Exploiting the Hard-Working DWARF: Trojans With No Native Executable Code
All binaries compiled by recent versions of GCC from C++ programs include complex data and dedicated code for exception handling support. The data structures describe the call stack frame layout as bytecode in the DWARF call frame information (CFI) format. The dedicated code includes an interpreter for this bytecode and the logic that implements call stack unwinding. Despite being present in a large class of programs, and therefore potentially providing a huge attack surface, this mechanism is not widely known or studied. Of particular interest to us is that the exception handling mechanism provides the means for fundamentally altering the flow of a program: DWARF is designed specifically for calculating call frame addresses and register values, and the unwinder trusts whatever bytecode it finds in the binary when it computes them.
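As an added, runnable illustration of the mechanism described above (example code written for this page, not code from the paper or from GCC's unwinder), the following C program implements the part of the unwinder the abstract refers to: it executes a DWARF CFA instruction stream up to a target PC to build the rule row, evaluates a DWARF expression when the CFA is defined by one, and applies the row to a register/stack snapshot to recover the caller's CFA and return address. Opcode values are the DWARF ones and register numbers follow the SysV x86-64 ABI; the 64-byte stack snapshot, its contents, and all names (`run_cfi`, `eval_expr`, `normal_cfi`, `crafted_cfi`, `demo_cfa`, `demo_ret_addr`) are constructed for this example. The second instruction stream shows the security-relevant point: replacing only the CFI bytes, with no change to executable code, makes the unwinder compute a different "return address".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Opcode values are from the DWARF spec; register numbers follow the SysV x86-64 ABI
 * (rbp = 6, rsp = 7, return address = 16) with data alignment factor -8. */
enum { DW_CFA_advance_loc = 0x40, DW_CFA_offset = 0x80, DW_CFA_nop = 0x00, DW_CFA_def_cfa = 0x0c,
       DW_CFA_def_cfa_register = 0x0d, DW_CFA_def_cfa_offset = 0x0e, DW_CFA_def_cfa_expression = 0x0f };
enum { DW_OP_deref = 0x06, DW_OP_plus_uconst = 0x23, DW_OP_breg0 = 0x70 };
enum { NREGS = 17, R_RBP = 6, R_RSP = 7, R_RA = 16, DATA_ALIGN = -8, RULE_SAME = 0, RULE_OFFSET = 1 };

typedef struct {
    int cfa_reg; int64_t cfa_off; const uint8_t *cfa_expr; size_t cfa_expr_len; /* CFA = reg+off, or eval(expr) */
    int rule[NREGS]; int64_t off[NREGS];           /* RULE_OFFSET: register saved at CFA + off */
} RuleTable;
/* Constructed machine state for the demo: register file plus 64 bytes of "stack". */
typedef struct { uint64_t reg[NREGS]; uint64_t mem_base; uint8_t mem[64]; } Snapshot;
typedef struct { uint64_t cfa, ret_addr, caller_rbp; } Frame;

static uint64_t read_leb(const uint8_t **p, int is_signed) {          /* ULEB128 / SLEB128 */
    uint64_t v = 0; int sh = 0; uint8_t b;
    do { b = *(*p)++; v |= (uint64_t)(b & 0x7f) << sh; sh += 7; } while (b & 0x80);
    if (is_signed && sh < 64 && (b & 0x40)) v |= ~(uint64_t)0 << sh;   /* sign-extend */
    return v;
}
static uint64_t load64(const Snapshot *s, uint64_t a) {               /* 0 if outside demo memory */
    uint64_t v = 0;
    if (a >= s->mem_base && a + 8 <= s->mem_base + sizeof s->mem) memcpy(&v, s->mem + (a - s->mem_base), 8);
    return v;
}
static void store64(Snapshot *s, uint64_t a, uint64_t v) { memcpy(s->mem + (a - s->mem_base), &v, 8); }

/* DWARF expression stack machine, as run for DW_CFA_def_cfa_expression (demo ops only; malformed input yields 0). */
static uint64_t eval_expr(const uint8_t *e, size_t len, const Snapshot *s) {
    uint64_t st[16]; int sp = 0;
    for (const uint8_t *p = e, *end = e + len; p < end && sp < 15; ) {
        uint8_t op = *p++;
        if (op >= DW_OP_breg0 && op < DW_OP_breg0 + NREGS) {          /* push reg + sleb128 */
            st[sp++] = s->reg[op - DW_OP_breg0] + read_leb(&p, 1);
        } else if (sp < 1) { return 0;
        } else if (op == DW_OP_plus_uconst) { st[sp - 1] += read_leb(&p, 0);
        } else if (op == DW_OP_deref) { st[sp - 1] = load64(s, st[sp - 1]);
        } else return 0;
    }
    return sp ? st[sp - 1] : 0;
}

/* Run the CFA instructions (CIE part, then FDE part); return the rule row in effect at target_pc (offset from FDE start). */
static RuleTable run_cfi(const uint8_t *ins, size_t len, uint64_t target_pc) {
    RuleTable t = { R_RSP, 8, NULL, 0, {0}, {0} };
    uint64_t loc = 0;
    for (const uint8_t *p = ins, *end = ins + len; p < end; ) {
        uint8_t op = *p++;
        if ((op & 0xc0) == DW_CFA_advance_loc) {                      /* low 6 bits: code delta    */
            if ((loc += op & 0x3f) > target_pc) break;                 /* row for target_pc is done */
        } else if ((op & 0xc0) == DW_CFA_offset) {                     /* low 6 bits: register      */
            int r = op & 0x3f; int64_t o = (int64_t)read_leb(&p, 0) * DATA_ALIGN;
            if (r < NREGS) { t.rule[r] = RULE_OFFSET; t.off[r] = o; }
        } else switch (op) {
            case DW_CFA_nop: break;                                    /* padding */
            case DW_CFA_def_cfa: t.cfa_reg = (int)read_leb(&p, 0); t.cfa_off = (int64_t)read_leb(&p, 0); t.cfa_expr = NULL; break;
            case DW_CFA_def_cfa_register: t.cfa_reg = (int)read_leb(&p, 0); t.cfa_expr = NULL; break;
            case DW_CFA_def_cfa_offset: t.cfa_off = (int64_t)read_leb(&p, 0); break;
            case DW_CFA_def_cfa_expression: t.cfa_expr_len = read_leb(&p, 0); t.cfa_expr = p; p += t.cfa_expr_len; break;
            default: return t;                                         /* opcode not modelled: stop */
        }
    }
    return t;
}
/* Apply the row to the snapshot: CFA first, then the caller's return address and rbp. */
static Frame unwind_one(const RuleTable *t, const Snapshot *s) {
    Frame f;
    f.cfa = t->cfa_expr ? eval_expr(t->cfa_expr, t->cfa_expr_len, s) : s->reg[t->cfa_reg] + (uint64_t)t->cfa_off;
    f.ret_addr   = t->rule[R_RA]  == RULE_OFFSET ? load64(s, f.cfa + (uint64_t)t->off[R_RA])  : 0;
    f.caller_rbp = t->rule[R_RBP] == RULE_OFFSET ? load64(s, f.cfa + (uint64_t)t->off[R_RBP]) : s->reg[R_RBP];
    return f;
}

/* Constructed CFI for a function that starts "push %rbp; mov %rsp,%rbp" (CIE part, then FDE part). */
static const uint8_t normal_cfi[] = {
    DW_CFA_def_cfa, R_RSP, 8, DW_CFA_offset | R_RA, 1,                /* entry: CFA=rsp+8, RA at CFA-8 */
    DW_CFA_advance_loc | 1, DW_CFA_def_cfa_offset, 16, DW_CFA_offset | R_RBP, 2, /* after push %rbp   */
    DW_CFA_advance_loc | 3, DW_CFA_def_cfa_register, R_RBP,          /* after mov: CFA=rbp+16         */
};
/* Constructed hostile CFI for the same code: CFA = *(rsp) + 8, so the word at rsp picks the "return address". */
static const uint8_t crafted_cfi[] = {
    DW_CFA_def_cfa_expression, 5, DW_OP_breg0 + R_RSP, 0, DW_OP_deref, DW_OP_plus_uconst, 8,
    DW_CFA_offset | R_RA, 1,
};
/* Snapshot taken in the body (pc offset 4): a legitimate frame plus one attacker word at [rsp]. */
static Snapshot make_snapshot(void) {
    Snapshot s = {{0}, 0x7000, {0}};
    s.reg[R_RSP] = 0x7010; s.reg[R_RBP] = 0x7020;
    store64(&s, 0x7020, 0x7040); store64(&s, 0x7028, 0x401234);       /* saved rbp, genuine RA    */
    store64(&s, 0x7010, 0x7038); store64(&s, 0x7038, 0xdeadbeef);     /* attacker word, fake "RA" */
    return s;
}
static Frame unwind_demo(int c) {
    Snapshot s = make_snapshot();
    RuleTable t = run_cfi(c ? crafted_cfi : normal_cfi, c ? sizeof crafted_cfi : sizeof normal_cfi, 4);
    return unwind_one(&t, &s);
}
uint64_t demo_cfa(int crafted)      { return unwind_demo(crafted).cfa; }
uint64_t demo_ret_addr(int crafted) { return unwind_demo(crafted).ret_addr; }

int main(void) {                                                       /* prints both unwinds */
    for (int c = 0; c < 2; c++) printf("%s CFI: CFA=%#llx RA=%#llx\n", c ? "crafted" : "normal ",
                                       (unsigned long long)demo_cfa(c), (unsigned long long)demo_ret_addr(c));
    return 0;
}
```

Build with `cc -std=c99 -Wall dwarf_demo.c && ./a.out`. With `normal_cfi` the unwinder recovers CFA 0x7030 and return address 0x401234; with `crafted_cfi`, on the identical register state and stack, it recovers CFA 0x7040 and return address 0xdeadbeef. Nothing executable changed between the two runs: the difference lives entirely in the CFI bytecode, which the unwinder interprets with the same trust it gives any other part of the binary.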