hello asm world: a painless and contextual introduction to x86 assembly

Hello ASM World: A Painless and Contextual Introduction to x86 Assembly
rogueclown, DerbyCon 3.0
September 28, 2013

who?
• security consultant by vocation
• mess around with computers, code, CTFs by avocation
• frustrated when things feel like a black box

what is assembly language?
• not exactly machine language…but close
– instructions: mnemonics for machine operations
– normally a one-to-one correlation between ASM instruction and machine instruction
• varies by processor
– today, we will be discussing 32-bit x86

why learn assembly language?
• some infosec disciplines require it
• curious about lower-level details of memory or interfacing with an operating system
• it’s fun and challenging!

how does assembly language work?

hello memory
• what parts of computer memory does assembly language commonly access?
• how does assembly language access those parts of computer memory?

where is this memory?
• what one “normally” thinks of as memory
– RAM
– virtual memory
• CPU
– registers

computer memory layout
• heap
– global variables, usually allocated at compile-time
– envision a bookshelf…that won’t let you push books together when you take one out
• stack
– local, contextual variables
– envision a card game discard pile
– you will use this when coding ASM. a lot.

registers
• memory located on the CPU
• registers are awesome because they are fast.
• registers are a pain because they are tiny.

registers
• general purpose registers
– alphabet soup
• eax, ebx, ecx, edx
• can address in parts: ax, ah, al
– stack and base pointers
• esp
• ebp
– index registers
• esi, edi

registers
• instruction pointer
– eip – records the next instruction for the program to follow
• other registers
– eflags
– segment registers

instructions
• mov
– moves a value to a register
– can either specify a value, or specify a register where a value resides
• syntax in assembly
– Intel syntax: mov ebx, 0xfee1dead
– AT&T syntax: mov $0xfee1dead, %eax

instructions
• interrupt
– int 0x80
– int 0x3
• system calls
– how a program interacts with the kernel of the OS

instructions
• mathematical instructions
– add, sub, mul, div

    mov eax, 10
    cdq          ; sign-extends eax into edx:eax, so edx is now 0
    mov ecx, 3   ; div takes a register or memory operand, not an immediate
    div ecx      ; eax is now 3 (quotient), edx is now 1 (remainder)

– dec, inc – useful for looping

    mov ecx, 3
    dec ecx      ; ecx is now 2

jumps
• jge, jg, jle, jl
– work with a compare (cmp) instruction
• jz, jnz, js, jns
– check zero flag or sign flag for jump

instructions
• stack operations: push and pop

    mov eax, 10
    push eax     ; 10 on top of stack
    inc eax      ; eax is now 11
    push eax     ; 11 on top of stack
    pop ebx      ; ebx is now 11
    pop ecx      ; ecx is now 10

instructions
• function access instructions
– call
• places the address of the next instruction on top of the stack
• moves execution to identified function
– ret
• returns to the memory address on top of the stack
• designed to work in tandem with the “call” instruction…but we’re hackers, yes?

sections of ASM code
• .data
– constant variables initialized at compile time
• .bss
– declaration of variables that may be set or changed during runtime
• .text
– executable instructions

$%&#@%^ instructions: how do they work?

putting it together
• time to take a bit of C code, and reimplement it in assembly language!
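A worked version of this slide's exercise, added here and not taken from the talk: a small C loop (constructed, shown in the comments) reimplemented as a 32-bit Linux NASM program that uses the .data, .bss and .text sections, a call/ret pair, a dec/jnz loop and int 0x80 system calls from the earlier slides. The C snippet, the label names and the build command are my assumptions; the system call numbers are the 32-bit Linux ones.

```nasm
; Assumed C original (constructed for this example):
;   int main(void) {
;       int i = 3;
;       while (i != 0) { write(1, "hello asm world\n", 16); i--; }
;       return 0;
;   }
; build on 32-bit Linux: nasm -f elf32 hello.asm && ld -m elf_i386 hello.o -o hello

section .data                        ; constants fixed when the file is assembled
msg     db  "hello asm world", 10    ; 10 is the newline byte
msglen  equ $ - msg                  ; the assembler computes the length (16)

section .bss                         ; variables set and changed at runtime
count   resd 1                       ; one dword: the loop counter i

section .text
global _start

_start:
    mov  dword [count], 3            ; i = 3
.loop:
    call print_msg                   ; push the return address, jump to print_msg
    dec  dword [count]               ; i-- (sets the zero flag when i reaches 0)
    jnz  .loop                       ; jump back while the zero flag is clear

    mov  eax, 1                      ; system call 1 = exit (32-bit Linux table)
    xor  ebx, ebx                    ; exit status 0 (xor is the idiom for zeroing)
    int  0x80                        ; hand control to the kernel

print_msg:
    push ebx                         ; preserve the caller's ebx on the stack
    mov  eax, 4                      ; system call 4 = write
    mov  ebx, 1                      ; fd 1 = stdout
    mov  ecx, msg                    ; pointer to the buffer
    mov  edx, msglen                 ; number of bytes to write
    int  0x80
    pop  ebx                         ; restore ebx; esp now points at the return address
    ret                              ; pop the address call pushed and resume after it
```

Running the linked binary prints the message three times and exits with status 0; `man 2 write` and `man 2 exit` document the arguments loaded into ebx, ecx and edx.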

where does shellcode come in?

what is shellcode?
• instructions injected into a running process
• lacks some of the luxuries of writing a stand-alone program
– no laying out nice memory segments in a .bss or .data section
– basically, just one big .text section

a first stab at shellcode…
• this is going to look mostly familiar, except for how data is handled.

why did it fail?
• bad characters
– shellcode is often passed to an application as a string.
– if a character makes a string act funny, you may not want it in your shellcode
• 0x00, 0x0a, 0x0d, etc.
– use an encoder, or do it yourself

try that shellcode again…

where can i learn more about assembly language?

suggested resources
• dead trees
– “Hacking: The Art of Exploitation” by Jon Erickson
– “Practical Malware Analysis” by Michael Sikorski and Andrew Honig
– “Gray Hat Python” by Justin Seitz

suggested resources
• the series of tubes
– http://ref.x86asm.net – quick and dirty opcode reference
– http://www.nasm.us/doc – Netwide Assembler documentation
• system calls
– Linux:
• /usr/include/asm/unistd.h
• man 2 $syscall
– Windows:
• http://msdn.microsoft.com/library/windows/desktop/hh920508%28vs.85%29 – Windows API reference

how to find me
• Twitter: @rogueclown
• email: [email protected]
• IRC: #derbycon, #misec, or #burbsec on Freenode
• or, just wave me down at the con