Identifying Execution Location
Shellcode needs to dereference a base pointer when accessing data in a position-independent manner. Adding or subtracting values to this base value will allow it to safely access data that is included with the shellcode. Because the x86 instruction set does not provide EIP-relative data access, as it does for control-flow instructions, a general-purpose register must first be loaded with the current instruction pointer, to be used as the base pointer.
Obtaining the current instruction pointer may not be immediately obvious, because the
instruction pointer on x86 systems cannot be directly accessed by software. In fact, there is no way
to assemble the instruction mov eax, eip
to directly load a general-purpose register ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.