Thursday, March 6, 2014

Assembly Language Location Location Location

Assembly language is all about memory locations. There are three different ways to address memory in the x86 family of processors. Thankfully, Linux only uses one of the three memory models. The three memory models are:
  1. Real Mode Flat Model
  2. Real Mode Segmented Model 
  3. Protected Mode Flat Model - Used by both Windows XP/Vista/7 and Linux

Registers, which can be thought of as the variables of assembly language, are memory locations within the CPU. Registers hold addresses of important locations in memory. One of the biggest challenges faced by assembly language programmers is deciding where to store program values.

There are 8 general purpose registers as shown below. They are used as follows:
  1. EAX - Accumulator register used for storing operands and result data
  2. EBX - Base register - Pointer to data
  3. ECX - Counter register - Loop Operations
  4. EDX - Data register - I/O pointer
  5. ESI - Data pointer registers for string memory operations
  6. EDI - Data pointer registers for memory operations
  7. ESP - Stack pointer register. Always points to the top of the stack
  8. EBP - Stack Data Pointer register
The four registers EAX, EBX, ECX and EDX have a common property: the assembly programmer can gain selective access to the lower 16 bits of each of them. The lower 16 bits are divided into two 8-bit halves, named H for the high half and L for the low half. Hence the upper and lower halves have names like AH and AL.
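
The sub-register layout described above, modelled in C as an added example (not code from the original post). The `reg32` type and the helper names are hypothetical, and the model assumes 32-bit mode, where 8-bit and 16-bit writes leave the remaining bits of the register unchanged.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of one 32-bit general purpose register such as EAX.
   Constructed for illustration; type and function names are hypothetical. */
typedef struct { uint32_t e; } reg32;

/* Reads of the sub-registers are masks and shifts of the 32-bit value. */
static uint16_t get_x(const reg32 *r) { return (uint16_t)(r->e & 0xFFFFu); }
static uint8_t  get_h(const reg32 *r) { return (uint8_t)((r->e >> 8) & 0xFFu); }
static uint8_t  get_l(const reg32 *r) { return (uint8_t)(r->e & 0xFFu); }

/* Writes replace only the named bits and keep every other bit. */
static void set_x(reg32 *r, uint16_t v) { r->e = (r->e & 0xFFFF0000u) | v; }
static void set_h(reg32 *r, uint8_t v)  { r->e = (r->e & 0xFFFF00FFu) | ((uint32_t)v << 8); }
static void set_l(reg32 *r, uint8_t v)  { r->e = (r->e & 0xFFFFFF00u) | v; }

/* Models: mov eax, 0x11223344 / mov ah, 0xAA / mov al, 0xBB */
static uint32_t demo_byte_writes(void) {
    reg32 eax = { 0x11223344u };
    set_h(&eax, 0xAA);
    set_l(&eax, 0xBB);
    return eax.e;               /* upper 16 bits are still 0x1122 */
}

/* Models: mov eax, 0x11223344 / mov ax, 0xBEEF */
static uint32_t demo_word_write(void) {
    reg32 eax = { 0x11223344u };
    set_x(&eax, 0xBEEF);
    return eax.e;
}

/* Models: mov eax, 0x12FF / add al, 1
   AL wraps from 0xFF to 0x00 and nothing carries into AH. */
static uint32_t demo_al_wrap(void) {
    reg32 eax = { 0x000012FFu };
    set_l(&eax, (uint8_t)(get_l(&eax) + 1));
    return eax.e;
}

int main(void) {
    reg32 eax = { demo_byte_writes() };
    printf("EAX=0x%08X AX=0x%04X AH=0x%02X AL=0x%02X\n", (unsigned)eax.e,
           (unsigned)get_x(&eax), (unsigned)get_h(&eax), (unsigned)get_l(&eax));
    printf("after mov ax: 0x%08X\n", (unsigned)demo_word_write());
    printf("after add al: 0x%08X\n", (unsigned)demo_al_wrap());
    return 0;
}
```

The last case is the one worth remembering when reading disassembly: arithmetic on AL silently truncates to 8 bits, so a length or counter kept in a byte register wraps without touching the rest of EAX.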

Segments are specific areas defined in a program for containing data, code and stack. There are three main segments:

Code Segment: it contains all the instructions to be executed. A 16-bit Code Segment register or CS register stores the starting address of the code segment.

Data Segment: it contains data, constants and work areas. A 16-bit Data Segment register or DS register stores the starting address of the data segment.

Stack Segment: it contains data and return addresses of procedures or subroutines. It is implemented as a 'stack' data structure. The Stack Segment register or SS register stores the starting address of the stack.

There are six segment registers as shown below.
  1. CS - Pointer to the code segment
  2. DS - Pointer to the data segment
  3. SS - Pointer to the stack segment
  4. ES - Extra Segment
  5. FS - Additional segment to store data
  6. GS - Additional segment to store data

There is one instruction pointer register, which is of much interest to hackers and malware writers.
  1. EIP - Instruction Pointer

It is a special register which contains the offset address of the next machine instruction to be executed in the current code segment. The CPU uses the EIP register to keep track of the next instruction to be executed. Hackers and malware writers try to modify the EIP register to point to a malicious address of their choosing, so that the CPU then executes the malicious instructions found there. EIP is also the only register which cannot be changed directly by the programmer, as that would open numerous security issues. But there are ways to manipulate the EIP register. For exploitation purposes, we need to control and manage the EIP register. More details on this later.

There are 5 control registers
  1. CR0
  2. CR1
  3. CR2
  4. CR3
  5. CR4
