Calling a function means setting one of the registers onto which the instructions for the function are stayed.

Even when you call it at multiple times, the memory you access will never be changed by contrast with the allocation of the footprint of the computation (which is called often stack or heap).

We often pay too much attention to the memory where the actual computation is done because they are always so dynamic that you need to keep track of all the stuffs which had been done, which is ongoing, and which are going to be performed, especially you allocated something on memory outside of stack area.

But, these dynamic computation; jump, allocation and deallocation, is just governed by another special area which is often called code area, and they are mapped onto somewhere on virtual memory in a same manner that other areas are allocated. The each role that code area and execution area is in charge of seems to be distinct by nature. One is statically telling CPU what is done next and another is engaging on it's embodiment or performance. Of course, since the performance is influenced from running environment which is varying constantly such as external file which will be opened, sets of runtime arguments, or environment variables, the patterns of accessing the memory of code area will get some feedbacks from it which we often call it branching. Nevertheless, it's nature is distinctly split as one is statically recognised by CPU, another is dynamically following it.

Self-modifying code is something which are different from the perspective we saw above. Codes can be constructed on its running time and executed on the spot which makes us think computation as much more colourful and flexible as it was thought.

Today, I will introduce a piece of very concise code which are copied from text area on the fly to wherever you like and executed.

when you write a function,

int f1(){
   return 1;
}

They are translated to binary and sit onto a chunk of memory in a pretty obedient manner. The memory where the binary sits is not user-defined but instead mapped by kernel and kept tracked by libc.so as a chain of dynamic shared objects which is hidden on libc. What you are able to know is just the head of it,

printf("0x%x",&f1);

then, you will see the starting address.

if you want to know what was pasted as binary figure on this function, then you should define another function just under the function(how each functions are aligned depends on compiler..), and examine the data in between.

int f1(){
   return 1;
}

void f2(){}

char* start = &f1;
char* end = &f2;
for(;start != &end;start++)
     printf("0x%x",*start);

When kernel maps these instructions, you are often not allowed to write your arbitrary data to the memory.

*start = 1;

Instead, you can make executable mapping, pasting them and can run on it eventually.

char* ret = (char*) mmap( (void*)0, 4096*1, PROT_READ|PROT_WRITE|PROT_EXEC,
                                              MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);

memcpy(ret, ptr, len_f1);
int (*_f1)() = (int (*)())(ptr);
printf("%d\n",_f1());

I allocated executable memory on the very beginning of virtual memory as libc often allocates program to higher memory.

Of course, you can modify its binary as you love.

This is just the very trivial example of self-modification code but somewhat may blow your mind, that was my intention of this writing.

Entire code snippet is here.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>

// binary(instruction) which are mapped.
// 0x55(push esp)
// 0x48,0x89,0xe5(mov %esp %eip)
// 0xb8,0x01,0x00,0x00,0x00(mov:immidiate assignment to %eax)
// 0x5d(leave)
// 0xc3(ret)
// this binary is mapped on to a mapped memory.
// if you modify any of them, it will change its behavior.
int f1() {
  return 1;
}

// binary(instruction) which are mapped.
// 0x55(push esp)
// 0x48,0x89,0xe5
// 0x89,0x7d,0xfc(first argument handling)
// 0x89,0x75,0xf8,0x8b(second argument handling)
// 0x55(push esp)
// 0xfc,0x8b(add %eax)
// 0x45(pop)
// 0xf8,0x01,0xd0(mov)
// 0x5d(leave)
// 0xc3(ret)
int f2(int a, int b) {
  return a+b;
}

// main has lots of binary.
int main(int argc, char **argv, char **envp) {

  for (;*envp;envp++) {
    if (*envp == "DONE")
      exit(1);
  }

  char* ptr;
  // grab a head address of area where instruction code is packed.
  ptr = (char*)&f1;
  
  // allocate a memory where you can execute and not yet mapped.
  // MAP_FIXED is not necessary according to your OS unless you map
  // ever-mapped & (m)protected area.
  char* ret = (char*) mmap( (void*)0, 4096*1, PROT_READ|PROT_WRITE|PROT_EXEC,
                MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);

  // get the length of codes on the scope of function f1 checking the difference
  // between next function pointer and itself.
  const size_t len_f1 = (void*)&f2 - (void*)&f1;  

  // copy memory which contains instructions of f1,f2,f3, main from allocated by libc.so
  // to the executable memory.
  memcpy(ret, ptr, len_f1);

  // execute f1, notify what is returned.
  int (*_f1)() = (int (*)())(ret);
  printf("%d\n",_f1());

  // let the pointer ahead to proceed to next function.
  ptr += len_f1;

  // main function is also mapped with the rest of function.
  const size_t len_f2 = (void*)&main - (void*)&f2;
  memcpy(ret, ptr, len_f2);

  // allocate a pointer type on a current stack.
  int (*_f2)(int a1, int a2) = (int (*)(int,int))(ret);

  char* tmpr = ptr;
  for(;*tmpr;tmpr++){
    printf("0x%x\n",*tmpr);    
  }

  // print second function.
  printf("%d\n",_f2(1,2));

  // step pointer up again.
  ptr += len_f2;

  // at this time, we use strcpy
  // as there is no following function after main which is not obvious to know
  // when the binary of this function is split(in fact, there are ways to know the end of
  // program header asking libc).  
  strcpy(ret, (char*)&main);
  int (*_main)(int argc, char **argv, char **envp) = (int (*)(int ,char** ,char**))(ptr);

  // prevent the program from being endless loop setting fake environment variable.
  envp[0] = "DONE";
  // execute main function again but not exactly itself
  // as its instruction was copied and mapped to lowest virtual area.
  printf("%d\n",_main(0,argv,envp));
  
}

How CPU works for memory access

When CPU is ordered to access a value on virtual address, it needs to address a specific page. Accessing same virtual address on two different processes must address mutually distinct physical pages.

Given a memory access instruction is supplied on a CPU, it follows these steps below to read or write data.

To accomplish this automatically via CPU, kernel needs to tell CPU the mapping when a process starts. Specifically on each step,

Step1 : Page Directory Preparation, CR3 register setup to Page Directory Step2 : Setup for Page Directory Entry Step3 : Setup for Page Table Step4 : Setup for Page Table Entry

are required.

CR3

On xv6, when a new process is created, control register3 (often abbrebiated as CR3) points to head address of page directory. The procedure is done like below.

// vm.c
void
switchuvm(void)
{
  ....
  ltr(SEG_TSS << 3);
  lcr3(V2P(p->pgdir));  // switch to process's address space
  popcli();
}

// x86.h
static inline void
lcr3(uint val)
{
  asm volatile("movl %0,%%cr3" : : "r" (val));
}

Page Directory

A page directory consists of one or multiple page directory entries. Each page directory entry is 32bit in xv6 and consists of pointer to page table and some additional flags. Absolute address to page table entry is not required as page table entry is always allocated per page unit, which means you can omit last 12bit; 22bit is required. space which is left can be compensated by additional flags where its emptiness, user or kernel, rwx about pages which is managed by the pointed page table.

Page directory can be sparse because it needs to be searched by virtual address. High 10bit of virtual address should represent index of page directory entry. If elf program header specifies highest virtual address (e.g. higest bit is 0b1111111111), the last page directory entry on page directory will be used.

Page Table

You also need to prepare a page table required from a page directory entry. Each page table consists of page table entries and each of them manges one page.