Data Exfiltration Techniques
Uploaded by Margaret Byrd, 5 years ago.
Introduction

In this article we will see how malware encodes or encrypts the data it exfiltrates from infected machines to its Command and Control server. This is often done with a custom encoding or encryption algorithm. It is becoming increasingly common to see malware use this technique to prevent security analysts from understanding the type of data exchanged between the malware and its server. The same algorithms can also be used to randomize artifact details, such as the names of the files or registry keys created on the infected machine. In all such cases, behavioral analysis of the malware is not sufficient; only after analyzing the malware's code can these algorithms be understood.

Randomization

Most malware creates certain disk artifacts once it executes. If those artifacts keep the same names across multiple executions of the malware, it becomes easy to discover the malware on other machines using the indicators gathered during behavioral analysis. To prevent this, malware can use custom algorithms to generate random names for the disk artifacts it creates. Similarly, most malware gathers some data from the infected machine and sends it to the attacker-controlled server. If this communication channel is not encrypted, or sends the data in plain text, it becomes trivial to understand the intention and nature of the malware. Certain Win32 APIs are often used to generate a random value, which is then fed into a custom obfuscation or encryption algorithm to randomize the artifact names or encrypt the communication channel. Two of these APIs are quite commonly used: GetTickCount() and QueryPerformanceCounter(). In this article we look at a custom encryption and encoding algorithm that uses QueryPerformanceCounter to generate a 16-byte random seed.
For completeness, we first look at how the data is gathered from the machine and what type of data it is, followed by the details of the encryption and encoding algorithms.

Collection of Data

Once the malware has successfully executed on the machine, it gathers various details specific to the machine: the MAC address, username, hostname, IP address, timestamp and destination domain name. Below is a high-level overview of how these details are gathered and in what format they are captured. The data is collected by calling Win32 APIs such as GetAdaptersAddresses, GetUserNameA, GetCurrentProcessId, gethostname, gethostbyname and GetLocalTime. The return values of these functions are gathered and stored at 0041C1D0 as shown below:
Here "mark:xxsy" is a marker for the collected data. Then it calls the main encryption routine to encrypt this data, with these stack arguments:

    0041C1D0  Pointer to the data collected from the machine
    0041C360  Encrypted data will be stored here

Random Seed Generation

Once the data has been collected from the system, the encryption routine starts. Its first step is to generate the random seed that will be used in the algorithm. The seed is generated with the QueryPerformanceCounter API, as shown below. The function prototype of QueryPerformanceCounter() is:

    BOOL WINAPI QueryPerformanceCounter(
        _Out_ LARGE_INTEGER *lpPerformanceCount
    );

It accepts one argument, a pointer to the performance counter. Once the API has executed, the performance counter value is written to that memory address. The value is 2 DWORDs in size; in our case the algorithm uses only the first DWORD. The stack arguments just before the call to QueryPerformanceCounter show that the return value will be stored at address 0012FD78. Below is an explanation of the code used to generate the 16-byte random seed:
    LEA EAX,DWORD PTR SS:[EBP-1C]
    PUSH EAX                                   ; pointer to Performance Counter
    CALL DWORD PTR DS:[<&KERNEL32.QueryPerf>]  ; QueryPerformanceCounter
    PUSH DWORD PTR SS:[EBP-1C]                 ; Arg1 (1st DWORD of Performance Counter)
    CALL sysmgr.00404e15
    POP ECX
    CALL sysmgr.00404e27                       ; Subroutine to modify the first DWORD
    MOV BYTE PTR DS:[EDI+ESI],AL               ; Form the Random Seed byte by byte
    TEST AL,AL
    JNZ SHORT sysmgr b7
    MOV BYTE PTR DS:[EDI+ESI],1                ; A zero byte is replaced by 1
    INC EDI
    CMP EDI,10                                 ; Total length of the seed is 0x10 bytes
    JL SHORT sysmgr

After it retrieves the value of the performance counter, the first DWORD is passed to the subroutine at address 00404E27. This subroutine modifies the value of the DWORD and finally stores the lower byte of the high-order word in AL; this value is then written to the new memory location. Each iteration of the loop generates one byte of the random seed. Since the total length of the seed is 16 bytes, there are 16 invocations of QueryPerformanceCounter, each writing a new byte to the memory address where the random seed is stored. The random seed is stored at the memory address [EDI+ESI], which is 00922D00 in our case. Before the random seed generation it contains 0xBAADF00D, because it is a new chunk of memory allocated by RtlAllocateHeap. After the first execution of the loop, the byte 0x27 is written to this location. After the loop completes and the complete 16-byte random seed is generated and stored at 00922D00, the seed is copied to a new location. Below is an explanation of the code:

    PUSH 10
    LEA EAX,DWORD PTR DS:[EBX+1]
    PUSH ESI
    PUSH EAX
    MOV BYTE PTR DS:[EBX],1        ; EBX is 00B30018, where the random seed is copied to
    CALL sysmgr.00403ed0

EBX points to the location where the random seed will be copied to. This memory address is 00B30018 in our case. The first byte at this location is fixed, and it is 1. The subroutine at 00403ED0 is used to write the random seed to the new memory location:

    MOV AL,BYTE PTR DS:[ESI]       ; ESI points to the original location of the random seed
    MOV BYTE PTR DS:[EDI],AL       ; EDI points to the new location of the random seed
    MOV AL,BYTE PTR DS:[ESI+1]
    MOV BYTE PTR DS:[EDI+1],AL
    MOV AL,BYTE PTR DS:[ESI+2]
    SHR ECX,2
    MOV BYTE PTR DS:[EDI+2],AL
    ADD ESI,3
    ADD EDI,3
    CMP ECX,8
    JB SHORT sysmgr.00403f54

It copies the random seed this way:

1. It first copies 3 bytes of the random seed to the new location, byte by byte.
2. It then copies 3 DWORDs of the random seed to the new location, DWORD by DWORD, as shown below.
3. It then writes 1 byte to the new location.

After the above subroutine has executed, the new random seed is stored as shown below.

Encryption Key Formation

Once the random seed is generated and copied to 00B30018, it calls a subroutine to form the encryption key. The stack arguments:

    0012ED30  Location of the new encryption key
    00922D00  Original location of the random seed
    00B30019  New location of the random seed

After we step into the subroutine:

    MOV ECX,sysmgr.00416CA0        ; 00416CA0 is the location of the private key
    PUSH 12                        ; The total size of the key is 0x12 DWORDs
    XOR EDX,EDX
    SUB ECX,EAX                    ; subtract 12ED30 from 416CA0
    POP EDI                        ; EDI will be used as the outer loop counter

The malware has the private key used for the encryption stored at address 00416CA0. The size of this key is 0x12 DWORDs, or 72 bytes. This key, together with the random seed, is used to form a new key located at 0012ED30. The 0x48-byte key located at 00416CA0:

Here is the loop used to generate the new key, with an explanation of the code:

    XOR ESI,ESI
    MOV DWORD PTR SS:[EBP-8],4         ; Initialize the inner loop counter to 4
    MOV EBX,DWORD PTR SS:[EBP+C]       ; EBX points to the original location of the random seed
    MOVZX EBX,BYTE PTR DS:[EDX+EBX]    ; Read one byte at a time from the random seed
    SHL ESI,8
    OR ESI,EBX                         ; ESI will hold one DWORD built from the random seed
    INC EDX
    CMP EDX,10                         ; Check if all the bytes from the random seed have been read
    JL SHORT sysmgr c7
    XOR EDX,EDX                        ; If all the bytes from the random seed are read, reset EDX
    DEC DWORD PTR SS:[EBP-8]
    JNZ SHORT sysmgr b3
    MOV EBX,DWORD PTR DS:[ECX+EAX]     ; Read one DWORD of the private key
    XOR EBX,ESI                        ; XOR the DWORD from the random seed with the private key
    MOV DWORD PTR DS:[EAX],EBX         ; The new encryption key will be stored at 0012ED30
    ADD EAX,4
    DEC EDI                            ; There are a total of 0x12 DWORDs in the key
    JNZ SHORT sysmgr aa

Here is an explanation of the key formation routine:

1. It reads one DWORD (byte by byte) from the random seed.
2. It XORs the DWORD read from the random seed with the DWORD read from the private key.
3. It stores the result into the location of the new encryption key.
4. It reads the bytes from the random seed in a cyclic order. Since the length of the random seed is 0x10 bytes or 4 DWORDs and the length of the private key is 0x48 bytes or 0x12 DWORDs, it starts reading the random seed from the beginning again once it has read all of its bytes.

Before the key formation routine has completed executing, at address 0012ED30:
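The seed-assembly loop and the key formation loop described above, written out in Python as an added example (this is not the malware's code or the article's). The transformation inside subroutine 00404E27 is not shown in the article, so the caller supplies the 16 derived bytes directly; the private-key bytes and counter bytes used in the test are constructed placeholders.

```python
"""Added example: seed assembly (zero byte -> 1) and cyclic seed-XOR-private-key
key formation, as described in the article. Not the malware's own code."""
import struct

SEED_LEN = 0x10      # CMP EDI,10 : 16 seed bytes
KEY_DWORDS = 0x12    # PUSH 12   : 0x12 DWORDs = 0x48 bytes of private key


def assemble_seed(counter_bytes) -> bytes:
    """One byte per QueryPerformanceCounter call: AL (output of 00404E27) is stored,
    and a zero byte is replaced by 1 (TEST AL,AL ; JNZ ; MOV BYTE PTR [EDI+ESI],1).
    The bytes returned by 00404E27 are not derivable from the article, so the caller
    supplies them (constructed placeholders in the test)."""
    seed = bytearray()
    for al in counter_bytes:
        al &= 0xFF
        seed.append(al if al != 0 else 1)
        if len(seed) == SEED_LEN:
            break
    if len(seed) != SEED_LEN:
        raise ValueError("need 16 derived bytes")
    return bytes(seed)


def form_key(seed: bytes, private_key: bytes) -> bytes:
    """Outer loop runs 0x12 times. The inner loop packs 4 seed bytes into one DWORD,
    most significant byte first (SHL ESI,8 ; OR ESI,EBX), cycling back to the start of
    the seed after 0x10 bytes (CMP EDX,10 ; XOR EDX,EDX). That DWORD is XORed with the
    next private-key DWORD (read little-endian from memory) and stored in the new key."""
    if len(seed) != SEED_LEN or len(private_key) != KEY_DWORDS * 4:
        raise ValueError("seed must be 16 bytes, private key 0x48 bytes")
    new_key = bytearray()
    edx = 0                                   # byte index into the seed
    for i in range(KEY_DWORDS):
        esi = 0
        for _ in range(4):
            esi = ((esi << 8) | seed[edx]) & 0xFFFFFFFF
            edx = (edx + 1) % SEED_LEN
        pk_dword = struct.unpack_from("<I", private_key, i * 4)[0]   # MOV EBX,[ECX+EAX]
        new_key += struct.pack("<I", pk_dword ^ esi)                  # XOR EBX,ESI ; MOV [EAX],EBX
    return bytes(new_key)


if __name__ == "__main__":
    # Constructed values: a seed whose second derived byte was zero, and an all-zero private key.
    demo_seed = assemble_seed([0x27, 0x00] + list(range(3, 17)))
    print(form_key(demo_seed, bytes(KEY_DWORDS * 4)).hex())
```

Because the private key is constant and the seed travels in the message header, an analyst who has both can reproduce the same 0x48-byte key the sample derives; the all-zero key in the demo simply exposes the packed seed DWORDs so the cyclic read order is visible.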
Once the above loop has executed, the new encryption key is stored at 0012ED30 as shown below:

Key Modification Routine

Once the new encryption key is formed and stored at 0012ED30, the next loop modifies it. It reads 2 DWORDs at a time and modifies them using a subroutine. Below is an explanation of the code:

    MOV ECX,DWORD PTR SS:[EBP+8]          ; ECX points to the key
    LEA EAX,DWORD PTR SS:[EBP-4]          ; This will hold the final modified value of the first DWORD
    PUSH EAX                              ; EAX points to 0012ED00
    LEA EBX,DWORD PTR SS:[EBP-8]          ; This will hold the final modified value of the second DWORD
    CALL sysmgr
    MOV EAX,DWORD PTR SS:[EBP+8]          ; EAX points again to the start of the key, 0012ED30
    POP ECX                               ; 0012ED00
    MOV ECX,DWORD PTR SS:[EBP-4]          ; Final DWORD from the previous iteration is stored in ECX
    MOV DWORD PTR DS:[EAX+ESI*4],ECX      ; Modify the first DWORD of the key
    MOV ECX,DWORD PTR SS:[EBP-8]
    MOV DWORD PTR DS:[EAX+ESI*4+4],ECX    ; Modify the second DWORD of the key
    INC ESI
    INC ESI                               ; Increment ESI twice since two DWORDs are modified at a time
    CMP ESI,12                            ; The total length of the key is 0x12 DWORDs
    JL SHORT sysmgr e1

Before the execution of the above loop, the key at 0012ED30 is: Once the above subroutine has executed, the key is modified as shown below:

Encryption of Data

Once the encryption key has been formed, the data that was gathered earlier from the machine will be encrypted using it. The data encryption subroutine reads two DWORDs at a time from the data and uses the encryption key to modify them. Each pair of modified DWORDs is then written to the new memory location. The subroutine used to encrypt two DWORDs at a time takes 2 parameters:

    12FD8C  One of the 2 encrypted DWORDs will be stored here
    41C1D0  Points to the data to be encrypted

It reads two DWORDs at a time from the data to be encrypted and stores them at addresses 12FD88 and 12FD8C as shown below: Once the subroutine has executed, these two DWORDs are encrypted as shown below: Now these two DWORDs are written to the new memory location. Below is an explanation of the encryption subroutine:
    MOV EAX,DWORD PTR SS:[EBP+8]          ; EAX holds the data to be encrypted
    MOV ECX,DWORD PTR DS:[EAX+EDI*8]      ; First DWORD from the data to be encrypted is stored in ECX
    MOV EAX,DWORD PTR DS:[EAX+EDI*8+4]    ; Second DWORD from the data to be encrypted is stored in EAX
    MOV DWORD PTR SS:[EBP-C],EAX          ; Store the second DWORD at 0012FD88
    LEA EAX,DWORD PTR SS:[EBP-8]
    MOV DWORD PTR SS:[EBP-8],ECX          ; Store the first DWORD at 0012FD8C
    PUSH EAX
    LEA EBX,DWORD PTR SS:[EBP-C]
    LEA ECX,DWORD PTR SS:[EBP-1064]       ; Points to the 0x48 byte key
    CALL sysmgr                           ; Modify the first and second DWORDs stored at 0012FD88 and 0012FD8C
    PUSH 4
    LEA EAX,DWORD PTR SS:[EBP-8]
    PUSH EAX
    LEA EAX,DWORD PTR DS:[ESI-4]
    PUSH EAX
    CALL sysmgr.00403ed0                  ; Store the second DWORD at the new memory address
    PUSH 4
    MOV EAX,EBX
    PUSH EAX
    PUSH ESI
    CALL sysmgr.00403ed0                  ; Store the first DWORD at the new memory address
    ADD ESP,1C
    INC EDI                               ; Increment EDI to read the next DWORDs from the data to be encrypted
    ADD ESI,8
    CMP EDI,DWORD PTR SS:[EBP+10]         ; A total of 13 iterations are required to read all the data
    JL SHORT sysmgr fa

The subroutine at 00403ED0 is used to write the DWORD to the memory location. As can be seen above, the DWORDs at 12FD88 and 12FD8C are swapped and written to the new memory location, 00B30029. Also, it is important to note that during random seed generation the 16-byte random seed was written to the memory address 00B30019. So the encrypted data is stored after the random seed. The loop above continues to execute for the entire length of the data. After the loop has executed completely, the encrypted data is stored as shown below:

Obfuscation of Encrypted Data

Once the data is encrypted and stored at 00B30029, the next subroutine obfuscates it. The 2 parameters passed to the obfuscation routine are:

    00B30018  Pointer to the random seed and encrypted data
    0041C360  The final obfuscated data will be stored here

If we step into the subroutine, we can see the obfuscation algorithm. The inner loop runs 3 times and writes 3 bytes to the new memory location. The outer loop then takes the 3rd byte from the previous sequence of bytes, modifies it and writes it to the new memory location. The outer loop runs 0x39 times and writes 4 bytes to the new memory location each time. Below is an explanation of the code:
    MOV EDI,EDX
    MOV DWORD PTR SS:[EBP-8],2            ; Initialize local variable (incremented in steps of 2)
    MOV BYTE PTR SS:[EBP-1],0             ; Initialize local variable
    MOV EAX,ESI
    MOV DWORD PTR SS:[EBP-C],6            ; Initialize local variable (decremented in steps of 2)
    SUB EDI,ESI
    MOV DWORD PTR SS:[EBP-10],3           ; Inner loop counter
    MOV BL,BYTE PTR DS:[EAX]              ; Read a byte from the encrypted data
    MOV CL,BYTE PTR SS:[EBP-8]
    ADD DWORD PTR SS:[EBP-8],2            ; Increment local variable by 2
    SHR BL,CL                             ; Modify BL
    MOV ECX,DWORD PTR SS:[EBP-C]
    SUB DWORD PTR SS:[EBP-C],2            ; Decrement local variable by 2
    OR BL,BYTE PTR SS:[EBP-1]             ; Modify BL
    MOV BYTE PTR DS:[EDI+EAX],BL          ; Write BL to the new location
    MOV BL,BYTE PTR DS:[EAX]
    SHL BL,CL
    SHR BL,2
    INC EAX
    DEC DWORD PTR SS:[EBP-10]             ; Decrement inner loop counter
    MOV BYTE PTR SS:[EBP-1],BL            ; This value will be used in the OR operation in the next iteration
    JNZ SHORT sysmgr b
    MOV AL,BYTE PTR DS:[ESI+2]
    AND AL,3F
    MOV BYTE PTR DS:[EDX+3],AL
    ADD ESI,3
    ADD EDX,4
    DEC DWORD PTR SS:[EBP-14]             ; Decrement outer loop counter
    JNZ SHORT sysmgr c

As can be seen above, it modifies the bytes of the encrypted data and of the random seed. It also adds an extra byte after every 3 bytes, which is a modification of the third byte in the previous byte sequence. Before the obfuscation of the encrypted data: After the obfuscation of the encrypted data: So the obfuscated data is larger than the encrypted data.

Encoding the Obfuscated Data

Once the data is obfuscated and stored at 0041C360, the next subroutine encodes this data as shown below:
Below is an explanation of the code:

    MOV ESI,EAX
    SHL ESI,2                             ; ESI will be the total length of the obfuscated data above (0xE4 bytes)
    XOR EDX,EDX
    TEST ESI,ESI
    JLE SHORT sysmgr b5
    MOV EAX,DWORD PTR SS:[EBP+C]          ; EAX points to the data
    LEA ECX,DWORD PTR DS:[EDX+EAX]        ; EDX is the counter used as an offset into the data
    MOV AL,BYTE PTR DS:[ECX]              ; Read a byte from the data
    CMP AL,19                             ; If AL <= 0x19, add 0x41 to it
    JA SHORT sysmgr
    ADD AL,41
    JMP SHORT sysmgr c
    CMP AL,1A                             ; Otherwise check whether it is below 0x1A
    JB SHORT sysmgr
    CMP AL,33
    JA SHORT sysmgr
    ADD AL,47                             ; Add 0x47 if it is in the range 0x1A..0x33
    JMP SHORT sysmgr c
    CMP AL,34
    JB SHORT sysmgr a0
    CMP AL,3D
    JA SHORT sysmgr a0
    SUB AL,4                              ; Subtract 4 if it is in the range 0x34..0x3D
    MOV BYTE PTR DS:[ECX],AL              ; Write the modified byte back into the data
    JMP SHORT sysmgr b0
    CMP AL,3E
    JNZ SHORT sysmgr a9
    MOV BYTE PTR DS:[ECX],2B              ; 0x3E becomes 0x2B
    JMP SHORT sysmgr b0
    CMP AL,3F
    JNZ SHORT sysmgr b0
    MOV BYTE PTR DS:[ECX],2F              ; 0x3F becomes 0x2F
    INC EDX
    CMP EDX,ESI
    JL SHORT sysmgr

This encoding algorithm checks the value of each byte read from the obfuscated data and modifies it based on the comparisons above. The resulting data consists of readable ASCII characters, as shown below:

Random Seed Transfer

Once the encrypted data is received by the server, it uses the decryption algorithm to retrieve the data. However, in order to decrypt, the server requires the random seed that was generated at
the client side and used to form the encrypted data. All other elements used to perform the encryption, such as the private key, are already available to the server. If we look at the encrypted data stored at 0041C360 as shown above, the first byte is always fixed. The next 16 bytes are the obfuscated version of the random seed. In the random seed generation section we saw that the 16-byte random seed is written to the memory address 00B30019. After it is used to form the encryption key and encrypt the data, the obfuscation stage obfuscates the random seed itself as well. So the random seed is present in the header of the encrypted data sent to the server, and in this way the server has all the elements required to decrypt and retrieve the data.

Sending the Encrypted Data

Now that the data is encrypted and stored at 0041C360, it is ready to be transferred to the server. In our case, the malware uses the HTTP protocol to send this data. It first forms the HTTP header field Set-Cookie: as shown below. The subroutine at 00404A40 takes 2 arguments:

    00B30018  Pointer to the Set-Cookie: header
    0041C360  Pointer to the encrypted data

After this subroutine has executed, it adds this field to the HTTP request headers. Stack arguments:

    00CC000C  Handle returned by HttpOpenRequestA
    00B30018  Pointer to the Set-Cookie field that needs to be added to the HTTP request headers

Then it creates a thread in the suspended state. Stack arguments:

It resumes the thread by calling WaitForSingleObject; 0x1C8 is the handle of the thread created above. Once WaitForSingleObject has executed, we break at the thread function. This thread function is used to send the HTTP request to the server. Once HttpSendRequestA has executed, the HTTP request is sent to the server along with the encrypted data carried in the Set-Cookie header field.

Conclusion

In this way, we can see how malware protects the data exchanged between it and its servers from behavioral analysis. The same methods can also be used to randomize artifact details to prevent the discovery of the malware on other machines.
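The obfuscation and encoding stages above, together with the Set-Cookie transfer, as one added Python example that is neither the malware's code nor part of the article. It re-implements the 3-to-4 bit split and the comparison ladder exactly as the disassembly performs them, then gives the inverse an analyst needs to pull the 16-byte seed back out of the header of a captured request. Note that the 6-bit split plus this byte mapping (0x41 for 'A'..'Z', 0x47 for 'a'..'z', minus 4 for '0'..'9', '+' and '/') is exactly the unpadded Base64 alphabet, which the self-check below confirms against the standard library; the sample request, hostname and payload bytes are constructed.

```python
"""Added example: bit-exact encoder/decoder for the obfuscation + encoding routines and a
Set-Cookie extractor for captured requests. Not the malware's code; all data constructed."""
import base64
import re


def expand_3_to_4(data: bytes) -> bytes:
    """Obfuscation routine: every 3 input bytes become 4 bytes holding 6 bits each.
    Inner loop: out = (byte SHR 2/4/6) OR carry; carry = (byte SHL 6/4/2) SHR 2.
    Outer loop then appends the 3rd input byte AND 0x3F."""
    if len(data) % 3:
        raise ValueError("routine processes whole 3-byte groups")
    out = bytearray()
    for g in range(0, len(data), 3):
        carry, shr_amt, shl_amt = 0, 2, 6          # [EBP-1], [EBP-8], [EBP-C]
        for i in range(3):                          # inner loop counter [EBP-10] = 3
            b = data[g + i]
            out.append((b >> shr_amt) | carry)      # SHR BL,CL ; OR BL,[EBP-1] ; MOV [EDI+EAX],BL
            carry = ((b << shl_amt) & 0xFF) >> 2    # SHL BL,CL ; SHR BL,2
            shr_amt += 2
            shl_amt -= 2
        out.append(data[g + 2] & 0x3F)              # AND AL,3F ; MOV [EDX+3],AL
    return bytes(out)


def encode_byte(v: int) -> int:
    """Encoding routine: the comparison ladder from the disassembly."""
    if v <= 0x19:
        return v + 0x41                             # 'A'..'Z'
    if 0x1A <= v <= 0x33:
        return v + 0x47                             # 'a'..'z'
    if 0x34 <= v <= 0x3D:
        return v - 4                                # '0'..'9'
    if v == 0x3E:
        return 0x2B                                 # '+'
    if v == 0x3F:
        return 0x2F                                 # '/'
    return v                                        # anything larger is left untouched


def obfuscate_and_encode(buf: bytes) -> bytes:
    return bytes(encode_byte(v) for v in expand_3_to_4(buf))


_DECODE = {encode_byte(v): v for v in range(64)}   # inverse of the ladder, 64 distinct characters


def decode(text: bytes) -> bytes:
    """Inverse for the analyst: characters back to 6-bit values, then repack 4 -> 3 bytes."""
    if len(text) % 4:
        raise ValueError("encoded length is always a multiple of 4")
    out = bytearray()
    for g in range(0, len(text), 4):
        v = [_DECODE[c] for c in text[g:g + 4]]
        out.append(((v[0] << 2) | (v[1] >> 4)) & 0xFF)
        out.append(((v[1] & 0x0F) << 4 | (v[2] >> 2)) & 0xFF)
        out.append(((v[2] & 0x03) << 6 | v[3]) & 0xFF)
    return bytes(out)


def recover_seed(encoded: bytes) -> bytes:
    """Header layout from the article: 1 fixed byte followed by the 16 seed bytes,
    i.e. the first 18 plaintext bytes, which are the first 24 encoded characters."""
    return decode(encoded[:24])[1:17]


_PAYLOAD_RE = re.compile(rb"^[A-Za-z0-9+/]+$")


def set_cookie_payloads(raw_request: bytes, min_len: int = 64) -> list:
    """Set-Cookie is a response header; one appearing in a client request with a long
    value drawn only from the alphabet above is the pattern this sample produces."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    hits = []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        value = value.strip()
        if name.strip().lower() == b"set-cookie" and len(value) >= min_len and _PAYLOAD_RE.match(value):
            hits.append(value)
    return hits


def matches_base64(buf: bytes) -> bool:
    """Self-check: the split plus this alphabet equals unpadded Base64 for whole 3-byte groups."""
    return obfuscate_and_encode(buf) == base64.b64encode(buf)


# Constructed sample: fixed byte, 16-byte seed, 37 bytes standing in for encrypted data (54 bytes = 18 groups)
SAMPLE_SEED = bytes(range(0x10, 0x20))
SAMPLE_BUF = b"\x01" + SAMPLE_SEED + bytes((i * 37) & 0xFF for i in range(37))
SAMPLE_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: c2.example\r\n"
                  b"Set-Cookie: " + obfuscate_and_encode(SAMPLE_BUF) + b"\r\n\r\n")

if __name__ == "__main__":
    for payload in set_cookie_payloads(SAMPLE_REQUEST):
        print("recovered seed:", recover_seed(payload).hex())
```

The extractor only finds candidates; confirming a hit means decoding the value and checking that the first byte is the fixed header byte and that the recovered seed, combined with the private key, reproduces the traffic. The real sample's encoded length is 0xE4 bytes, so a threshold well below that still catches it while ignoring short cookie values.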
More informationCOMP211 ASSEMBLY PROGRAMMING
COMP211 ASSEMBLY PROGRAMMING Chapter 6: Conditional Processing Cristina G. Rivera 2 Chapter Overview Boolean and Comparison Instructions Conditional Jumps Conditional Loop Instructions Conditional Structures
More informationSecond Part of the Course
CSC 2400: Computer Systems Towards the Hardware 1 Second Part of the Course Toward the hardware High-level language (C) assembly language machine language (IA-32) 2 High-Level Language g Make programming
More informationWe will first study the basic instructions for doing multiplications and divisions
MULTIPLICATION, DIVISION AND NUMERICAL CONVERSIONS We will first study the basic instructions for doing multiplications and divisions We then use these instructions to 1. Convert a string of ASCII digits
More informationAssembly Language for Intel-Based Computers, 5 th Edition. Kip R. Irvine. Chapter 6: Conditional Processing
Assembly Language for Intel-Based Computers, 5 th Edition Kip R. Irvine Chapter 6: Conditional Processing Chapter Overview Boolean and Comparison Instructions Conditional Jumps Conditional Loop Instructions
More informationBinghamton University. CS-220 Spring x86 Assembler. Computer Systems: Sections
x86 Assembler Computer Systems: Sections 3.1-3.5 Disclaimer I am not an x86 assembler expert. I have never written an x86 assembler program. (I am proficient in IBM S/360 Assembler and LC3 Assembler.)
More informationFLARE-On 4: Challenge 3 Solution greek_to_me.exe
FLARE-On 4: Challenge 3 Solution greek_to_me.exe Challenge Author: Matt Williams (@0xmwilliams) greek_to_me.exe is a Windows x86 executable whose strings reveal what is likely the desired state of the
More informationEqua%onal Reasoning of x86 Assembly Code. Kevin Coogan and Saumya Debray University of Arizona, Tucson, AZ
Equa%onal Reasoning of x86 Assembly Code Kevin Coogan and Saumya Debray University of Arizona, Tucson, AZ Assembly Code is Source Code Commercial libraries oeen do not come with source code, but there
More informationLecture 2 Assembly Language
Lecture 2 Assembly Language Computer and Network Security 9th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 2, Assembly Language 1/37 Recap: Explorations Tools assembly
More informationIn executable we have several anti-debugging, anti-tracing and anti-patching tricks:
------------------------------------------------------------------ Author: ReWolf e-mail: rewolf@rewolf.pl www : http://rewolf.pl ------------------------------------------------------------------ HACKER
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 4 LAST TIME Enhanced our processor design in several ways Added branching support Allows programs where work is proportional to the input values
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationCSE351 Spring 2018, Midterm Exam April 27, 2018
CSE351 Spring 2018, Midterm Exam April 27, 2018 Please do not turn the page until 11:30. Last Name: First Name: Student ID Number: Name of person to your left: Name of person to your right: Signature indicating:
More informationHunting Zero Days in Crash Dumps. hotwing
Hunting Zero Days in Crash Dumps hotwing /usr/bin/whoami D923AE0C-190D-4EDF-B07A-76AC571FBFD4 SCSKEX.cab filever /v SCSKEX.ocx --a-- W32i DLL ENU 4.0.31.7 shp 858,832 scskex.ocx Language 0x0409 (English
More informationCS Basics 8) Strings. Emmanuel Benoist. Fall Term Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 1
CS Basics 8) Strings Emmanuel Benoist Fall Term 2016-17 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 1 Strings Loops on Strings Strings in assembly STOre String
More informationCPS104 Recitation: Assembly Programming
CPS104 Recitation: Assembly Programming Alexandru Duțu 1 Facts OS kernel and embedded software engineers use assembly for some parts of their code some OSes had their entire GUIs written in assembly in
More informationAssembly Language Programming: Procedures. EECE416 uc. Charles Kim Howard University. Fall
Assembly Language Programming: Procedures EECE416 uc Charles Kim Howard University Fall 2013 www.mwftr.com Before we start Schedule of the next few weeks T Nov 19: Procedure and Calls (continued) R Nov
More informationAssembly Language for Intel-Based Computers, 4 th Edition. Chapter 6: Conditional Processing. Chapter Overview. Boolean and Comparison Instructions
Assembly Language for Intel-Based Computers, 4 th Edition Kip R. Irvine Chapter 6: Conditional Processing Slides prepared by Kip R. Irvine Revision date: 10/19/2002 Chapter corrections (Web) Assembly language
More informationChapter 3: Addressing Modes
Chapter 3: Addressing Modes Chapter 3 Addressing Modes Note: Adapted from (Author Slides) Instructor: Prof. Dr. Khalid A. Darabkh 2 Introduction Efficient software development for the microprocessor requires
More informationCSE P 501 Compilers. x86 Lite for Compiler Writers Hal Perkins Autumn /25/ Hal Perkins & UW CSE J-1
CSE P 501 Compilers x86 Lite for Compiler Writers Hal Perkins Autumn 2011 10/25/2011 2002-11 Hal Perkins & UW CSE J-1 Agenda Learn/review x86 architecture Core 32-bit part only for now Ignore crufty, backward-compatible
More informationLABORATORY WORK NO. 7 FLOW CONTROL INSTRUCTIONS
LABORATORY WORK NO. 7 FLOW CONTROL INSTRUCTIONS 1. Object of laboratory The x86 microprocessor family has a large variety of instructions that allow instruction flow control. We have 4 categories: jump,
More informationQ1: Multiple choice / 20 Q2: Protected mode memory accesses
16.317: Microprocessor-Based Systems I Summer 2012 Exam 2 August 1, 2012 Name: ID #: For this exam, you may use a calculator and one 8.5 x 11 double-sided page of notes. All other electronic devices (e.g.,
More information16.317: Microprocessor Systems Design I Fall 2013
16.317: Microprocessor Systems Design I Fall 2013 Exam 2 Solution 1. (20 points, 5 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by circling
More informationIA-32 Architecture. CS 4440/7440 Malware Analysis and Defense
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code
More informationY86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View
Computer Architecture I Instruction Set Architecture Assembly Language View Processor state Registers, memory, Instructions addl, movl, andl, How instructions are encoded as bytes Layer of Abstraction
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant Carnegie Mellon University http://csapp.cs.cmu.edu CS:APP Instruction Set Architecture Assembly Language View! Processor
More informationInstruction Set Architecture
CS:APP Chapter 4 Computer Architecture Instruction Set Architecture Randal E. Bryant Carnegie Mellon University http://csapp.cs.cmu.edu CS:APP Instruction Set Architecture Assembly Language View Processor
More informationmith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #9 Spring 2017 Dominique Thiébaut dthiebaut@smith.edu 2 Videos to Watch at a Later Time https://www.youtube.com/watch?v=fdmzngwchdk https://www.youtube.com/watch?v=k2iz1qsx4cm
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationmith College Computer Science CSC231 Assembly Week #10 Fall 2017 Dominique Thiébaut
mith College Computer Science CSC231 Assembly Week #10 Fall 2017 Dominique Thiébaut dthiebaut@smith.edu 2 Videos to Start With https://www.youtube.com/watch?v=fdmzngwchdk https://www.youtube.com/watch?v=k2iz1qsx4cm
More informationData Transfers, Addressing, and Arithmetic. Part 2
Islamic University Of Gaza Assembly Language Faculty of Engineering Discussion Computer Department Chapter 4 Created By: Eng. Ahmed M. Ayash Modified and Presented by: Eng. Eihab S. El-Radie Chapter 4
More informationMarking Scheme. Examination Paper Department of CE. Module: Microprocessors (630313)
Philadelphia University Faculty of Engineering Marking Scheme Examination Paper Department of CE Module: Microprocessors (630313) Final Exam Second Semester Date: 02/06/2018 Section 1 Weighting 40% of
More informationGhost in the allocator Abusing the windows 7/8 Low Fragmentation Heap
Ghost in the allocator Abusing the windows 7/8 Low Fragmentation Heap Steven Seeley, Stratsec HiTB, Amsterdam, May 2012 HITBAMS2012 1 Overview Why are we targeting the heap manager? Heap terms Windows
More informationIslamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 8. Conditional Processing
Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB Lab # 8 Conditional Processing April, 2014 1 Assembly Language LAB Unconditional Jump The
More informationLab 6: Conditional Processing
COE 205 Lab Manual Lab 6: Conditional Processing Page 56 Lab 6: Conditional Processing Contents 6.1. Unconditional Jump 6.2. The Compare Instruction 6.3. Conditional Jump Instructions 6.4. Finding the
More informationUMBC. A register, an immediate or a memory address holding the values on. Stores a symbolic name for the memory location that it represents.
Intel Assembly Format of an assembly instruction: LABEL OPCODE OPERANDS COMMENT DATA1 db 00001000b ;Define DATA1 as decimal 8 START: mov eax, ebx ;Copy ebx to eax LABEL: Stores a symbolic name for the
More information03-Basic Dynamic Analysis & Assembly Language
CYS5120 - Malware Analysis Bahcesehir University Cyber Security Msc Program Dr. Ferhat Ozgur Catak 1 Mehmet Can Doslu 2 1 ozgur.catak@tubitak.gov.tr 2 mehmetcan.doslu@tubitak.gov.tr 2017-2018 Fall Table
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationInspecting and Manipulating binaries
Inspecting and Manipulating binaries Introduction. x86 architecture. Assembler. Binary inspection. General sample (crackme) Binary manipulation. Python to the rescue! Malware analysis What we (you) are
More informationCS241 Computer Organization Spring 2015 IA
CS241 Computer Organization Spring 2015 IA-32 2-10 2015 Outline! Review HW#3 and Quiz#1! More on Assembly (IA32) move instruction (mov) memory address computation arithmetic & logic instructions (add,
More informationLow-Level Essentials for Understanding Security Problems Aurélien Francillon
Low-Level Essentials for Understanding Security Problems Aurélien Francillon francill@eurecom.fr Computer Architecture The modern computer architecture is based on Von Neumann Two main parts: CPU (Central
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title : Adobe Acrobat and Reader "newclass" invalid pointer vulnerability Version :
More informationCSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II
1 byte{ 1 byte{ CSCI 334: Principles of Programming Languages Lecture 11: Control Structures II Computer Architecture (a really really fast introduction) Instructor: Dan Barowy Memory Instructions main
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationA Survey of Obfuscations in Prevalent Packer Tools
A Survey of Obfuscations in Prevalent Packer Tools Kevin Roundy Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin March 26, 2012 1 Types of program analysis Source code Friendly binary Uncooperative
More information16.317: Microprocessor Systems Design I Spring 2014
16.317: Microprocessor Systems Design I Spring 2014 Exam 1 Solution 1. (20 points, 5 points per part) Multiple choice For each of the multiple choice questions below, clearly indicate your response by
More informationAbysssec Research. 1) Advisory information. 2) Not vulnerable version
Abysssec Research 1) Advisory information Title : Java CMM readmabcurvedata stack overflow Version : Java runtime
More information