Kaspersky Academy
Instructions - Examples

Major instruction groups and common examples:
- Data movement: MOV, XCHG, LEA
- Stack manipulation: PUSH, POP, PUSHA, POPA
- Integer arithmetic: ADD, ADC, SUB, SBB, INC, DEC, MUL, IMUL, DIV, IDIV
- Comparison: CMP, TEST
- Logical: AND, OR, XOR, NOT
- Shift and rotate: SHR, SHL, ROL, ROR
- Control transfer: JMP, Jcc (conditional), CALL, RET, LOOP
- String manipulation: MOVS, CMPS, LODS, SCAS
- Flag manipulation: STC, CLC, STD, CLD
- Prefixes: REP, REPZ, REPNZ

Instructions - Operands

Each instruction has a fixed number of operands.
Operands can have the following types:
- register:  mov ecx, edx      ; ecx, edx are register operands
- memory:    sub eax, [1000h]  ; [1000h] is a memory address operand
- immediate: add ebx, 20h      ; 20h is an immediate constant
- implied:   inc esi           ; increment adds 1 (implied) to the value in esi

Assembly Syntax - Intel vs AT&T

x86 assembly has 2 major syntax branches:
- Intel syntax - dominant in the Windows world
- AT&T syntax - dominant in the Unix world

Intel syntax        AT&T syntax
mov eax, 1          movl $1, %eax
mov ebx, 0ABh       movl $0xab, %ebx
add eax, ebx        add %ebx, %eax

We are going to use Intel syntax in all examples from now on, because it is common in the analysis of Windows malware.
The general form of an assembly instruction in Intel syntax:
mnemonic operand(s)

Instructions - Opcodes, Mnemonics, Operands

[Diagram: a single instruction is made up of an opcode (written as its mnemonic), a destination operand and a source operand.]

Assembly — Examples - Loops

C source:
    // arr is an array of DWORDs
    int cnt = 0;
    while (cnt < 100) {
        arr[cnt] = cnt;
        cnt++;
    }
    // AfterWhileLoop

Assembly:
    mov eax, dword ptr [arr]    ; eax = arr
    xor ecx, ecx                ; ecx is the counter "cnt"; xor sets it to zero
WhileLoopStart:
    mov [eax + ecx*4], ecx      ; multiply by 4, because arr is a DWORD (4-byte) array
    inc ecx                     ; increment cnt
    cmp ecx, 100                ; while exit condition
    jl WhileLoopStart
AfterWhileLoop:

Assembly — Examples — Function call

C source:
    if (foo(a, b))
    {
        // TrueCondition
    }
    else {
        // FalseCondition
    }
    // AfterCondition

Assembly:
    push b
    push a
    call foo
    cmp eax, 0
    jnz TrueCondition
FalseCondition:
    jmp AfterCondition          ; skip TrueCondition
TrueCondition:
AfterCondition:

Instructions - Memory Addressing modes

direct [disp]:
    add eax, [100h]
    add the value of the variable at 100h to EAX
register indirect [base] (e.g. [esp]):
    sub dword ptr [ebx], 4
    subtract the value 4 (as a dword) from the value at the memory address contained in ebx
based [base + disp]:
    sub ecx, dword ptr [eax + 8]
    subtract the value at the address [eax + 8] from the value in ecx
indexed [(index * scale) + disp]:
    inc dword ptr [edi*4 + 1000h]
    increment the value at the address 4*edi + 1000h
based-indexed without scale factor [base + index + disp]:
    mov dword ptr [eax + esi + 40h], 2Dh
based-indexed with scale factor [base + (index * scale) + disp]:
    mov dword ptr [eax + esi*8 + 40h], 10h
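Every mode on this slide is a special case of the general form [base + index*scale + disp]. The following added C example (not from the deck) evaluates the six instructions above against a constructed register file and a small flat memory to show that arithmetic; the register values, memory contents and the helper names (ea, run_example, get_reg, get_mem32) are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit register file and a 64 KiB flat memory used to evaluate
 * the slide's addressing-mode examples. The register values are chosen here
 * for illustration; they are not from the deck. */
enum { EAX, EBX, ECX, EDX, ESI, EDI, NREGS };
static uint32_t reg[NREGS] = { 0x2000, 0x3000, 0x0050, 0, 0x0010, 0x0008 };
static uint8_t  mem[0x10000];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* General form of a 32-bit memory operand: [base + index*scale + disp].
 * Each mode on the slide is this formula with parts left out (pass -1 for an
 * absent base or index):
 *   no base, no index  -> direct            [disp]
 *   no index           -> register indirect [base] / based [base + disp]
 *   no base            -> indexed           [index*scale + disp]          */
uint32_t ea(int base, int index, uint32_t scale, uint32_t disp) {
    uint32_t a = disp;
    if (base >= 0)  a += reg[base];
    if (index >= 0) a += reg[index] * scale;
    return a;
}

/* Executes slide example n (1..6) against reg/mem and returns the effective
 * address of its memory operand, so the address arithmetic can be checked. */
uint32_t run_example(int n) {
    uint32_t a;
    switch (n) {
    case 1:  a = ea(-1, -1, 1, 0x100);   /* add eax, [100h]                    */
             reg[EAX] += rd32(a); break;
    case 2:  a = ea(EBX, -1, 1, 0);      /* sub dword ptr [ebx], 4             */
             wr32(a, rd32(a) - 4); break;
    case 3:  a = ea(EAX, -1, 1, 8);      /* sub ecx, dword ptr [eax + 8]       */
             reg[ECX] -= rd32(a); break;
    case 4:  a = ea(-1, EDI, 4, 0x1000); /* inc dword ptr [edi*4 + 1000h]      */
             wr32(a, rd32(a) + 1); break;
    case 5:  a = ea(EAX, ESI, 1, 0x40);  /* mov dword ptr [eax+esi+40h], 2Dh   */
             wr32(a, 0x2D); break;
    default: a = ea(EAX, ESI, 8, 0x40);  /* mov dword ptr [eax+esi*8+40h], 10h */
             wr32(a, 0x10); break;
    }
    return a;
}

uint32_t get_reg(int r)        { return reg[r]; }
uint32_t get_mem32(uint32_t a) { return rd32(a); }
```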

C source:
    if (var) {
        foo();
    } else {
        // ElseCondition
    }
    // AfterCondition

Assembly:
    mov eax, [var]              ; place var value in EAX
    test eax, eax               ; test EAX for zero
    jz ElseCondition
    call foo
    jmp AfterCondition          ; skip else block
ElseCondition:
    mov dword ptr [var], 5
AfterCondition:

Stack

Stack is a special area of memory mainly used to:
- Save state of the calling procedure and the return address
- Pass parameters to the called procedure
- Store local variables for the currently executing procedure

Usage of the PUSH/POP instructions allows access to it as a LIFO (last in, first out) structure.
- Flat memory model - anywhere in the linear address space
- Segmented memory model - in a segment identified by the selector in the SS register

A program or operating system can set up multiple stacks (e.g. in multitasking systems, each task can be given its own stack).

Stack — Continued

The ESP register points to the top of the stack.
Place dword on the stack: PUSH instruction = decrement ESP and save dword at address [ESP].
Get dword from the stack: POP instruction = read dword from address [ESP] and increment ESP.
The stack grows down towards lower addresses.

[Diagram: stack drawn with lower addresses at the top and higher addresses at the bottom; ESP marks the top of the stack; PUSH moves ESP towards lower addresses, POP towards higher addresses.]

Stack — Continued - PUSH

Place dword on the stack: PUSH instruction = decrement ESP and save dword at address [ESP].
PUSH 0xBADBAD is equivalent to:
    sub esp, 0x4
    mov dword ptr [esp], 0xBADBAD

Stack — Continued - POP

Get dword from the stack: POP instruction = read dword from address [ESP] and increment ESP.
POP EAX is equivalent to:
    mov eax, [esp]
    add esp, 0x4
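As an added example (not from the deck), this C program models a 32-bit stack as a byte buffer and implements PUSH, POP and CALL exactly as the slides define them (ESP decrement or increment around a dword access), then replays the "push b; push a; call foo" sequence from the function-call example above to show the frame the callee sees. The 0x1000 stack top, the 0x401000 return address and the helper names (push32, pop32, call32, stack_dword, emulate_call_foo) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "stack segment": a 4 KiB buffer whose top is address
 * 0x1000 (an assumption for this example, not an address from the deck).
 * The stack grows down from there towards lower addresses. */
#define STACK_TOP 0x1000u
static uint8_t  mem[0x1000];
static uint32_t esp = STACK_TOP;   /* empty stack: ESP sits at the top */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* PUSH imm32  ==  sub esp, 4 ; mov dword ptr [esp], imm32 */
void push32(uint32_t v) { esp -= 4; wr32(esp, v); }

/* POP r32  ==  mov r32, dword ptr [esp] ; add esp, 4 */
uint32_t pop32(void) { uint32_t v = rd32(esp); esp += 4; return v; }

/* CALL pushes the address of the instruction after it (the return address)
 * and then jumps; only the stack effect is modelled here. */
void call32(uint32_t return_addr) { push32(return_addr); }

uint32_t current_esp(void) { return esp; }

/* Dword at [esp + off]: what a callee sees when it reads its own frame. */
uint32_t stack_dword(uint32_t off) { return rd32(esp + off); }

/* Stack effect of the deck's "push b; push a; call foo": afterwards
 * [esp] = return address, [esp+4] = a, [esp+8] = b, i.e. arguments were
 * pushed right to left and the callee finds the first one at [esp+4]. */
void emulate_call_foo(uint32_t a, uint32_t b, uint32_t return_addr) {
    push32(b);
    push32(a);
    call32(return_addr);
}

int main(void) {
    push32(0xBADBAD);                       /* PUSH 0xBADBAD from the deck */
    printf("after push: esp=%#x [esp]=%#x\n", current_esp(), stack_dword(0));
    uint32_t v = pop32();
    printf("pop -> %#x, esp=%#x\n", v, current_esp());
    emulate_call_foo(1, 2, 0x401000);       /* return address is constructed */
    printf("ret=%#x a=%u b=%u esp=%#x\n", stack_dword(0), stack_dword(4),
           stack_dword(8), current_esp());
    return 0;
}
```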

Heap

- The heap allows programs to dynamically allocate portions of memory at their request and free them for reuse when no longer needed. Unlike the stack, any block can be allocated and deallocated at any time. Because this makes tracking free/busy blocks much harder, special heap allocators are needed.

Heap

- A stack is unique to a thread, while the heap is usually unique to a process.
- Must be destroyed manually in C++: delete, delete[], free, ~TestClass().
- In other languages (Java, Go, Python, etc.) a Garbage Collector can be used to reclaim objects in the heap.

[Diagram: a heap block (e.g. 300 MB) being freed; in C++ via delete, delete[], free or ~TestClass().]

Heap - Visualization

[Diagram: heap blocks plotted on an address-space axis against a time axis.]

Stack vs Heap

Stack allocation:
    TestClass a;
    (the TestClass object lives on the stack)

Heap allocation:
    TestClass *a = new TestClass();
    (the TestClass object lives on the heap)