From Collaborative RCE Knowledge Library

Jump to: navigation, search

X86 Internals Tutorials


Item name: Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
Rating: 5.0 (1 vote)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: June 27, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/IntroX86.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--

Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis.

This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

The instructor-led lab work will include:

* Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)
* Stepping through a slightly more complicated program (adds lea(load effective address), add, sub)
* Understanding the correspondence between C and assembly control transfer mechanisms (e.g. goto in C == jmp in ams)
* Understanding conditional control flow and how loops are translated from C to asm(conditional jumps, jge(jump greater than or equal), jle(jump less than or equal), ja(jump above), cmp (compare), test, etc)
* Boolean logic (and, or, xor, not)
* Logical and Arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar(arithmetic shift right))
* Signed and unsigned multiplication and division
* Special one instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov)
* Misc instructions like leave and nop (no operation)
* Running examples in the Visual Studio debugger on Windows and the Gnu Debugger (GDB) on Linux
* The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb giving the correct input to avoid it “blowing up”. This will be an independent activity.


Knowledge of this material is a prerequisite for future classes such as Intermediate x86, Rootkits, Exploits, and Introduction to Reverse Engineering (all offered at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Articles, Generic Reversing Technique Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)



Item name: Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: July 15, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/IntermediateX86.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--

Building upon the Introductory Intel x86 class, this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work.

Topics include, but are not limited to:

•Physical and virtual memory and how a limited amount of physical memory is represented as much more virtual memory through a multilevel paging system. We will also talk about memory segmentation.
•The hardware basis for kernel versus userspace separation and how software transitions between the two. This portion answers the question of why does x86 have 4 “rings”, with ring 0 being the most privileged, and ring 3 being the least.
•Hardware and software interrupts, and how they are the basis for debugging.
•Input/Output instructions and how these allow the CPU to talk to peripherals.

Example applications include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.

This material includes labs on:
•Using WinDbg to perform kernel debugging on a virtual machine (which is equally applicable for debugging a real machine.)
•Using a custom WinDbg plugin to examine the Local (memory segment) Descriptor Table (LDT), and Global (memory segment) Descriptor Table (GDT) in order to understand how Windows sets memory segment ranges and permissions for userspace and kernel space.
•Using WinDbg and the !pte command to understand how Windows organizes its paging structures which map physical memory to virtual memory.
•Investigating where exactly the XD/NX bit is set in order to make memory as non-executable (which Microsoft calls Data Execution Prevention (DEP)), to prevent some types of exploits from succeeding.
•Using the Read Timestamp Counter (RDTSC) instruction to profile code execution time. Also, using a profile of code execution time to change a program’s behavior in the presence of a debugger (e.g. executing different code if the code appears to have been stopped at a breakpoint.)
•Printing information about task state segments, which hold information that is used to find the kernel stack when an interrupt occurs.
•Watching what does and doesn’t change when a software interrupt is used to transfer control from userspace to kernel.
•Reading the Interrupt Descriptor Table (IDT) and understanding the security implications of changes to it.
•Understanding how RedPill uses the IDT in order to detect that a system is virtualized.
•Having a process read its own memory when a software breakpoint is set, in order to see how a debugger will change memory to set the breakpoint but hide the change from the user.
•Watch how hardware-based breakpoints manipulate dedicated debug registers.
•Using port input/output to access the backdoor communications channel that VMWare uses in order to send copy/paste, mouse movement, and other events in and out of a VM.
•Using port I/O in order to talk directly to the PS2 keyboard controller in order to sniff keystrokes or flash keyboard LEDs.

Knowledge of this material is strongly encouraged for future classes such as Rootkits. (offered at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Tutorials, Generic Reversing Technique Tutorials, Windows Internals Tutorials, Windows Malware Analysis Tutorials
More details: Click here for more details, images, related URLs & comments for this item! (or to update its entry)




RSS feed Feed containing all updates and additions for this category.

RSS feed Feed containing all updates and additions for this category, including sub-categories.





Views
Category Navigation Tree
   Tools