SLAE Student Slides PDF

SecurityTube Linux Assembly Expert (SLAE32)

Training: http://www.SecurityTube-Training.com
Community: http://www.SecurityTube.net

Vivek Ramachandran
SWSE, SMFE, SPSE, SGDE, SISE, SLAE32 Course Instructor
©SecurityTube.net
SecurityTube Linux Assembly Expert

Course Introduction

Vivek Ramachandran
SWSE, SMFE, SPSE, SGDE, SISE, SLAE32 Course Instructor

http://SecurityTube-Training.com

©SecurityTube.net
SecurityTube Linux Assembly Expert

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

©SecurityTube.net
Course Syllabus – Assembly Basics

©SecurityTube.net
Application to Infosec

©SecurityTube.net
Registered Students Benefit

©SecurityTube.net
Future Courses

• 64-bit Assembly on Linux
• 32/64-bit Assembly on Windows
• ARM Assembly

©SecurityTube.net
SecurityTube Linux Assembly Expert (SLAE)

http://www.securitytube.net

Vivek Ramachandran
Course Instructor
©SecurityTube.net
Notice

This video is part of the SecurityTube Linux Assembly Expert course. A limited number of videos in this course will be released on SecurityTube.net

For full access to all theory and exercise videos, PDF slides, code snippets etc. please register as a student by visiting:

http://securitytube-training.com

©SecurityTube.net
Module 1: 32-Bit ASM on Linux

1. What is Assembly Language?

Vivek Ramachandran
SWSE, SMFE, SPSE, SGDE, SISE, SLAE32 Course Instructor

http://SecurityTube-Training.com

©SecurityTube.net
What is Assembly Language?

• Low-level programming language
• Communicates directly with the microprocessor
• Specific to the processor family
• An almost one-to-one correspondence with machine code

©SecurityTube.net
I only speak binary!

010101010111110101101010101010101
111010101101011010101010101011010
010101010111101000011110101010101

©SecurityTube.net
Humans cannot speak binary

010101010111110101101010101010101
111010101101011010101010101011010
010101010111101000011110101010101

©SecurityTube.net
Assembly Language

Assembly Language        Translator (Assembler + Linker)        Machine Language
mov eax, ebx                                                    010110100101
xor eax, eax                                                    111010101010
add eax, 0xff                                                   101010101010

©SecurityTube.net
Correlation with HLLs

http://www.tenouk.com/ModuleW_files/ccompilerlinker001.png
©SecurityTube.net
Different Processors – Different Assembly Language

• Intel
• ARM
• MIPS

©SecurityTube.net
Intel Architecture

• IA-32
• IA-64

©SecurityTube.net
SecurityTube Linux Assembly Expert32

• IA-32 Assembly on the Linux OS

• Future courses:
– IA-64 on Linux
– IA-32 on Windows
– IA-64 on Windows
– ARM Assembly

©SecurityTube.net
Why IA-32?

• Large number of machines out there still running IA-32
• Logical progression to IA-64
• Shellcoding, encoders, decoders, packers etc. carry over to other architectures; only the implementation differs

©SecurityTube.net
Exercise 1.1: Lab Setup

• Ubuntu 12.04 LTS 32-bit Edition
• Installed in VirtualBox

Please register for this course to receive the solution video for this exercise.
http://SecurityTube-Training.com

©SecurityTube.net
Exercise 1.2: Understanding your CPU

• Find CPU details on the Ubuntu system
• How do you know if you are on a 32/64-bit CPU?
• How do you know your CPU's additional capabilities such as FPU, MMX, SSE, SSE2 etc.?

©SecurityTube.net
Module 1: 32-Bit ASM on Linux

Exercise 1.1
Topic: What is Assembly Language?

©SecurityTube.net
Ubuntu

• 32-bit Ubuntu Desktop Edition 12.10 used for the course
http://www.ubuntu.com/download/desktop

• Install VirtualBox
https://www.virtualbox.org/

©SecurityTube.net
Installation

• NASM
• Code files:
– SLAE-Code.zip

©SecurityTube.net
Module 1: 32-Bit ASM on Linux

Exercise 1.2
Topic: What is Assembly Language?

©SecurityTube.net
Find  CPU  Details  

©SecurityTube.net  
/proc/cpuinfo  

©SecurityTube.net  
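Exercise 1.2 asks how to tell from /proc/cpuinfo whether the CPU is 32/64-bit and which extensions (FPU, MMX, SSE, SSE2) it has. The following is an added example, not part of the course material: it parses the "flags" line of cpuinfo text with exact token matching. The cpuinfo text embedded in it is a constructed sample; main() reads the live /proc/cpuinfo when it exists.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample of /proc/cpuinfo text (not a capture from a real machine). */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Example CPU (constructed sample)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 mmx fxsr sse sse2 ht lm sse3 ssse3\n"
    "\n";

/* True if any "flags" line in cpuinfo text contains `flag` as a whole token.
   Token-exact matching matters: "sse" must not match "sse2" or "ssse3". */
bool cpuinfo_has_flag(const char *cpuinfo, const char *flag) {
    size_t flen = strlen(flag);
    const char *line = cpuinfo;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (strncmp(line, "flags", 5) == 0) {
            const char *p = memchr(line, ':', (size_t)(end - line));
            if (p != NULL) {
                p++;
                while (p < end) {
                    while (p < end && (*p == ' ' || *p == '\t')) p++;
                    const char *tok = p;
                    while (p < end && *p != ' ' && *p != '\t') p++;
                    if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
                        return true;
                }
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return false;
}

/* "lm" (long mode) in the CPUID flags means the processor can execute 64-bit code,
   even when the installed kernel is 32-bit: cpuinfo describes the CPU, not the OS. */
bool cpu_is_64bit_capable(const char *cpuinfo) {
    return cpuinfo_has_flag(cpuinfo, "lm");
}

int main(void) {
    static char buf[1 << 16];
    const char *text = SAMPLE_CPUINFO;
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (f != NULL) {                      /* prefer the live file when it exists */
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        text = buf;
    }
    printf("64-bit capable CPU: %s\n", cpu_is_64bit_capable(text) ? "yes" : "no");
    const char *caps[] = { "fpu", "mmx", "sse", "sse2", "sse3", "avx" };
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        printf("%-5s %s\n", caps[i], cpuinfo_has_flag(text, caps[i]) ? "present" : "absent");
    return 0;
}
```

On the course VM (32-bit Ubuntu) running on modern hardware, cpuinfo still lists "lm" because the CPU supports 64-bit mode, while `uname -m` reports i686 for the kernel; the two answer different questions.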
Module 1: 32-Bit ASM on Linux

2. IA-32 Architecture

©SecurityTube.net
System Organization Basics

CPU, Memory and I/O Devices, connected through the System Bus

©SecurityTube.net
CPU

Components: Control Unit, Execution Unit, Registers, Flags

• Control Unit – retrieves / decodes instructions, retrieves / stores data in memory
• Execution Unit – actual execution of the instruction happens here
• Registers – internal memory locations used as "variables"
• Flags – used to indicate various "events" while execution is happening

©SecurityTube.net
IA-32 Registers (Logical Diagram)

General Purpose Registers   Segment Registers   Flags, EIP
Floating Point Unit Registers   MMX Registers   XMM Registers

©SecurityTube.net
General Purpose Registers

EAX (bits 31-0)   AX (bits 15-0)   AH (bits 15-8)   AL (bits 7-0)
EBX (bits 31-0)   BX (bits 15-0)   BH (bits 15-8)   BL (bits 7-0)
ECX (bits 31-0)   CX (bits 15-0)   CH (bits 15-8)   CL (bits 7-0)
EDX (bits 31-0)   DX (bits 15-0)   DH (bits 15-8)   DL (bits 7-0)

©SecurityTube.net
General Purpose Registers

ESP (bits 31-0)   SP (bits 15-0)
EBP (bits 31-0)   BP (bits 15-0)
ESI (bits 31-0)   SI (bits 15-0)
EDI (bits 31-0)   DI (bits 15-0)

©SecurityTube.net
GPR Common Functionality

EAX – Accumulator Register – used for storing operands and result data
EBX – Base Register – pointer to data
ECX – Counter Register – loop operations
EDX – Data Register – I/O pointer
ESI, EDI – Data pointer registers for memory operations
ESP – Stack Pointer Register
EBP – Stack Data Pointer Register

©SecurityTube.net
Segment Registers

CS – Code
DS – Data
SS – Stack
ES – Data
FS – Data
GS – Data

(16-bit registers, bits 15-0)

Usage depends on the memory model – flat or segmented?

©SecurityTube.net
EFLAGS Register

Ref: Intel manual for IA-32
©SecurityTube.net
EIP

EIP (bits 31-0)

• Instruction Pointer
• Holy grail for sh=ellcoding, exploit research etc.

©SecurityTube.net
Floating Point Unit (FPU) or x87

ST(0) to ST(7)

Reference: Intel Manual

©SecurityTube.net
SIMD

• Single Instruction Multiple Data
• Extensions
– MMX
– SSE
– SSE2
– SSE3
• Uses MMX and XMM registers

©SecurityTube.net
MMX

The MMX registers MM0–MM7 (bits 63-0) alias the low 64 bits of the 80-bit x87 registers ST(0)–ST(7) (bits 79-0):

ST(0)  MM0
ST(1)  MM1
ST(2)  MM2
ST(3)  MM3
ST(4)  MM4
ST(5)  MM5
ST(6)  MM6
ST(7)  MM7

©SecurityTube.net
XMM

XMM0 to XMM7, 128 bits each (bits 127-0)

©SecurityTube.net
Exercise 1.2.1: Lab Setup

• Inspect the General Purpose, Segment, EFLAGS, FPU, MMX, XMM etc. registers on your Ubuntu system

©SecurityTube.net
Module 1: 32-Bit ASM on Linux

3. CPU Modes and Memory Management

©SecurityTube.net
CPU Modes for IA-32

• Real Mode
– At power up or reset
– Can only access 1 MB of memory
– No memory protection
– Privilege levels (kernel vs user space) not possible

• Protected Mode
– Up to 4 GB of memory
– Memory protection / privilege levels / multi-tasking
– Supports Virtual-8086 mode

• System Management Mode
– Used for power management tasks

©SecurityTube.net
Memory Models

Source: Intel manuals
©SecurityTube.net
Linux: CPU Mode and Memory Model

• 32-bit Linux uses:
– Protected Mode
– Flat memory model
– 4 GB addressable space => 2^32 bytes
– Memory protection
– Privilege levels of code
– Segment registers point to segment descriptors
• GDT / LDT / IDT (Global / Local / Interrupt)

©SecurityTube.net
Virtual Memory Model

Kernel Space (1 GB)
User Space (3 GB)

©SecurityTube.net
0xFFFFFFFF
Kernel Space
0xC0000000

Stack – Function args + local vars
Shared libs + mappings
Heap – Dynamic memory
BSS – Uninitialized data
Data – Initialized data
Text – Program code
0x08048000
0x00000000

©SecurityTube.net
View Process Organization

• /proc
– /proc/pid/maps
• pmap
• Attach and view using GDB

©SecurityTube.net
cat /proc/pid/maps

©SecurityTube.net
What does all this mean?

Each line of /proc/pid/maps describes one mapping, with these fields in order:

• Start and end address of the section
• Permissions on the section:
  r = readable
  w = writable
  x = executable
  p = private (not shared)
  s = shared
• Offset in the file, for memory-mapped files; 0 otherwise
• Major – minor device number of the device from where the file was loaded
• Inode number
• File path

©SecurityTube.net
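A parser for the maps format just described, added here as an example (it is not course code). The maps text embedded in it is a constructed sample for a 32-bit process laid out like the slide; the only addition beyond parsing is a check for mappings that are both writable and executable, which a defender reviewing a process would want to notice.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    unsigned long start, end;   /* virtual address range [start, end) */
    char perms[5];              /* r/w/x plus p (private) or s (shared) */
    unsigned long offset;       /* offset into the mapped file, 0 for anonymous mappings */
    unsigned dev_major, dev_minor;
    unsigned long inode;
    char path[256];             /* file path or pseudo-name such as [stack]; empty if none */
} MapEntry;

/* Constructed /proc/<pid>/maps text for a 32-bit process (not a real capture). */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 131074     /home/user/hello\n"
    "08049000-0804a000 r--p 00000000 08:01 131074     /home/user/hello\n"
    "0804a000-0804b000 rw-p 00001000 08:01 131074     /home/user/hello\n"
    "b7fd9000-b7fda000 rwxp 00000000 00:00 0\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Parse one maps line: start-end perms offset major:minor inode [path]. */
bool parse_maps_line(const char *line, MapEntry *e) {
    int consumed = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lx-%lx %4s %lx %x:%x %lu%n", &e->start, &e->end, e->perms,
               &e->offset, &e->dev_major, &e->dev_minor, &e->inode, &consumed) != 7)
        return false;
    const char *p = line + consumed;          /* optional path follows the inode */
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof e->path) n = sizeof e->path - 1;
    memcpy(e->path, p, n);
    e->path[n] = '\0';
    return true;
}

/* A mapping that is both writable and executable breaks the usual expectation that code is
   read-only and data is non-executable; JIT engines aside, such regions deserve a look. */
bool mapping_is_wx(const char *line) {
    MapEntry e;
    return parse_maps_line(line, &e) && strchr(e.perms, 'w') != NULL && strchr(e.perms, 'x') != NULL;
}

unsigned long mapping_size(const char *line) {
    MapEntry e;
    return parse_maps_line(line, &e) ? e.end - e.start : 0;
}

/* Path of one line (static buffer, valid until the next call). */
const char *mapping_path(const char *line) {
    static MapEntry e;
    return parse_maps_line(line, &e) ? e.path : "";
}

/* Count writable+executable mappings over a whole maps dump. */
int count_wx_mappings(const char *maps_text) {
    int count = 0;
    const char *line = maps_text;
    while (*line != '\0') {
        if (mapping_is_wx(line)) count++;
        const char *eol = strchr(line, '\n');
        if (eol == NULL) break;
        line = eol + 1;
    }
    return count;
}

int main(void) {
    const char *line = SAMPLE_MAPS;
    while (*line != '\0') {
        MapEntry e;
        if (parse_maps_line(line, &e))
            printf("%08lx-%08lx %s %6lu bytes %s%s\n", e.start, e.end, e.perms,
                   e.end - e.start, e.path, mapping_is_wx(line) ? "  <- W+X" : "");
        const char *eol = strchr(line, '\n');
        if (eol == NULL) break;
        line = eol + 1;
    }
    printf("W+X mappings: %d\n", count_wx_mappings(SAMPLE_MAPS));
    return 0;
}
```

Feeding the real file in place of SAMPLE_MAPS (for example `cat /proc/self/maps` piped into a version that reads stdin) gives the same per-mapping breakdown that pmap and GDB's mapping view present.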
Process  Map  within  GDB  

©SecurityTube.net  
Module 1: 32-Bit ASM on Linux

4. Hello World

©SecurityTube.net
IA-32 Instruction Set

• General Purpose Instructions
• x87 FPU Instructions
• MMX / SSE / SSE2 / SSE3 / SSE4 Instructions
• Other instruction set extensions

©SecurityTube.net
Programming in Assembly

• NASM + LD for assembling and linking
• Executable in ELF format

NASM Documentation:
http://nasm.us/

©SecurityTube.net
Hello World!

TEXT section:
  Entry point of program? _start:
  Print to screen
  Exit gracefully!

DATA section:
  Hello World!

©SecurityTube.net
Why System Calls?

• Leverage the OS for tasks
• Imagine if you had to write code from scratch to:
– write to disk
– print on screen
– …
• System calls provide a simple interface from user space programs to the kernel

©SecurityTube.net
How do System Calls Work?

User Space Program -> int 0x80 -> Interrupt Handlers Table -> System Call Handler -> System Call Routines

©SecurityTube.net
IA-32 Mechanism to Invoke a System Call

• int 0x80
• SYSENTER

Modern implementations use the VDSO [Virtual Dynamic Shared Object]

http://articles.manugarg.com/systemcallinlinux2_6.html

©SecurityTube.net
Where are these system calls defined?

©SecurityTube.net
write()

©SecurityTube.net
exit

©SecurityTube.net
Invoking a System Call with int 0x80

EAX – System call number (return value comes back in EAX)
EBX – 1st argument
ECX – 2nd argument
EDX – 3rd argument
ESI – 4th argument
EDI – 5th argument

©SecurityTube.net
Calling write

EAX = system call number
EBX = STDOUT
ECX = pointer to "Hello World"
EDX = length of "Hello World"

©SecurityTube.net
Calling exit

EAX = system call number
EBX = status code

©SecurityTube.net
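The two calls above, write and exit, expressed through glibc's generic syscall(2) wrapper, as an added example rather than the course's NASM program. syscall() does the same register setup the slides describe (number in EAX, arguments in EBX, ECX, EDX, result in EAX) for whichever ABI the binary is built for, so the example runs on the 32-bit lab VM and on x86-64 alike. The "Hello World" message is the one from the slides; everything else is this example's own.

```c
#define _GNU_SOURCE 1
#include <unistd.h>
#include <sys/syscall.h>
#include <errno.h>
#include <stdio.h>

long syscall(long number, ...);   /* glibc/musl prototype, repeated for strict -std modes */

/* write as a raw system call: EAX = SYS_write, EBX = fd, ECX = buf, EDX = len, int 0x80. */
long raw_write(int fd, const void *buf, size_t len) {
    return syscall(SYS_write, fd, buf, len);
}

/* The Hello World write; returns the byte count the kernel reports in EAX (12 for this message). */
long hello_write(void) {
    static const char msg[] = "Hello World\n";
    return raw_write(STDOUT_FILENO, msg, sizeof msg - 1);
}

/* The kernel signals failure with a negative value in EAX (here -EBADF); the C wrapper turns that
   into -1 and stores the positive code in errno. Returns that errno, or 0 if the write succeeded. */
int write_to_closed_fd_error(void) {
    long n = raw_write(-1, "x", 1);
    return n == -1 ? errno : 0;
}

/* System call numbers are per ABI: write is 4 on i386 (the number used with int 0x80 in the course)
   and 1 on x86-64, which is why SYS_write from <sys/syscall.h> is used instead of a literal. */
long write_syscall_number(void) { return SYS_write; }

int main(void) {
    printf("SYS_write on this build = %ld\n", write_syscall_number());
    fflush(stdout);                                 /* keep stdio output ahead of the raw write */
    long n = hello_write();
    printf("write returned %ld\n", n);
    printf("write to fd -1 -> errno %d (EBADF = %d)\n", write_to_closed_fd_error(), EBADF);
    syscall(SYS_exit, 0);                           /* EAX = SYS_exit, EBX = 0: exit(0) */
    return 0;                                       /* not reached */
}
```

Because exit is reached through syscall() directly rather than libc's exit(), buffered stdio output is not flushed automatically; the fflush above is what makes the printed lines appear, the same discipline a NASM program needs when it mixes libc calls with raw system calls.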
Exercise 1.4.1: GDB

• Use GDB to step through the Hello World program and observe:
– CPU registers
– Memory locations
– …

©SecurityTube.net
Module 1: 32-Bit ASM on Linux

5. Data Types

©SecurityTube.net
Fundamental Data Types

• Byte – 8 bits
• Word – 16 bits
• Double Word – 32 bits
• Quad Word – 64 bits
• Double Quad Word – 128 bits

Source: IA-32 Manual

©SecurityTube.net
Signed and Unsigned

Unsigned Double Word: bits 31-0 all hold the value
Signed Double Word: bit 31 is the sign bit, bits 30-0 hold the value

Source: IA-32 Manual

©SecurityTube.net
NASM …

• Case-sensitive syntax
• Accessing a memory reference with []
– message db 0xAA, 0xBB, 0xCC, 0xDD
– mov eax, message   ; moves the address of message into eax
– mov eax, [message] ; moves the value stored at message into eax

©SecurityTube.net
Defining Initialized Data in NASM

Source: NASM Manual Pg. 30

©SecurityTube.net
Declaring Uninitialized Data

Source: NASM Manual Pg. 30

©SecurityTube.net
Special Tokens

• $ – evaluates to the address of the current line
• $$ – evaluates to the beginning of the current section

Source: NASM Manual Pg. 37

©SecurityTube.net
EQU and TIMES

Data:

Instruction:

©SecurityTube.net
IA-32 uses Little Endian format

Low memory … High memory: the least significant byte is stored at the lowest address

Source: Wikipedia http://en.wikipedia.org/wiki/Endianness

©SecurityTube.net
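What little-endian storage means for the NASM slide's "message db 0xAA, 0xBB, 0xCC, 0xDD" followed by "mov eax, [message]": the bytes are laid out low address first, so EAX receives 0xDDCCBBAA. The following added example (not course code) models the store and load, reads the same bytes big-endian for contrast, and checks the host's own byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a dword the way IA-32 writes it to memory: least significant byte at the lowest address. */
void store_le32(uint8_t out[4], uint32_t v) {
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Read a dword back from little-endian bytes, i.e. what "mov eax, [addr]" loads. */
uint32_t load_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) | ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Big-endian reading of the same bytes, for contrast (network byte order). */
uint32_t load_be32(const uint8_t in[4]) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) | ((uint32_t)in[2] << 8) | (uint32_t)in[3];
}

/* Detect the host's byte order without pointer type punning. */
int host_is_little_endian(void) {
    uint32_t one = 1;
    uint8_t b[4];
    memcpy(b, &one, sizeof b);
    return b[0] == 1;
}

/* The slide's data:   message db 0xAA, 0xBB, 0xCC, 0xDD
   followed by         mov eax, [message]
   leaves 0xDDCCBBAA in EAX, not 0xAABBCCDD. */
uint32_t dword_from_db_bytes(void) {
    const uint8_t message[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    return load_le32(message);
}

/* The same four bytes read as big-endian give the "as written" value. */
uint32_t be_reading_of_db_bytes(void) {
    const uint8_t message[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    return load_be32(message);
}

/* Storing then loading is the identity; only the bytes in between are reversed. */
uint32_t roundtrip_le32(uint32_t v) {
    uint8_t b[4];
    store_le32(b, v);
    return load_le32(b);
}

int main(void) {
    uint8_t b[4];
    store_le32(b, 0x08048000u);             /* the text-section base address from the memory layout slide */
    printf("0x08048000 in memory, low address first: %02X %02X %02X %02X\n", b[0], b[1], b[2], b[3]);
    printf("mov eax, [message] -> %08X\n", dword_from_db_bytes());
    printf("same bytes read big-endian -> %08X\n", be_reading_of_db_bytes());
    printf("host is little-endian: %d\n", host_is_little_endian());
    return 0;
}
```

This is also why an address such as 0x08048000 appears as "00 80 04 08" in a hex dump of memory or in GDB's byte view.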
GDB    

hLp://www.securitytube.net/tags/sgde    

©SecurityTube.net  
Module 1: 32-Bit ASM on Linux

6. Moving Data

©SecurityTube.net
Instruction

Label   Instruction   Operand

Operand types:
• Register
• Memory
• Immediate

©SecurityTube.net
MOV

• Most common instruction in ASM
• Allowed directions:
– Between registers
– Memory to register and register to memory
– Immediate data to register
– Immediate data to memory

©SecurityTube.net
LEA

• Load Effective Address – loads pointer values
• LEA EAX, [label]

©SecurityTube.net
XCHG

• Exchanges (swaps) values
• XCHG register, register
• XCHG register, memory

©SecurityTube.net
Stack

• Used by processes and threads to store temporary data
– local variables
– return addresses
• The stack is a Last-In-First-Out (LIFO) data structure

©SecurityTube.net
Stack is a LIFO

High memory
  0xAAAAAAAA
  0x10203040
  0xA0203040   <- ESP
Low memory

PUSH – pushes a value onto the stack
POP – removes the topmost value from the stack
ESP – should point to the top of the stack

©SecurityTube.net
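The picture above, as an added model (not course code): a small byte array stands in for the stack region, PUSH subtracts 4 from ESP before storing and POP loads before adding 4, so the stack grows toward low memory and values come back in reverse order. The three values pushed are the ones on the slide; the model also reports an underflow that a real CPU would not catch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { STACK_BYTES = 64 };

/* mem[STACK_BYTES] is "high memory", index 0 is "low memory". ESP is a byte offset;
   an empty stack has ESP == STACK_BYTES. */
typedef struct {
    uint8_t mem[STACK_BYTES];
    uint32_t esp;
} Stack;

void stack_init(Stack *s) { memset(s->mem, 0, sizeof s->mem); s->esp = STACK_BYTES; }

/* Dwords are stored little-endian, as on IA-32. */
static void store32(Stack *s, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) s->mem[addr + i] = (uint8_t)(v >> (8 * i));
}
uint32_t load32(const Stack *s, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)s->mem[addr + i] << (8 * i);
    return v;
}

/* PUSH r32/imm32: ESP = ESP - 4, then [ESP] = value. Returns -1 if the model's memory is exhausted. */
int ia32_push(Stack *s, uint32_t v) {
    if (s->esp < 4) return -1;
    s->esp -= 4;
    store32(s, s->esp, v);
    return 0;
}

/* POP r32: value = [ESP], then ESP = ESP + 4. Returns -1 on an empty model stack
   (a real CPU would simply read whatever lies above). */
int ia32_pop(Stack *s, uint32_t *out) {
    if (s->esp + 4 > STACK_BYTES) return -1;
    *out = load32(s, s->esp);
    s->esp += 4;
    return 0;
}

/* The slide's sequence: push 0xAAAAAAAA, then 0x10203040, then 0xA0203040. */
static void push_three(Stack *s) {
    stack_init(s);
    ia32_push(s, 0xAAAAAAAAu);
    ia32_push(s, 0x10203040u);
    ia32_push(s, 0xA0203040u);
}
uint32_t demo_top_of_stack(void)       { Stack s; push_three(&s); return load32(&s, s.esp); }
uint32_t demo_esp_drop(void)           { Stack s; push_three(&s); return STACK_BYTES - s.esp; }
uint32_t demo_value_at_esp_plus8(void) { Stack s; push_three(&s); return load32(&s, s.esp + 8); }

/* LIFO: pops come back in reverse order of the pushes. */
uint32_t demo_second_pop(void) {
    Stack s; uint32_t v = 0;
    push_three(&s);
    ia32_pop(&s, &v);            /* 0xA0203040 */
    ia32_pop(&s, &v);            /* 0x10203040 */
    return v;
}
int demo_pop_empty(void) { Stack s; uint32_t v; stack_init(&s); return ia32_pop(&s, &v); }

int main(void) {
    Stack s; push_three(&s);
    printf("ESP=%u (dropped by %u bytes for three pushes)\n", s.esp, demo_esp_drop());
    for (uint32_t a = s.esp; a < STACK_BYTES; a += 4)
        printf("  [ESP+%2u] = %08X\n", a - s.esp, load32(&s, a));
    printf("second pop returns %08X; pop on empty stack -> %d\n", demo_second_pop(), demo_pop_empty());
    return 0;
}
```

In GDB the same view is `x/3xw $esp` after the three pushes; the first word printed is the one ESP points at.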
Exercise 1.6.1

• Use the PUSH / POP / … stack instructions in your program
• Use GDB to examine the stack using ESP and track the changes as the instructions run

©SecurityTube.net
Module 1: 32-Bit ASM on Linux

7. Arithmetic Instructions

©SecurityTube.net
EFLAGS Register

Ref: Intel manual for IA-32
©SecurityTube.net
Arithmetic Instructions

• ADD destination, source
• ADC destination, source (plus carry flag)
• SUB and SBB
• INC and DEC

©SecurityTube.net
Exercise 1.7.1

• Multiply and divide instructions
• GDB to trace execution and register values

©SecurityTube.net
Unsigned Multiply (MUL)

MUL r/m8:   AL * r/m8   -> AX
MUL r/m16:  AX * r/m16  -> DX:AX
MUL r/m32:  EAX * r/m32 -> EDX:EAX

OF = 1 and CF = 1 if the upper half of the result is non-zero

©SecurityTube.net
Unsigned Divide (DIV)

DIV r/m8:   AX / r/m8        -> quotient AL,  remainder AH
DIV r/m16:  DX:AX / r/m16    -> quotient AX,  remainder DX
DIV r/m32:  EDX:EAX / r/m32  -> quotient EAX, remainder EDX

©SecurityTube.net
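The arithmetic slides of this module (ADD/ADC/SUB with the EFLAGS they set, the signed/unsigned reading of a double word, and the MUL/DIV register conventions above) as one added model, not course code. It computes CF, ZF, SF and OF the way the CPU does, widens MUL into EDX:EAX, and returns an error where DIV would raise the divide-error exception (#DE): division by zero or a quotient that does not fit in 32 bits.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The four EFLAGS bits arithmetic instructions report (model; EFLAGS has more). */
typedef struct { bool cf, zf, sf, of; } Flags;

/* Flags for result r of a op b. CF (unsigned carry/borrow) is supplied by the caller. OF is signed
   overflow: for ADD, same-sign operands giving a result of the other sign; for SUB, operands of
   different sign with a result whose sign differs from a. */
static Flags flags_for(uint32_t a, uint32_t b, uint32_t r, bool cf, bool is_sub) {
    Flags f;
    bool sa = a >> 31, sb = b >> 31, sr = r >> 31;
    f.cf = cf;
    f.zf = (r == 0);
    f.sf = sr;
    f.of = is_sub ? (sa != sb && sr != sa) : (sa == sb && sr != sa);
    return f;
}

/* ADD dst, src. ADC additionally adds the incoming CF (used to chain multi-word additions). */
uint32_t ia32_add(uint32_t a, uint32_t b, Flags *f) {
    uint64_t wide = (uint64_t)a + b;
    *f = flags_for(a, b, (uint32_t)wide, (wide >> 32) != 0, false);
    return (uint32_t)wide;
}
uint32_t ia32_adc(uint32_t a, uint32_t b, Flags *f) {
    uint64_t wide = (uint64_t)a + b + (f->cf ? 1u : 0u);
    *f = flags_for(a, b, (uint32_t)wide, (wide >> 32) != 0, false);
    return (uint32_t)wide;
}
/* SUB dst, src: CF set on unsigned borrow (a < b). */
uint32_t ia32_sub(uint32_t a, uint32_t b, Flags *f) {
    uint32_t r = a - b;
    *f = flags_for(a, b, r, a < b, true);
    return r;
}

/* Same 32 bits, two readings: bit 31 as magnitude (unsigned) or as the sign bit (signed). */
int32_t as_signed(uint32_t v) { return (int32_t)v; }   /* two's complement on IA-32 */

/* MUL r/m32: EDX:EAX = EAX * src; CF = OF = 1 when the upper half (EDX) is non-zero. */
uint32_t ia32_mul(uint32_t eax, uint32_t src, uint32_t *edx, Flags *f) {
    uint64_t wide = (uint64_t)eax * src;
    *edx = (uint32_t)(wide >> 32);
    f->cf = f->of = (*edx != 0);
    f->zf = f->sf = false;                      /* undefined after MUL; cleared in this model */
    return (uint32_t)wide;
}

/* DIV r/m32: EAX = EDX:EAX / src, EDX = remainder. Returns -1 where the CPU raises #DE. */
int ia32_div(uint32_t edx, uint32_t eax, uint32_t src, uint32_t *quot, uint32_t *rem) {
    if (src == 0) return -1;
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    uint64_t q = dividend / src;
    if (q > 0xFFFFFFFFu) return -1;             /* quotient would not fit in EAX */
    *quot = (uint32_t)q;
    *rem = (uint32_t)(dividend % src);
    return 0;
}

/* Accessors so a single flag or result can be inspected after one operation. */
bool add_sets_cf(uint32_t a, uint32_t b) { Flags f; ia32_add(a, b, &f); return f.cf; }
bool add_sets_of(uint32_t a, uint32_t b) { Flags f; ia32_add(a, b, &f); return f.of; }
bool sub_sets_cf(uint32_t a, uint32_t b) { Flags f; ia32_sub(a, b, &f); return f.cf; }
bool sub_sets_of(uint32_t a, uint32_t b) { Flags f; ia32_sub(a, b, &f); return f.of; }
uint32_t mul_high(uint32_t a, uint32_t b) { uint32_t edx; Flags f; ia32_mul(a, b, &edx, &f); return edx; }
int div_status(uint32_t edx, uint32_t eax, uint32_t src) { uint32_t q, r; return ia32_div(edx, eax, src, &q, &r); }
uint32_t div_quot(uint32_t edx, uint32_t eax, uint32_t src) { uint32_t q, r; return ia32_div(edx, eax, src, &q, &r) == 0 ? q : 0; }
uint32_t div_rem(uint32_t edx, uint32_t eax, uint32_t src)  { uint32_t q, r; return ia32_div(edx, eax, src, &q, &r) == 0 ? r : 0; }

int main(void) {
    Flags f;
    uint32_t r = ia32_add(0xFFFFFFFFu, 1, &f);
    printf("add 0xFFFFFFFF,1 -> %08X CF=%d ZF=%d OF=%d (unsigned wrap, no signed overflow)\n", r, f.cf, f.zf, f.of);
    r = ia32_add(0x7FFFFFFFu, 1, &f);
    printf("add 0x7FFFFFFF,1 -> %08X = %d signed, CF=%d OF=%d\n", r, as_signed(r), f.cf, f.of);
    uint32_t edx, eax = ia32_mul(0x10000u, 0x10000u, &edx, &f);
    printf("mul 0x10000,0x10000 -> EDX:EAX=%08X:%08X CF=%d\n", edx, eax, f.cf);
    printf("div EDX:EAX=%08X:%08X by 1 -> %s\n", edx, eax, div_status(edx, eax, 1) ? "#DE (quotient overflow)" : "ok");
    printf("div EDX:EAX by 0x10000 -> quotient %08X remainder %08X\n", div_quot(edx, eax, 0x10000u), div_rem(edx, eax, 0x10000u));
    return 0;
}
```

Two points this makes visible that matter beyond the exercise: the same ADD sets CF for an unsigned wrap and OF for a signed one, so code must test the flag matching the type it intends; and DIV faults not only on zero but whenever EDX is left holding stale data, which is why the usual sequence clears EDX (or uses CDQ before IDIV) first.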
Module 1: 32-Bit ASM on Linux

8. Logical Instructions

©SecurityTube.net
Logical Operations

• AND r/m, r/m/imm (8, 16, 32 bits)
• OR
• XOR
• NOT

©SecurityTube.net
Bitwise Operation

    1 1
AND 1 0
    ---
    1 0

©SecurityTube.net
Other Instructions

• SAR – Shift Arithmetic Right
• SHR – Shift Logical Right
• ROR
• ROL
• …

©SecurityTube.net
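The logical, shift and rotate instructions above as an added model (not course code). The part worth running is the SAR/SHR distinction: the same bit pattern shifted right once gives -4 under SAR and a large positive number under SHR. The model also applies the 5-bit count mask IA-32 uses, so a shift by 32 is a shift by 0.

```c
#include <stdint.h>
#include <stdio.h>

/* IA-32 masks the shift/rotate count to 5 bits (0..31) before using it, so "shr eax, 32" shifts by 0. */
static unsigned mask_count(unsigned count) { return count & 31u; }

/* SHR: logical right shift, vacated high bits are zero-filled. */
uint32_t ia32_shr(uint32_t v, unsigned count) {
    count = mask_count(count);
    return count ? v >> count : v;
}

/* SAR: arithmetic right shift, vacated high bits are copies of the sign bit. */
uint32_t ia32_sar(uint32_t v, unsigned count) {
    count = mask_count(count);
    if (count == 0) return v;
    uint32_t r = v >> count;
    if (v & 0x80000000u)
        r |= ~(0xFFFFFFFFu >> count);   /* replicate bit 31 into the vacated positions */
    return r;
}

/* SHL: logical left shift; bits shifted out are discarded (the last one goes to CF on the CPU). */
uint32_t ia32_shl(uint32_t v, unsigned count) { count = mask_count(count); return count ? v << count : v; }

/* ROL / ROR: rotate; bits leaving one end re-enter at the other, nothing is lost. */
uint32_t ia32_rol(uint32_t v, unsigned count) { count = mask_count(count); return count ? (v << count) | (v >> (32 - count)) : v; }
uint32_t ia32_ror(uint32_t v, unsigned count) { count = mask_count(count); return count ? (v >> count) | (v << (32 - count)) : v; }

/* SAR by 1 is a signed division by two rounding toward minus infinity (-7 becomes -4);
   SHR would treat the same bits as a large unsigned number. */
int32_t sar_signed_halve(int32_t v) { return (int32_t)ia32_sar((uint32_t)v, 1); }

/* The four logical instructions; XOR of a register with itself is the usual way to zero it. */
uint32_t ia32_and(uint32_t a, uint32_t b) { return a & b; }
uint32_t ia32_or(uint32_t a, uint32_t b)  { return a | b; }
uint32_t ia32_xor(uint32_t a, uint32_t b) { return a ^ b; }
uint32_t ia32_not(uint32_t a)             { return ~a; }

int main(void) {
    uint32_t v = 0xFFFFFFF9u;  /* -7 as a signed dword */
    printf("shr %08X,1 = %08X\n", v, ia32_shr(v, 1));
    printf("sar %08X,1 = %08X (%d)\n", v, ia32_sar(v, 1), sar_signed_halve(-7));
    printf("ror 80000001,1 = %08X   rol 80000001,1 = %08X\n", ia32_ror(0x80000001u, 1), ia32_rol(0x80000001u, 1));
    printf("shr by 32 leaves %08X unchanged: %08X\n", v, ia32_shr(v, 32));
    printf("and 11b,10b = %u (the slide's example)\n", ia32_and(3, 2));
    return 0;
}
```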
Module 1: 32-Bit ASM on Linux

9. Control Instructions

©SecurityTube.net
Control Instructions

• Control the flow of the program
• Based on "events", e.g. a calculation resulted in 0
• Use flags to determine the decision
• Branching
– Unconditional – JMP
– Conditional – Jxx

©SecurityTube.net
JMP

• Unconditional
– compare it with the GOTO statement in C
• Types:
– Near Jump: within the current code segment
• Short: -128 to +127 bytes from the current position
– Far Jump: into another segment

©SecurityTube.net
Jxx

• Jxx – conditional
– JZ, JNZ, JA, JAE, JC, JNC etc.
– uses flags
• Cannot be used for far jumps; branch around an unconditional far JMP instead:
– JNZ label1
– JMP Far_Label
– label1:
• The Intel Manual is the best reference

©SecurityTube.net
Exercise 1.9.1

• Investigate the use of the following instructions – LOOP, LOOPZ, LOOPNZ etc.
• Use GDB to trace through the execution

©SecurityTube.net
Exercise 1.9.1

• Investigate the use of the following instructions – LOOP, LOOPE, LOOPNE etc.
• Use GDB to trace through the execution

©SecurityTube.net
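The conditional jumps and the LOOP family from this module as an added model, not course code. It shows which flags each Jxx reads (the unsigned JA/JB family uses CF and ZF, the signed JL/JG family uses SF, OF and ZF, so "cmp eax, 1 ; ja" and "cmp eax, 1 ; jg" disagree when EAX holds 0xFFFFFFFF), the short-jump displacement range, and the LOOP decrement-then-test order that makes a LOOP entered with ECX = 0 run 2^32 times.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool cf, zf, sf, of; } Flags;

/* CMP a, b computes a - b only to set the flags (the result is discarded). */
Flags ia32_cmp(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    bool sa = a >> 31, sb = b >> 31, sr = r >> 31;
    Flags f = { a < b, r == 0, sr, sa != sb && sr != sa };
    return f;
}

typedef enum { JZ, JNZ, JC, JNC, JA, JAE, JB, JBE, JL, JGE, JG, JLE } Jcc;

/* Condition each conditional jump tests (Intel manual, "Jcc"). */
bool jcc_taken(Jcc j, Flags f) {
    switch (j) {
    case JZ:  return f.zf;                 case JNZ: return !f.zf;
    case JC:  return f.cf;                 case JNC: return !f.cf;
    case JA:  return !f.cf && !f.zf;       case JAE: return !f.cf;        /* unsigned above */
    case JB:  return f.cf;                 case JBE: return f.cf || f.zf; /* unsigned below */
    case JL:  return f.sf != f.of;         case JGE: return f.sf == f.of; /* signed less */
    case JG:  return !f.zf && f.sf == f.of;                               /* signed greater */
    case JLE: return f.zf || f.sf != f.of;
    }
    return false;
}

/* Does "cmp a, b ; Jxx label" branch? */
bool branch_after_cmp(Jcc j, uint32_t a, uint32_t b) { return jcc_taken(j, ia32_cmp(a, b)); }

/* A short jump encodes its displacement in one signed byte. */
bool fits_short_jump(int32_t displacement) { return displacement >= -128 && displacement <= 127; }

/* LOOP family: ECX = ECX - 1, then branch if ECX != 0 (LOOPE/LOOPZ also requires ZF = 1,
   LOOPNE/LOOPNZ requires ZF = 0). The decrement comes before the test, so ECX = 0 wraps. */
typedef enum { LOOP, LOOPE, LOOPNE } LoopKind;
bool loop_taken(LoopKind k, uint32_t *ecx, bool zf) {
    *ecx -= 1;
    bool nz = (*ecx != 0);
    switch (k) {
    case LOOPE:  return nz && zf;
    case LOOPNE: return nz && !zf;
    default:     return nz;
    }
}

/* How many times the body of "mov ecx, n ; top: <body> ; loop top" runs (n >= 1). */
uint32_t loop_body_runs(uint32_t n) {
    uint32_t ecx = n, runs = 0;
    do { runs++; } while (loop_taken(LOOP, &ecx, false));
    return runs;
}

/* With ECX = 0 on entry the first LOOP wraps ECX to 0xFFFFFFFF and branches, so the body would
   run 2^32 times; this returns the wrapped ECX instead of iterating. */
uint32_t ecx_after_loop_from_zero(void) {
    uint32_t ecx = 0;
    loop_taken(LOOP, &ecx, false);
    return ecx;
}

int main(void) {
    printf("cmp 0xFFFFFFFF,1 ; ja -> %s (unsigned: 4294967295 > 1)\n", branch_after_cmp(JA, 0xFFFFFFFFu, 1) ? "taken" : "not taken");
    printf("cmp 0xFFFFFFFF,1 ; jg -> %s (signed: -1 > 1)\n", branch_after_cmp(JG, 0xFFFFFFFFu, 1) ? "taken" : "not taken");
    printf("loop body runs with ecx=5: %u\n", loop_body_runs(5));
    printf("ecx after one LOOP from 0: %08X\n", ecx_after_loop_from_zero());
    printf("disp 127 short? %d   disp 128 short? %d\n", fits_short_jump(127), fits_short_jump(128));
    return 0;
}
```

The signed/unsigned mismatch is a classic source of bounds-check bugs: a length compared with JA but produced by signed arithmetic, or the reverse, passes values the author did not intend.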
Module 1: 32-Bit ASM on Linux

10. Procedures

©SecurityTube.net
Procedure

• Set of operations grouped together
• Called often from different places in the code
• CALL Procedure_Name
• In NASM, procedures are defined using labels

©SecurityTube.net
Format of a Procedure

ProcedureName:
    … code …
    … code …
    … code …
    RET

©SecurityTube.net
Arguments to a Procedure

• Passed via registers
• Passed on the stack
• Passed as data structures in memory, referenced by registers or on the stack

©SecurityTube.net
Saving and Restoring State

• Saving / restoring registers
– PUSHAD / POPAD
• Saving / restoring flags
– PUSHFD / POPFD
• Saving / restoring the stack frame
– ENTER / LEAVE + RET

©SecurityTube.net
Exercise 1.10.1

• Write a program which saves registers and flags before calling a procedure
– it should also save / restore the frame pointer

©SecurityTube.net
Prologue and Epilogue

• Wikipedia:
https://en.wikipedia.org/wiki/Function_prologue
• Space is reserved for storing local variables

©SecurityTube.net
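Exercise 1.10.1 and the prologue/epilogue slide together, as an added model rather than course code: CALL/RET, the exact push order of PUSHAD (and the ESP value it records), POPAD's restore, and the frame a prologue builds, with the return address at [ebp+4], the first stack argument at [ebp+8] and the first local at [ebp-4]. Addresses and values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

enum { STACK_BYTES = 128 };

/* Registers plus a small stack memory; byte address a lives in mem[a / 4]. */
typedef struct {
    uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi, eip;
    uint32_t mem[STACK_BYTES / 4];
} Cpu;

void cpu_init(Cpu *c) { memset(c, 0, sizeof *c); c->esp = STACK_BYTES; }
static void push(Cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop(Cpu *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }
uint32_t peek(const Cpu *c, uint32_t addr) { return c->mem[addr / 4]; }

/* CALL: push the address of the following instruction, then jump. RET: pop it back into EIP. */
void ia32_call(Cpu *c, uint32_t target, uint32_t return_addr) { push(c, return_addr); c->eip = target; }
void ia32_ret(Cpu *c) { c->eip = pop(c); }

/* PUSHAD pushes EAX, ECX, EDX, EBX, the ESP value from before the instruction, EBP, ESI, EDI.
   POPAD pops them in reverse order and discards the saved ESP. */
void ia32_pushad(Cpu *c) {
    uint32_t esp_before = c->esp;
    push(c, c->eax); push(c, c->ecx); push(c, c->edx); push(c, c->ebx);
    push(c, esp_before); push(c, c->ebp); push(c, c->esi); push(c, c->edi);
}
void ia32_popad(Cpu *c) {
    c->edi = pop(c); c->esi = pop(c); c->ebp = pop(c); (void)pop(c);
    c->ebx = pop(c); c->edx = pop(c); c->ecx = pop(c); c->eax = pop(c);
}

/* Prologue: push ebp ; mov ebp, esp ; sub esp, locals   (ENTER locals, 0 is the one-instruction form)
   Epilogue: mov esp, ebp ; pop ebp                      (LEAVE), followed by RET. */
void prologue(Cpu *c, uint32_t locals) { push(c, c->ebp); c->ebp = c->esp; c->esp -= locals; }
void epilogue(Cpu *c) { c->esp = c->ebp; c->ebp = pop(c); }

/* Worked call: the caller pushes one argument and CALLs; the procedure builds a frame with 8 bytes
   of locals, saves every register with PUSHAD, clobbers them, restores with POPAD, tears the frame
   down and returns; the caller then drops its argument. True if every value comes back intact. */
bool demo_procedure_call(void) {
    Cpu c; cpu_init(&c);
    c.eax = 0x11111111u; c.ebx = 0x22222222u; c.ebp = 0x33333333u;
    push(&c, 0xCAFEBABEu);                           /* push arg           */
    ia32_call(&c, 0x08048100u, 0x08048010u);         /* call proc          */
    bool in_proc = (c.eip == 0x08048100u) && (peek(&c, c.esp) == 0x08048010u);
    prologue(&c, 8);
    bool frame_ok = peek(&c, c.ebp + 8) == 0xCAFEBABEu && peek(&c, c.ebp + 4) == 0x08048010u;
    c.mem[(c.ebp - 4) / 4] = 0xDEADBEEFu;           /* mov [ebp-4], local */
    ia32_pushad(&c);
    c.eax = 0; c.ebx = 0; c.ebp = 0;                 /* the body clobbers registers */
    ia32_popad(&c);
    bool regs_ok = c.eax == 0x11111111u && c.ebx == 0x22222222u && peek(&c, c.ebp - 4) == 0xDEADBEEFu;
    epilogue(&c);
    ia32_ret(&c);
    bool back_ok = c.eip == 0x08048010u && c.ebp == 0x33333333u;
    c.esp += 4;                                      /* add esp, 4: drop the argument */
    return in_proc && frame_ok && regs_ok && back_ok && c.esp == STACK_BYTES;
}

/* The ESP value PUSHAD saves is the one from before it started pushing; it sits 12 bytes above
   the new ESP, beneath the EDI, ESI and EBP slots. */
uint32_t pushad_saved_esp(void) {
    Cpu c; cpu_init(&c);
    ia32_pushad(&c);
    return peek(&c, c.esp + 12);
}

int main(void) {
    printf("procedure call round trip intact: %d\n", demo_procedure_call());
    printf("PUSHAD saved ESP = %u (stack top before PUSHAD was %u)\n", pushad_saved_esp(), (unsigned)STACK_BYTES);
    return 0;
}
```

The frame layout is also the reason the saved EBP and the return address sit directly above a procedure's locals: any write past the end of a local buffer reaches them first, which is what stack canaries and frame-pointer checks are there to detect.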
Module  1:  32-­‐Bit  ASM  on  Linux  

11.  Strings  
Vivek  Ramachandran  
SWSE,  SMFE,  SPSE,  SGDE,  SISE,  SLAE32  Course  Instructor  

hLp://SecurityTube-­‐Training.com    

©SecurityTube.net  
String Instructions

• MOVS (MOVSB / MOVSW / MOVSD) - moves
• CMPS - compares
• SCAS - scans (subtracts the string element from AL/AX/EAX and sets the flags)
• LODS - loads

ESI and EDI are the source and destination pointers for these instructions; the direction flag (DF) decides whether they are incremented or decremented after each element.
Module 1: 32-Bit ASM on Linux
11. Libc and NASM
Syscalls are good but …

• Too low level at times
• The standard C library (libc) has tons of useful functions
• Calling libc functions from assembly
Things to Remember

• Declare all libc functions you want to use with extern
• All arguments go on the stack in reverse order
  – CALL function(a, b, c, d)
  – push d, push c, push b, push a
• Adjust the stack after calling libc functions (the caller removes the arguments it pushed)
• Link with GCC rather than LD, and use main instead of _start
Module 2: Introduction to Shellcoding
1. Shellcoding Basics
What is Shellcode?

• Machine code with a specific purpose
  – spawn a local shell
  – bind to a port and spawn a shell
  – create a new account
• Can be executed by the CPU directly: no further assembling / linking or separate compiling required
How is Shellcode delivered?

• As part of an exploit
  – size of the shellcode is important (smaller is better)
  – bad characters are a concern
    • 0x00 is the most common one
• Added into an executable
  – run as a separate thread
  – replace the executable's functionality
  – size of the shellcode is not a concern
Shellcode Resources

• http://www.shell-storm.org/
• http://exploit-db.com
• http://www.projectshellcode.com/
Testing Shellcode
Module 2: Introduction to Shellcoding
2. Exit Shellcode
Exit Shellcode

• Loading EAX and EBX with the syscall number and the exit code as full 32-bit immediates leads to 0x00 bytes in the shellcode
• Change the instructions to avoid 0x00
• Change the instructions to make the shellcode more compact
Objdump to Shellcode

• Command line FU
• http://www.commandlinefu.com/commands/view/6051/get-all-shellcode-on-binary-file-from-objdump
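An added Python example (not part of the course slides) doing what the linked one-liner does: it parses `objdump -d` output into the "\x.." string a test harness takes and reports where 0x00 bytes sit. The two listings are constructed inline and show the exit() shellcode before and after the instruction changes described on the Exit Shellcode slide.

```python
"""Turn `objdump -d` output into a shellcode string and audit it for bad
characters. Added example, not course material; the listings below are
constructed, not captured from a real build."""
import re

# Constructed `objdump -d` output: exit(0) written with full 32-bit
# immediates. The middle column holds the opcode bytes we want.
NAIVE_EXIT = """
08048060 <_start>:
 8048060:\tb8 01 00 00 00       \tmov    $0x1,%eax
 8048065:\tbb 00 00 00 00       \tmov    $0x0,%ebx
 804806a:\tcd 80                \tint    $0x80
"""

# Constructed listing of the same syscall after the rewrite: clear the
# registers with XOR and set only the low byte of EAX. Shorter, no 0x00.
COMPACT_EXIT = """
08048060 <_start>:
 8048060:\t31 c0                \txor    %eax,%eax
 8048062:\tb0 01                \tmov    $0x1,%al
 8048064:\t31 db                \txor    %ebx,%ebx
 8048066:\tcd 80                \tint    $0x80
"""

# An instruction line looks like " 8048060:<tab>b8 01 00 00 00 <tab>mov ...".
# Each opcode byte is printed as two hex digits followed by a space.
# Section and symbol headers ("08048060 <_start>:") have no byte column
# and therefore never match.
_INSN = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2} )+)")


def objdump_to_bytes(listing: str) -> bytes:
    """Extract the raw opcode bytes from an objdump -d listing, in order.
    Continuation lines (bytes of a long instruction with no mnemonic)
    carry a byte column too, so they are picked up as well."""
    out = bytearray()
    for line in listing.splitlines():
        m = _INSN.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def to_c_string(code: bytes) -> str:
    """Render the bytes as the "\\x.." literal a C test harness embeds."""
    return '"' + "".join(f"\\x{b:02x}" for b in code) + '"'


def bad_char_offsets(code: bytes, bad=(0x00,)) -> list:
    """Offsets of every byte in the bad-character set. 0x00 is the default
    because a C string copy stops at the first NUL, truncating the payload."""
    return [i for i, b in enumerate(code) if b in bad]
```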
Module 2: Introduction to Shellcoding
3. HelloWorld Shellcode using JMP-CALL-POP
Modifying Hello World

• Replace all instructions whose opcodes contain 0x00
• No hardcoded addresses
  – dynamically figure out the address of the "Hello World" string
JMP-CALL-POP

    jmp short call_shellcode        ; 1. jump forward, past the string

shellcode:
    pop ecx                         ; 3. CALL pushed the address of HelloWorld; POP it into ECX
    …
    …
    …

call_shellcode:
    call shellcode                  ; 2. pushes the address of the next "instruction",
    HelloWorld db "Hello World!"    ;    which is the string itself
Module 2: Introduction to Shellcoding
4. HelloWorld Shellcode using Stack
Using the Stack

• PUSH the bytes of the "Hello World" string onto the stack
• Get a reference to it using ESP
• The string needs to be pushed in reverse, as the stack grows from high to low memory
Stack grows from High memory to Low memory

    High memory
    H  E  L  L  O  W  O  R  L  D  \n  0x00
    Low memory

(The terminating 0x00 is pushed first and so ends up at the highest address; the "H" is pushed last and ends up at the lowest address, where ESP points.)
Module 2: Introduction to Shellcoding
5. Execve Shellcode JMP-CALL-POP Method
Execute a new program

• Execute a new program from within the shellcode
• "/bin/bash" to get a shell
• A common technique to get a command prompt from an exploited process
Execve

Register layout for the execve syscall (execve(filename, argv, envp)):

    EBX: "/bin/bash", 0x0                      (filename, NUL-terminated)
    ECX: address of "/bin/bash", 0x00000000    (argv, NULL-terminated array)
    EDX: 0x00000000                            (envp)

We cannot have NULLs in the shellcode.
Approach

Initial string:

    /bin/bash  A  BBBB  CCCC

1. Use JMP-CALL-POP to find the address of the string
2. Convert "A" to 0x0
3. Convert "BBBB" to the address of "/bin/bash"
4. Convert "CCCC" to 0x00000000

Result:

    ESI → /bin/bash  0x0  Addr  0x00000000
Loading the Registers

    ESI → /bin/bash  0x0  Addr  0x00000000
Is there a need for exit()?

• execve does not return if successful
• there is no need for exit() to be called (if execve fails, execution continues into whatever bytes follow the syscall)
Module 2: Introduction to Shellcoding
6. Execve Shellcode Stack Method
Stack Push

Low memory on the left, high memory on the right:

    ADDR     0x00000000   ////bin/bash   0x00000000
    ↑ ECX    ↑ EDX        ↑ EBX

ECX points at ADDR (the argv array: the address of "////bin/bash" followed by a NULL), EDX at the NULL dword (envp) and EBX at the string, which is padded with extra slashes to a multiple of 4 bytes.
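Added Python example (not the course's own code; the helper names are mine) serving both stack-method slides, Hello World and execve: it computes the PUSH immediates for a string, emulates where the bytes land on the stack, and shows why the path is padded to "////bin/bash".

```python
"""Compute the PUSH sequence that places a NUL-terminated string on the
stack, as the Hello World and execve stack methods do. Added example, not
course material."""
import struct


def pad_to_dword(s: bytes, pad: bytes) -> bytes:
    """Left-pad so the length is a multiple of 4. For paths the pad byte is
    b"/" because the kernel treats repeated slashes as one: "////bin/bash"
    still resolves to /bin/bash."""
    if len(pad) != 1:
        raise ValueError("pad must be a single byte")
    missing = (-len(s)) % 4
    return pad * missing + s


def push_sequence(s: bytes, pad: bytes = b"/"):
    """Return (padded string, list of 32-bit immediates to PUSH, in push
    order). The NUL terminator is pushed first from a zeroed register, so
    it is not part of the list: a `push 0` immediate would put 0x00 bytes
    in the code. The string is then pushed in reverse 4-byte chunks, each
    read little-endian so the bytes land in memory in their original order."""
    padded = pad_to_dword(s, pad)
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    imms = [struct.unpack("<I", c)[0] for c in reversed(chunks)]
    return padded, imms


def emulate_stack(imms) -> bytes:
    """Lay the pushed dwords out as memory, lowest address first. The stack
    grows downward, so each PUSH prepends to what is already there and the
    last PUSH ends up at the lowest address (where ESP points)."""
    mem = b"\x00" * 4                     # the zero dword, pushed first
    for imm in imms:
        mem = struct.pack("<I", imm) + mem
    return mem


def null_free(imms) -> bool:
    """True when no immediate would embed a 0x00 byte in the shellcode."""
    return all(0 not in struct.pack("<I", imm) for imm in imms)


def nasm_listing(imms, reg: str = "ebx") -> list:
    """Render the sequence as NASM, flagging any immediate that carries a
    0x00 byte. `reg` is the register that will hold the string's address
    (EBX for execve's filename argument)."""
    lines = ["xor eax, eax", "push eax        ; NUL terminator"]
    for imm in imms:
        note = "  ; contains 0x00!" if 0 in struct.pack("<I", imm) else ""
        lines.append(f"push 0x{imm:08x}{note}")
    lines.append(f"mov {reg}, esp    ; {reg.upper()} -> start of the string")
    return lines
```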
Module 2: Introduction to Shellcoding
7. XOR Encoder and Decoder
XOR

    A  B  A xor B
    0  0  0
    1  1  0
    1  0  1
    0  1  1

Interesting: (A xor B) xor B = A
What does this mean for us?

• Select an encoder byte, e.g. 0xAA
• XOR every byte of the shellcode with 0xAA
• Write a decoder stub which XORs the encoded shellcode bytes with 0xAA and recovers the original shellcode
• The stub then passes control to the decoded shellcode
Too much text can kill a concept :)

    Original shellcode:    0x12  0xab  0xac  0x01  …
    XOR with key:          0xaa  0xaa  0xaa  0xaa  …
                           ||
    Encoded shellcode:     [XOR decoder stub]  0xb8  0x01  0x06  0xab  …

    After the stub runs:   [XOR decoder stub]  0x12  0xab  0xac  0x01  …   (original shellcode)
Module 2: Introduction to Shellcoding
8. Using Metasploit's Encoders
Metasploit Payloads

Metasploit Encoders
Leverage Metasploit

• Create our own shellcode
• Use msfencode to encode it
  – use the encoded shellcode
  – dump it into a binary and execute
AV and IDS Evasion

• Almost all encoders in Metasploit are well known and documented
• Might not be useful for evasion
  – Shikata_ga_nai works at times
• Hence the need for custom encoders
Custom Encoder

• Easy to write a custom encoder and bypass AV etc., as long as the technique is not disclosed
• Very difficult to write an encoder which uses a public technique and still evades AV
• The decoder stub is the part that generally gets fingerprinted
Module 2: Introduction to Shellcoding
9. Simple NOT Encoder
NOT Encoder

• Transform every byte in your shellcode using NOT
• The decoder NOTs each encoded byte to get the original shellcode byte back
• Pass control to the shellcode after all bytes are decoded
Module 2: Introduction to Shellcoding
10. Insertion Encoder
Insertion Encoder?

    Original shellcode:    0x12  0xab  0xac  0x01  …
    After insertion:       0x12  0xaa  0xab  0xaa  0xac  0xaa  0x01  0xaa  …

    Delivered:             [insertion decoder stub]  0x12  0xaa  0xab  0xaa  0xac  0xaa  0x01  0xaa  …
    After the stub runs:   [insertion decoder stub]  0x12  0xab  0xac  0x01  …   (original shellcode)
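An added Python example (not course code; function names are mine) covering the XOR, NOT and insertion encoder slides together: each encoder beside its decoder, a round-trip check, and the bad-character audit that decides whether a given XOR key is usable at all. The sample bytes are the ones in the diagrams, not a real payload.

```python
"""Byte-level encoders from the XOR, NOT and insertion slides, with the
matching decoders and a bad-character audit. Added example, not the
course's own code."""

SAMPLE = bytes([0x12, 0xAB, 0xAC, 0x01])   # constructed, from the diagram
BAD = {0x00}                                # 0x00 is the usual bad character


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key. Since (A xor B) xor B = A,
    decoding is the very same call with the same key."""
    return bytes(b ^ key for b in data)


def not_encode(data: bytes) -> bytes:
    """Bitwise NOT of every byte. NOT is its own inverse too."""
    return bytes((~b) & 0xFF for b in data)


def insertion_encode(data: bytes, filler: int) -> bytes:
    """Interleave a filler byte after every original byte. The decoder
    keeps only the even positions; the payload doubles in size, which
    matters when it has to fit inside an exploit."""
    out = bytearray()
    for b in data:
        out += bytes([b, filler])
    return bytes(out)


def insertion_decode(data: bytes) -> bytes:
    return data[0::2]


def bad_chars(data: bytes, bad=BAD) -> list:
    """Offsets where an encoded byte is still a bad character."""
    return [i for i, b in enumerate(data) if b in bad]


def pick_xor_key(data: bytes, bad=BAD) -> int:
    """Find a single-byte XOR key that works. The key itself must not be
    bad (it sits in the decoder stub as an immediate), and it must XOR no
    payload byte to a bad value. Any payload byte equal to the key would
    become 0x00, so a key that occurs in the payload is never usable.
    Tries 0x01..0xFF and raises if none qualifies."""
    for key in range(1, 256):
        if key in bad:
            continue
        if not bad_chars(xor_encode(data, key), bad):
            return key
    raise ValueError("no single-byte XOR key avoids the bad characters")


def round_trip(data: bytes, key: int, filler: int) -> dict:
    """Run all three schemes; report (encoded bytes, decodes back OK,
    remaining bad-character offsets) for each."""
    x = xor_encode(data, key)
    n = not_encode(data)
    i = insertion_encode(data, filler)
    return {
        "xor": (x, xor_encode(x, key) == data, bad_chars(x)),
        "not": (n, not_encode(n) == data, bad_chars(n)),
        "insertion": (i, insertion_decode(i) == data, bad_chars(i)),
    }
```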
Module 2: Introduction to Shellcoding
11. XOR Decoder using MMX
Ton of instructions!

• FPU
• MMX
• SSE
• SSE2
Advantages

• Existing "popular" shellcodes hardly use them
• Probably lower detection rates by AV and other analysis tools
• Easy to replicate existing functionality using these extensions
MMX based XOR Decoder

• SIMD: Single Instruction, Multiple Data
• Registers MM0 to MM7
• Can load 8 bytes (a qword) at once
• Moving data: movq
• XOR'ing data: pxor
• Key difference from the previous XOR decoder
  – operates over 8 bytes at the same time
Using the FPU for GetPC

Source: http://skypher.com/wiki/index.php/Hacking/Shellcode/GetPC

FSTENV stores the FPU control, status and tag words, the instruction pointer of the last FPU instruction executed, the data pointer and the last opcode.
Module 2: Introduction to Shellcoding
12. Polymorphism
Easy Fingerprinting of Basic Shellcode

• AV and IDS can use the shellcode bytes as a pattern to search for
• Easy to fingerprint
• Detection is simple
Encoding and Encryption

• Original shellcode is protected
• The decoder / decryptor stub, however small, is prone to fingerprinting
• Back to square 1 :)
Imagine IF

• We could make our shellcode look different every time we create it
• Functionality remains the same
• Semantically equivalent instructions

Detection is now MUCH, MUCH more difficult

Enter Polymorphism
Origins in the Virus World

Source: http://www.phrack.org/issues.html?issue=61&id=9#article
Basic Principle of Creating Polymorphic Shellcode

• Replace instructions with ones of equivalent functionality
• Add garbage instructions which don't change the functionality in any way ("NOP equivalents")
Polymorphic Engines

• ADMutate:
  – http://www.ktwo.ca/readme.html
  – http://www.youtube.com/watch?v=XMt9ExL9I00
• CLET
  – http://www.phrack.org/issues.html?issue=61&id=9#article
• VX Heavens Mirror
  – http://download.adamas.ai/dlbase/Stuff/VX%20Heavens%20Library/static/vdat/mainmenu.htm
Module 2: Introduction to Shellcoding
13. Analyzing 3rd Party Shellcode
Should I run this?
Analyzing Shellcode

• Use GDB
• Use ndisasm
• Libemu: shellcode emulation
  http://libemu.carnivore.it/
Staged Shellcode

• Divided into 2 stages:
  – the first stage is small and loads the second stage
    • from input
    • from a file / over the network
  – the first stage then passes control to the second stage
• Useful when there is very little space to run shellcode in an exploit
Case Study: Analyzing Staged Shellcode

Source: http://www.shell-storm.org/shellcode/files/shellcode-824.php
Network based second stage loading

• Bind TCP (staged)
• Reverse TCP (staged)
• Meterpreter is staged :)
Module 2: Introduction to Shellcoding
14. Analyzing Shell_Bind_TCP and Shell_Reverse_TCP with Libemu
Shell_XXX_TCP

• Binding a shell is the most common way to get command line access to a compromised system
• Bind shell (listens on a port on the victim)
• Reverse shell (connects back to a port on the attacker's machine)
Libemu

http://libemu.carnivore.it/
Module 2: Introduction to Shellcoding
14. Crypters
Crypters

• Encrypt the executable / shellcode
• Decrypt at runtime and run
• Powerful crypto techniques like RC4, AES etc. need a lot of assembly code
• Shellcode size becomes too large to be useful
RC4

• Symmetric stream cipher
• 2-step process:
  – Key Scheduling Algorithm (KSA)
  – Pseudo-random number generation (PRGA)
• Full details: http://en.wikipedia.org/wiki/RC4
Writing an RC4 Shellcode Crypter in C

• Encryption phase:
  – for a given key, encrypts the shellcode
• Decryption phase:
  – for the same key, decrypts the shellcode
  – executes it
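Added Python example (the course writes its crypter in C; this is not that code) of the two RC4 phases named above, KSA and PRGA, with the encrypt and decrypt phases of the crypter being the same XOR-with-keystream call. It is checked against the public RC4 test vectors (Key "Key" / Plaintext "Plaintext", and others from the linked Wikipedia page).

```python
"""RC4 as the two phases named on the slide: the Key Scheduling Algorithm
(KSA) and the Pseudo-Random Generation Algorithm (PRGA). Added example,
not course code; verified with the public test vectors."""


def ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: build the 256-byte permutation S from the
    key. The key is repeated cyclically over the 256 rounds."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list, n: int) -> bytes:
    """Pseudo-Random Generation Algorithm: emit n keystream bytes from the
    scheduled state. Works on a copy so the caller's S stays at the
    post-KSA position."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream. A stream cipher
    is its own inverse, so the crypter's encryption phase and decryption
    phase are this same function called with the same key."""
    keystream = prga(ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))
```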
Chaining Methods

• Create shellcode
• Encode with XOR
• Encrypt with the crypter (needs to be the last step)
RC4 in Assembly

• https://thunked.org/programming/rc4-in-assembly-t23.html
• http://youritguy.wordpress.com/2010/06/13/adler-32-and-rc4-in-inline-assembly/
• http://nayuki.eigenstate.org/page/rc4-cipher-in-x86-assembly
Hyperion

• PE crypter
• http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf
• Encrypted (AES) with a weak key
• Key brute-forced at runtime
Module 3: Certification Exam
The Grand Finale
Exam Format

• 7 assignments of varying difficulty
• Post solutions to your personal blog
  – wordpress.com, Blogger or your own domain
• Store code in a GitHub account
Assignment #1

• Create a Shell_Bind_TCP shellcode
  – binds to a port
  – execs a shell on an incoming connection
• Port number should be easily configurable
Assignment #2

• Create a Shell_Reverse_TCP shellcode
  – reverse connects to a configured IP and port
  – execs a shell on a successful connection
• IP and port should be easily configurable
Assignment #3

• Study the Egg Hunter shellcode
• Create a working demo of the egg hunter
• Should be configurable for different payloads
Assignment #4

• Create a custom encoding scheme like the "Insertion Encoder" we showed you
• PoC: use execve-stack as the shellcode to encode with your scheme, then execute it
Assignment #5

• Take up at least 3 shellcode samples created using msfpayload for linux/x86
• Use GDB / ndisasm / libemu to dissect the functionality of the shellcode
• Present your analysis
Assignment #6

• Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
• The polymorphic versions cannot be larger than 150% of the existing shellcode
• Bonus points for making it shorter in length than the original
Assignment #7

• Create a custom crypter like the one shown in the "Crypters" video
• Free to use any existing encryption schema
• Can use any programming language
Blog post must mention

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-XXXXX
Evaluation Criteria

• Originality of shellcode
• Quality of explanation: detailed and insightful
• Each assignment carries 10 marks
• Certification criteria: > 50 out of 70 marks
Extra Points :)

• Posting additional new shellcodes beyond the assignments (10 points)
• Shellcode submitted to and accepted by:
  – Shell-Storm.org
  – Exploit-db.com
  (10 points)
• Community interaction (5 points)
  – chatter on Twitter, Facebook
  – comments on blog posts
Submission Format

• Email to [email protected]
• Subject: SLAE Exam Blog Posts
• Email contains:
  – links to all 7 blog posts
  – link to the GitHub account where the code is stored
  – links to Shell-Storm / Exploit-db submissions
  – links to Twitter / Facebook if posted there
• Around 5 working days for the result
