ia 32 architecture
play

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel - PowerPoint PPT Presentation

Apr 11, 2024 •505 likes •1.1k views

IA-32 Architecture CS 4440/7440 Malware Analysis and Defense Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code for applications and malware is not

  1. IA-32 Architecture CS 4440/7440 Malware Analysis and Defense

  2. Intel x86 Architecture } Security professionals constantly analyze assembly language code } Many exploits are written in assembly } Source code for applications and malware is not available in most cases } We cover only the modern 32-bit view of the x86 architecture 2

  3. x86 Primer } CISC architecture } Lots of instructions and addressing modes } Operands can be taken from memory } Instructions are variable length } Depends on operation } Depends on addressing modes } Architecture manuals at: http://www.intel.com/products/processor/manuals/index.htm 3

  4. x86 Registers } Eight 32-bit general registers: } EAX, EBX, ECX, EDX, ESI, EDI, } ESP (stack pointer), } EBP (base pointer, a.k.a. frame pointer) } Names are not case-sensitive and are usually lower-case in assembly code (e.g. eax, ecx) 4

  5. x86 Registers } 8 general-purpose 32-bit registers AX EAX AH AL } ESP is the stack pointer; EBP is EDX DX DH DL the frame pointer ECX CX CH CL } Not all registers can be used EBX BX for all operations BL BH EBP BP } Multiplication, division, shifting use specific registers ESI SI EDI DI ESP SP 5

  6. x86 Floating-point Registers } Floating-point unit uses a stack 79 78 64 63 0 } Each register is 80-bits SIGN EXPONENT SIGNIFICAND R0 R1 wide (doesn’t use IEEE FP R2 standard) R3 R4 R5 R6 R7 6

  7. x86 Instructions } In MASM (Microsoft Assembler), the first operand is usually a destination, and the second operand is a source: mov eax,ebx ; eax := ebx } Two-operand instructions are most common, in which first operand is both source and destination: add eax,ecx ; eax := eax + ecx } Semicolon begins a comment 7

  8. x86 Data Declarations } Must be in a data section } Give name, type, optional initialization: .DATA count DW 0 ; 16-bit, initialized to 0 answer DD ? ; 32-bit, uninitialized } Can declare arrays: array1 DD 100 DUP(0) ; 100 32-bit values, ; initialized to zero 8

  9. x86 Memory Operations } “lea” instruction means “load effective address: lea eax,[count] ; eax := address of count } Can move through an address pointer lea ebx,[count] ; ebx := address of count mov [ebx],edx ; count := edx ; ebx is a pointer ; [ebx] dereferences it } We also will see the stack used as memory 9

  10. x86 Stack Operations The x86 stack is managed using the ESP (stack pointer) } register, and specific stack instructions: push ecx ; push ecx onto stack 1. pop ebx ; pop top of stack into register ebx 2. call foo ; push address of next instruction on 3. ; stack, then jump to label foo ret ; pop return address off stack, then 4. ; jump to it 10

  11. x86 Hardware Stack The x86 stack grows downward in memory addresses } Decrementing ESP increases stack size; } incrementing ESP reduces it } 11

  12. x86 Hardware Stack Higher addresses Memory Lower addresses Stack top ESP garbage 12

  13. x86 Stack after “push ESI” Higher addresses Memory Lower addresses Old stack top ESI ESP garbage 13

  14. x86 Stack after call Higher addresses Memory Lower addresses Old stack top ESI Return addr ESP garbage 14

  15. x86 Stack after ret Higher addresses Memory Lower addresses Old stack top ESI ESP Old return addr. garbage 15

  16. x86 C Calling Convention A calling convention is an agreement } among software designers (e.g. of compilers, compiler libraries, assembly } language programmers) on how to use registers and memory in subroutines NOT enforced by hardware! } Allows software pieces to interact } compatibly, e.g. a C function can call an ASM } function, and vice versa 16

  17. C Calling Convention cont. § Questions answered by a calling convention: 1. How are parameters passed? 2. How are values returned? 3. Where are local variables stored? 4. Which registers must the caller save before a call, and which registers must the callee save if it uses them? 17

  18. How Are Parameters Passed? § Most machines use registers, because they are faster than memory § x86 has too few registers to do this § Therefore, the stack must be used to pass parameters § Parameters are pushed onto the stack in reverse order 18

  19. Why Pass Parameters in Reverse Order? § Some C functions have a variable number of parameters § First parameter determines the number of remaining parameters! § Example: printf("%d %d %s\n", …); § printf() library function § reads first parameter, then § determines that the number of remaining parameters is 3 19

  20. Reverse Order Parameters cont. string § printf() will always find the integer first parameter integer EBP + 12 at [EBP + 8] Format string pointer EBP + 8 EBP + 4 Return address EBP 20

  21. What if Parameter Order was NOT Reversed? § printf() will always find the LAST parameter at [EBP + 8]; not helpful Format string pointer EBP + ??? How many parameters are in this region ???? Last parameter EBP + 8 EBP + 4 Return address EBP 21

  22. C Calling Convention cont. § Questions answered by a calling convention: 1. How are parameters passed? 2. How are values returned? 3. Where are local variables stored? 4. Which registers must the caller save before a call, and which registers must the callee save if it uses them? 22

  23. How are Values Returned? § Register eax contains the return value § This means x86 can only return a 32-bit value from a function § Smaller values are zero extended or sign extended to fill register eax § If a programming language permits return of larger values (structures, objects, arrays, etc.), § a pointer to the object is returned in register eax 23

  24. C Calling Convention cont. § Questions answered by a calling convention: 1. How are parameters passed? 2. How are values returned? 3. Where are local variables stored? 4. Which registers must the caller save before a call, and which registers must the callee save if it uses them? 24

  25. Where are Local Variables Stored? § Stack frame for the currently executing function is between where EBP and ESP point in the stack Last parameter First parameter Return address Saved EBP EBP Local var 1 EBP - 4 Local var 2 EBP - 8 Local var 3 ESP 25

  26. C Calling Convention cont. § Questions answered by a calling convention: 1. How are parameters passed? 2. How are values returned? 3. Where are local variables stored? 4. Which registers must the caller save before a call, and which registers must the callee save if it uses them? 26

  27. Who Saves Which Registers? § It is efficient to have the caller save some registers before the call, leaving others for the callee to save § x86 only has 8 general registers; 2 are used for the stack frame (ESP and EBP) § The other 6 are split between callee-saved (ESI, EDI) and caller-saved § Remember: Just a convention , or agreement, among software designers 27

  28. What Does the Caller Do? § Example: Call a function and pass 3 integer parameters to it push edx ; caller-saved register push [foo] ; Var foo is last parameter push ebx ; ebx is second parameter push eax ; eax is first parameter call baz ; push return address, jump add esp,12 ; toss old parameters pop edx ; restore caller-saved edx ; eax holds return value § eax, ebx did not need to be saved here 28

  29. Stack after Call § x86 stack immediately after call baz Caller locals EBP edx Caller-saved reg. [foo] Last parameter ebx Second parameter eax First parameter inst. after call Return address ESP baz 29

  30. Callee Stack Frame Setup § The standard subroutine prologue code sets up the new stack frame: ; Prologue code at top of function push ebp ; save old base pointer move ebp,esp ; Set new base pointer sub esp,12 ; Make room for locals push esi ; Func uses ESI, so save : : This code sets up the stack frame of the callee 30

  31. Stack After Prologue Code edx Caller-saved reg. § After the [foo] Last parameter prologue code sets ebx Second parameter up the new stack eax First parameter frame: inst. after call Return address baz For caller Saved EBP EBP stack frame k Local var 1 EBP - 4 j Local var 2 EBP - 8 i Local var 3 EBP - 12 esi Callee-saved reg. ESP 31

  32. Callee Stack Frame Cleanup } Epilogue code at end cleans up frame (mirror image of prologue): ; Epilogue code at bottom of function pop esi ; Restore callee-saved ESI move esp,ebp ; Deallocate stack frame pop ebp ; Restore caller’s EBP ret ; return 32

  33. Stack After Return } After epilogue code and return: Caller locals EBP edx Caller-saved reg. [foo] Last parameter ebx Second parameter eax First parameter ESP inst. after call Return address baz 33

  34. Caller Stack Cleanup } After the return, caller has a little cleanup code: add esp,12 ; deallocate parameter space pop edx ; restore caller-saved register 34

  35. Today } Finish covering x86 background } Reading Assignment } Szor, Chapter 2 (if you haven’t already) } “Smashing the Stack for Fun and Profit” } We will cover some details of the PE file format } Szor, pp. 160-172, section 4.3.2.1, describes PE format } Pay special attention to pp. 163-165, where the fields of interest to virus creators are discussed 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Where does architecture come from? What order? Use an architecture youve seen before

1 Where does architecture come from? What order? Use an architecture youve seen before

Architecture 2 1 Announcements What is Architecture? Final project hand-in and documentation Big picture Structure or structures that support the system Early design decisions Architecture is the design decisions you

275 views • 5 slides
Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

Overview of Sofware Architecture Sofware Architecture VO (706.706) Roman Kern 2020-10-04

# These slides should give an overview of the sofware architecture, and what its role is. # Why and when is sofware architecture important. # In other words: sofware architecture in a nutshell ! Overview of Sofware Architecture Sofware

207 views • 7 slides
SE2: Introduction to Software Architecture Mei Nagappan What is Architecture? Encyclopedia

SE2: Introduction to Software Architecture Mei Nagappan What is Architecture? Encyclopedia

Material and some slide content from: - Emerson Murphy-Hill - Reid Holmes - Mehdi Mirakhorli - Software Architecture: Foundations, Theory, and Practice - Essential Software Architecture SE2: Introduction to Software Architecture Mei Nagappan

341 views • 31 slides
Instruction Set Architecture ( ISA ) 1 / 28 instructions 2 / 28 Instruction Set Architecture

Instruction Set Architecture ( ISA ) 1 / 28 instructions 2 / 28 Instruction Set Architecture

Instruction Set Architecture ( ISA ) 1 / 28 instructions 2 / 28 Instruction Set Architecture Also called (computer) architecture Implementation --> actual realisation of ISA ISA can have multiple implementations ISA allows

825 views • 28 slides
A lthough architecture has be- Five core concepts and relationships metaphor for the design of

A lthough architecture has be- Five core concepts and relationships metaphor for the design of

S T A N D A R D S Software product lines, and product families in which software plays a substantial role in development, operation, or evolution. Architecture: WHAT IS AN ARCHITECTURE? Although defining architecture in the context of

314 views • 3 slides
HAMPTON MILLENNIAL VILLAGE . Who we are Architecture: Hampton University is a private

HAMPTON MILLENNIAL VILLAGE . Who we are Architecture: Hampton University is a private

The Millennial Village Team is made up of 5 architecture students and one electrical 4 th year Architecture 5 th year Architecture 4 th year Architecture Lead-advisor: engineering Prof. Laura Battaglia (Lead) Kobi Henson Ty Champion Amir

640 views • 35 slides
Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of

Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of

Wonders of Modern Architecture Oh, the wonders of modern architecture! The geniuses of architecture today continue to create design masterpieces that could make one proud of being a citizen of the 21st Century! Enjoy the beauty of these modern

832 views • 52 slides
Instruction Set Architecture Assembly Language View Computer Architecture: Instruction Set

Instruction Set Architecture Assembly Language View Computer Architecture: Instruction Set

Instruction Set Architecture Assembly Language View Computer Architecture: Instruction Set Processor state Application Program Registers, memory, Architecture Instructions Compiler OS addq , pushq , ret , How

239 views • 7 slides
Introduction to Software Architecture Reid Holmes Architecture Architecture is: All

Introduction to Software Architecture Reid Holmes Architecture Architecture is: All

Introduction to Software Architecture Reid Holmes Architecture Architecture is: All about communication. What parts are there? How do the parts fit together? Architecture is not: About development. About

392 views • 18 slides
From Requirements to Architecture Ana Moreira Software Architecture - Basics 1 Goals

From Requirements to Architecture Ana Moreira Software Architecture - Basics 1 Goals

From Requirements to Architecture Ana Moreira Software Architecture - Basics 1 Goals Understanding the importance of software architecture what is software architecture Discussing emerging issues in the transition from requirements to

521 views • 24 slides
CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and

CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and optimizations] Day1: January 3, 2000 Architecture and overview Caltech CS184b Winter2001 -- DeHon 1 Today This Quarter What is

341 views • 15 slides
A New Golden Age for 1. Software advances can inspire architecture Computer Architecture:

A New Golden Age for 1. Software advances can inspire architecture Computer Architecture:

8/28/19 Lessons of last 50 years of Computer Architecture A New Golden Age for 1. Software advances can inspire architecture Computer Architecture: innovations 2. Raising the hardware/software interface creates History, Challenges, and

1.08k views • 14 slides
CMS Strip Readout Architecture for SLHC OUTLINE brief review of LHC strip readout architecture p

CMS Strip Readout Architecture for SLHC OUTLINE brief review of LHC strip readout architecture p

CMS Strip Readout Architecture for SLHC OUTLINE brief review of LHC strip readout architecture p proposed architecture for SLHC front end amplifier design in 130nm system architecture ideas system architecture ideas triggering possibilities

369 views • 24 slides
IMS based NGN IMS based NGN Architecture Architecture and its application and its application

IMS based NGN IMS based NGN Architecture Architecture and its application and its application

I nternational Telecom m unication Union ITU-T IMS based NGN IMS based NGN Architecture Architecture and its application and its application Dick Knight BT Group plc I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1

218 views • 17 slides
CE419 Session 11: Web Application Architecture Web Programming 1 What is architecture ? There

CE419 Session 11: Web Application Architecture Web Programming 1 What is architecture ? There

CE419 Session 11: Web Application Architecture Web Programming 1 What is architecture ? There are two common elements: One is the highest-level breakdown of a system into its parts; the other, decisions that are hard to change. 2

503 views • 26 slides
Wooden Architecture. Traditional Karelian Timber Architecture and Landscape Seventh Framework

Wooden Architecture. Traditional Karelian Timber Architecture and Landscape Seventh Framework

Wooden Architecture. Traditional Karelian Timber Architecture and Landscape Seventh Framework Programme Marie Curie Actions People International Research Staff Exchange Scheme Annex I Acronym: Wooden Architecture Proposal number:269185

361 views • 35 slides
BURNABY BOARD OF TRADE WARMING CENTRES YOUR VOICE. YOUR HOME. HOUSING & WORK FORCE SUPPLY

BURNABY BOARD OF TRADE WARMING CENTRES YOUR VOICE. YOUR HOME. HOUSING & WORK FORCE SUPPLY

HOUSING DEVELOPMENT BURNABY BOARD OF TRADE WARMING CENTRES YOUR VOICE. YOUR HOME. HOUSING & WORK FORCE SUPPLY PARKLAND REFINERY HEALTH CARE FINANCIAL RESERVES YOUR VOICE AT CITY HALL NEW RECREATION INFRASTRUCTURE South Burnaby

293 views • 18 slides
Small ReLU networks are powerful memorizers: a tight analysis of memorization capacity Chulhee

Small ReLU networks are powerful memorizers: a tight analysis of memorization capacity Chulhee

Small ReLU networks are powerful memorizers: a tight analysis of memorization capacity Chulhee Yun, Suvrit Sra, Ali Jadbabaie Laboratory for Information and Decision Systems, MIT Given a ReLU fully-connected network, how many hidden nodes

670 views • 19 slides
Suggestions in British and American English: A corpus- linguistic study Ilka Flck

Suggestions in British and American English: A corpus- linguistic study Ilka Flck

Suggestions in British and American English: A corpus- linguistic study Ilka Flck University of Oldenburg 33 rd DGfS Annual Meeting (Workshop 1 Beyond Semantics) February 23-25, Gttingen Structure of the talk Corpora in

501 views • 14 slides
1 Plan for today Computer Graphics as Virtual Photography Small change in plans real

1 Plan for today Computer Graphics as Virtual Photography Small change in plans real

Paper Summaries Any takers? Ray Tracing Optimizations Assignments Projects Checkpoint 1 Proposals due tonight All graded Didnt get a grade? See me! Checkpoint 2 Due Thursday(?) Logistics One more

246 views • 8 slides
IAB Report IETF 83 Paris, France March 26, 2012 Where is the IAB? Source: Jari Arkko Slide 2

IAB Report IETF 83 Paris, France March 26, 2012 Where is the IAB? Source: Jari Arkko Slide 2

IAB Report IETF 83 Paris, France March 26, 2012 Where is the IAB? Source: Jari Arkko Slide 2 About the IAB l Charter (RFC 2850) http://tools.ietf.org/html/rfc2850 l l Website http://www.iab.org/ l l Programs and Initiatives

698 views • 34 slides
AI Planner Applications Practical Applications of AI Planners Overview Deep Space 1

AI Planner Applications Practical Applications of AI Planners Overview Deep Space 1

AI Planner Applications Practical Applications of AI Planners Overview Deep Space 1 Other Practical Applications of AI Planners Common Themes AI Planner Applications 2 1 Literature Deep Space 1 Papers Ghallab, M., Nau,

172 views • 15 slides
A classification of spherical symmetric CR manifolds Giulia Dileo joint work with Antonio Lotta

A classification of spherical symmetric CR manifolds Giulia Dileo joint work with Antonio Lotta

Workshop on CR and Sasakian Geometry University of Luxembourg, 24-26 March 2009 A classification of spherical symmetric CR manifolds Giulia Dileo joint work with Antonio Lotta University of Bari Giulia Dileo (University of Bari) A

867 views • 24 slides
CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor

CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor

814 views • 53 slides

More recommend