
Hello ASM World: A Painless and Contextual Introduction to x86 Assembly

rogueclown, DerbyCon 3.0, September 28, 2013


Presentation Transcript


  1. Hello ASM World: A Painless and Contextual Introduction to x86 Assembly rogueclown DerbyCon 3.0 September 28, 2013

  2. who? • security consultant by vocation • mess around with computers, code, CTFs by avocation • frustrated when things feel like a black box

  3. what is assembly language? • not exactly machine language…but close • instructions: mnemonics for machine operations • normally a one-to-one correlation between ASM instruction and machine instruction • varies by processor • today, we will be discussing 32-bit x86

  4. why learn assembly language? • some infosec disciplines require it • curious about lower-level details of memory or interfacing with an operating system • it’s fun and challenging!

  5. how does assembly language work?

  6. hello memory • what parts of computer memory does assembly language commonly access? • how does assembly language access those parts of computer memory?

  7. where is this memory? • what one “normally” thinks of as memory • RAM • virtual memory • CPU • registers

  8. computer memory layout • heap • global variables, usually allocated at compile-time • envision a bookshelf…that won’t let you push books together when you take one out • stack • local, contextual variables • envision a card game discard pile • you will use this when coding ASM. a lot.

  9. registers • memory located on the CPU • registers are awesome because they are fast. • registers are a pain because they are tiny.

  10. registers • general purpose registers • alphabet soup • eax, ebx, ecx, edx • can address in parts: ax, ah, al • stack and base pointers • esp • ebp • index registers • esi, edi

  11. registers • instruction pointer • eip • records the next instruction for the program to follow • other registers • eflags • segment registers

  12. instructions • mov • moves a value to a register • can either specify a value, or specify a register where a value resides • syntax in assembly • Intel syntax: mov ebx, 0xfee1dead • AT&T syntax: mov $0xfee1dead, %ebx

  13. instructions • interrupt • int 0x80 • int 0x3 • system calls • how a program interacts with the kernel of the OS

  14. instructions • mathematical instructions • add, sub, mul, div

          mov eax, 10
          cdq            ; edx is now 0
          mov ebx, 3     ; div takes a register or memory operand, not an immediate
          div ebx        ; eax is now 3, edx is now 1

      • dec, inc – useful for looping

          mov ecx, 3
          dec ecx        ; ecx is now 2

  15. jumps • jge, jg, jle, jl • work with a compare (cmp) instruction • jz, jnz, js, jns • check zero flag or sign flag for jump

  16. instructions • stack operations: push and pop

          mov eax, 10
          push eax       ; 10 on top of stack
          inc eax        ; eax is now 11
          push eax       ; 11 on top of stack
          pop ebx        ; ebx is now 11
          pop ecx        ; ecx is now 10

  17. instructions • function access instructions • call • places the address of the next instruction on top of the stack • moves execution to identified function • ret • returns to the memory address on top of the stack • designed to work in tandem with the “call” instruction…but we’re hackers, yes? 

  18. sections of ASM code • .data • constant variables initialized at compile time • .bss • declaration of variables that may be set or changed during runtime • .text • executable instructions

  19. $%&#@%^ instructions: how do they work?

  20. putting it together • time to take a bit of C code, and reimplement it in assembly language!

  21. where does shellcode come in?

  22. what is shellcode? • instructions injected into a running process • lacks some of the luxuries of writing a stand-alone program • no laying out nice memory segments in a .bss or .data section • basically, just one big .text section

  23. a first stab at shellcode… • this is going to look mostly familiar, except for how data is handled.

  24. why did it fail? • bad characters • shellcode is often passed to an application as a string. • if a character makes a string act funny, you may not want it in your shellcode • 0x00, 0x0a, 0x0d, etc. • use an encoder, or do it yourself

  25. try that shellcode again…

  26. where can i learn more about assembly language?

  27. suggested resources • dead trees • “Hacking: The Art of Exploitation” by Jon Erickson • “Practical Malware Analysis” by Michael Sikorski and Andrew Honig • “Gray Hat Python” by Justin Seitz

  28. suggested resources • the series of tubes • http://ref.x86asm.net – quick and dirty opcode reference • http://www.nasm.us/doc – Netwide Assembler documentation • system calls • Linux: • /usr/include/asm/unistd.h • man 2 $syscall • Windows: • http://msdn.microsoft.com/library/windows/desktop/hh920508%28vs.85%29 – Windows API reference

  29. how to find me • Twitter: @rogueclown • email: rogueclown@rogueclown.net • IRC: #derbycon, #misec, or #burbsec on Freenode • or, just wave me down at the con 
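
The pieces from slides 12 to 18 combined into one stand-alone program, as an added example that is not code from the talk (the demo code from slide 20 is not part of this transcript). It assumes 32-bit Linux and NASM; the labels `msg`, `msglen`, `calls` and `print_msg` are names chosen here for illustration.

```nasm
; hello.asm - added example for 32-bit Linux, NASM (Intel) syntax
; build (assumed toolchain):
;   nasm -f elf32 hello.asm && ld -m elf_i386 -o hello hello.o

section .data                   ; data initialized at build time
msg     db  "hello asm world", 0x0a
msglen  equ $ - msg             ; length computed by the assembler

section .bss                    ; storage reserved now, written at runtime
calls   resd 1                  ; how many times print_msg has run

section .text                   ; executable instructions
global _start

_start:
        mov  ecx, 3             ; loop counter
.again:
        push ecx                ; save counter: print_msg overwrites ecx
        call print_msg          ; pushes the return address, jumps to print_msg
        pop  ecx                ; restore counter
        dec  ecx                ; sets the zero flag when ecx reaches 0
        jnz  .again             ; jump back while the zero flag is clear

        mov  eax, 1             ; system call number: exit
        mov  ebx, [calls]       ; exit status = value stored in calls
        int  0x80               ; hand control to the kernel

print_msg:
        mov  eax, 4             ; system call number: write
        mov  ebx, 1             ; file descriptor 1 = stdout
        mov  ecx, msg           ; address of the buffer
        mov  edx, msglen        ; number of bytes to write
        int  0x80               ; hand control to the kernel
        inc  dword [calls]      ; update the .bss variable
        ret                     ; pops the return address into eip
```

The system call numbers used here (1 for exit, 4 for write) are the 32-bit Linux values listed in the unistd.h header that slide 28 points to.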
