Owning Command and Control: Reverse Engineering Malware. Risk Mitigators
- Lynne Bates
1 Owning Command and Control: Reverse Engineering Malware
2 Agenda
1- About Synapse-labs
   a) Bios
   b) Synapse-labs
2- Debuggers (Immunity & OllyDBG)
3- Assembler primer
4- PE (Portable Executable) structure
5- IAT (Import Address Table)
6- Packers (UPX)
7- Manually bypassing anti-debug techniques
8- Process injection
9- Reversing the malware specimen (covers all of the above)
A- Tools used in this presentation
B- Conclusion
3 About Synapse-labs
Biography:
Sofiane Talmat (Algeria): Founder of Synapse-labs; OSCP
Ehab Hussein (Egypt): Co-founder of Synapse-labs; Operations Network Security Manager at Tedata
Carlos Mario (Colombia): Co-founder of Synapse-labs; OSCE
4 About Synapse-labs
Synapse services:
- Penetration testing, security audits and incident response
- Software quality assurance and security testing
- Malware analysis and infection detection
- Log analysis and reporting
5 About Synapse-labs Reversing and Exploitation Level Audit and Penetration Test Coming soon
6 Debuggers
Demo: walk-through of the Immunity Debugger interface
7 Debuggers
Demo: walk-through of the OllyDBG interface
8 Assembler Primer
General purpose registers:
EAX: accumulator register; holds function return values and the low half of MUL/DIV results
EBX: base register; commonly used as a pointer to memory addresses
ECX: counter register; used in loop iterations and as the repeat count of REP string instructions
EDX: data register; I/O port access, arithmetic (the high half of 64-bit MUL/DIV results), some interrupt calls (an interrupt is a special type of signal that is sent to the processor)
9 Assembler Primer
Index registers:
ESI: source index register
EDI: destination index register
They are used by the string instructions to copy a block from one location to another, or, for instance, to compare two strings.
10 Assembler Primer
Segment registers:
* Segmentation composes a memory address from two parts, a segment and an offset. In 16-bit real mode the segment points to the beginning of a 64 KB group of addresses and the offset determines how far from that beginning the desired address lies.
CS: code segment
DS: data segment
SS: stack segment
ES: extra segment
Example (segment:offset): mov eax, DS:offset mystring
Note: 32-bit Windows runs in protected mode with a flat memory model, so CS, DS, SS and ES all describe the same 4 GB address space and can normally be ignored when reading disassembly. FS is the exception worth remembering for malware work: on Win32 it points at the Thread Environment Block, and FS:[0x30] holds the pointer to the Process Environment Block, whose BeingDebugged byte is what IsDebuggerPresent() returns (see the anti-debugging slide).
11 Assembler Primer
Pointer registers:
ESP: stack pointer, points to the top of the stack
EBP: base pointer, points to a fixed location in the stack (the base of the current stack frame), so locals and arguments are addressed as [EBP-x] and [EBP+x]
EIP: instruction pointer, points to the next instruction to be executed
12 Assembler Primer
Flags:
OF: overflow flag, set when a signed arithmetic result does not fit in the destination
DF: direction flag, tells string operations whether ESI/EDI move up or down through memory
SF: sign flag, set when the result of a calculation is negative
ZF: zero flag, set when the result of a calculation is zero (this is what JZ/JNZ and JE/JNE test after CMP and TEST)
CF: carry flag, set when an arithmetic carry or borrow has been generated out of the most significant ALU bit position
13 Assembler Primer
MASM32 (Microsoft Macro Assembler):
* Makes assembler as easy as C programming
* The code is readable and maintainable
* Can access the Windows API functions
* The sky is the limit
14 Assembler Primer
MASM32 template:

    .386                               ; target processor: 386 (also 486, 586, 686)
    .model flat,stdcall                ; flat memory model; arguments are pushed right to left, callee cleans the stack
    option casemap:none                ; identifiers are case sensitive

    ; include libraries
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\kernel32.lib
    include \masm32\include\user32.inc
    includelib \masm32\lib\user32.lib
    include \masm32\include\masm32.inc
    includelib \masm32\lib\masm32.lib

    .data                              ; the data section of initialized variables
    Mystring db "Hello World, synapse",0

    .data?                             ; uninitialized variables
    Buffer db 100 dup (?)

    .const                             ; constant variables
    BUFFER_SIZE equ 1024

    .code                              ; code section, also referred to as .text
    start:
        ; your code goes here!
        invoke MessageBox,NULL,addr Mystring,addr Mystring,MB_OK
        jmp hello                      ; jumps over the PUSHAD below
        pushad
    hello:
        mov ecx,BUFFER_SIZE            ; with casemap:none the name must match the equ exactly
        invoke ExitProcess,0           ; return to the OS instead of running off the end of .code
    end start
15 PE Structure
Defined in WinNT.h.
IMAGE_DOS_HEADER: starts with the "MZ" signature (e_magic = 0x5A4D, the bytes 'M','Z' read as a little-endian word); its last field, e_lfanew, is the file offset of the NT headers. The DOS stub between the two prints "This program cannot be run in DOS mode".
IMAGE_NT_HEADERS: primary location where the specifics of the PE file are stored.
PE file signature: value 0x00004550 ("PE\0\0").
IMAGE_FILE_HEADER: contains some basic information about the file (machine type, number of sections, characteristics) and a field describing the size of the optional header that follows it.
IMAGE_OPTIONAL_HEADER: the address book for important locations within the executable (entry point, image base, and the data directories that locate the export, import, TLS and IAT tables).
IMAGE_SECTION_HEADER: an array of IMAGE_SECTION_HEADER, one per section. Each provides information about its associated section, including location (virtual address and raw file offset), length and characteristics.
16 IAT (Import Address Table)
An array of pointers, one per imported function, that the Windows loader fills in at load time with the addresses of the API functions the executable imports. Entries are grouped per DLL in the order of the import descriptors, not alphabetically. Compiled code calls an imported API indirectly through its slot (call dword ptr [IAT_slot]), which is why a packer that wipes the import table leaves a dump that crashes until the IAT is rebuilt with a tool such as ImpRec.
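The following Python parser is an added example written for this transcript; it is not code from the slides or from Synapse-labs. It follows the header chain from the previous slide (MZ, e_lfanew, PE signature, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, section table), walks the import directory to list each imported function with the virtual address of its IAT slot, and goes a step further than the two slides by reporting the static anti-debug indicators named later in the deck (IsDebuggerPresent, CheckRemoteDebuggerPresent and BlockInput imports, and TLS callbacks). The PE it runs on is built in build_sample_pe() and is a constructed minimal PE32, not a real specimen; the field offsets are the WinNT.h layouts for PE32.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # bytes 'M','Z' read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550  # bytes 'P','E',0,0 read as a little-endian DWORD
DIR_IMPORT, DIR_TLS = 1, 9       # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_TLS

def u16(b, o): return struct.unpack_from('<H', b, o)[0]
def u32(b, o): return struct.unpack_from('<I', b, o)[0]
def cstr(b, o): return b[o:b.index(b'\0', o)].decode('ascii')

def parse_pe(data):
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32 -> section table."""
    if u16(data, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = u32(data, 0x3C)            # IMAGE_DOS_HEADER.e_lfanew: file offset of IMAGE_NT_HEADERS
    if u32(data, e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature at e_lfanew')
    fh = e_lfanew + 4                     # IMAGE_FILE_HEADER (20 bytes) follows the signature
    nsections, opt_size = u16(data, fh + 2), u16(data, fh + 16)
    opt = fh + 20                         # IMAGE_OPTIONAL_HEADER follows; SizeOfOptionalHeader gives its length
    if u16(data, opt) != 0x10B:
        raise ValueError('only PE32 (Magic 0x10B) is handled here')
    pe = {'image_base': u32(data, opt + 28), 'entry_rva': u32(data, opt + 16),   # DataDirectory[] starts at +96
          'dirs': [(u32(data, opt + 96 + 8 * i), u32(data, opt + 100 + 8 * i)) for i in range(u32(data, opt + 92))],
          'sections': []}
    for i in range(nsections):            # IMAGE_SECTION_HEADER array, 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, opt + opt_size + 40 * i)
        pe['sections'].append((name.rstrip(b'\0').decode('ascii'), vsize, va, rawsize, rawptr))
    return pe

def rva_to_offset(pe, rva):   # map an RVA to a file offset via the section table (the loader's mapping, run backwards)
    for _, vsize, va, rawsize, rawptr in pe['sections']:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError('RVA 0x%x is not backed by any section' % rva)

def parse_imports(data, pe):
    """(dll, function, VA of its IAT slot) per import, in IMAGE_IMPORT_DESCRIPTOR order."""
    imports, base = [], pe['image_base']
    desc = rva_to_offset(pe, pe['dirs'][DIR_IMPORT][0])
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from('<5I', data, desc)
        if name_rva == 0:                 # an all-zero descriptor terminates the array
            return imports
        dll = cstr(data, rva_to_offset(pe, name_rva))
        thunk, i = rva_to_offset(pe, oft or ft), 0   # INT if present, else the not-yet-bound IAT
        while (val := u32(data, thunk + 4 * i)) != 0:
            # IMAGE_ORDINAL_FLAG32 set: import by ordinal; else RVA of IMAGE_IMPORT_BY_NAME (WORD hint + name)
            func = 'ordinal#%d' % (val & 0xFFFF) if val & 0x80000000 else cstr(data, rva_to_offset(pe, val) + 2)
            imports.append((dll, func, base + ft + 4 * i))   # the loader writes &func into this slot
            i += 1
        desc += 20

def parse_tls_callbacks(data, pe):
    """VAs in IMAGE_TLS_DIRECTORY32.AddressOfCallBacks; the loader runs them before the entry point."""
    tls_rva = pe['dirs'][DIR_TLS][0]
    if tls_rva == 0:
        return []
    cb_va = struct.unpack_from('<6I', data, rva_to_offset(pe, tls_rva))[3]
    off, cbs = rva_to_offset(pe, cb_va - pe['image_base']), []
    while (va := u32(data, off + 4 * len(cbs))) != 0:   # NULL-terminated PIMAGE_TLS_CALLBACK array
        cbs.append(va)
    return cbs

def anti_debug_indicators(data, pe):   # static hints for the techniques on the anti-debugging slide
    hits = [f for _, f, _ in parse_imports(data, pe) if f in ('IsDebuggerPresent', 'CheckRemoteDebuggerPresent', 'BlockInput')]
    cbs = parse_tls_callbacks(data, pe)
    return hits + (['TLS callbacks: ' + ', '.join('0x%08x' % c for c in cbs)] if cbs else [])

def build_sample_pe():
    """Constructed minimal PE32, not a real specimen: ImageBase 0x400000, one .text section at RVA 0x1000
    holding an import table (KERNEL32.dll: IsDebuggerPresent, ExitProcess) and a TLS directory with one callback."""
    base, sec_rva, sec_off = 0x400000, 0x1000, 0x200
    d_int, d_iat, d_dll, d_idp, d_exit, d_tls, d_cbs = 0x28, 0x34, 0x40, 0x50, 0x64, 0x80, 0x98  # section-relative
    sec = bytearray(0x200)
    struct.pack_into('<5I', sec, 0, sec_rva + d_int, 0, 0, sec_rva + d_dll, sec_rva + d_iat)  # descriptor; zeros follow
    thunks = struct.pack('<3I', sec_rva + d_idp, sec_rva + d_exit, 0)
    sec[d_int:d_int + 12] = sec[d_iat:d_iat + 12] = thunks   # INT and on-disk IAT are identical until load time
    sec[d_dll:d_dll + 13] = b'KERNEL32.dll\0'
    sec[d_idp:d_idp + 20] = b'\0\0IsDebuggerPresent\0'      # WORD hint (0) + name
    sec[d_exit:d_exit + 14] = b'\0\0ExitProcess\0'
    struct.pack_into('<6I', sec, d_tls, 0, 0, 0, base + sec_rva + d_cbs, 0, 0)  # AddressOfCallBacks
    struct.pack_into('<2I', sec, d_cbs, base + sec_rva + 0x1C0, 0)              # one callback, NULL terminator
    opt = bytearray(224)                  # IMAGE_OPTIONAL_HEADER32 including 16 data directories
    struct.pack_into('<H', opt, 0, 0x10B)                               # Magic: PE32
    struct.pack_into('<I', opt, 16, sec_rva + 0x1C0)                    # AddressOfEntryPoint
    struct.pack_into('<III', opt, 28, base, 0x1000, 0x200)              # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 56, 0x2000, 0x200)                     # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * DIR_IMPORT, sec_rva, 0x28)
    struct.pack_into('<II', opt, 96 + 8 * DIR_TLS, sec_rva + d_tls, 0x18)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    sect_hdr = struct.pack('<8sIIIIIIHHI', b'.text', 0x200, sec_rva, 0x200, sec_off, 0, 0, 0, 0, 0xE0000020)
    hdr = bytearray(sec_off)
    hdr[:2], hdr[0x3C:0x40] = b'MZ', struct.pack('<I', 0x40)         # e_magic, e_lfanew -> NT headers at 0x40
    hdr[0x40:0x40 + 288] = b'PE\0\0' + file_hdr + bytes(opt) + sect_hdr
    return bytes(hdr + sec)

if __name__ == '__main__':
    blob = build_sample_pe()
    pe = parse_pe(blob)
    print(*('%-13s %-18s IAT slot 0x%08x' % imp for imp in parse_imports(blob, pe)), sep='\n')
    print('anti-debug indicators:', anti_debug_indicators(blob, pe))
```

The IAT slot addresses it prints are the operands you will see in OllyDbg as call dword ptr [...] once the image is loaded at its ImageBase; after a manual unpack they are also what ImpRec has to reconstruct. Real samples add wrinkles the sample does not have (PE32+, bound imports, sections whose raw size differs from their virtual size), so treat this as the structure walk, not as a replacement for a hardened parser.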
17 UPX Packer
Packers:
1) Designed to compress executable code
2) Hide the presence of malware from antivirus scanners (a signature scanner sees only the compressed bytes and the unpacking stub, not the original code)
3) Makes the life of a reverse engineer harder (NOT!)
18 UPX Packer Before
19 UPX Packer After
20 Unpack UPX
Unpacking UPX manually. Demo: how to bypass & unpack UPX in OllyDbg and rebuild the IAT with ImpRec. The sequence is to step through the decompression stub until its tail jump to the original entry point (OEP), dump the process at that point (OllyDump), and then point ImpRec at the running process so the imports the stub resolved at runtime are written back into the dump. Check the Malware Specimens/Specimen 1 folder.
21 Anti-Debugging Techniques
IsDebuggerPresent() (Win API function): determines whether the calling process is being debugged; it simply returns the BeingDebugged byte of the PEB.
RDTSC: Read Time-Stamp Counter, an instruction that reads the CPU cycle counter; two reads around a block of code expose the extra cycles spent single-stepping or sitting on a breakpoint.
BlockInput: blocks keyboard and mouse input events from reaching applications, so the analyst loses control of the debugger GUI.
TLS callbacks (Thread Local Storage): functions listed in the TLS directory that the loader runs before the entry point (and again when threads are created or exit), so a check placed there executes before the debugger's default entry-point breakpoint is ever hit. (Thanks to ap0x from headcoders.net for the lovely example.)
Spoofing packer signatures: used to mislead a reverse engineer into thinking that the executable is packed, or packed with a different packer than the real one.
* There are many more types of anti-debugging techniques.
22 Anti-debug bypass
Anti-debugging technique demo: how to bypass anti-debugging techniques in Immunity and OllyDbg. *Check the AntiDebug folder
23 Process Injection Demo Process Injection. Check the process injection folder
24 Reversing Malware Specimen Demo Reversing malware specimen. Check the Malware Specimens/Specimen 2 folder
25 Tools Used
1) MASM32
2) Immunity Debugger & OllyDbg with the OllyDump plugin + OllyAdvanced
3) PEiD
4) ImpRec
5) UPX
6) Beesa process injector
7) Brain and patience
26 Conclusions Do not delete malware that you receive in your inbox. Now you know how valuable it is!!!!
27 Thanks...!
For more information check out:
Find us on Twitter:
Find us on Facebook:
For the complete presentation, video demos and tools go to: