Learn CyberTalents
Contents
Intel-x86 architecture
  What'll be covered:
  Source code to machine code
  Registers and flags
    Instruction pointer Register
    Flags Register
    Segment Registers
    Stack
  Assembly instructions
    Basic instructions
Assembly Fundamentals
  What'll be covered:
  Assembly instructions
    Basic instructions
    Control Flow Instructions
PE File Format
  What'll be covered:
  PE File Format:
    Dos MZ Header & Dos Stub:
    PE File Header:
    Optional Header:
    Section Table:
    Sections:
Intel-x86 architecture
What'll be covered:
• Source code to machine code
• Registers and flags.
• Assembly (intel syntax).
Flags Register
The flags register is the status register in Intel x86 microprocessors
that contains the current state of the processor.
In the 32-bit x86 architecture this register (EFLAGS) is 32 bits wide; each
bit either represents a flag or is reserved.
Segment Registers
Stack Segment (SS): Pointer to the stack.
Code Segment (CS): Pointer to the code.
Data Segment (DS): Pointer to the data.
Extra Segment (ES): Pointer to extra data.
F Segment (FS): Pointer to more extra data.
G Segment (GS): Pointer to still more extra data.
Stack
Stacks in computing architectures are regions of memory where data is
added or removed in a last-in-first-out (LIFO) manner.
Basic instructions
mov : The mov instruction copies the item referred to by its second
operand into the location referred to by its first operand.
Examples:
1- mov eax,ebx Move the EBX register value to the EAX register.
2- mov cl,BYTE PTR [ebx] Move one byte from the address contained
in EBX into CL (the low byte of ECX).
Assembly Fundamentals
What'll be covered:
• Assembly (intel syntax).
Assembly instructions
Basic instructions
mov : The mov instruction copies the item referred to by its second
operand into the location referred to by its first operand.
Examples:
1- mov eax,ebx Move the EBX register value to the EAX register.
2- mov cl,BYTE PTR [ebx] Move one byte from the address contained
in EBX into CL (the low byte of ECX).
lea : loads the address of the item you're addressing into its first
operand, whereas mov loads the actual value stored at that address.
push: The push instruction places its operand onto the top of the stack.
Example:
push eax , places the value in EAX on the top of the stack.
pop: The pop instruction removes the top of the stack and moves the
value into its operand.
Example:
pop ebx , removes the top of the stack and moves the value into the EBX
register.
cmp: The cmp instruction compares the values of its two operands (by
subtracting the second from the first and discarding the result) and sets
the flags register according to that result.
Example:
cmp eax,ebx , now let's assume that EAX and EBX are equal, so the zero
flag will be set to 1.
call: The call instruction first pushes the return address (the address of
the instruction following the call) onto the stack, then jumps to the code
location indicated by its label operand.
ret: The ret instruction first pops the return address off the top of the
stack, then jumps to that retrieved code location.
Conditional jump instructions:
je: Jump when equal, which will jump if the zero flag is set to 1.
jne: Jump when not equal, which will jump if the zero flag is set to 0.
jg: Jump if greater (signed comparison), which depends on three flags: OF, SF and ZF.
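To make the flag semantics concrete, here is an added Python model (not part of the original CyberTalents material) of what a 32-bit `cmp` computes and how each conditional jump reads the resulting flags. It goes beyond the three jumps listed above by also covering jge/jl/jle (signed) and ja/jb (unsigned), so the signed versus unsigned split is visible.

```python
MASK32 = 0xFFFFFFFF

def cmp_flags(first, second):
    """Model of `cmp first, second`: the CPU computes first - second,
    throws the result away and keeps only the flags (ZF, SF, OF, CF)."""
    a, b = first & MASK32, second & MASK32       # treat inputs as 32-bit registers
    result = (a - b) & MASK32
    zf = int(result == 0)                         # zero flag: operands equal
    sf = int(result >> 31)                        # sign flag: top bit of the result
    cf = int(a < b)                               # carry flag: unsigned borrow
    # overflow flag: operand signs differ and the result's sign differs from a's
    of = int(((a ^ b) & (a ^ result)) >> 31)
    return {"ZF": zf, "SF": sf, "OF": of, "CF": cf}

def jump_taken(cc, f):
    """Evaluate a condition code exactly as the CPU derives it from the flags."""
    table = {
        "je":  f["ZF"] == 1,
        "jne": f["ZF"] == 0,
        "jg":  f["ZF"] == 0 and f["SF"] == f["OF"],   # signed greater
        "jge": f["SF"] == f["OF"],                    # signed greater or equal
        "jl":  f["SF"] != f["OF"],                    # signed less
        "jle": f["ZF"] == 1 or f["SF"] != f["OF"],    # signed less or equal
        "ja":  f["CF"] == 0 and f["ZF"] == 0,         # unsigned above
        "jb":  f["CF"] == 1,                          # unsigned below
    }
    return table[cc]

if __name__ == "__main__":
    # cmp eax, ebx with eax = -1 (0xFFFFFFFF) and ebx = 1: signed it is less,
    # unsigned it is above; jl and ja are taken, jg and jb are not.
    flags = cmp_flags(-1, 1)
    for cc in ("je", "jg", "jl", "ja", "jb"):
        print(cc, "taken" if jump_taken(cc, flags) else "not taken")
```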
Arithmetic Instructions
add: The add instruction adds together the two operands and stores the
result in its first operand.
sub : The sub instruction subtracts the second operand from the first
operand and stores the result in its first operand.
imul : The imul instruction multiplies together the two operands and stores
the result in its first operand.
inc: The inc instruction adds one to the operand value.
dec: The dec instruction subtracts one from the operand value.
Logical Instructions
and: The and instruction performs a logical and between the two operands
and stores the result in its first operand.
or: The or instruction performs logical or between the two operands and
stores the result in its first operand.
xor: The xor instruction performs logical exclusive or between the two
operands and stores the result in its first operand.
not: The not instruction negates the operand contents by performing logical
not.
shl: The shl instruction is used to shift the bits of the first operand to the
left, by the value of the second operand.
shr: The shr instruction is used to shift the bits of the first operand to the
right, by the value of the second operand.
PE File Format
What'll be covered:
o Portable Executable File Format
PE File Format:
The Portable Executable (PE) format is a file format for executables, object code, DLLs
and others used in 32-bit and 64-bit versions of Windows operating systems. The PE
format is a data structure that encapsulates the information necessary for the Windows
OS loader to manage the wrapped executable code.
So simply, the different parts of the PE file determine how the executable is loaded
into memory and how all its data is stored.
The obvious question now is why we should understand the PE file format. The answer is
quite simple: to know and understand all the tricks that malware authors use to hide
and evade detection.
Dos MZ Header: Contains the PE file magic number (MZ, which in hex
equals 4D 5A).
Dos Stub: Usually contains the message “This program cannot be run in
DOS mode” and is kept for compatibility.
PE File Header:
PE Signature: After the MS-DOS stub, at the file offset specified at offset
0x3c, is a 4-byte signature that identifies the file as a PE format image file.
This signature is "PE\0\0" (the letters "P" and "E" followed by two null
bytes).
This will be used by the PE loader to check that it is a valid PE file.
COFF Header : After the signature of an image file comes a standard COFF file
header, which contains a lot of useful information such as TimeDateStamp,
SizeOfOptionalHeader and the machine type.
Every image file has an optional header that provides information to the
loader. This header is optional in the sense that some files (specifically,
object files) do not have it.
Note that the size of the optional header is not fixed. The
SizeOfOptionalHeader field in the COFF header must be used to find where it
ends and where the section table begins.
As we can see there are a lot of entries here, so we will focus on the most
important ones:
And finally the Image Optional Header Data Directories: each data directory
gives the address and size of a table or string that Windows uses. These
data directory entries are all loaded into memory so that the system can use
them at run time.
Section Table:
Sections:
o .text or CODE : Contains executable code.
o .data or DATA : Typically contains read/write data and global
variables.
o .rdata : Contains read-only data. Sometimes it also contains import
and export information.
o .idata : If present, contains the import table. If not present, the
import information is stored in the .rdata section.
o .edata : If present, contains export information. If not present, the
export information is found in the .rdata section.
o .rsrc : This section contains the resources used by the executable,
such as icons, dialogs, menus, strings, and so on.
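The header chain described above (DOS MZ header, e_lfanew at offset 0x3c, the "PE\0\0" signature, the COFF header, SizeOfOptionalHeader locating the section table, and the section entries) as an added Python parser; this is example code written for this page, not CyberTalents' own tooling. The sample image it parses is constructed inline with zeroed optional-header bytes and a made-up timestamp, so it is not a runnable Windows program.

```python
import struct

COFF_FMT, COFF_LEN = "<HHIIIHH", 20          # IMAGE_FILE_HEADER layout
SEC_FMT, SEC_LEN = "<8sIIIIIIHHI", 40        # IMAGE_SECTION_HEADER layout

def parse_pe(data):
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    sec_off = coff_off + COFF_LEN + opt_size  # SizeOfOptionalHeader locates the section table
    if sec_off + nsec * SEC_LEN > len(data):
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, sec_off + i * SEC_LEN)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"machine": machine, "timestamp": tstamp, "opt_size": opt_size,
            "chars": chars, "sections": sections}

def rva_to_offset(pe, rva):
    """Map an in-memory address (RVA) back to a file offset using the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None                                   # RVA not backed by any section

def build_sample_pe():
    """Constructed minimal 32-bit image: DOS header with e_lfanew = 0x40, PE signature,
    COFF header (machine 0x14C = i386, fake timestamp), zeroed 224-byte optional
    header, then .text and .data section headers."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x5F000000, 0, 0, 224, 0x0102)
    def sec(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack(SEC_FMT, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    return (dos + b"PE\0\0" + coff + b"\x00" * 224
            + sec(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)
            + sec(b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040))

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:8s} VA=0x{s['va']:x} raw@0x{s['raw_ptr']:x} flags=0x{s['chars']:08x}")
    print(hex(rva_to_offset(pe, 0x1010)))         # 0x410: 0x10 into .text's raw data
```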