Hello ASM World: A Painless and Contextual Introduction to x86 Assembly
Transcript of Hello ASM World: A Painless and Contextual Introduction to x86 Assembly
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly
rogueclown, DerbyCon 3.0
September 28, 2013
who?
• security consultant by vocation
• mess around with computers, code, CTFs by avocation
• frustrated when things feel like a black box
what is assembly language?
• not exactly machine language…but close
  – instructions: mnemonics for machine operations
  – normally a one-to-one correlation between ASM instruction and machine instruction
• varies by processor
  – today, we will be discussing 32-bit x86
why learn assembly language?
• some infosec disciplines require it
• curious about lower-level details of memory or interfacing with an operating system
• it’s fun and challenging!
how does assembly language work?
hello memory
• what parts of computer memory does assembly language commonly access?
• how does assembly language access those parts of computer memory?
where is this memory?
• what one “normally” thinks of as memory
  – RAM
  – virtual memory
• CPU
  – registers
computer memory layout
• heap
  – global variables, usually allocated at compile-time
  – envision a bookshelf…that won’t let you push books together when you take one out
• stack
  – local, contextual variables
  – envision a card game discard pile
  – you will use this when coding ASM. a lot.
registers
• memory located on the CPU
• registers are awesome because they are fast.
• registers are a pain because they are tiny.
registers
• general purpose registers
  – alphabet soup
    • eax, ebx, ecx, edx
    • can address in parts: ax, ah, al
  – stack and base pointers
    • esp
    • ebp
  – index registers
    • esi, edi
registers
• instruction pointer
  – eip: records the next instruction for the program to follow
• other registers
  – eflags
  – segment registers
instructions
• mov
  – moves a value to a register
  – can either specify a value, or specify a register where a value resides
• syntax in assembly (the same instruction written both ways)
  – Intel syntax: mov ebx, 0xfee1dead
  – AT&T syntax: mov $0xfee1dead, %ebx
instructions
• interrupt
  – int 0x80
  – int 0x3
• system calls
  – how a program interacts with the kernel of the OS
instructions
• mathematical instructions
  – add, sub, mul, div

```nasm
mov eax, 10
cdq             ; sign-extend eax into edx: edx is now 0
mov ebx, 3      ; div takes a register or memory operand, not an immediate
div ebx         ; edx:eax / ebx -> eax is now 3 (quotient), edx is now 1 (remainder)
```

  – dec, inc: useful for looping

```nasm
mov ecx, 3
dec ecx         ; ecx is now 2
```
jumps
• jge, jg, jle, jl
  – work with a compare (cmp) instruction
• jz, jnz, js, jns
  – check zero flag or sign flag for jump
instructions
• stack operations: push and pop

```nasm
mov eax, 10
push eax        ; 10 on top of stack
inc eax         ; eax is now 11
push eax        ; 11 on top of stack
pop ebx         ; ebx is now 11
pop ecx         ; ecx is now 10
```
instructions
• function access instructions
  – call
    • places the address of the next instruction on top of the stack
    • moves execution to identified function
  – ret
    • returns to the memory address on top of the stack
    • designed to work in tandem with the “call” instruction…but we’re hackers, yes?
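As an added example that is not part of the talk, here is a toy Python interpreter for the handful of 32-bit x86 instructions used on the math, stack and call/ret slides above, so the register and stack comments on those slides can be checked by running them. Code addresses are list indices into the program and the starting esp value is constructed; both are assumptions of this model, not facts about the talk's setup.

```python
# Added example, not from the talk: a toy interpreter for the handful of
# 32-bit x86 instructions used on the slides.  Code addresses are indices
# into the program list and the starting esp is a constructed value.
MASK = 0xFFFFFFFF

def run(program, entry=0):
    regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp")}
    regs["esp"] = 0xBFFFF000                # constructed initial stack pointer
    stack = {}                              # address -> 32-bit value
    eip = entry
    def val(op):                            # register name or immediate
        return regs[op] if isinstance(op, str) else op & MASK
    while eip < len(program):
        op, *args = program[eip]
        eip += 1                            # eip now holds the *next* instruction
        if op == "mov":
            regs[args[0]] = val(args[1])
        elif op == "cdq":                   # sign-extend eax into edx
            regs["edx"] = MASK if regs["eax"] & 0x80000000 else 0
        elif op == "div":                   # unsigned edx:eax / src -> eax, edx
            dividend = (regs["edx"] << 32) | regs["eax"]
            divisor = val(args[0])
            if divisor == 0:
                raise ZeroDivisionError("#DE: divide by zero")
            q, r = divmod(dividend, divisor)
            if q > MASK:
                raise OverflowError("#DE: quotient does not fit in eax")
            regs["eax"], regs["edx"] = q, r
        elif op == "inc":
            regs[args[0]] = (regs[args[0]] + 1) & MASK
        elif op == "dec":
            regs[args[0]] = (regs[args[0]] - 1) & MASK
        elif op == "push":                  # stack grows down; esp points at the top
            regs["esp"] = (regs["esp"] - 4) & MASK
            stack[regs["esp"]] = val(args[0])
        elif op == "pop":
            regs[args[0]] = stack.pop(regs["esp"])
            regs["esp"] = (regs["esp"] + 4) & MASK
        elif op == "call":                  # push return address, then jump
            regs["esp"] = (regs["esp"] - 4) & MASK
            stack[regs["esp"]] = eip
            eip = args[0]
        elif op == "ret":                   # jump to whatever is on top of the stack
            eip = stack.pop(regs["esp"])
            regs["esp"] = (regs["esp"] + 4) & MASK
        else:
            raise ValueError(f"unsupported instruction {op}")
    return regs, stack
```

The two `div` error branches model the cases where the real CPU raises a divide error (#DE), which is why the `cdq` before a signed division matters: a stale edx turns a small dividend into a huge one.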
sections of ASM code
• .data
  – constant variables initialized at compile time
• .bss
  – declaration of variables that are set or changed during runtime
• .text
  – executable instructions
$%&#@%^ instructions: how do they work?
putting it together
• time to take a bit of C code, and reimplement it in assembly language!
where does shellcode come in?
what is shellcode?
• instructions injected into a running process
• lacks some of the luxuries of writing a stand-alone program
  – no laying out nice memory segments in a .bss or .data section
  – basically, just one big .text section
a first stab at shellcode…
• this is going to look mostly familiar, except for how data is handled.
why did it fail?
• bad characters
  – shellcode is often passed to an application as a string.
  – if a character makes a string act funny, you may not want it in your shellcode
    • 0x00, 0x0a, 0x0d, etc.
  – use an encoder, or do it yourself
try that shellcode again…
where can i learn more about assembly language?
suggested resources
• dead trees
  – “Hacking: The Art of Exploitation” by Jon Erickson
  – “Practical Malware Analysis” by Michael Sikorski and Andrew Honig
  – “Gray Hat Python” by Justin Seitz
suggested resources
• the series of tubes
  – http://ref.x86asm.net – quick and dirty opcode reference
  – http://www.nasm.us/doc – Netwide Assembler documentation
• system calls
  – Linux:
    • /usr/include/asm/unistd.h
    • man 2 $syscall
  – Windows:
    • http://msdn.microsoft.com/library/windows/desktop/hh920508%28vs.85%29 – Windows API reference
how to find me
• Twitter: @rogueclown
• email: [email protected]
• IRC: #derbycon, #misec, or #burbsec on Freenode
• or, just wave me down at the con