We often get to see x64 assembly instructions like the following:
mov rax,QWORD PTR fs:0x28
In this article, we will discuss what fs:0x28 is in x86 assembly.
In x86 64-bit assembly, fs:0x28 holds the stack guard value (the stack canary), a copy of which is stored in the stack frame of a function. When we enter the function, the stack canary is stored after the saved value of RBP. When the function exits, the stack guard value is checked again. If the value is unchanged, we know that the stack frame is not corrupted. If the value has changed, we know that the stack frame is corrupted, and this is reported by calling __stack_chk_fail@plt.
Let’s look at an example to understand the concept better. Let’s write a small piece of C code and analyze the corresponding assembly instructions.
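The entry and exit sequence described above, modeled in C as an added example (not code from the original article). The names read_guard, struct frame and guard_survives are hypothetical, and the inline assembly assumes x86-64 Linux with GCC or Clang; on other platforms a constructed stand-in value replaces the real guard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Load the guard the way compiled code does (mov rax, QWORD PTR fs:0x28).
   Assumes x86-64 Linux; elsewhere a constructed stand-in value is returned. */
static uintptr_t read_guard(void) {
#if defined(__x86_64__) && defined(__linux__)
    uintptr_t g;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(g));
    return g;
#else
    return (uintptr_t)0x5ca1ab1e00ULL;   /* constructed, not a real guard */
#endif
}

/* Hypothetical model of a protected frame: the guard copy sits above the
   locals, between them and the saved RBP / return address. */
struct frame {
    unsigned char locals[16];
    uintptr_t guard_copy;
};

/* Returns 1 if the guard copy survives an n-byte write that starts at the
   locals, 0 if the exit check would call __stack_chk_fail. */
int guard_survives(const unsigned char *src, size_t n) {
    struct frame f;
    if (n > sizeof f) n = sizeof f;       /* stay inside the modeled frame */
    f.guard_copy = read_guard();          /* entry: copy fs:0x28 into the frame */
    memcpy((unsigned char *)&f, src, n);  /* body: write n bytes upward from locals */
    return f.guard_copy == read_guard();  /* exit: compare copy with fs:0x28 */
}

int main(void) {
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);           /* constructed input */
    printf("16 bytes: guard %s\n", guard_survives(in, 16) ? "intact" : "changed");
    printf("%zu bytes: guard %s\n", sizeof in,
           guard_survives(in, sizeof in) ? "intact" : "changed");
    return 0;
}
```

A write that stays within the 16 bytes of locals leaves the guard copy equal to fs:0x28; a write that runs past them changes the copy, which is the condition the real exit check reports through __stack_chk_fail.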
    #include <stdio.h>

    int main()
    {
        int array[2];
        array[0] = 1;
        array[1] = 2;
        return 0;
    }
Let’s compile the above program and look into the corresponding assembly code using the following commands:
    $ gcc array.c
    $ objdump -M intel -d a.out
The corresponding assembly code will look like the following: