@K415

Contents
Intel-x86 architecture ................................................................................................................. 2
what’ll be covered : ................................................................................................................ 2
Source code to machine code ................................................................................................. 2
Registers and flags ................................................................................................................. 3
Instruction pointer Register................................................................................................ 4
Flags Register..................................................................................................................... 4
Segment Registers .............................................................................................................. 5
Stack ................................................................................................................................... 5
Assembly instructions ............................................................................................................ 6
Basic instructions ............................................................................................................... 6
Assembly Fundamentals ............................................................................................................ 7
what’ll be covered : ................................................................................................................ 7
Assembly instructions ............................................................................................................ 7
Basic instructions ............................................................................................................... 7
Control Flow Instructions .................................................................................................. 8
PE File Format ......................................................................................................................... 11
what’ll be covered : .............................................................................................................. 11
PE File Format: .................................................................................................................... 11
Dos MZ Header & Dos Stub:........................................................................................... 12
PE File Header: ................................................................................................................ 12
Optional Header: .............................................................................................................. 14
Section Table: .................................................................................................................. 15
Sections: ........................................................................................................................... 16
 Intel-x86 architecture

what’ll be covered :
• Source code to machine code
• Registers and flags.
• Assembly (intel syntax).

Source code to machine code

 1- In most cases in your analysis you will be dealing with executables not just
a source code ,So let’s assume for now that the executable we will analysis
contains only machine code and we can disassemble the machine code and
convert it to assembly instructions which is basically the instructions that will
be executed by the processor .
2- We will work with low level instructions for specific architecture ,So if we
don’t have a good knowledge on the architecture we will work on it will be
impossible to follow and understand what is actually executed by the
processor.

Registers and flags

The x86 architecture has 8 General-Purpose Registers (GPR), 6 Segment

Registers, 1 Flags Register and an Instruction Pointer.
1- EAX: The accumulator register where all major calculations take
place in and also used to store the return value of a function .
2- EBX: The base register It has no specific uses.
3- ECX: The counter register which is usually used as a loop counter.
4- EDX: The data register which is occasionally used as a function
parameter or storing short-term variables within a function
5- EDI: The destination index register which is often used as a pointer.
6- ESI: The source index register and often stores data that is used
throughout a function because it doesn't change.
7- EBP: The base pointer register which holds the base address of the
stack.
8- ESP: The stack pointer register which holds the top address of the
stack.
Instruction pointer Register
The EIP register contains the address of the next instruction to be
executed.

Flags Register
The flags register is the status register in Intel x86 microprocessors
that contains the current state of the processor.
In the x86 architecture the register size is 32 bit each bit will represent
a flag or will have reserved value.
Segment Registers
Stack Segment (SS): Pointer to the stack.
Code Segment (CS): Pointer to the code.
Data Segment (DS): Pointer to the data.
Extra Segment (ES): Pointer to extra data.
F Segment (FS): Pointer to more extra data.
G Segment (GS): Pointer to still more extra data.

Stack
Stacks in computing architectures are regions of memory where data is
added or removed in a last-in-first-out (LIFO) manner.

In most modern computer systems, each thread has a reserved region

of memory referred to as its stack. When a function executes, it may
add some of its local state data to the top of the stack; when the
function exits it is responsible for removing that data from the stack.
Assembly instructions

Basic instructions
mov : The mov instruction copies the item referred to by its second
operand into the location referred to by its first operand.
Examples:

1- mov eax,ebx Move the EBX register value to the EAX Register.

2- mov eax, [ebx] Move the 4 bytes in memory at the address

contained in EBX into EAX

3- mov ecx,BYTE PTR [ebx] Move one byte at the address contained
in EBX into EAX
 Assembly Fundamentals
what’ll be covered :
• Assembly (intel syntax).

Assembly instructions
Basic instructions

mov : The mov instruction copies the item referred to by its second
operand into the location referred to by its first operand.
Examples:

1- mov eax,ebx Move the EBX register value to the EAX Register.

2- mov eax, [ebx] Move the 4 bytes in memory at the address

contained in EBX into EAX

3- mov ecx,BYTE PTR [ebx] Move one byte at the address contained
in EBX into EAX

lea : loads a pointer to the item you're addressing whereas mov loads the
actual value at that address.
push: The push instruction places its operand onto the top of the stack.

Example:
push eax , will make the value in eax in the top of the stack.
 pop: The pop instruction removes the top of the stack and moves the
value into its operand.

Example:
pop ebx ,Will remove the top of the stack and move the value into the ebx
register.

cmp: The cmp instruction compares the values of the two specified
operands and depends on the result there will be changes in the flag
register.

Example:
cmp eax,ebx ,Now let’s assume that eax and ebx are equal so the zero
flag will be set to 1.

Control Flow Instructions

Unconditional jump instructions:

jmp: Transfers program control flow to the instruction at the memory

location indicated by the operand.

call: The call instruction first pushes the current code location into the
stack then jumps the code location indicated by the label operand.

ret: The ret instruction first pop the top of the stack then jumps to the
retrieved code location.
Conditional jump instructions:

The conditional jump usually follows the cmp instruction.

je: Jump when equal which will jump if zero flag is set to 1.

jne: Jump when not equal which will jump if zero flag is set to 0.

jz: Jump when zero flag is set to 1.

jg: Jump if greater which depends on three flags OF, SF, ZF.

jl: Jump if less which depends on two flags OF, ZF.

Arithmetic Instructions

add: The add instruction adds together the two operands and store the
result in its first operand.

sub : The sub instruction subtract the second operand from the first
operand and store the result in its first operand.

imul : The imul instruction multiplies together the two operands and stores
the result in its first operand.
 inc: The inc instruction adds one to the operand value.

dec: The dec instruction subtract one from the operand value.

sal : Multiply the first operand by 2 power the second operand .

sar : Divide the first operand by 2 power the second operand .

Logical Instructions

and: The and instruction perform logical and between the two operands
and store the result in its first operand.

or: The or instruction performs logical or between the two operands and
stores the result in its first operand.

xor: The xor instruction performs logical exclusive or between the two
operands and stores the result in its first operand.

not: The not instruction negates the operand contents by performing logical
not.

shl: The shl instruction is used to shift the bits of the first operand to the
left, by the value of the second operand.

shr: The shr instruction is used to shift the bits of the first operand to the
right, by the value of the second operand.
 PE File Format

what’ll be covered :
o Portable Executable File Format

PE File Format:

The Portable Executable (PE) format is a file format for executables, object code, DLLs
and others used in 32-bit and 64-bit versions of Windows operating systems. The PE
format is a data structure that encapsulates the information necessary for the Windows
OS loader to manage the wrapped executable code.

So simply the different parts of the pe file will determine how the executable is loaded
into memory and how all the data is stored.
 The main problem now is why we should understand the PE file format. The answer is
quite simple to know and understand all the tricks that can malware authors use to hide
and evade detection.

Dos MZ Header & Dos Stub:

Dos MZ Header: Contain the PE file magic numbers (MZ which in hex
equal 4D 5A) .
Dos Stub: Usually contains the message “this program cannot be run in
dos mode” and this is usually used for compatibility.

This is the only information here we care about.

PE File Header:
PE Signature: After the MS-DOS stub, at the file offset specified at offset
0x3c, is a 4-byte signature that identifies the file as a PE format image file.
This signature is "PE\0\0" (the letters "P" and "E" followed by two null
bytes).
This will be used by the pe loader to check if it is a valid PE file.

COFF Header : After the signature of an image file, is a standard COFF file
header which contains a lot of useful information like TimeDataStamp,
SizeOfOpetionalHeader and machine type.

Let’s take a look on some useful entries in the COFF Header:

o Machine: Represent the machine type x86,x64 or Intel Itanium.

o NumberOfSection: The number of sections. This indicates the size of
the section table, which immediately follows the headers.
o SizeOfOptioanlHeader: The size of the optional header, which is
required for executable files but not for object files.
o TimeDataStamp: The low 32 bits of the number of seconds since
00:00 January 1, 1970 (a C run-time time_t value), which indicates
when the file was created.
o Characteristics: The Characteristics field contains flags that indicate
attributes of the object or image file.
Optional Header:

Every image file has an optional header that provides information to the
loader. This header is optional in the sense that some files (specifically,
object files) do not have it.
Note that the size of the optional header is not fixed. The
SizeOfOptionalHeader field in the COFF header must be used to validate.
As we can see there a lot of entries here so we will focus on the most
important ones here:

▪ AddressOfEntryPoint: The address of the entry point relative

to the image base when the executable file is loaded into
memory.
▪ BaseOfCode: The address that is relative to the image base of
the beginning-of-code section when it is loaded into memory.
 ▪ ImageBase: The preferred address of the first byte of image
when loaded into memory; must be a multiple of 64 K.
▪ SectionAlignment: The alignment (in bytes) of sections when
they are loaded into memory.
▪ Subsystem: The subsystem that is required to run this image.
▪ DllCharacteristics: Determine the protection used in the
executable like ASLR ...etc.

And finally Image Optional Header Data Directories , Each data directory
gives the address and size of a table or string that Windows uses. These
data directory entries are all loaded into memory so that the system can use
them at run time.

Section Table:

Each row of the section table is, in effect, a section header.

This table immediately follows the optional header, if any.
This positioning is required because the file header does not contain a direct
pointer to the section table.
Instead, the location of the section table is determined by calculating the
location of the first byte after the headers. Make sure to use the size of the
optional header as specified in the file header.
The number of entries in the section table is given by the NumberOfSections
field in the file header. Entries in the section table are numbered starting from
one .
 The code and data memory section entries are in the order chosen by the
linker.
It contains all the information about the sections in the PE file.

Sections:
o .text or CODE : Contains executable code.
o .data or DATA : Typically Contains read/write data and global
variables.
o .rdata : Contains read-only data. Sometimes it also contains import
and export information.
o .idata : If present, contains the import table. If not present, then the
import information is stored in .rdata section.
o .edata : If present, contains export information. If not present, then the
export information is found in .rdata section.
o .rsrc : This section contains the resources used by the executable
such as icons, dialogs, menus, strings, and so on.