CIS 4615 meeting -*- Outline -*-

* x86 disassembly

  Based on chapter 4 of the book Practical Malware Analysis: The
  Hands-On Guide to Dissecting Malicious Software by Michael Sikorski
  and Andrew Honig, No Starch Press, 2012.

  Also course notes from Golden Richard

  Also Intel architecture manuals, see
  http://www.intel.com/content/www/us/en/processors/
         architectures-software-developer-manuals.html

** x86 architecture
   Each assembly language is specific to a particular processor
   and is in a 1-1 correspondence with the machine code of that
   processor

   We concentrate on the Intel x86 or IA-32 architecture
      this is the architecture of the Intel 80286 and 80386
      used in Windows XP
   We will say some things about the more modern x64 architecture

------------------------------------------
          ARCHITECTURAL OVERVIEW

   +--------------------+     +---------+
   |      CPU           |     |         |
   | +----------------+ |     |         |
   | |  Registers     | |     |         |
   | +----^-----------+ |     |   RAM   |
   |      |             |     |         |
   |  +---v--+  +-----+ |     |         |
   |  | ALU  <-->Control<----->         |
   |  +---^--+  +-----+ |     |         |
   +------|-------------+     |         |
          |                   |         |
  +-------v--------------+    |         |
  |     I/O Devices      |    |         |
  |                      |    +---------+
  +----------------------+
------------------------------------------

        Q: What does the RAM do?
        stores all data and code

        Q: What does the ALU do?
        arithmetic and logical operations on data

        Q: What does the control unit do?
        fetches instructions and executes them,
        and tracks the instruction pointer (IP)

*** memory
**** real mode memory addressing
------------------------------------------
       REAL MODE MEMORY ADDRESSING

For 16 bit 8086 and 8088 (from 1978!) also
80286 and above, for compatibility
   with older programs

Address is sum of:
     Segment address + offset

  FFFFFH +----------------+
         |                |
         |                |
         +----------------+
  1F000H |                |<-+ offset=F000
         +----------------+  |
         |   64K segment  |  |
         |                |  | Seg. Reg.
  10000H |                |<\| +---------+
         +----------------+  +-+   1000  |
         |                |    +---------+
         |                |
         |                |
         |                |
  00000H +----------------
------------------------------------------
        Note that the address in the segment register is only 1000H,
        this is extended to 10000H (shifted by 4 bits)
        so that the whole address is 20 bits (=16+4) long

        Q: Why use this segment register + offset scheme?
        This allows using up to 1M of RAM with 16 bit addresses
        Also allows relocation

------------------------------------------
        MEMORY LAYOUT FOR A PROCESS

Approximate, the sections may be
  - in different orders
  - not contiguous

high addresses
           +----------------------------+
           |       environment ptr      |
           |    cmd line arguments      |
      BP ->+----------------------------+
           |          stack             |
           |             |              |
           |             |              |
      SP ->|             v              |
           +----------------------------+
           |                            |
      SS ->|                            |
           +----------------------------+
           +----------------------------+
           |             ^              |
           |             |              |
           |             |              |
      ES ->|           heap             |
           +----------------------------+
           |                            |
           |       .data or .bss        |
      DS ->|                            |
           +----------------------------+
           |           .text            |
      CS ->|                            |
           +----------------------------+
low        |     shared libraries       |
addresses  +----------------------------+

------------------------------------------
        Q: What's in the .text section?
        Code

**** Protected mode addressing
------------------------------------------
          PROTECTED MODE ADDRESSING

80286 (16 bit, from 1982) and above

Doesn't use segment + offset to directly
  form address

Segment register contains a selector
   into a global descriptor table,
   the descriptor has a base address,
   address is base address + offset

So instructions are the same!
                              memory
                            +------------+ FFFFFF
                            |            |
                            |            |
                            |            |
                            |            |
             global         |            |
             descriptor     |            |
             table          |            |
             +-----------+  |            |
             |           |  |            |
             |           |  |            |
             |           |  |            |
             |           |  +------------+ 1000FF
    DS       +-----------+  |   data     |
  +-------+  |      ...  | />  segment   | 100000
  | 0008  |->|    100000 +- +------------+
  +-------+  |      00FF |  |            |
             +-----------+  |            |
             |           |  |            |
             +-----------+  +------------+ 000000
------------------------------------------
    80286 has a descriptor with
                a 24 bit base address,
                and a limit that is 16 bits
    80386 and above have a 32 bit base address
                and a 20 bit limit
    In the descriptor are also seom permissions

**** virtual memory
------------------------------------------
           VIRTUAL MEMORY

80386 (32 bit, from 1985) and above

Program generates a "linear address"
Memory paging unit translates it to a
   "physical address"

------------------------------------------

**** x64, flat memory addressing + virtual memory
------------------------------------------
             X64 ARCHITECTURE

64 bit architecture, introduced with the
  Intel Pentium 4 (2000)

linear addressing + virtual memory
 only sensible to use FS and GS 
                  segment registers

------------------------------------------


*** instructions, opcodes, endianness
------------------------------------------
             ASSEMBLY INSTRUCTIONS

Intel assembler (NASM) conventions:

     mov    ecx,         0x42
     |      |            |
Mnemonic  destination    source

        B9               42 00 00 00
        |
     opcode              constant in bytes

Little-endian = least significant bytes first (left)

Big-endian = most significant bytes first (left)
------------------------------------------
        Q: Which is Intel: big or little endian?
        It's little-endian.

*** operands
------------------------------------------
              TYPES OF OPERANDS

Immediate:

Register:

Memory address:


------------------------------------------
        ... a fixed value (like 0x42)
        ... a register, like ecx
        ... the value in a memory cell, like [eax]
*** registers
------------------------------------------
            REGISTERS

General:
  64 bit:  RAX,     RBX,     RCX,      RDX
  32 bit:  EAX,     EBX,     ECX,      EDX
  16 bit:   AX,     BX,      CX,        DX
   8 bit   AH & AL, BH & BL, CH & CL, DH & DL

64 bit mode also has registers r8-r15
  64 bit: r8
  32 bit: r8d
  16 bit: r8w
   8 bit: r8b

ECX is used as a

Source/Destination registers:
  64 bit:  RSI      RDI
  32 bit:  ESI      EDI
  16 bit    SI       DI

Stack-manipulation registers
  64 bit:  RBP      RSP
  32 bit:  EBP      ESP
  16 bit:   BP       SP

Flags:
  EFLAGS

Instruction Pointer:
  RIP (64 bit)
  EIP (32 bit)
   IP (16 bit)

------------------------------------------
        ... counter by some instructions

        The segment registers are only used in old (286,386) software,
        such as DOS programs, and they are
        not used in protected mode (with virtual memory paging)

        For r8-r15, there is no "h" part, no direct access to bits 8-15
        For 64 bit mode, can access lower order bits of rbp, rsi, rdi
         using bpl, sil, dil (bits 0-7 of rbp/ebp, rsi/esi, rdi/edi)

        There are other registers, e.g., for floating point,
        debugging, etc.

------------------------------------------
     BACKWARDS COMPATIBILITY REGISTERS

                     +--------+---------+
                     |   AH   |   AL    |
                     |        |         |
                     +--------+---------+
                       8 bits    8 bits

                     +------------------+
                     |       AX         |
                     |                  |
                     +------------------+
                           16 bits

    +-----------------------------------+
    |             EAX                   |
    |                                   |
    +-----------------------------------+
                32 bits

+-//------------------------------------+
|                 RAX                   |
|                                       |
+-//------------------------------------+
              64 bits
------------------------------------------
        The different names for parts of registers are mostly for
        backwards compatibility, but they give one the ability to
        manipulate specific bytes in the registers.

        The high byte registers (AH, BH, ...) are not available in 64
        bit mode

------------------------------------------
            DATA TYPES AND BITS
                                    7   0
                                   +-----+
                          byte     |     |
                                   +-----+

                              15  8 7   0
                             +-----+-----+
                      word   | high| low |
                             | byte| byte|
                             +-----+-----+
                                N+1     N

                     31    16 15        0
                    +--------+-----------+
        doubleword  |        |           |
                    |        |           |
                    +--------+-----------+
                           N+2          N
  63              32 31                 0
 +------------------+--------------------+
 |      high        |       low          |
 |   doubleword     |     doubleword     |
 +------------------+--------------------+
                 N+4                    N
------------------------------------------

        N is an address (or array index) in bytes

------------------------------------------
            SEGMENTATION

For protected mode (32 bit)in x86, 
 3 kinds of address:

 1. segmentation-based: segment + offset
 2. linear/virtual address (32/64 bit address)
 3. physical address (32/64 bit address

Segment registers (16 bit)
  CS ~ code
  SS ~ stack
  DS ~ data
  ES ~ extra
  FS ~ exception handling chain
  GS

Segmentation is disabled in 64 bit mode
  - uses flat 64 bit address space

------------------------------------------
        Q: How much memory can be addressed with a 16 bit address?
           65 KB
           this is why there are segments
           Segment register value (16 bits) + 16 bit offset allowed 20
           bit addressing, so up to 1 MB of RAM
        Q: How much memory can be addressed with a 32 bit address?
           4 GB

    The following is from
    http://www.eecg.toronto.edu/~amza/www.mindsec.com/files/x86regs.html
------------------------------------------
            EFLAGS REGISTER

Bit    Name    Description
====================================
0      CF      Carry flag
2      PF      Parity flag
4      AF      Auxiliary carry flag
6      ZF      Zero flag
7      SF      Sign flag
8      TF      Trap flag
9      IF      Interrupt enable flag
10     DF      Direction flag
11     OF      Overflow flag
12-13  IOPL    I/O Privilege level
14     NT      Nested task flag
16     RF      Resume flag
17     VM      Virtual 8086 mode flag
18     AC      Alignment check flag (486+)
19     VIF     Virtual interrupt flag
20     VIP     Virtual interrupt pending flag
21     ID      ID flag

------------------------------------------

*** instructions
**** overview
------------------------------------------
            INSTRUCTION FORMAT

NASM syntax (Intel variant)

Instruction format

  LABEL: OPCODE destop [, sourceop]  [; comment]

Example:

  HERE: cmp ebx, BEEFh   ; does ebx have secret?
        push ebx
        push eax
        xor ebx, ebx     ; ebx == 0
        xor eax, eax     ; eax == 0

------------------------------------------
        instructions are on single lines (unless continued by \<newline>)

        The comment is from the semicolon (;) to the end of the line

------------------------------------------
       ACCESSING MEMORY CONTENTS

  mov eax, 0xBEEF   ; eax gets

  mov eax, [0xBEEF] ; eax gets
------------------------------------------
      ... the hex value BEEF
      ... the value stored at address BEEF

------------------------------------------
       ACCESSING VIA REGISTERS

  mov eax, ebx   ; eax gets

  mov eax, [ebx] ; eax gets


------------------------------------------
      ... the value in ebx
      ... the value stored at the address in ebx (indirect)

**** details
------------------------------------------
            GRAMMAR CONVENTIONS

  ::=      means "can be" or "produces"
  |        means "or"
  <x>      is the nonterminal named "x",
              a syntactic category
  other    literal characters
  [<x>]    is an optional <x>
  [<x>]... means 0 or more <x>s
  '['      is a left square bracket (char)
  ']'      is a right square bracket (char)

------------------------------------------
        These are a type extended BNF (context-free) grammar
        You may have seen ::= as an arrow (-->) in other books

------------------------------------------
          MASM SYNTAX DETAILS

<instr> ::= [<label> :] <opcode> <args> [<comment>]
        | [<label> :] <pseudo-instr> [<comment>]
        | [<label> :] [<opcode-prefix>]... [<comment>]

<opcode> ::= [<opcode-prefix>] <opcode>
         | <letter>[<letter>]...
<opcode-prefix> ::= lock | rep | repe | repz
         | repne | repnz | xacquire | xrelease
         | bnd | nobnd | times <num-exp>
         | <seg-register>
<seg-register> ::= cs | ds | es | ss | fs |gs
<pseudo-instr> ::= <symbol> equ <exp>
         | <symbol> = <exp>

<size> ::= b | w | d | q | t | o | y | z

<args> ::=
          | <operand>
          | <operand>, <operand>
          | <operand>, <operand>, <operand>
<operand> ::= <prim-operand>
          | <effective-address>
          | <exp>
<prim-operand> ::= <number>
          | <register-name>

<exp> ::= <prim-operand>
          | ( <exp> ) | <exp> '[' <exp> ']'
          | <length-op> <exp>
          | <exp> . <exp>
          | <exp> : <exp> | ptr <exp>
          | <offset-op> <exp>
          | <part-op> <exp>
          | - <exp> | + <exp>
          | <exp> <mul-op> <exp>
          | <exp> + <exp> | <exp> - <exp>
          | <exp> <comp-op> <exp>
          | not <exp>
          | <exp> and <exp>
          | <exp> or <exp> | <exp> xor <exp>

<number> ::= <decimal-literal>
          | <hex-literal>
          | <binary-literal>
<length-op> ::= length | size | width | mask | lengthof | sizeof
<offset-op> ::= lroffset | offset | seg | this | type
<part-op> ::= high | highword | low | lowword
<mul-op> ::= * | / | mod | shl | shr
<comp-op> ::= eq | ne | lt | le | gt | ge


<bin-digit> ::= 0 | 1 | _
<binary-literal> ::= <bin-digits>y
          | <bin-digits>b
<bin-digits> ::= <bin-digit>[<bin-digit>]...

<dec-digit> ::= 0|1|2|3|4|5|6|7|8|9 | _
<decimal-digits> ::= <dec-digit>[<dec-digit>]...
<decimal-literal> ::= <decimal-digits>
          | <decimal-digits>t | <decimal-digits>d

<hex-digit> ::= <dec-digit>|A|B|C|D|E|F
<hex-digits> ::= <dec-digit>[<hex-digit>]...
<hex-literal> ::= <hex-number>h

<label> ::= <symbol>
<symbol> ::= <letter>[<label-char>]... 

<letter> ::= a|...|z|A|...|Z
<label-char> ::= <letter>|<dec-digit>|_|$|@|?

------------------------------------------
        This syntax is not complete
        This syntax is similar to, but not identical to, the Microsoft
        assembler syntax (MASM)

        Q: Does the case of opcodes, size letters, and B and H matter?
        No, case doesn't matter
        However, case matters for labels!

        Q: What is an effective address?
        The address of something, instead of the value in that address

        Expressions are generally like those in C

        The difference between / and // is that // is signed division
        and %% is signed modulo

        The $ means the address of the beginning of the line containing the
        expression.

        The <exp>s are arranged in decreasing order of precedence

**** AT&T Syntax
------------------------------------------
         INTEL VS. AT&T SYNTAX

We'll generally use Intel style syntax
   - found in NASM, MASM
   - available in gcc with the option
       -masm=intel
     as in
       gcc -S -masm=intel file.c

AT&T syntax used in gcc (for inlining)

Comparison:

  Intel (NASM)         AT&T (gas)
  ===================================
  push 4               pushl $4
  add eax, 4           addl $4, %eax
  mov al, byte foo     movb foo, %al
  call                 lcall
  jmp                  ljmp
  ret                  lret

  mov eax, byte[ebp-4] movb -4(%ebp), %eax
  mov ebx, \           movb foo(,%eax,4), \
      byte[foo+eax*4]       %ebx

General memory reference translation

 disp[base+idx*scale]  disp(base,idx,scale)
------------------------------------------
        Show hailstone.s and hailstone.as in this directory

*** simple instructions
------------------------------------------
         SIMPLE INSTRUCTIONS

mov - copies data

  mov eax, ebx
  mov eax, 0x42
  mov eax, [0x4037C4]
  mov eax, [ebx]
  mov eax, [ebx+esi*4]

xchg - swaps data

  xchg eax, ebx

lea - load effective address

  lea eax, [ebx+esi*4]

arithmetic

  sub eax, 0x10
  add eax, ebx
  inc edx
  dec ecx

multiplication and division
  use the edx and eax registers

  mul value
    multiplies eax by value,
      puts result into edx:eax

    +-----------------++----------------+
    |                 ||                |
    +-----------------++----------------+
            EDX              EAX
     most significant   least significant
        32 bits             32 bits

  div value
    divides the 64 bits in edx:eax
     by the value:
         EDX holds remainder
         EAX holds result

logical operations:

   xor eax, eax
   or eax, 0x7575
   and eax, ebx

shift operations

 logical:
   shl eax, 2
   shr ebx, 1
 arithmetic
   sal eax, 2
   sar ebx, 1
 rotation:
   rol ebx, 3
   ror eax, 2

No-operation

   nop

------------------------------------------
        explain the examples

        Q: What do the shifts do?
           the first multiplies by 4 and the second divides by 2


*** stack
------------------------------------------
              THE STACK
high addresses
   EBP --> +--------------------------+
           |                          |
           |                          |
           |           |              |
           |           |              |
           |           v              |
           |                          |
           |                          |
           |                          |
           |                          |
   ESP --> |                          |
           +--------------------------+
low addresses

     push 0xC
     pop [eax+4]

------------------------------------------
        Q: Does push increment or decrement ESP?
        decrements it
        Q: Where does the top of the stack go when pop is executed?
        Into the specified destination address

        Q: What happens if there is no space for the push?
        An exception happens

*** functions
------------------------------------------
           FUNCTION CALL AND RETURN

Using the ccdecl calling convention in x86

  CALLER                CALLEE
  ========================================
  push arg1
  ...
  push argn
  call fun  ; sets EIP to fun, saves AFTER

                       push dword [ebp] ; or enter
                       ; work of fun
                       pop ebp          ; or leave
                       ret  ; jump to AFTER

  AFTER: times n pop

------------------------------------------
           This is for x86,
           for x64, arguments are typically in registers
                    and use RBP and RIP

           In x86 one can also use pusha and popa (or pushad and
           popad) to push all the general registers and pop them
           Often used by shell code but not by compilers

------------------------------------------
            STACK FRAME IN X86

high address
        +--------------------------------+
        |          arg n                 |
        +--------------------------------+
        |           ...                  |
        +--------------------------------+
        |          arg 1                 |
        +--------------------------------+
        |          return address        |
        +================================+
  EBP ->|         old EBP                |
        +--------------------------------+
        |          local 1               |
        +--------------------------------+
        |            ...                 |
        +--------------------------------+
  ESP ->|          local M               |
        +--------------------------------+
low address

------------------------------------------
        visualize this over time.

*** conditionals
------------------------------------------
                CONDITIONALS

Performing comparisons

   test eax, ebx   ; like and but

   cmp eax, [ebx]  ; like sub but


   cmp dst, src       ZF      CF
   =============================
   dst == src         1       0
   dst < src          0       1
   dst > src          0       0

------------------------------------------
        ... doesn't change eax (only sets flags)
   
        Q: Which flag do we care about after test?
        The ZF

        ... doesn't change eax (only sets flags)
        Q: Which flag do we care about after test?
        The ZF and CF

*** branching
     table 4-9 in Practical Malware Analysis
------------------------------------------
          BRANCHING INSTRUCTIONS

 OPCODE   MEANING
 =======================================
 jz loc   if ZF = 1, jump to loc 
 jnz loc  if ZF = 0, jump to loc 
 je loc   if ZF = 1, jump to loc, used after cmp
 jne loc  if ZF = 0, jump to loc, used after cmp 
 jg loc   if ZF=0 & CF = 0, jump, used after cmp
 jge loc  if CF != 1, jump, used after cmp
 jl loc   if ZF=0 & CF = 1, jump, used after cmp
 jle loc
 jo loc   if OF = 1, jump to loc
 js loc   if SF = 1, jump to loc
 jecxz loc if ECX=0, jump to loc
------------------------------------------
      ... if ZF != CF, jump, i.e., if in cmp dst,src, dst was <= src

*** rep instructions
------------------------------------------
           REP PREFIX INSTRUCTIONS

Manipulate data buffers 
   (i.e., strings = arrays of bytes)

  Used with registers:
    ESI (source index)
    EDI (destination index)
    ECX (count)

  PREFIX    MEANING
  ======================================
  REP       repeat until ECX == 0
  REPE      repeat until ECX==0 or ZF==0
  REPZ      repeat until ECX==0 or ZF==0
  REPNE     repeat until ECX==0 or ZF==1
  REPNZ     repeat until ECX==0 or ZF==1

Examples (MASM syntax),
   assuming EDI and ESI are buffer addresses,
     and ECX is length of both buffers:

   repe cmpsb ; compare until ECX == 0 or buffers differ

   rep stosb  ; puts AL's value into buffer 
              ; starting at EDI

   rep movsb  ; copies buffer of bytes

   repne scasb ; searches buffer for a byte

------------------------------------------

*** C translation

**** main function
     Consider hmain.c in this directory
------------------------------------------
            HMAIN.C FILE

#include <stdio.h>
extern long hailstone(long);
int main(int argc, char *argv[]) {
  long x = 1;
  long res = 0;
  if (argc != 1) {
    fprintf(stderr, "requires 1 argument");
    return 1;
  }

  sscanf(argv[1], "%li", &x);
  res = hailstone(x);
  printf("%li\n", res);
  return 0;
}
------------------------------------------

------------------------------------------
      TRANSLATION TO ASM (MASM SYNTAX)

using gcc -S -masm=intel -m32

	.file	"hmain.c"
	.intel_syntax noprefix
	.def	___main;	.scl	2;	.type	32;	.endef
	.section .rdata,"dr"
LC0:
	.ascii "requires 1 argument\0"
LC1:
	.ascii "%li\0"
LC2:
	.ascii "%li\12\0"
	.text
	.globl	_main
	.def	_main;	.scl	2;	.type	32;	.endef
_main:
	push	ebp
	mov	ebp, esp
	and	esp, -16
	sub	esp, 32
	call	___main
	mov	DWORD PTR [esp+24], 1
	mov	DWORD PTR [esp+28], 0
	cmp	DWORD PTR [ebp+8], 1
	je	L2
	call	___getreent
	mov	eax, DWORD PTR [eax+12]
	mov	DWORD PTR [esp+12], eax
	mov	DWORD PTR [esp+8], 19
	mov	DWORD PTR [esp+4], 1
	mov	DWORD PTR [esp], OFFSET FLAT:LC0
	call	_fwrite
	mov	eax, 1
	jmp	L4
L2:
	mov	eax, DWORD PTR [ebp+12]
	add	eax, 4
	mov	eax, DWORD PTR [eax]
	lea	edx, [esp+24]
	mov	DWORD PTR [esp+8], edx
	mov	DWORD PTR [esp+4], OFFSET FLAT:LC1
	mov	DWORD PTR [esp], eax
	call	_sscanf
	mov	eax, DWORD PTR [esp+24]
	mov	DWORD PTR [esp], eax
	call	_hailstone
	mov	DWORD PTR [esp+28], eax
	mov	eax, DWORD PTR [esp+28]
	mov	DWORD PTR [esp+4], eax
	mov	DWORD PTR [esp], OFFSET FLAT:LC2
	call	_printf
	mov	eax, 0
L4:
	leave
	ret
	.ident	"GCC: (GNU) 4.9.3"
	.def	___getreent;	.scl	2;	.type	32;	.endef
	.def	_fwrite;	.scl	2;	.type	32;	.endef
	.def	_sscanf;	.scl	2;	.type	32;	.endef
	.def	_hailstone;	.scl	2;	.type	32;	.endef
	.def	_printf;	.scl	2;	.type	32;	.endef

------------------------------------------
        annotate the code with comments to answer these questions:
        Q: What is right after the label "main"?
        the prologue of the function, pushing ebp to save it
        and saving the stack register into ebp to start the stack frame
        Q: What does and esp, -16 do?
        clears the lower 4 bits of the esp register
        Q: What does sub esp, 32 do?
        Allocates space for the local variables
        Q: What does call ___main do?
        runs the macro named ___main, a prologue for main
        Q: What is at esp+24?
        x, it's initialized to 1
        Q: What is at esp+28?
        res
        Q: What is at ebp+8?
        argc. How can we tell? it's compared to 1
        Q: What does the je L2 do?
        jumps around the return block (the true part of the if)
        Q: What happens at L2?
        after the return block, loads argv[1] into eax
        ebp+12 is argv, adding 4 for the index 1
        Q: What is the lea edx, [esp+24] doing?
        Putting the value of x's address into edx
        Q: Then what happens with mov DWORD PTR [esp+8], edx?
        Pushing x's address onto the stack, as argument to sscanf
        Q: Then what happens with mov DWORD PTR [esp+4], OFFSET FLAT:LC1?
        Then it pushes the address of "%li\0" onto the stack

        Then it pushes eax at the top of the stack
        Then a call to sscanf

      If time permits try another one, or show in AT&T syntax