(sp + 14) = 134513817
*(sp + 15) = 10612724

        a=9 b=2
*(sp + 0) = 134514016
*(sp + 1) = 0
*(sp + 2) = 0
*(sp + 3) = 134513373
*(sp + 4) = 8239384
*(sp + 5) = 134513228
*(sp + 6) = 6
*(sp + 7) = -1076716032
*(sp + 8) = 134513456
*(sp + 9) = 0
*(sp + 10) = -1076715960
*(sp + 11) = 134513779
*(sp + 12) = 9 //value of arg a
*(sp + 13) = 2 //value of arg b
*(sp + 14) = 134513817
*(sp + 15) = 10612724

        a=1 b=4
*(sp + 0) = 134514016
*(sp + 1) = 0
*(sp + 2) = 0
*(sp + 3) = 134513373
*(sp + 4) = 8239384
*(sp + 5) = 134513228
*(sp + 6) = 6
*(sp + 7) = -1076716032
*(sp + 8) = 134513456
*(sp + 9) = 0
*(sp + 10) = -1076715960
*(sp + 11) = 134513799
*(sp + 12) = 1 //value of arg a
*(sp + 13) = 4 //value of arg b
*(sp + 14) = 134513817
*(sp + 15) = 10612724
```

Why are the function arguments stored from offset 12 of SP? Also notice that the values at offsets 0 to 10 are always the same, and the value at offset 11 increases by 20 on each invocation of the function `foo()`.

UPDATE: I found that `gcc` has a built-in function (http://gcc.gnu.org/onlinedocs/gcc/Return-Address.html) to retrieve the frame pointer address:

```c
void * __builtin_frame_address (unsigned int level)
```

When I print values at offsets starting from `__builtin_frame_address(0)`, the function arguments start from offset 2. How can I confirm that this behavior is always consistent?
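Added example, not part of the question above: a C model of the 32-bit cdecl frame the post describes, built in an ordinary array rather than read from the live stack so it runs on any host. It shows why an argument sits a fixed 2 words above the saved frame pointer but at a stack-pointer offset that depends on the callee's local area; the local size of 10 words and the return-address value are assumptions chosen so the model reproduces the offset 12 seen in the run above.

```c
#include <stdint.h>
#include <stddef.h>

/* Model of a 32-bit x86 cdecl stack frame, filled word by word the way the
   caller and the callee prologue would fill it. Constructed values only;
   this is not the real process stack. Higher index = higher address. */
#define STACK_WORDS 64

typedef struct {
    uint32_t mem[STACK_WORDS];
    size_t   sp;   /* index of the current top-of-stack word (esp) */
    size_t   fp;   /* index of the saved caller EBP (ebp) */
} frame_model;

static void push(frame_model *m, uint32_t v) { m->mem[--m->sp] = v; }

/* Simulate `foo(a, b)` called from main: arguments pushed right to left,
   then the return address by CALL, then the prologue
   `push ebp; mov ebp, esp; sub esp, locals*4`. */
static void build_cdecl_frame(frame_model *m, uint32_t a, uint32_t b,
                              uint32_t ret_addr, size_t locals)
{
    m->sp = STACK_WORDS;
    push(m, b);            /* ends up at ebp+12 */
    push(m, a);            /* ends up at ebp+8  */
    push(m, ret_addr);     /* ends up at ebp+4  */
    push(m, 0xBBBBBBBBu);  /* saved caller EBP (assumed value), at ebp+0 */
    m->fp = m->sp;
    m->sp -= locals;       /* esp now sits below the local variables */
}

/* Frame-pointer-relative read: argument n lives at ebp + 8 + 4n,
   i.e. word fp[2 + n], regardless of how many locals the callee has. */
static uint32_t arg_via_fp(const frame_model *m, unsigned n)
{
    return m->mem[m->fp + 2 + n];
}

/* Stack-pointer-relative offset of the same word: it grows with the
   size of the local area, which is why the post saw offset 12 from SP. */
static size_t arg_sp_offset(const frame_model *m, unsigned n)
{
    return (m->fp - m->sp) + 2 + n;
}

static uint32_t arg_via_sp(const frame_model *m, unsigned n)
{
    return m->mem[m->sp + arg_sp_offset(m, n)];
}
```

On a 64-bit build the real layout differs, since the SysV x86-64 ABI passes the first integer arguments in registers and a compiler may omit the frame pointer entirely, so fixed offsets are only reliable for the exact ABI and build flags being examined.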