Reputation: 179
While analyzing Metasploit's linux/x64/shell/reverse_tcp payload, I realized it was using the value 0x1007 as the prot argument of the mmap() syscall.
The mmap() man page says that the prot argument is either PROT_NONE or the bitwise OR of one or more of the following flags: PROT_EXEC, PROT_READ, PROT_WRITE, PROT_NONE. According to the /usr/include/x86_64-linux-gnu/bits/mman.h file, the above-mentioned flags have the values 0x4, 0x1, 0x2 and 0x0, respectively. How can this add up to 0x1007?
The syscall signature is:
void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
The part of the code I was referring to is:
global _start
section .text
_start:
    xor rdi,rdi        ; addr = NULL (let the kernel pick the address)
    push byte +0x9
    pop rax            ; rax = 9 = SYS_mmap on x86-64
    cdq                ; edx = sign of eax = 0, so rdx = 0
    mov dh,0x10        ; rdx = 0x1000
    mov rsi,rdx        ; length = 0x1000
    xor r9,r9          ; offset = 0
    push byte +0x22
    pop r10            ; flags = 0x22 = MAP_PRIVATE|MAP_ANONYMOUS
    mov dl,0x7         ; rdx = 0x1007, i.e. PROT_READ|PROT_WRITE|PROT_EXEC with the stray 0x1000 still set
    syscall            ; bytes 0F 05; ndisasm in 16-bit mode prints this as "loadall286"
                       ; r8 (fd) is not set in this excerpt; Linux ignores fd for MAP_ANONYMOUS
Upvotes: 2
Views: 265
Reputation: 179
As stated by @MichaelPetch, the most significant byte is ignored by the mmap() syscall. It only served to give a value to the length parameter by using the mov dh,0x10 and mov rsi,rdx instructions.
Upvotes: 2
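As an added example, not code from the question, the answer or Metasploit, the following C program reproduces the register trick from the disassembly in software, shows which bits of 0x1007 the kernel actually honours, and then issues the real mmap() call with the oversized prot value to confirm that it still yields a read/write/execute anonymous mapping (which is exactly what a detection rule watching for RWX anonymous mappings should flag). It assumes x86-64 Linux with /proc mounted; the function names are mine.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Emulates the register set-up from the disassembled payload:
 *   push 9 / pop rax ; cdq ; mov dh,0x10 ; mov rsi,rdx ; mov dl,0x7
 * Returns the value left in rdx (the prot argument) and stores the
 * value copied into rsi (the length argument) through length_out. */
uint64_t emulate_prot_setup(uint64_t *length_out) {
    uint64_t rax = 9;                                       /* SYS_mmap */
    uint64_t rdx = (rax & 0x80000000u) ? 0xffffffffu : 0;   /* cdq: eax sign -> edx, zero-extended into rdx */
    rdx = (rdx & ~0xff00ull) | (0x10ull << 8);              /* mov dh,0x10  -> 0x1000 */
    *length_out = rdx;                                      /* mov rsi,rdx  -> length = 0x1000 */
    rdx = (rdx & ~0xffull) | 0x07;                          /* mov dl,0x7   -> 0x1007 */
    return rdx;
}

/* Masks prot down to the flags mmap() documents on x86-64; everything
 * else in the value (here the 0x1000 bit) carries no meaning. */
int known_prot_bits(uint64_t prot) {
    return (int)(prot & (PROT_READ | PROT_WRITE | PROT_EXEC));
}

/* Calls mmap() with the given prot value and checks the permission
 * column of /proc/self/maps for the resulting region.
 * Returns  1 if the region is rwx,
 *          2 if it was mapped but /proc/self/maps could not be read,
 *          0 if it was mapped with other permissions,
 *         -1 if mmap() failed. */
int map_with_prot(uint64_t prot, size_t len) {
    void *p = mmap(NULL, len, (int)prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    int result = 2;
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        result = 0;
        char line[512];
        while (fgets(line, sizeof line, f)) {
            unsigned long start, end;
            char perms[8];
            if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) == 3 &&
                start == (unsigned long)p) {
                result = (strncmp(perms, "rwx", 3) == 0);
                break;
            }
        }
        fclose(f);
    }
    munmap(p, len);
    return result;
}

int main(void) {
    uint64_t len;
    uint64_t prot = emulate_prot_setup(&len);
    printf("emulated rsi (length) = 0x%llx, rdx (prot) = 0x%llx\n",
           (unsigned long long)len, (unsigned long long)prot);
    printf("prot bits the kernel honours = 0x%x\n", known_prot_bits(prot));
    printf("mmap with prot=0x%llx -> %d (1 = rwx mapping)\n",
           (unsigned long long)prot, map_with_prot(prot, (size_t)len));
    return 0;
}
```

The point the program makes concrete: the length and prot arguments come out of the same register, so the 0x1000 written for the length survives into prot, and because mmap() on x86-64 only acts on the documented flag bits the extra bit costs nothing. From a defender's side the observable is unchanged: a fresh anonymous rwx mapping followed by a write into it.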