DEV Community

Hyunseung Ha


[PWN.05] What is Canary 🦜

The name comes from the canary, a kind of bird.
A canary is used to protect stack buffers.

When we exploit RAO (Return Address Overwrite), we put a bunch of data into the buffer, all the way up to the return address,
so that we can execute the code we want.

BUT, what if there were a kind of barrier that gives itself away when something has been tampered with?
YES, that barrier is called the canary.


```asm
mov rax, QWORD PTR fs:0x28    ; read the canary value from fs:0x28
mov [rbp-0x8], rax            ; store a copy on the stack at rbp-0x8
```

The process reads the canary value from fs:0x28 and stores it at rbp-0x8.

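```asm
mov rcx, QWORD PTR [rbp-0x8]  ; load the copy stored on the stack
xor rcx, QWORD PTR fs:0x28    ; result is zero only if both values match
je CODE                       ; values match: continue at CODE
```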

If rcx, the value at rbp-0x8, is the same as fs:0x28, it means the canary hasn't been tampered with!
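
The check above, modelled in C as an added example (not code from the original post): the `frame` struct, the `FS_0X28` and `SAMPLE_RET` values and `simulate_overflow` are all constructed for illustration. It shows that a write running forward from the buffer cannot change the return address without changing the canary first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled stack frame, lowest address first: the canary at [rbp-0x8]
   sits between the buffer and the saved rbp / return address. */
struct frame {
    unsigned char buf[16];
    uint64_t canary;    /* [rbp-0x8] */
    uint64_t saved_rbp;
    uint64_t ret_addr;
};

/* Constructed stand-ins, not real values from any process. */
static const uint64_t FS_0X28 = 0x9f3c5a7be1d24600ULL; /* value at fs:0x28 */
static const uint64_t SAMPLE_RET = 0x401136;           /* legitimate return address */

enum { CANARY_TAMPERED = 1, RET_OVERWRITTEN = 2 };

/* Epilogue check: xor the stack copy with fs:0x28; zero means untouched. */
static int canary_intact(const struct frame *f) {
    return (f->canary ^ FS_0X28) == 0;
}

/* Copy n bytes of 'A' into the frame starting at buf, as an unchecked
   copy would, then report what was damaged. n is clamped to the model
   so the simulation itself never writes out of bounds. */
int simulate_overflow(size_t n) {
    struct frame f = { {0}, FS_0X28, 0, SAMPLE_RET };  /* prologue stores the canary */
    unsigned char input[sizeof f];
    int result = 0;

    memset(input, 'A', sizeof input);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);

    if (!canary_intact(&f)) result |= CANARY_TAMPERED;
    if (f.ret_addr != SAMPLE_RET) result |= RET_OVERWRITTEN;
    return result;
}

int main(void) {
    size_t n;
    for (n = 16; n <= sizeof(struct frame); n += 8)
        printf("%2zu bytes written -> flags %d\n", n, simulate_overflow(n));
    return 0;
}
```

A flag value of 2 alone (return address changed, canary intact) never appears, which is exactly why the epilogue check catches the overwrite before the function returns.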
