Kaspersky Academy

Instructions - Examples

Major instruction groups and common examples:
+ Data movement: MOV, XCHG, LEA
+ Stack manipulation: PUSH, POP, PUSHA, POPA
+ Integer arithmetic: ADD, ADC, SUB, SBB, INC, DEC, MUL, IMUL, DIV, IDIV
+ Comparison: CMP, TEST
+ Logical: AND, OR, XOR, NOT
+ Shift and rotate: SHR, SHL, ROL, ROR
+ Control transfer: JMP, Jcc (conditional), CALL, RET, LOOP
+ String manipulation: MOVS, CMPS, LODS, SCAS
+ Flag manipulation: STC, CLC, STD, CLD
+ Prefixes: REP, REPZ, REPNZ

Instructions - Operands

Each instruction has a fixed number of operands. Operands can have the following types:
+ register:  mov ecx, edx      ; ecx and edx are register operands
+ memory:    sub eax, [1000h]  ; [1000h] is a memory address operand
+ immediate: add ebx, 20h      ; 20h is an immediate constant
+ implied:   inc esi           ; increment adds 1 (implied) to the value in esi

Assembly Syntax - Intel vs AT&T

x86 assembly has 2 major syntax branches:
+ Intel syntax - dominant in the Windows world
+ AT&T syntax - dominant in the Unix world

    Intel syntax        AT&T syntax
    mov eax, 1          movl $1, %eax
    mov ebx, 0ABh       movl $0xab, %ebx
    add eax, ebx        addl %ebx, %eax

The differences to keep in mind when reading both: AT&T prefixes registers with % and immediates with $, appends an operand-size suffix to the mnemonic (l for 32-bit), and reverses the operand order (source first, destination last).

We are going to use Intel syntax in all examples from now on, because it is common in the analysis of Windows malware.

The general form of an assembly instruction in Intel syntax:
    mnemonic operand(s)

Instructions - Opcodes, Mnemonics, Operands

[Figure: a single instruction broken into its parts: the opcode (the encoded bytes), the mnemonic that names it, the destination operand and the source operand. In Intel syntax the destination operand is written first.]

Assembly - Examples - Loops

C source:
    int cnt = 0;
    while (cnt < 100) {
        arr[cnt] = cnt;
        cnt++;
    }

Assembly (arr is a pointer to an array of DWORDs):
        mov eax, dword ptr [arr]   ; eax = arr start
        xor ecx, ecx               ; ecx is the counter "cnt"; xor sets it to zero
    WhileLoopStart:
        mov [eax+ecx*4], ecx       ; arr[cnt] = cnt; multiply by 4 because arr is a DWORD (4-byte) array
        inc ecx                    ; increment cnt
        cmp ecx, 100               ; while exit condition
        jl WhileLoopStart
    AfterWhileLoop:

Note that the compiled form tests the condition at the bottom of the loop; because cnt starts at 0 and 0 < 100, the body runs the same 100 times as the C while loop.

Assembly - Examples - Function call

C source:
    if (foo(a, b)) {
        // TrueCondition
    } else {
        // FalseCondition
    }
    // AfterCondition

Assembly:
        push b
        push a
        call foo
        cmp eax, 0
        jnz TrueCondition
    FalseCondition:
        ; else block
        jmp AfterCondition         ; skip the true block
    TrueCondition:
        ; if block
    AfterCondition:

The arguments are pushed right to left, so a is on top of b when foo runs, and foo's return value is tested in EAX.

Instructions - Memory Addressing modes

    Mode                            Form                              Example                                  Meaning
    direct                          [disp]                            add eax, [100h]                          add the value of the variable at 100h to EAX
    register indirect               [base]                            sub dword ptr [ebx], 4                   subtract 4 (as a dword) from the value at the memory address contained in ebx
    based                           [base + disp]                     sub ecx, dword ptr [eax + 8]             subtract the value at the address [eax + 8] from the value in ecx
    indexed                         [(index * scale) + disp]          inc dword ptr [edi*4 + 1000h]            increment the value at the address 4*edi + 1000h
    based-indexed without scale     [base + index + disp]             mov dword ptr [eax + esi + 40h], 20      store 20 at the address eax + esi + 40h
    based-indexed with scale        [base + (index * scale) + disp]   mov dword ptr [eax + esi*8 + 40h], 10h   store 10h at the address eax + 8*esi + 40h

All of these are special cases of the general form [base + index*scale + disp]; the scale factor can only be 1, 2, 4 or 8, which is why compilers use it for indexing arrays of 1-, 2-, 4- and 8-byte elements.

Assembly - Examples - Conditional

C source:
    if (var) {
        foo();
    } else {
        // ElseCondition
    }
    // AfterCondition

Assembly:
        mov eax, [var]             ; place var value into EAX
        test eax, eax              ; test EAX for zero
        jz ElseCondition
        call foo
        jmp AfterCondition         ; skip else block
    ElseCondition:
        mov [var], 5               ; else block
    AfterCondition:

Stack

The stack is a special area of memory mainly used to:
+ Save the state of the calling procedure and the return address
+ Pass parameters to the called procedure
+ Store local variables for the currently executing procedure

Using the PUSH/POP instructions allows accessing it as a LIFO (last in, first out) structure.

Where the stack lives:
+ Flat memory model: anywhere in the linear address space
+ Segmented memory model: in a segment identified by the selector in the SS register

A program or operating system can set up multiple stacks (e.g. in multitasking systems, each task can be given its own stack).

Stack - Continued

The ESP register points to the top of the stack.
+ Place a dword on the stack: PUSH instruction = decrement ESP and save the dword at address [ESP].
+ Get a dword from the stack: POP instruction = read the dword from address [ESP] and increment ESP.
The stack grows down, towards lower addresses.

[Figure: the stack drawn with lower addresses at the top and higher addresses at the bottom; ESP marks the top of stack; PUSH moves ESP towards lower addresses, POP towards higher addresses.]

Stack - Continued - PUSH

PUSH 0xBADBAD is equivalent to:
    sub esp, 4
    mov dword ptr [esp], 0xBADBAD

Stack - Continued - POP

POP EAX is equivalent to:
    mov eax, [esp]
    add esp, 4

Heap

+ The heap allows programs to dynamically allocate portions of memory at their request and free them for reuse when no longer needed.
+ Unlike the stack, any block can be allocated and deallocated at any time. Because that makes tracking free and busy blocks much harder, special heap allocators are needed.

[Figure: heap blocks being allocated and freed over time.]

Heap - Continued

+ The stack is unique to a thread, while the heap is usually unique to a process.
+ Heap objects must be destroyed manually in C++: delete, delete[], free, ~TestClass().
+ In other languages (Java, Go, Python, etc.) a Garbage Collector can be used to reclaim objects in the heap.

Heap - Visualization

[Figure: heap blocks plotted on an address-space axis against a time axis.]

Stack vs Heap

    TestClass a;                       // TestClass object: stack allocation
    TestClass *a = new TestClass();    // TestClass object: heap allocation; must later be released with delete
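The addressing-mode table and the array-filling loop above are the same formula seen from two sides: every operand form is [base + index*scale + disp] with some terms left out. The following C program is an added example, not code from the slides; it models a small guest memory as a byte array (the addresses 100h, 1000h, 1400h used below are offsets into that constructed buffer, chosen for the example) and executes the slide's loop and several rows of the table against it, so the effect of each addressing mode can be checked.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed 8 KB "guest" memory. Addresses from the slides (100h, 1000h, ...)
   are offsets into this buffer, not real process addresses. */
#define MEM_SIZE 0x2000
static uint8_t mem[MEM_SIZE];

/* dword read/write with a bounds check, so a bad effective address aborts
   instead of corrupting the host process. */
static uint32_t rd32(uint32_t addr) {
    uint32_t v;
    if (addr > MEM_SIZE - 4) abort();
    memcpy(&v, mem + addr, 4);
    return v;
}
static void wr32(uint32_t addr, uint32_t v) {
    if (addr > MEM_SIZE - 4) abort();
    memcpy(mem + addr, &v, 4);
}

/* General x86 effective address: [base + index*scale + disp].
   Each row of the addressing-mode table is this with some terms zero.
   The hardware only encodes scale 1, 2, 4 or 8; anything else is rejected. */
static uint32_t ea(uint32_t base, uint32_t index, uint32_t scale, uint32_t disp) {
    if (scale != 1 && scale != 2 && scale != 4 && scale != 8) return UINT32_MAX;
    return base + index * scale + disp;
}

/* The loop slide:
     mov eax, dword ptr [arr] ; xor ecx, ecx
     WhileLoopStart: mov [eax+ecx*4], ecx ; inc ecx ; cmp ecx, 100 ; jl WhileLoopStart
   arr_ptr_addr is the address of the pointer variable 'arr' (the mov reads the
   pointer, not the first element). Returns arr[idx] after the loop. */
static uint32_t fill_dword_array(uint32_t arr_ptr_addr, uint32_t idx) {
    uint32_t eax = rd32(arr_ptr_addr);   /* eax = arr start */
    uint32_t ecx = 0;                    /* xor ecx, ecx */
    do {                                 /* condition tested at the bottom, as compiled */
        wr32(ea(eax, ecx, 4, 0), ecx);   /* mov [eax+ecx*4], ecx : scale 4 = DWORD elements */
        ecx++;                           /* inc ecx */
    } while ((int32_t)ecx < 100);        /* cmp ecx, 100 ; jl (signed compare) */
    return rd32(ea(eax, idx, 4, 0));
}

/* inc dword ptr [edi*4 + 1000h] : indexed, no base register. Returns the new value. */
static uint32_t inc_indexed(uint32_t edi) {
    uint32_t a = ea(0, edi, 4, 0x1000);
    wr32(a, rd32(a) + 1);
    return rd32(a);
}

/* sub ecx, dword ptr [eax + 8] : based; the memory operand is the source,
   the result stays in ecx. */
static uint32_t sub_based(uint32_t ecx, uint32_t eax) {
    return ecx - rd32(ea(eax, 0, 1, 8));
}

/* mov dword ptr [eax + esi*8 + 40h], 10h : based-indexed with scale.
   Returns the address that was written. */
static uint32_t mov_based_indexed_scaled(uint32_t eax, uint32_t esi) {
    uint32_t a = ea(eax, esi, 8, 0x40);
    wr32(a, 0x10);
    return a;
}

int main(void) {
    memset(mem, 0, sizeof mem);
    wr32(0x100, 0x1400);   /* constructed layout: pointer 'arr' at 100h, array data at 1400h */
    printf("arr[37] = %u\n", (unsigned)fill_dword_array(0x100, 37));
    printf("[edi*4+1000h] after inc = %u\n", (unsigned)inc_indexed(3));
    wr32(0x208, 5);
    printf("ecx - [eax+8] = %u\n", (unsigned)sub_based(12, 0x200));
    printf("wrote 10h at %#x\n", (unsigned)mov_based_indexed_scaled(0x300, 2));
    return 0;
}
```

Reading disassembly, the scale factor is the quickest hint about the data being walked: `[eax+ecx*4]` is almost always a 4-byte element array indexed by ecx, and `[eax+esi*8+40h]` is an 8-byte element array living 40h bytes into the structure that eax points to.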
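The PUSH/POP equivalences and the function-call slide together determine where a callee finds its arguments. The program below is an added example, not slide code: it implements PUSH and POP exactly as the slides define them (sub esp, 4 / mov [esp] and mov [esp] / add esp, 4) on a constructed 4 KB stack buffer, models CALL as a push of the return address, and replays the slide's `push b ; push a ; call foo` sequence. The cleanup `add esp, 8` afterwards and the right-to-left argument order are the cdecl convention, which the slides do not name; that is an assumption of this example, as is the return address 0x401234.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed 4 KB stack region. esp is a byte offset into it; it starts at the
   top because the stack grows towards lower addresses. */
#define STACK_SIZE 0x1000
static uint8_t stack_mem[STACK_SIZE];
static uint32_t esp = STACK_SIZE;

static uint32_t rd32(uint32_t a) {
    uint32_t v;
    if (a > STACK_SIZE - 4) abort();   /* underflow/overflow of the region */
    memcpy(&v, stack_mem + a, 4);
    return v;
}
static void wr32(uint32_t a, uint32_t v) {
    if (a > STACK_SIZE - 4) abort();
    memcpy(stack_mem + a, &v, 4);
}

/* PUSH imm32  ==  sub esp, 4 ; mov dword ptr [esp], imm32 */
static void push32(uint32_t v) { esp -= 4; wr32(esp, v); }

/* POP reg  ==  mov reg, [esp] ; add esp, 4 */
static uint32_t pop32(void) { uint32_t v = rd32(esp); esp += 4; return v; }

/* CALL pushes the address of the next instruction before jumping; only the
   push is modelled here, the jump is not. */
static void call_(uint32_t ret_addr) { push32(ret_addr); }

/* The slide's foo(a, b) call:  push b ; push a ; call foo
   Fills out[] with the frame as seen from inside foo:
     out[0] = [esp]   return address
     out[1] = [esp+4] first argument a  (pushed last, so nearest to ESP)
     out[2] = [esp+8] second argument b
   then performs foo's ret (pop eip) and the caller's add esp, 8 (cdecl cleanup,
   an assumption of this example) and checks the stack is balanced again. */
static void call_foo_frame(uint32_t a, uint32_t b, uint32_t ret_addr, uint32_t out[3]) {
    uint32_t esp_before = esp;
    push32(b);
    push32(a);
    call_(ret_addr);
    out[0] = rd32(esp);
    out[1] = rd32(esp + 4);
    out[2] = rd32(esp + 8);
    (void)pop32();          /* ret: return address leaves the stack */
    esp += 8;               /* add esp, 8: caller discards its two arguments */
    if (esp != esp_before) abort();
}

/* LIFO check: values come back in reverse order of pushing and ESP moves by
   exactly 4 bytes per dword. Returns 1 on success. */
static int lifo_ok(void) {
    uint32_t start = esp;
    push32(0xBADBAD);
    push32(0xCAFE);
    return (esp == start - 8) && pop32() == 0xCAFE && pop32() == 0xBADBAD && esp == start;
}

int main(void) {
    uint32_t f[3];
    call_foo_frame(1, 2, 0x401234, f);
    printf("[esp]=%#x [esp+4]=%u [esp+8]=%u lifo=%d\n",
           (unsigned)f[0], (unsigned)f[1], (unsigned)f[2], lifo_ok());
    return 0;
}
```

This is the layout behind the `[esp+4]`, `[esp+8]` (or `[ebp+8]`, `[ebp+0Ch]` once a frame pointer is set up) operands seen at the start of a disassembled function: the return address sits at the top, the first argument just above it, and the caller's `add esp, N` after the call tells you how many argument bytes it pushed.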
