Digital Forensics Lecture 3 - Reverse Engineering

Similar documents
Digital Forensics Lecture 4 - Reverse Engineering

Assembly Language: Function Calls

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Practical Malware Analysis

Program Exploitation Intro

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Memory Models. Registers

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

The x86 Architecture

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

x86 assembly CS449 Fall 2017

Lecture 4 CIS 341: COMPILERS

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12

CS61 Section Solutions 3

An Introduction to x86 ASM

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

CS356: Discussion #6 Assembly Procedures and Arrays. Marco Paolieri

CSC 8400: Computer Systems. Machine-Level Representation of Programs

Microprocessors ( ) Fall 2010/2011 Lecture Notes # 15. Stack Operations. 10 top

Complex Instruction Set Computer (CISC)

Towards the Hardware"

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Assignment 11: functions, calling conventions, and the stack

Second Part of the Course

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

x86 Assembly Tutorial COS 318: Fall 2017

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures

Compiler construction. x86 architecture. This lecture. Lecture 6: Code generation for x86. x86: assembly for a real machine.

W4118: PC Hardware and x86. Junfeng Yang

Assembly Language Programming: Procedures. EECE416 uc. Charles Kim Howard University. Fall

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

Module 3 Instruction Set Architecture (ISA)

Representation of Information

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

Introduction to IA-32. Jo, Heeseung

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

INTRODUCTION TO IA-32. Jo, Heeseung

x86 architecture et similia

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

MICROPROCESSOR TECHNOLOGY

Hardware and Software Architecture. Chapter 2

CS241 Computer Organization Spring 2015 IA

The Instruction Set. Chapter 5

History of the Intel 80x86

Summary: Direct Code Generation

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź

CSE351 Spring 2018, Midterm Exam April 27, 2018

CS429: Computer Organization and Architecture

Machine Program: Procedure. Zhaoguo Wang

Assembly Language. Lecture 2 - x86 Processor Architecture. Ahmed Sallam

Review Questions. 1 The DRAM problem [5 points] Suggest a solution. 2 Big versus Little Endian Addressing [5 points]

Subprograms: Local Variables

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 6

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Lab 3. The Art of Assembly Language (II)

For your convenience Apress has placed some of the front matter material after the index. Please use the Bookmarks and Contents at a Glance links to

CSC 2400: Computer Systems. Using the Stack for Function Calls

Lab 2: Introduction to Assembly Language Programming

Computer Organization & Assembly Language Programming

Basic Execution Environment

Computer Architecture and Assembly Language. Practical Session 3

Assembly Language. Lecture 2 x86 Processor Architecture

Assembly Language: Overview!

Assembly Language for Intel-Based Computers, 4 th Edition. Chapter 2: IA-32 Processor Architecture Included elements of the IA-64 bit

3. Process Management in xv6

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

16.317: Microprocessor Systems Design I Fall 2014

Machine and Assembly Language Principles

CSE351 Autumn 2012 Midterm Exam (5 Nov 2012)

We can study computer architectures by starting with the basic building blocks. Adders, decoders, multiplexors, flip-flops, registers,...

CS401 - Computer Architecture and Assembly Language Programming Glossary By

Computer Systems Lecture 9

X86 Stack Calling Function POV

231 Spring Final Exam Name:

Inline Assembler. Willi-Hans Steeb and Yorick Hardy. International School for Scientific Computing

How Software Executes

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

CS61, Fall 2012 Midterm Review Section

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

SOEN228, Winter Revision 1.2 Date: October 25,

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

CSE P 501 Compilers. x86 Lite for Compiler Writers Hal Perkins Autumn /25/ Hal Perkins & UW CSE J-1

16.317: Microprocessor Systems Design I Fall 2015

Chapter 3: Addressing Modes

COMP 303 Computer Architecture Lecture 3. Comp 303 Computer Architecture

Chapter 11. Addressing Modes

Chapter 2. lw $s1,100($s2) $s1 = Memory[$s2+100] sw $s1,100($s2) Memory[$s2+100] = $s1

x86 assembly CS449 Spring 2016

Computer System Architecture

CSC 2400: Computer Systems. Using the Stack for Function Calls

Transcription:

Digital Forensics Lecture 3 - Reverse Engineering Low-Level Software Akbar S. Namin Texas Tech University Spring 2017

Reverse Engineering High-Level Software Low-level aspects of software are often the only ones visible for RE High-Level Perspectives Modules The largest building block for a program Binary files that contain isolated areas of a program s executable Two basic types of modules Static libraries» Represent a feature or an area of functionalities in the program» An external, third-party library that adds certain functionality Dynamic libraries» Dynamic Link Libraries (DLLs)» Similar to static libraries, except that they are not embedded into the program» They remain in a separate file» It allows for upgrading individual components in a program without updating the entire program

Reverse Engineering High-Level Software Low-level aspects of software are often the only ones visible for RE High-Level Perspectives Common Code Constructs Two basic code-level constructs: Procedures» A piece of well-defined code that can be invoked by other areas in the program Objects» Dividing a program into objects

Reverse Engineering High-Level Software Low-level aspects of software are often the only ones visible for RE High-Level Perspectives Data Management Variables The key to managing and storing data User-Defined Data Structures Simple constructs to represent a group of data fields, each with its own type Related fields Lists: a group of data items that share the same data type Arrays Linked lists Trees

Low-level aspects of software are often the only ones visible for RE Low-level data management High-level programming languages hide details of data management Even ANSI C (a relatively low-level language) hides significant data management details

Example: The Multiply program A low-level representation should: Store machine state prior to executing code Allocate memory for z Load parameters x and y from memory into internal processor memory (registers) Multiply x by y and store the result in a register Optionally copy the multiplication result back into the memory area previously allocated for z Restore machine state stored earlier Return to called and send back z as the return value

Registers (internal memory) Used by microprocessors to avoid having to access the RAM for every instruction Small chunks of internal memory that resides within the processor Can be accessed very easily with no performance penalty Assembly language code usually uses them (complexity) In the example: x and y cannot be directly multiplied from memory The code must first load one of them into a register and then multiply that register by the value that exist in RAM Compilers also use them for storing (caching) frequently used values When reversing, the values loaded into each register must be detected

The stack An area in program memory is used for short-term storage of information by the CPU and the program Registers are used for storing the most immediate data; stack is used for storing slightly longer-term data Stacks reside in RAM Memory for stacks is allocated from the top down Stack grows backward towards the lower addresses

The stack: Push

The stack: Pop

Stack can be used for: Translating saved register values Used when a procedure is called that needs to make use of certain registers The procedure might need to preserve the values of registers to ensure it does not corrupt any registers by its callers Local variables Used for storing local variables that must be stored in RAM E.g., when we want to call a function and have it write a value into a local variable defined in the current function Function parameters and return addresses Used for implementing function calls The caller passes parameters to the callee Stack is used for storing both parameters and the instruction pointer for each procedure call

Heaps Allows the dynamic allocation of variable-sized blocks of memory in runtime A program requests a block of a certain size and receives a pointer to the newly allocated block The variable-sized objects are used by the program for objects that are too big to be placed on the stack For reversing: locating heaps in memory and properly identifying heap allocation and freeing routines can be helpful Eg. A call to a heap allocation routine, we can follow the flow of the procedure s return value throughout the program and see what is done with the allocated block

Executable Data Sections Used for storing application data In high-level languages, this area contains either global variables ot preinitialized data Pre-initialized data: Any kind of constant, hard-coded information included with the program Any kind of hard-coded string inside a program E.g., char szwelcome = This string will be stored in the executable s pre-initialized data section ; Causing the compiler to store the string in the executable s pre-initialized data section, regardless of where in the code szwelcome is declared To access this string, the compiler emits a hard-coded address that points to the string When reversing, it is identifiable, because hard-coded memory addresses are rarely used for anything other than pointing to the executable s data section

Based on Intel s 32-bit architecture (x86 CPUs) Registers Eight generic registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP E stands for Extended TTU-CS5374-Fall2013

General purpose registers

Flags Special register called EFLAGS Contains all kinds of status and system flags System Flags: Used for managing the various processor modes and states Status Flags: Used by the processor for recording its current logical state updated by many logical and integer instructions in order to record the outcome of their actions A basic tool for creating conditional code There are arithmetic instructions to test operands for certain conditions There are instructions that read these flags and perform different operations depending on their values E.g., Jcc (Conditional Jump) instructions (like GOTO)

Flags, Example of conditional jump Consider a variable bsuccess And a code that test whether it is false or not if (bsuccess == FALSE) return 0; Its assemble language version? We must test the value of bsuccess Loaded into a register first Set some flags that record whtether it is zero ot not Invoke a conditional branch instruction that tests the necessary flags Branch if they indicate that the operand handled in the most recent instruction was zero (using the Zero Flag (ZF)) Otherwise, the processor will proceed to execute the instruction that follows the branch instruction

Arithmetic instructions E.g., TTU-CS5374-Fall2013

Comparing operands CMP operand1, Operand2 The result of the comparison is recorded in the processor s flags In fact: CMP subtracts Operand2 from Operand1 and discards the result, while setting all of the relevant flags If the result of the subtraction is zero, the Zero Flag (ZF) is set.

Conditional branches Jcc TargetCodeAddress Conditionally branch to a specific address, based on certain conditions Function calls CALL FunctionAddress Call a function and the RET instruction returns to the caller The CALL instruction pushes the current instruction pointer onto the stack When a function completes, it invokes the RET instruction RET pops the instruction pointer pushed to the stack by CALL and resumes execution from that address

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback