T Reverse Engineering Malware: Static Analysis I
|
|
- Marvin McLaughlin
- 6 years ago
- Views:
Transcription
1 T Reverse Engineering Malware: Static Analysis I Antti Tikkanen, F-Secure Corporation Protecting the irreplaceable f-secure.com
2 Representing Data 2
3 Binary Numbers Nibble B Byte B D Word B D 3 9 3
4 Endianness aka. Byte Order c Actual bytes 0x034133c9 Little Endian 0xc Big Endian Intel x86 Intel 8051 PowerPC (exc. G5) Sparc (exc. v9) 4
5 Strings ASCII Unicode (UCS-2) H e l l o C 6C 6F (BOM) H e l l o (ff fe) C 00 6C 00 6F 00 5
6 How do you know when the string ends? ASCIIZ H e l l o C 6C 6F 00 Null-terminated Unicode Pascal Delphi H e l l o C 00 6C 00 6F H e l l o C 6C 6F H e l l o C 6C 6F 6
7 Representing Code 7
8 CPU Architectures CISC Complex Instruction Set Computing Emphasis on hardware and assembly programming Complex multi-clock instructions High code density Examples: x86, m68k, IBM z/architecture RISC Reduced Instruction Set Computing Emphasis on software and high-level languages Simple, reduced instruction set Low code density Examples: ARM, PowerPC, MIPS 8
9 Introduction to Intel x86 Started with 8086 in 1978 Continued with 8088, 80186, 80286, 386, 486, Pentium, CISC architecture 32-bit is called x86-32 or IA bit is called x86-64, IA-32e, AMD64, EM64T, x64 or Intel 64 IA-64 is Itanium, which is different 9
10 Intel Introduced in 1986 Has a 32-bit word length Has 8 general-purpose registers Supports paging and virtual memory Addresses up to 4GiB of memory 10
11 Data Register Layout 11
12 Data Registers AL / AH / AX EAX BL / BH / BX EBX CL / CH / CX ECX DL / DH / DX EDX Accumulator Data index Loop counter Data register Arithmetic operations General data storage, index Loop constructs Arithmetics 12
13 Address Registers IP / EIP Instruction Pointer Program execution SP / ESP Stack Pointer Stack operation BP / EBP Base Pointer Stack frame SI / ESI DI / EDI Source Index Destination Index String operation String operation 13
14 Segment Registers CS Code Segment Program code DS Data Segment Program data ES / FS / GS Other Segments Other uses 14
15 EFLAGS 15
16 Examples of Mnemonics MOV EAX, 1 Move 1 to EAX ADD EDX, 5 Add 5 to EDX SUB EBX, 2 Subtract 2 from EBX AND ECX, 0 Bit-wise AND 0 to ECX XOR EDX, 4 Bit-wise exclusive OR 4 to EDX SHL ECX, 6 Shift ECX left by six ROR EBX, 3 Bit-wise rotate EBX right by 3 INC ECX Increment ECX 16
17 Examples of Mnemonics (contd) JNZ label JMP label CALL func RET LOOP label PUSH EAX POP EDI Jump if not zero (equal) Unconditional jump to label Call function Return from function ECX--, Jump to label if not zero Push EAX to stack Pop EDI from stack 17
18 Intel x86 Instruction Format (32-bit) Variable-size complex instruction format (CISC) Instruction format: OPERATION, [OPERAND 1, OPERAND 2, [OPERAND 3]] Operands can operate on register, memory address or immediate data Single instruction can be of any size from 1 byte up to 15 bytes (compare to RISC, where instruction size is constant, for example 4 bytes)!! 18
19 Instruction Format (64-bit) 64-bit mode is backward-compatible extension to 32-bit mode Adds optional REX prefix to 32-bit format Image Copyright Intel Corporation 19
20 Instruction Prefix Bytes Group 1: lock and repeat prefixes Lock ensures exclusive use of memory in multiple-processor environments Repeat is used in string operations (sort of a loop) Group 2: Segment overrides or branch hint Segment in memory access is implied by the instruction, but can be overridden using Group 2 prefix. Some bytes in this group indicates a branch hint, if the instruction is conditional jump Group 3: Operand size override Switch between 16 and 32-bit operand size Group 4: Address size override Switch between 16 and 32-bit addressing 20
21 REX Prefix Semantics for accessing extra registers in 64-bit mode Additional 64-bit operand size overrides 21
22 Opcode Bytes Byte(s) that presents the actual operation (MOV, INC, PUSH, etc.) Originally only single byte, but later specifications define 1-3 bytes (or 4, depending on definition) First byte can be any opcode in range 0-255, or escape byte (0F) indicating that another opcode byte follows Second opcode byte defines an opcode after escape byte Third opcode byte is a prefix (66, F2 or F3) to multimedia (SSE) instructions Latest instruction sets define escape bytes in the second opcode table (38 and 3A) Some opcodes imply the registers used, others need more information (MODRM/SIB) About 1200 different opcodes (!!!!) 22
23 MODRM and SIB These bytes define the registers and other data used by the instruction MODRM defines the registers used for addressing the memory or register Sometimes addressing is more complex than a simple register can offer SIB byte is used for complex memory addressing: indexing and scaling Example of complex addressing: MOV EBX, [EBP + EAX*2 + 4] Destination Register Base register Index register Scale factor Displacement offset 23
24 Displacement and Immediate Data Some complex addressing forms require offset within the memory reference, called displacement Displacement follows immediately the MODRM/SIB bytes (1, 2 or 4 bytes) Some instructions use immediate data as operand value (1, 2 or 4 bytes) Some instructions can use 64-bit (8 bytes) displacement and immediate values in 64-bit mode 24
25 Monster Instruction Assembly presentation: REP MOV [SS:EAX + EBX*8 + 0x ], 0x Data in hex: F3 36 C7 84 D F3 repetition prefix (REP) 36 segment override (SS) C7 opcode (MOV) 84, D8 MORDM, SIB (base register EAX, index register EBX, scale factor 8) displacement data (0x ) immediate data (0x ) 25
26 Example of RISC: ARM Fixed instruction size: 4 bytes (2 bytes in Thumb mode) Load/store architecture: operations only on registers But including fancy things like embedded shifting a += (j << 2) in one operation! Almost all instructions are conditional (mov, moveq, movne,..) Limited (but quite expressive) instruction set 26
27 Disassemblers x50 PUSH EAX Bits in memory Hexadecimal presentation Human-readable disassembly 8B 5C MOV EBX, [EBP+EAX*2+4] 27
28 Disassemblers: Linear Sweep Linear sweep disassembler: Take first byte of code, decode instruction, use length of instruction to skip to next instruction Example of problem with data embedded in code: 0042ABFE: EB 01 jmp 0042AC AC00: F3 BB rep mov ebx, h 0042AC06: 5F pop edi 28
29 Disassemblers: Recursive Traversal Recursive traversal disassembler: Starting from entry point and follow each branch (depth or breadth-first) to locate new starting points Still problems, e.g. with dynamically calculated branch targets: 29
30 Reversing C 30
31 Reversing C 31
32 Basic Data Types char short int long float double - 1 byte - 2 bytes - 4 bytes (platform word) - 4 bytes - 4 bytes floating point - 8 bytes floating point 32
33 Arrays One-dimensional arrays: char a[4] A[0] A[1] A[2] A[3] Multidimensional arrays char a[2][3]; A[0][0] A[0][1] A[0][2] A[1][0] A[1][1] A[1][2] 33
34 Example of multidimensional arrays char val[2][3][2] = {{{'0','1'},{'2','3'},{'4','5'}}, {{'6','7'},{'8','9'},{'a','b'}}}; 34
35 Structures and Unions struct { unsigned int id; unsigned short age; char name[16]; } record; Memory allocated for all members combined: sizeof(record) = 24 union foo { int one; char two; }; Memory allocated for largest member only: sizeof(record) = 4 35
36 Structure Alignment Data structures are aligned to word size #pragma pack() directive can change it unsigned int id (4 bytes) short age (2 bytes) 2 bytes pad name (16 bytes) #pragma pack(1) unsigned int id (4 bytes) short age (2 bytes) name (16 bytes) 36
37 Calling Conventions: stdcall int stdcall foobar(int x, int y, char *foo, char *bar); 37
38 Calling Conventions: cdecl int cdecl foobar(int x, int y, char *foo, char *bar); 38
39 Calling Conventions: fastcall int fastcall foobar(int x, int y, char *foo, char *bar); 39
40 Calling Conventions: thiscall class Foo { public: int Bar(int x, int y, char *foo, char *bar); }; 40
41 PE/COFF 41
42 Introduction to PE/COFF PE stands for Portable Executable Microsoft introduced PE in Windows NT 3.1 It originates from Unix COFF Features dynamic linking, symbol exporting/importing Can contain Intel, Alpha, MIPS and even.net MSIL binary code 64-bit version is called PE32+ 42
43 Complete Structure of PE 43
44 MZ Header MZ Header PE Header.text.data Imports Resources 44
45 PE Header MZ Header File Header Optional Header Section Header[] 45
46 PE Header (continued) MZ Header File Header Optional Header Section Header[] 46
47 PE Header (continued) MZ Header File Header Optional Header Section Header[] 47
48 PE Header (continued) MZ Header File Header Optional Header Section Header[] 48
49 PE Loading File on disk MZ/PE Header Section Table Image in memory MZ/PE Header Section Table.text.data.text RVA = Relative Virtual Address = Offset from image base in memory.data 49
50 Importing Symbols Symbols (functions/data) can be imported from external DLLs The loader will load external DLLs automatically All the dependencies are loaded as well DLLs will be loaded only once External addresses are written to the Import Address Table (IAT) 50
51 Importing Symbols Each DLL has one IMAGE_IMPORT_DESCRIPTOR The descriptor points to two parallel lists of symbols to import Import Address Table (IAT) Import Name Table (INT) The primary list is overwritten by the loader, the second one is not Executables can be pre-bound to DLLs to speed up loading Symbols can be imported by ASCII name or ordinal 51
52 Import Descriptors 52
53 Exports Symbols can be exported with ordinals, names or both Ordinals are simple index numbers of symbols Name is a full ASCII name of the exported symbol Exports can be forwarded to another DLL Forwarded symbol s address points to a name in the exports section 53
54 Resources Resources in PE are similar to an archive Resource files can be organised into directory trees The data structure is quite complex but there are tools to handle it Most common resources: Icons Version information GUI resources 54
55 Base Relocation Preferred image base MZ/PE Header Section Table.text.data Relocation offset Actual image base MZ/PE Header Section Table.text.data 55
56 Base Relocation Sometimes a DLL can not be loaded to its preferred address When rebasing, the loader has to adjust all hardcoded addresses Relocations are done in 4KiB blocks (page size on x86) Each relocation entry gives a type and points to a location The loader calculates the base address difference The offsets are adjusted according to the difference 56
57 ELF ELF = Executable and Linkable Format Used on many platforms Linux, Solaris, FreeBSD, NetBSD, OpenBSD Native executables for Android We ll talk more about Android applications on later lectures We won t go into ELF details during this lecture 57
58
Static Analysis I PAOLO PALUMBO, F-SECURE CORPORATION
Static Analysis I PAOLO PALUMBO, F-SECURE CORPORATION Representing Data Binary numbers 1 0 1 1 NIBBLE 0xB 1 0 1 1 1 1 0 1 0xBD 1 0 1 1 1 1 0 1 0 0 1 1 1 0 0 1 BYTE WORD 0xBD 0x39 Endianness c9 33 41 03
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics Gergely Erdélyi Senior Manager, Anti-malware Research Protecting the irreplaceable f-secure.com Binary Numbers 1 0 1 1 - Nibble B 1 0 1 1 1 1 0 1 - Byte B D 1 0 1 1 1
More informationReverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher
Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1
More informationReverse Engineering II: The Basics
Reverse Engineering II: The Basics This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationT Jarkko Turkulainen, F-Secure Corporation
T-110.6220 2010 Emulators and disassemblers Jarkko Turkulainen, F-Secure Corporation Agenda Disassemblers What is disassembly? What makes up an instruction? How disassemblers work Use of disassembly In
More informationReverse Engineering III: PE Format
Reverse Engineering III: PE Format This document is only to be distributed to teachers and students of the Malware Analysis and Antivirus Technologies course and should only be used in accordance with
More informationIntroduction to IA-32. Jo, Heeseung
Introduction to IA-32 Jo, Heeseung IA-32 Processors Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
More informationINTRODUCTION TO IA-32. Jo, Heeseung
INTRODUCTION TO IA-32 Jo, Heeseung IA-32 PROCESSORS Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer
More informationCS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017
CS 31: Intro to Systems ISAs and Assembly Martin Gagné Swarthmore College February 7, 2017 ANNOUNCEMENT All labs will meet in SCI 252 (the robot lab) tomorrow. Overview How to directly interact with hardware
More informationComplex Instruction Set Computer (CISC)
Introduction ti to IA-32 IA-32 Processors Evolutionary design Starting in 1978 with 886 Added more features as time goes on Still support old features, although obsolete Totally dominate computer market
More informationModule 3 Instruction Set Architecture (ISA)
Module 3 Instruction Set Architecture (ISA) I S A L E V E L E L E M E N T S O F I N S T R U C T I O N S I N S T R U C T I O N S T Y P E S N U M B E R O F A D D R E S S E S R E G I S T E R S T Y P E S O
More informationAdvanced Microprocessors
Advanced Microprocessors Notes #2 Software Architecture & Instruction Set Architecture Part 1 EE 467/567 Winter 2012 by Avinash Kodi SWA.1 Background Materials Textbook: 2.1, 2.2, 3.1 Other: IA-32 Intel
More informationLecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86
Lecture 15 Intel Manual, Vol. 1, Chapter 3 Hampden-Sydney College Fri, Mar 6, 2009 Outline 1 2 Overview See the reference IA-32 Intel Software Developer s Manual Volume 1: Basic, Chapter 3. Instructions
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationEXPERIMENT WRITE UP. LEARNING OBJECTIVES: 1. Get hands on experience with Assembly Language Programming 2. Write and debug programs in TASM/MASM
EXPERIMENT WRITE UP AIM: Assembly language program for 16 bit BCD addition LEARNING OBJECTIVES: 1. Get hands on experience with Assembly Language Programming 2. Write and debug programs in TASM/MASM TOOLS/SOFTWARE
More informationInstruction Set Architectures
Instruction Set Architectures ISAs Brief history of processors and architectures C, assembly, machine code Assembly basics: registers, operands, move instructions 1 What should the HW/SW interface contain?
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College September 25, 2018 Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between programmer
More informationComputer Processors. Part 2. Components of a Processor. Execution Unit The ALU. Execution Unit. The Brains of the Box. Processors. Execution Unit (EU)
Part 2 Computer Processors Processors The Brains of the Box Computer Processors Components of a Processor The Central Processing Unit (CPU) is the most complex part of a computer In fact, it is the computer
More informationAddressing Modes on the x86
Addressing Modes on the x86 register addressing mode mov ax, ax, mov ax, bx mov ax, cx mov ax, dx constant addressing mode mov ax, 25 mov bx, 195 mov cx, 2056 mov dx, 1000 accessing data in memory There
More informationCS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016
CS 31: Intro to Systems ISAs and Assembly Kevin Webb Swarthmore College February 9, 2016 Reading Quiz Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between
More informationx86 Assembly Tutorial COS 318: Fall 2017
x86 Assembly Tutorial COS 318: Fall 2017 Project 1 Schedule Design Review: Monday 9/25 Sign up for 10-min slot from 3:00pm to 7:00pm Complete set up and answer posted questions (Official) Precept: Monday
More informationWe can study computer architectures by starting with the basic building blocks. Adders, decoders, multiplexors, flip-flops, registers,...
COMPUTER ARCHITECTURE II: MICROPROCESSOR PROGRAMMING We can study computer architectures by starting with the basic building blocks Transistors and logic gates To build more complex circuits Adders, decoders,
More informationThe x86 Architecture
The x86 Architecture Lecture 24 Intel Manual, Vol. 1, Chapter 3 Robb T. Koether Hampden-Sydney College Fri, Mar 20, 2015 Robb T. Koether (Hampden-Sydney College) The x86 Architecture Fri, Mar 20, 2015
More informationSystems Architecture I
Systems Architecture I Topics Assemblers, Linkers, and Loaders * Alternative Instruction Sets ** *This lecture was derived from material in the text (sec. 3.8-3.9). **This lecture was derived from material
More informationX86 Addressing Modes Chapter 3" Review: Instructions to Recognize"
X86 Addressing Modes Chapter 3" Review: Instructions to Recognize" 1 Arithmetic Instructions (1)! Two Operand Instructions" ADD Dest, Src Dest = Dest + Src SUB Dest, Src Dest = Dest - Src MUL Dest, Src
More informationMODE (mod) FIELD CODES. mod MEMORY MODE: 8-BIT DISPLACEMENT MEMORY MODE: 16- OR 32- BIT DISPLACEMENT REGISTER MODE
EXERCISE 9. Determine the mod bits from Figure 7-24 and write them in Table 7-7. MODE (mod) FIELD CODES mod 00 01 10 DESCRIPTION MEMORY MODE: NO DISPLACEMENT FOLLOWS MEMORY MODE: 8-BIT DISPLACEMENT MEMORY
More informationScott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998
Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998 Assembler Syntax Everything looks like this: label: instruction dest,src instruction label Comments: comment $ This is a comment
More informationThe Microprocessor and its Architecture
The Microprocessor and its Architecture Contents Internal architecture of the Microprocessor: The programmer s model, i.e. The registers model The processor model (organization) Real mode memory addressing
More informationInstruction Set Architectures
Instruction Set Architectures! ISAs! Brief history of processors and architectures! C, assembly, machine code! Assembly basics: registers, operands, move instructions 1 What should the HW/SW interface
More informationBasic Execution Environment
Basic Execution Environment 3 CHAPTER 3 BASIC EXECUTION ENVIRONMENT This chapter describes the basic execution environment of an Intel Architecture processor as seen by assembly-language programmers.
More informationHardware and Software Architecture. Chapter 2
Hardware and Software Architecture Chapter 2 1 Basic Components The x86 processor communicates with main memory and I/O devices via buses Data bus for transferring data Address bus for the address of a
More informationInstruction Set Architectures
Instruction Set Architectures Computer Systems: Section 4.1 Suppose you built a computer What Building Blocks would you use? Arithmetic Logic Unit (ALU) OP1 OP2 OPERATION ALU RES ALU + Registers R0: 0x0000
More informationW4118: PC Hardware and x86. Junfeng Yang
W4118: PC Hardware and x86 Junfeng Yang A PC How to make it do something useful? 2 Outline PC organization x86 instruction set gcc calling conventions PC emulation 3 PC board 4 PC organization One or more
More informationChapter 11. Addressing Modes
Chapter 11 Addressing Modes 1 2 Chapter 11 11 1 Register addressing mode is the most efficient addressing mode because the operands are in the processor itself (there is no need to access memory). Chapter
More informationCS241 Computer Organization Spring 2015 IA
CS241 Computer Organization Spring 2015 IA-32 2-10 2015 Outline! Review HW#3 and Quiz#1! More on Assembly (IA32) move instruction (mov) memory address computation arithmetic & logic instructions (add,
More informationCMSC Lecture 03. UMBC, CMSC313, Richard Chang
CMSC Lecture 03 Moore s Law Evolution of the Pentium Chip IA-32 Basic Execution Environment IA-32 General Purpose Registers Hello World in Linux Assembly Language Addressing Modes UMBC, CMSC313, Richard
More informationCSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature
CSE2421 FINAL EXAM SPRING 2013 Name KEY Instructions: This is a closed-book, closed-notes, closed-neighbor exam. Only a writing utensil is needed for this exam. No calculators allowed. If you need to go
More informationMachine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어
More informationUMBC. A register, an immediate or a memory address holding the values on. Stores a symbolic name for the memory location that it represents.
Intel Assembly Format of an assembly instruction: LABEL OPCODE OPERANDS COMMENT DATA1 db 00001000b ;Define DATA1 as decimal 8 START: mov eax, ebx ;Copy ebx to eax LABEL: Stores a symbolic name for the
More informationCS241 Computer Organization Spring Introduction to Assembly
CS241 Computer Organization Spring 2015 Introduction to Assembly 2-05 2015 Outline! Rounding floats: round-to-even! Introduction to Assembly (IA32) move instruction (mov) memory address computation arithmetic
More informationAssembler Programming. Lecture 2
Assembler Programming Lecture 2 Lecture 2 8086 family architecture. From 8086 to Pentium4. Registers, flags, memory organization. Logical, physical, effective address. Addressing modes. Processor Processor
More informationAssembly Language. Lecture 2 - x86 Processor Architecture. Ahmed Sallam
Assembly Language Lecture 2 - x86 Processor Architecture Ahmed Sallam Introduction to the course Outcomes of Lecture 1 Always check the course website Don t forget the deadline rule!! Motivations for studying
More informationThe x86 Architecture. ICS312 - Spring 2018 Machine-Level and Systems Programming. Henri Casanova
The x86 Architecture ICS312 - Spring 2018 Machine-Level and Systems Programming Henri Casanova (henric@hawaii.edu) The 80x86 Architecture! To learn assembly programming we need to pick a processor family
More informationAssembly Language for Intel-Based Computers, 4 th Edition. Chapter 2: IA-32 Processor Architecture Included elements of the IA-64 bit
Assembly Language for Intel-Based Computers, 4 th Edition Kip R. Irvine Chapter 2: IA-32 Processor Architecture Included elements of the IA-64 bit Slides prepared by Kip R. Irvine Revision date: 09/25/2002
More informationLecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee
Lecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee ١ INTERNAL MICROPROCESSOR ARCHITECTURE Before a program is written or instruction investigated, internal configuration of the
More informationEthical Hacking. Assembly Language Tutorial
Ethical Hacking Assembly Language Tutorial Number Systems Memory in a computer consists of numbers Computer memory does not store these numbers in decimal (base 10) Because it greatly simplifies the hardware,
More informationSPRING TERM BM 310E MICROPROCESSORS LABORATORY PRELIMINARY STUDY
BACKGROUND 8086 CPU has 8 general purpose registers listed below: AX - the accumulator register (divided into AH / AL): 1. Generates shortest machine code 2. Arithmetic, logic and data transfer 3. One
More informationADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-11: 80x86 Architecture
ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-11: 80x86 Architecture 1 The 80x86 architecture processors popular since its application in IBM PC (personal computer). 2 First Four generations
More information6/20/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:
Introduction Efficient software development for the microprocessor requires a complete familiarity with the addressing modes employed by each instruction. This chapter explains the operation of the stack
More informationEEM336 Microprocessors I. The Microprocessor and Its Architecture
EEM336 Microprocessors I The Microprocessor and Its Architecture Introduction This chapter presents the microprocessor as a programmable device by first looking at its internal programming model and then
More informationX86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More informationAssembly Language Each statement in an assembly language program consists of four parts or fields.
Chapter 3: Addressing Modes Assembly Language Each statement in an assembly language program consists of four parts or fields. The leftmost field is called the label. - used to identify the name of a memory
More informationAssembly Language. Lecture 2 x86 Processor Architecture
Assembly Language Lecture 2 x86 Processor Architecture Ahmed Sallam Slides based on original lecture slides by Dr. Mahmoud Elgayyar Introduction to the course Outcomes of Lecture 1 Always check the course
More information6/17/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:
Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Introduction This chapter presents the microprocessor
More informationHistory of the Intel 80x86
Intel s IA-32 Architecture Cptr280 Dr Curtis Nelson History of the Intel 80x86 1971 - Intel invents the microprocessor, the 4004 1975-8080 introduced 8-bit microprocessor 1978-8086 introduced 16 bit microprocessor
More informationSystem calls and assembler
System calls and assembler Michal Sojka sojkam1@fel.cvut.cz ČVUT, FEL License: CC-BY-SA 4.0 System calls (repetition from lectures) A way for normal applications to invoke operating system (OS) kernel's
More informationChapter 2: The Microprocessor and its Architecture
Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Chapter 2: The Microprocessor and its Architecture Introduction This chapter presents the microprocessor
More informationChapter 2. lw $s1,100($s2) $s1 = Memory[$s2+100] sw $s1,100($s2) Memory[$s2+100] = $s1
Chapter 2 1 MIPS Instructions Instruction Meaning add $s1,$s2,$s3 $s1 = $s2 + $s3 sub $s1,$s2,$s3 $s1 = $s2 $s3 addi $s1,$s2,4 $s1 = $s2 + 4 ori $s1,$s2,4 $s2 = $s2 4 lw $s1,100($s2) $s1 = Memory[$s2+100]
More informationChapter 3: Addressing Modes
Chapter 3: Addressing Modes Chapter 3 Addressing Modes Note: Adapted from (Author Slides) Instructor: Prof. Dr. Khalid A. Darabkh 2 Introduction Efficient software development for the microprocessor requires
More informationMACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION
MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION Today: Machine Programming I: Basics History of Intel processors and architectures C, assembly, machine code Assembly Basics:
More informationEC-333 Microprocessor and Interfacing Techniques
EC-333 Microprocessor and Interfacing Techniques Lecture 3 The Microprocessor and its Architecture Dr Hashim Ali Fall - 2018 Department of Computer Science and Engineering HITEC University Taxila Slides
More informationIA32 Intel 32-bit Architecture
1 2 IA32 Intel 32-bit Architecture Intel 32-bit Architecture (IA32) 32-bit machine CISC: 32-bit internal and external data bus 32-bit external address bus 8086 general registers extended to 32 bit width
More informationCS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015
CS165 Computer Security Understanding low-level program execution Oct 1 st, 2015 A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns
More informationIA-32 Architecture. CS 4440/7440 Malware Analysis and Defense
IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code
More informationCS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08
CS412/CS413 Introduction to Compilers Tim Teitelbaum Lecture 21: Generating Pentium Code 10 March 08 CS 412/413 Spring 2008 Introduction to Compilers 1 Simple Code Generation Three-address code makes it
More informationIA-32 Architecture COE 205. Computer Organization and Assembly Language. Computer Engineering Department
IA-32 Architecture COE 205 Computer Organization and Assembly Language Computer Engineering Department King Fahd University of Petroleum and Minerals Presentation Outline Basic Computer Organization Intel
More informationAssembly I: Basic Operations. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Assembly I: Basic Operations Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Basic Execution Environment RAX RBX RCX RDX RSI RDI RBP RSP R8 R9 R10
More informationMachine Language, Assemblers and Linkers"
Machine Language, Assemblers and Linkers 1 Goals for this Lecture Help you to learn about: IA-32 machine language The assembly and linking processes 2 1 Why Learn Machine Language Last stop on the language
More informationBinghamton University. CS-220 Spring x86 Assembler. Computer Systems: Sections
x86 Assembler Computer Systems: Sections 3.1-3.5 Disclaimer I am not an x86 assembler expert. I have never written an x86 assembler program. (I am proficient in IBM S/360 Assembler and LC3 Assembler.)
More informationSYSC3601 Microprocessor Systems. Unit 2: The Intel 8086 Architecture and Programming Model
SYSC3601 Microprocessor Systems Unit 2: The Intel 8086 Architecture and Programming Model Topics/Reading SYSC3601 2 Microprocessor Systems 1. Registers and internal architecture (Ch 2) 2. Address generation
More informationLecture 2 Assembly Language
Lecture 2 Assembly Language Computer and Network Security 9th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 2, Assembly Language 1/37 Recap: Explorations Tools assembly
More informationCSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs
CSC 2400: Computer Systems Towards the Hardware: Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32)
More informationThe von Neumann Machine
The von Neumann Machine 1 1945: John von Neumann Wrote a report on the stored program concept, known as the First Draft of a Report on EDVAC also Alan Turing Konrad Zuse Eckert & Mauchly The basic structure
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 03, SPRING 2013
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 03, SPRING 2013 TOPICS TODAY Moore s Law Evolution of Intel CPUs IA-32 Basic Execution Environment IA-32 General Purpose Registers
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationCS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4
CS24: INTRODUCTION TO COMPUTING SYSTEMS Spring 2018 Lecture 4 LAST TIME Enhanced our processor design in several ways Added branching support Allows programs where work is proportional to the input values
More informationLab 2: Introduction to Assembly Language Programming
COE 205 Lab Manual Lab 2: Introduction to Assembly Language Programming - page 16 Lab 2: Introduction to Assembly Language Programming Contents 2.1. Intel IA-32 Processor Architecture 2.2. Basic Program
More informationInterfacing Compiler and Hardware. Computer Systems Architecture. Processor Types And Instruction Sets. What Instructions Should A Processor Offer?
Interfacing Compiler and Hardware Computer Systems Architecture FORTRAN 90 program C++ program Processor Types And Sets FORTRAN 90 Compiler C++ Compiler set level Hardware 1 2 What s Should A Processor
More informationHLA v2.0 Intermediate Code Design Documentation
HLA v2.0 Intermediate Code Design Documentation This document describes the internal format of HLA v2.0s intermediate code that the code generator uses. This document assumes that the reader is familiar
More informationx86 architecture et similia
x86 architecture et similia 1 FREELY INSPIRED FROM CLASS 6.828, MIT A full PC has: PC architecture 2 an x86 CPU with registers, execution unit, and memory management CPU chip pins include address and data
More informationAssembly Language Lab # 9
Faculty of Engineering Computer Engineering Department Islamic University of Gaza 2011 Assembly Language Lab # 9 Stacks and Subroutines Eng. Doaa Abu Jabal Assembly Language Lab # 9 Stacks and Subroutines
More information1. Introduction to Assembly Language
www.vchowk.com 1. Introduction to Assembly Language Solved EXERCISE 1 Note: Dear fellows I tried my best to solve this exercise questions if there s any mistake or doubt in any question correct it and
More informationThe Instruction Set. Chapter 5
The Instruction Set Architecture Level(ISA) Chapter 5 1 ISA Level The ISA level l is the interface between the compilers and the hardware. (ISA level code is what a compiler outputs) 2 Memory Models An
More informationCOS 318: Operating Systems. Overview. Prof. Margaret Martonosi Computer Science Department Princeton University
COS 318: Operating Systems Overview Prof. Margaret Martonosi Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall11/cos318/ Announcements Precepts: Tue (Tonight)!
More informationReview Questions. 1 The DRAM problem [5 points] Suggest a solution. 2 Big versus Little Endian Addressing [5 points]
Review Questions 1 The DRAM problem [5 points] Suggest a solution 2 Big versus Little Endian Addressing [5 points] Consider the 32-bit hexadecimal number 0x21d3ea7d. 1. What is the binary representation
More informationLow Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź
Low Level Programming Lecture 2 Intel processors' architecture reminder Fig. 1. IA32 Registers IA general purpose registers EAX- accumulator, usually used to store results of integer arithmetical or binary
More informationCSC 8400: Computer Systems. Machine-Level Representation of Programs
CSC 8400: Computer Systems Machine-Level Representation of Programs Towards the Hardware High-level language (Java) High-level language (C) assembly language machine language (IA-32) 1 Compilation Stages
More informationCS499. Intel Architecture
CS499 Intel Architecture Intel Architecture References IA-32 Intel Architecture Software Developer s Manual, Volume 1: Basic Architecture Volume 2: Instruction Set Reference www.intel.com/design/pentiumii/manuals/
More informationThe von Neumann Machine
The von Neumann Machine 1 1945: John von Neumann Wrote a report on the stored program concept, known as the First Draft of a Report on EDVAC also Alan Turing Konrad Zuse Eckert & Mauchly The basic structure
More informationAddressing Modes. Outline
Addressing Modes Chapter 11 S. Dandamudi Outline Addressing modes Simple addressing modes Register addressing mode Immediate addressing mode Memory addressing modes 16-bit and 32-bit addressing» Operand
More informationCSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM
CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM February 7, 2008 1 Overview The purpose of this assignment is to introduce you to the assembly language
More informationMachine and Assembly Language Principles
Machine and Assembly Language Principles Assembly language instruction is synonymous with a machine instruction. Therefore, need to understand machine instructions and on what they operate - the architecture.
More informationEEM336 Microprocessors I. Addressing Modes
EEM336 Microprocessors I Addressing Modes Introduction Efficient software development for the microprocessor requires a complete familiarity with the addressing modes employed by each instruction. This
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationRegisters. Ray Seyfarth. September 8, Bit Intel Assembly Language c 2011 Ray Seyfarth
Registers Ray Seyfarth September 8, 2011 Outline 1 Register basics 2 Moving a constant into a register 3 Moving a value from memory into a register 4 Moving values from a register into memory 5 Moving
More informationWinter Compiler Construction T11 Activation records + Introduction to x86 assembly. Today. Tips for PA4. Today:
Winter 2006-2007 Compiler Construction T11 Activation records + Introduction to x86 assembly Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University Today ic IC Language Lexical Analysis
More informationDr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1
Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD 21252 rkarne@towson.edu 11/12/2014 Slide 1 Intel x86 Aseembly Language Assembly Language Assembly Language
More informationAssembly Language: IA-32 Instructions
Assembly Language: IA-32 Instructions 1 Goals of this Lecture Help you learn how to: Manipulate data of various sizes Leverage more sophisticated addressing modes Use condition codes and jumps to change
More information2.7 Supporting Procedures in hardware. Why procedures or functions? Procedure calls
2.7 Supporting Procedures in hardware Why procedures or functions? Procedure calls Caller: Callee: Proc save registers save more registers set up parameters do function call procedure set up results get
More informationAssembly level Programming. 198:211 Computer Architecture. (recall) Von Neumann Architecture. Simplified hardware view. Lecture 10 Fall 2012
19:211 Computer Architecture Lecture 10 Fall 20 Topics:Chapter 3 Assembly Language 3.2 Register Transfer 3. ALU 3.5 Assembly level Programming We are now familiar with high level programming languages
More information