-
Notifications
You must be signed in to change notification settings - Fork 169
/
Copy patharchitecture_and_os.tex
259 lines (245 loc) · 12.7 KB
/
architecture_and_os.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
\subsection{x86 Architecture}
\begin{frame}
\frametitle{A 50,000ft View of the x86 Architecture}
\begin{block}{}
The main components of the x86 include the CPU, memory, disk and registers. The CPU operates on a fetch, decode and execute cycle.
\end{block}
\begin{itemize}
\item Applications are implemented with individual \alert{assembly} instructions
\item Individual instructions can:
\pedbullet{Reference / manipulate memory}
\pedbullet{Perform calculations}
\pedbullet{Determine the \alert{next} instruction to execute}
\item A \textit{single} line of high level code usually translates to \textit{multiple} instructions
\item The x86 platform is considered \alert{CISC} vs RISC
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Introduction to Registers}
\begin{itemize}
\item There are 8 general purpose registers on 32-bit x86 platforms
\item Each register is 32 bits long
\item Register access is lowest latency (vs. memory or disk)
\item As registers are valuable, compilers try to be intelligent with their usage
\pedbullet{This factor comes into play during reversing}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{x86 General Purpose Registers}
\begin{itemize}
\item EAX
\pedbullet{Volatile, accumulator, return value of functions}
\item EBX
\pedbullet{Non-volatile, base (indirect addressing)}
\item ECX
\pedbullet{Volatile, Counter, loop instructions}
\item EDX
\pedbullet{Volatile}
\end{itemize}
\begin{center}
\begin{tabular}{|c|c|c|c|c|c|c|c|} \hline
8bits & 8bits & 8bits & 8bits & 8bits & 8bits & 8bits & 8bits \\ \hline
\multicolumn{8}{|c|}{\cellcolor{lightblue}RAX} \\ \hline
& & & & \multicolumn{4}{|c|}{\cellcolor{red}EAX} \\ \hline
& & & & & & \multicolumn{2}{|c|}{\cellcolor{green}AX} \\ \hline
& & & & & & \cellcolor{orange}AH & \cellcolor{yellow}AL \\ \hline
\end{tabular}
\end{center}
\end{frame}
\begin{frame}
\frametitle{General Purpose Registers Continued}
\begin{itemize}
\item ESI
\pedbullet{Non-volatile, string source}
\item EDI
\pedbullet{Non-volatile, string destination}
\item ESP / EBP
\pedbullet{Stack pointer (volatile) / frame pointer (non-volatile)}
\item EIP
\pedbullet{Instruction pointer}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The Stack}
\begin{definition}
The stack is an abstract data structure supported by a combination of hardware and software features.
\end{definition}
\begin{itemize}
\item Stack operations are \alert{L}ast \alert{I}n \alert{F}irst \alert{O}ut (\alert{LIFO})
\item Think of it as a stack of dishes
\item The \alert{\texttt{PUSH}} instruction places a 32-bit value on the stack
\item The \alert{\texttt{POP}} instruction removes a 32-bit value from the stack
\item The stack is used to pass parameters to functions
\item The stack is used to maintain call chain state
\item In Windows, the stack is used to store the \alert{S}tructured \alert{E}xception \alert{H}andling (\alert{SEH}) chain
\end{itemize}
\end{frame}
\begin{frame}[fragile, label=debug]
\frametitle{The Stack: Illustrated}
\begin{columns}[T]
\column{.5\textwidth}
\begin{tiny}
\begin{semiverbatim}
0x43ce83b8: "pedram"
0x43ce83bf: "amini"
main:
\alert<2>{0x01 push 0xdeadbeef}
\alert<3>{0x02 pop eax}
\alert<4>{0x03 push 27}
\alert<5>{0x04 push 0x43ce83b8}
\alert<6>{0x05 push 0x43ce83bf}
\alert<7>{0x06 call copy_name}
\alert<17>{0x07 add esp, 0xc}
...
copy_name:
\alert<8>{0x20 push ebp}
\alert<9>{0x21 mov ebp, esp}
\alert<10>{0x22 sub esp, 0x100}
\alert<11>{0x23 lea eax, [ebp+0xc]}
\alert<12>{0x24 push eax}
\alert<13>{0x25 lea eax, [ebp-0x20]}
\alert<14>{0x26 push eax}
\alert<15>{0x27 call strcpy}
...
\alert<16>{ret}
\end{semiverbatim}
\end{tiny}
\column{.5\textwidth}
\begin{tiny}
\texttt{
\begin{tabular}{r|c|l}
0x12FFFFFC & \cellcolor{gray} 0x00000000 & top of stack \\
0x12FFFF00 & \cellcolor{gray} 0x00000000 & end of SEH chain \\
0x12FFFF04 & \cellcolor{gray} 0x12345678 & SEH handler \\
\only<2> {0x12FFEFF8 & \cellcolor{yellow} 0xDEADBEEF & \\}
\only<4-16> {0x12FFEFF8 & \cellcolor{yellow} 0x00000019 & 27 \\}
\only<5-16> {0x12FFEFF0 & \cellcolor{yellow} 0x43CE83B8 & \emph{pedram} \\}
\only<6-16> {0x12FFEFEC & \cellcolor{yellow} 0x43CE83BF & \emph{amini} \\}
\only<7-15> {0x12FFEFE8 & \cellcolor{red} 0x00000007 & return addr. \\}
\only<8-15> {0x12FFEFE4 & \cellcolor{orange} 0x12FFEFF8 & saved frame \\}
\only<10-15> {0x12FFEFE0 & \cellcolor{lightblue}\only<10-14>{ ....}\only<15-16>{ ..MA} & local vars \\}
\only<10-15> {0x12FFEFC0 & \cellcolor{lightblue}\only<10-14>{ ....}\only<15-16>{ RDEP} & \only<14-15>{\alert{$\leftarrow$}} \\}
\only<10-15> {0x12FFEEE0 & \cellcolor{lightblue} .... & \\}
\only<12-15> {0x12FFEEDC & \cellcolor{yellow} 0x43CE83B8 & \emph{pedram} \\}
\only<14-15> {0x12FFEED8 & \cellcolor{yellow} 0x12FFEFC0 & dst buff \\}
\end{tabular}
}
\end{tiny}
\end{columns}
\end{frame}
\subsection{Microsoft Windows OS}
\begin{frame}
\frametitle{Microsoft Windows Memory Layout}
\begin{columns}[T]
\column{.5\textwidth}
\begin{block}{Memory Space}
\pause
\uncover<+->{$2^{32}$}
\uncover<+->{$= 4,294,967,296$ bytes} \\
\uncover<+->{$ / 1024^3$}
\uncover<+->{$= \alert<+->{4}$ \alert<.->{gigabytes}}
\end{block}
\column{.5\textwidth}
\uncover<.->{\begin{block}{Memory Separation}
The NT based platforms typically split the available 4 gigabytes of addressable memory into two halves; kernel and user.
\end{block}}
\end{columns}
\uncover<+->{
\begin{itemize}
\item Each process "sees" it's own 2 gigabytes of virtual memory
\pedbullet{This is possible thanks to \alert{memory paging}}
\pedbullet{Processes can not "break out" of their memory space}
\item The virtual address space is broken in \alert{pages}
\pedbullet{Pages are typically \alert{4,096} bytes in size}
\pedbullet{Memory permissions are applied at the page level}
\end{itemize}
}
\end{frame}
\begin{frame}
\frametitle{Typical Memory Layout Diagram}
\begin{columns}[T]
\column{.5\textwidth}
\begin{center}
\begin{tiny}
\texttt{
\begin{tabular}{r|c|}
0x00000000 & \cellcolor{gray}USER SPACE \\
& \\
\uncover<5->{0x00010000 & \cellcolor{yellow}Environment Variables \\}
& \\
\uncover<6->{0x00030000 & \cellcolor{orange}Heap \\}
& \\
\uncover<7->{0x0012f000 & \cellcolor{red}Stack of Main Thread \\}
\uncover<6->{0x00150000 & \cellcolor{orange}Heap \\}
& \\
\uncover<2->{0x00400000 & \cellcolor{green}Main Executable \\}
\uncover<2->{& \cellcolor{green} \\}
& \\
\uncover<8->{0x00d8d000 & \cellcolor{red}Stack of Thread 2 \\}
& \\
\uncover<4->{0x71ab0000 & \cellcolor{green}WS2\_32.DLL \\}
& \\
\uncover<3->{0x7c800000 & \cellcolor{green}KERNEL32.DLL \\}
& \\
\uncover<3->{0x7c900000 & \cellcolor{green}NTDLL.DLL \\}
& \\
\uncover<1->{0x7f000000 &
\\}
0x80000000 & \cellcolor{gray}KERNEL SPACE \\
\end{tabular}
}
\end{tiny}
\end{center}
\column{.5\textwidth}
\begin{block}{On Process Launch}
\begin{itemize}
\item<2-> Main image loaded into memory
\item<3-> Required DLLs loaded into memory
\item<5-> Environment variables mapped into memory
\item<6-> Process heaps initialized
\item<7-> Process stacks initialized
\end{itemize}
\end{block}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{The Memory Layout Diagram}
\begin{center}
\pgfimage[height=7cm]{images/architecture_and_os/memory_layout}
\end{center}
\end{frame}
\begin{frame}
\frametitle{The Heap}
\begin{itemize}
\item Static allocations mostly originate from the stack
\item The heap is the source of dynamic memory allocation
\item There are multiple heap implementations
\item Memory for the heap is allocated from user space
\item The heap is essentially a number of doubly linked lists, organized by size
\item Allocated blocks are removed from the free lists
\item De-allocated blocks are placed back into the free lists
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{SEH: Structured Exception Handling}
\begin{itemize}
\item Exception handlers are simply a registered function to refer to when "something bad happens"
\item You can for example register an exception handler to handle attempts to divide by zero
\item You can register more then one exception handler
\item The \alert{chain} of exception handlers are stored on the stack
\item When an exception occurs, the chain is walked to find an appropriate handler
\item There is a catch-all handler, that's what generates the "Windows has detected a general protection fault" dialog
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Exercise}
\begin{itemize}
\item OllyDbg
\pedbullet{Attach to or load calc.exe or notepad.exe}
\pedbullet{Hit 'M' and verify memory layout}
\item LordPE
\pedbullet{Load calc.exe or notepad.exe}
\pedbullet{Explore the various PE fields and directories}
\pedbullet{We'll walk through the PE file format in depth in a minute}
\end{itemize}
\end{frame}