Intercepti on [1 ed.]

Citation preview

CSE363

Offensive Security

2020-02-19

x86 101

Michalis Polychronakis Stony Brook University

1

2

x86 ISA Instruction set backwards-compatible to Intel 8086 Released in 1978 as a 16-bit extension to the 8-bit 8080

Hybrid CISC architecture, little endian byte order Variable instruction length Valid 8086 15-byte-long instruction:

67 66 f0 3e 81 84 8e 78 56 34 12 89 ab cd ef lock add dword [dword ds:esi+ecx*4+0x12345678],0xefcdab89

Current generation: Kaby Lake, Cascade Lake x86-64 (64-bit) instruction set, many extensions: MMX, AES-NI, CLMUL, FMA3, SSE, SSE2, SSE3, SSSE3, SSE4, SSE4.1, SSE4.2, AVX, AVX2, AVX-512, TXT, TSX, SGX, VT-x, VT-d

3

32-bit

4

64-bit

5

Basic Program Execution Registers

6

Other Registers

7

IA-32 General Instruction Format

ModRM: Mode, Register, Memory: Describes the operation and operands (optional)

SIB: Scale, Index, Base: Indexed register-indirect addressing 8

General-Purpose Register Names

9

Fundamental Data Types

10

Byte Order in Memory

11

https://agilescientific.com/blog/2017/3/31/little-endian-is-legal

12

EFLAGS Register

13

Status Flags CF

Carry: indicates a carry or a borrow out of the most significant bit of the result; cleared otherwise. Indicates an overflow condition for unsigned integer arithmetic

PF

Parity: set if the least-significant byte of the result contains an even number of 1 bits; cleared otherwise

AF

Auxiliary Carry: set if an operation generates a carry or a borrow out of bit 3 of the result (used in BCD arithmetic)

ZF

Zero: set if the result is zero; cleared otherwise

SF

Sign: set to the most significant bit of the result, which is the sign of a signed integer (0 == positive, 1 == negative)

OF

Overflow: set if the result is too large a positive or too small a negative number (excluding the sign bit) to fit in the destination operand; cleared otherwise

DF

Direction: used in string operations to determine whether the instructions increment or decrement

14

Instruction Set Summary General purpose x87 FPU x87 FPU and SIMD state management Intel MMX technology SSE extensions SSE2 extensions SSE3 extensions System instructions 15

General-purpose Instruction Summary Data transfer

mov, push, pop, xchg, … add, mul, div, inc, cmp, …

Binary arithmetic Decimal arithmetic Logical

and, or, xor, not

Shift and rotate Bit and byte

sar, shr, ror, rol, …

bt, bsf, set, test, …

Control transfer String

daa, das, aaa, …

jmp, je/jz, loop, call, ret, …

movs, cmps, lods, stos, …

Misc: I/O, flag control (EFLAGS), segment, ENTER/LEAVE, LEA, NOP, CPUID, … 16

Data Transfer Instructions MOV and friends From memory to a register / from a register to memory Between registers Immediate data to a register / to memory No memory-to-memory data transfer instruction (!)

Exchange: swap the contents of operands Conditional move Stack manipulation Type conversion 17

mov eax, ecx Move into EAX, the contents of ECX

mov eax, [ecx] Move into EAX the contents of the address contained in ECX Brackets […] denote memory dereference In C notation: eax = *ecx

mov eax, [0xDEADC0DE] Move into EAX the contents of address 0xDEADC0DE

mov eax, 5 Move into EAX the value 5 (immediate value)

18

Memory Addressing Offset (effective address) Computation

19

PUSH: decrements the stack pointer (ESP), then copies the source operand to the top of stack

Common uses Place parameters on the stack before calling a procedure (not in x86-64: arguments are typically passed through registers) Reserve space on the stack for temporary variables 20

POP: copies the value at the top of the stack (indicated by ESP) to the location specified by the destination operand, then increments ESP

The destination operand can be a general-purpose register, a segment register, or a memory location PUSHA/POPA: similar, but save/restore all general purpose registers 21

Calling Procedures using CALL and RET

When executing a call, the processor: 1. Pushes the current value of EIP on the stack 2. Loads the offset of the called procedure in EIP 3. Begins execution of the called procedure

When executing a return, the processor: 1. Pops the top-of-stack value (the return instruction pointer) into EIP 2. If the RET instruction has an optional n operand, increments ESP by n bytes to release parameters from the stack 3. Resumes execution of the calling procedure 22

Compilers Assemblers Linkers

© http://www.tenouk.com/ModuleW.html

23

Object Files and Executables PE (Portable Executable) Used in Windows Based on the older COFF format

ELF (Executable and Linkable Format) Used in *nix Replacement of the older a.out format (no shared lib support)

Section: logical collection of code or data Specific permissions (R/W/X) Naming convention (.text, .bss, .data, …)

24

Main ELF Sections .text the executable instructions of the program .bss uninitialized global and static variables .data initialized global and static variables and their values .rdata read-only data (e.g., constants and string literals) .reloc relocation information .symtab symbol table .got global offset table .plt procedure linkage table 25

Dynamic Linking The compiler and linker cannot know the addresses of imported functions The linker creates an import table with all the used functions from external modules The loader initializes the import table after modules are loaded in their final memory locations The addresses are found by going over the each module’s export table

© Reversing: Secrets of Reverse Engineering, 2005

26

Virtual Address Space 4GB in 32-bit mode

The kernel is always mapped into the address space of each process

© Gustavo Duarte - http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

27

Standard Process Memory Layout

© Gustavo Duarte - http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

28