You'll have to change the memory attributes of the array to read and execute and then point the instruction pointer at it.

Here's an example that displays 'Hello, World!'. Note this will only work on a Linux 64 bit PC.

#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

unsigned char mya[] = 	{
			  0x50,0x57,0x56,0x52,0xe8,
			  0x00,0x00,0x00,0x00,0x5e,
			  0x48,0x81,0xc6,0x24,0x00,
			  0x00,0x00,0x48,0xc7,0xc0,
			  0x01,0x00,0x00,0x00,0x48,
			  0xc7,0xc7,0x01,0x00,0x00,
			  0x00,0x48,0xc7,0xc2,0x0e,
			  0x00,0x00,0x00,0x0f,0x05,
			  0x5a,0x5e,0x5f,0x5a,0xc3,
			  0x48,0x65,0x6c,0x6c,0x6f,
			  0x2c,0x20,0x57,0x6f,0x72,
			  0x6c,0x64,0x21,0x0a,0x00
			};
			
int main(int argc, char**argv)
{
  void *addr = (void*)((unsigned long)mya & ((0UL - 1UL) ^ 0xfff));/*get memory page*/
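  /*set page attributes on every page the array touches, in case it straddles a page boundary*/
  size_t len = (size_t)((unsigned char*)mya + sizeof(mya) - (unsigned char*)addr);
  int ans = mprotect(addr, len, PROT_READ|PROT_WRITE|PROT_EXEC);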
  if (ans)
  {
    perror("mprotect");
    exit(EXIT_FAILURE);
  }
  
  ((void(*)(void))mya)();/*execute array*/
  
  return 0;
}

Edited 5 Years Ago by gerard4143: n/a

Comments
Absolutely good, hard to find this information too.

Forgot to mention I'm using Windows.

Also, what is the reason for bitwise AND'ing the address of the array with -1UL then XOR'ing it with 0xfff?

Edited 5 Years Ago by pseudorandom21: n/a

Memory pages on my system are 4096 bytes, which is 0xfff, so that line of code is getting the address of the memory page that contains the array mya. Why, you ask? The mprotect() function requires that the address passed to it be aligned on a page boundary.

Edited 5 Years Ago by gerard4143: n/a
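The page-alignment step discussed above, as an added example that is not part of the original posts: it goes beyond the hard-coded 0xfff mask by querying the page size, sizing the range so an object that straddles a page boundary is fully covered, and staging bytes in a mapping that is writable first and executable afterwards, never both at once. The helper names (page_floor, page_span, protect_object, stage_rx) are hypothetical, and the addresses in main() are constructed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Round addr down to its page start; page must be a power of two. */
static uintptr_t page_floor(uintptr_t addr, uintptr_t page)
{
    return addr & ~(page - 1);   /* equals (0UL - 1UL) ^ 0xfff when page == 4096 */
}

/* Size of the whole-page range that covers [addr, addr + len). */
static size_t page_span(uintptr_t addr, size_t len, uintptr_t page)
{
    return (size_t)(page_floor(addr + len + page - 1, page) - page_floor(addr, page));
}

/* Apply prot to every page holding buf[0..len); returns mprotect()'s result. */
static int protect_object(void *buf, size_t len, int prot)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = page_floor((uintptr_t)buf, page);
    return mprotect((void *)start, page_span((uintptr_t)buf, len, page), prot);
}

/* W^X staging: fill a fresh mapping while writable, then trade W for X. */
static void *stage_rx(const void *bytes, size_t len)
{
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return NULL;
    memcpy(m, bytes, len);
    if (protect_object(m, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(m, len);
        return NULL;
    }
    return m;
}

int main(void)
{
    /* Constructed case: 60 bytes starting 16 bytes before a 4 KiB boundary. */
    printf("%zu\n", page_span(0x7ff0, 60, 4096));
    return 0;
}
```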
