RE:HACK 2023 - Reverse Engineering and Binary Exploitation: Intel x86/x86-x64 Assembly

Transcript

1. 1 Reverse Engineering and Binary Exploitation: Intel x86/x86-x64 Assembly Part

   1 29 December 2023

2. About Fatah Hashim (发达奇拉 ) • Fat |发达奇拉 | C00K13SX

   | x86cookies • Blogging at https://www.cookiesec.blog/ • Contact me on https://www.linkedin.com/in/fatah-iix/ • Focusing on Vulnerability/Malware Research & Dev, Reverse Engineering, OS Internal, AppSec, CTF. (I don’t do Web ) • Global Cybersecurity Camp (GCC) 2023 Singapore Alumni • https://cybercamp.my/ • Malaysia Cybersecurity Camp(MCC) 2022 First Edition Alumni • https://gcc.ac/gcc_2023/ GLOBAL CYBER CAMP (SINGAPORE)

3. 3 Disclaimer The views and opinions expressed in this content

   are my own and do not necessarily reflect the views and opinions of any company or organization that I am affiliated with.

4. 4 TOC 1. Why Assembly? 2. Curve Learning 3. Legal

   Aspects 4. Legal Activity 5. Illegal Activity 6. Static Analysis 7. Dynamic Analysis 8. Practical Setup Environment (Practical) 9. Introduction to Assembly 10. Binary and Hexadecimal Number Systems (Practical) 11. Low-level languages 12. High-level languages 13. Interpreted languages 14. Compiling 15. Disassembly & Decompiler 16. Debugger Overview (Practical) 17. Debugger Overview (Extra:Graph) (Practical) 18. Debugger Overview (Extra: View Trace) (Practical) 19. Debugger Overview (Extra: Mnemonic Brief) (Practical) 20. Prologue & Epilogue (Practical) 20. Hollow Out Lab (Practical) 21. Fun Fact: Hollowed VT Trojan Detection 22. Data Storage Size 23. Registers x86 & x64 24. 64-bit lower portions register 25. Assembly Language Instructions 26. Instructions: MOV (Practical) 27. Instructions: Addition using Full Register and Partial Register (Practi 28. Instructions: SUB (Practical) 29. Instructions: INC & DEC (Practical) 30. Instructions: NOP (Practical) 31. Method: Dropper Code Cave (Practical) 32. EIP 33. Important Flags 34. Endianness 35. Segment Registers 36. Calling Conventions 37. Memory Hierarchy 38. Architecture Overview 39. x86 Architecture 40. CPU Components 41. Main Memory (RAM) 42. RAM Debugger (Practical) 43. The Stack ! 44. Extra: NASM (ELF) (Practical) 45. User Space VS Kernel Space 46. Resource for further study

5. 5 Why I need to learn Assembly? • Become a

   better programmer- When you really want to get the most of your processor, writing in raw Assembly is needed. • Tool is just a tool. Having foundation in your brain is a way to survive • You are the kind of person who really likes to know how things work. In this course you are going to get solid understanding on how computer programs work from the inside. • You want to become a Reverse Engineer or a security researcher, read the code of viruses or look for software vulnerabilities. As most of the time the original source code will not be available to you, solid understanding of x86 Assembly Language is mandatory. • There are a lot of jobs out there to do this work, with not a lot of people to do the work https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2F5tt3y49vplv21.jpg

6. 6 Curve Learning

7. 7 Legal Aspects • Reverse engineering legality governed copyright laws

   • Different country will have different copyright laws • Legal only in specific cases

8. 8 Legal Activity • Recovery own lost source code •

   Recovery of data from legacy formats • Malware analysis and research • Security and Vulnerability research

9. 9 Illegal Activity • Reverse engineering competing product and sell

   it • Crack copy protections • Distribute crack / registration for copyrighted software • Gained unauthorized access to any computer

10. 10 Static Analysis • Read disassembly code • Search for

    strings • Analyzing without executing the program • Basically, it’s all about “strings”

11. 11 Dynamic Analysis • Debug the code • Step thru

    the code, study how it executes and what it does • Fast results and accurate • Executing code either on physical machine or emulator • Tracing the code that gets executed • Analyzed code execution

12. 12 Practical Setup Environment 1/7 • Bare metal, Virtual Box,

    Virtual Player, VMware, etc. • x32/x64 Debugger(Windows) • https://x64dbg.com/ • Windows OS – x86 & x64 • Ubuntu OS (Optional) Practical

13. 13 Practical Setup Environment 2/7 1. Download x32/x64 Debugger •

    https://x64dbg.com/ 2. options>preferences>Events uncheck TLS callback and System Brekpoint Tick check on Graph zoom mode Practical

14. 14 Practical Setup Environment 3/7 ingore range exceptions. (0 &

    f) x8 Practical

15. 15 Practical Setup Environment 4/7 Practical • Open your window

    OS virtual machine settings and change network adapter to Host-only

16. 16 Practical Setup Environment 5/7 Practical • Make a snapshot,

    Just in case anything unintended happen, you can revert to previous state

17. 17 Practical Setup Environment 6/7 Practical • Curious to explore

    further? Download the binary for hands-on testing: https://drive.google.com/drive/folders/1sqbsqUgdiihcx_obuJZcNMT3rbbfQPsB?usp=sharing • Compiling it by yourself? You can use Visual Studio to compile it in C program • Here’s the source code of the binary:

18. 18 Practical Setup Environment 7/7 Practical • What's the best

    way to transfer a binary from my bare metal OS to a virtual machine, given that I downloaded it on the bare metal system due to internet access restrictions? Answer: You can use either python server, drag-drop, vm-share folder, depends on your preferences. There’s a lot method out there to transfer the file. Do explore on it https://www.freecodecamp.org/news/simplehttpserver-explained-how-to-send-files-using-python/

19. 19 Rest Time 5 minutes! Go get some coffee/tea!

20. 20 Introduction to Assembly • There is a lot of

    documentation and source code out there, but it can be difficult to learn without a guide • Different versions for each type of processor • We will go tru all with Intel syntax • x32-bit Intel (most common) • x64-bit Intel • SPARC, PowerPC, MIPS, ARM - others • You don't need to have everything here memorized before moving on, and parts of it will make more sense when you actually see it in action.

21. 21 Binary and Hexadecimal Number Systems 1/4 • Base 10

    (Decimal): • 0,1,2,3,4,5,6,7,8,9 to represent numbers • Base-2 (Binary): • 0 and 1 computers only understand • 0=low voltage and 1=high voltage • Base-16 (Hex): 16 Digits to represent numbers • 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F • A=10, B=11, C=12, D=13, E=14, F=15

22. 22 Binary and Hexadecimal Number Systems 2/4 Way to convert

    number with Windows calculator : Changing to Programmer Calc Selection Practical

23. 23 Binary and Hexadecimal Number Systems 3/4 Way to convert

    number inside debugger : Signed = negative value Unsigned = positive value Practical

24. 24 Binary and Hexadecimal Number Systems 4/4 Way to convert

    number inside debugger : Wait but why we need to play with Hex ?? why not just use decimal format ? Answer: Because base-16(hex) save space In this hex format 2 digit represent 1 byte Practical

25. 25 Low-level languages • Human-readable version of the processor’s instruction

    set • Assembly language • PUSH, POP, NOP, MOV, JMP … • Disassembler generates assembly language • This is the highest-level language that can be reliably recovered from malware when source code is unavailable

26. 26 High-level languages • Most programmers use these • C,

    C++, C#, etc. • Converted to machine code by a compiler

27. 27 Interpreted languages • Highest level • Java, C#, Perl,

    .NET, Python • Code is not compiled into machine code • It is translated into bytecode • An intermediate representation • Independent of hardware and OS • Bytecode executes in an interpreter, which translates bytecode into machine language on the fly at runtime • Ex: Java Virtual Machine https://www.youtube.com/watch?v=G1ubVOl9IBw

28. 28 Compiling 1/3 • Assembly code is the code that

    actually runs on your computer by the processor • The purpose of languages like C, is that we can program without having to really deal with assembly code https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-4-2048.jpg?cb=1667939942

29. 29 Compiling 2/3 https://i.ytimg.com/vi/LOWQg8BNQJ4/maxresdefault.jpg • There are a lot of

    different architectures. • Different types of processors can run different types of assembly code architectures. • In this crash course, We’re dealing with the most 64-bit, and 32-bit ELF (Executable and Linkable Format) and EXE (Portable Executable)

30. 30 Compiling 3/3 • We have tools such as Ghidra

    that will take compiled assembly code and give us a view of what it thinks the C code that the code was compiled from looks like, so we don't need to read endless lines of assembly code. • Downside: - Decompiling it is not always accurate • It’s better to understand it from the assembly itself

31. 31 QnA

32. 32 Reverse Engineering and Binary Exploitation: Intel x86/x86-x64 Assembly Part

    2 2 January 2024

33. 33 Disassembly • Converts the binary form to assembly language

    • Disassembly can be used to analyze and understand how software works, even if the source code is not available • Software is proprietary or the source code is not publicly available • bit: Represented by 0’s and 1’s • Byte: Represented by eight bits put together Decompiler Decompiler HIEW HT-Editor

34. 34 • Sometimes, xdbg wrongly intrepreted the hex to assembly.

    always keep on eye also on the hex. • Common Example: • ret= C3 • push ebp= 55 • call=E8 Debugger Overview 1/6 Practical

35. 35 • CPU windows that show register • There’s also

    Flag Register. Zero Flag ZF important to know certain jump to take place or not. Debugger Overview 2/6 Practical

36. 36 • Main register for x32 program Debugger Overview 3/6

    Practical

37. 37 • Ram memory program that’s runnning Debugger Overview 4/6

    Practical

38. 38 • Stack, %tmp% area in memory, store function parameter

    for any function call Debugger Overview 5/6 Practical

39. 39 Debugger Overview 6/6 • https://x64dbg.com/blog/ => all techniques x64

    debugger blogs • https://x64dbg.com/blog/2016/07/27/Control-flow-graph.html => Control flow analysis and graphing Practical

40. 40 Debugger Overview (Extra:Graph) Practical • Graph View feature from

    x32/x64 Debugger ! • Right click & Choose Graph OR • Shortcut Key = G, how to go back normal view? Click G again

41. 41 Debugger Overview (Extra: View Trace) Practical

42. 42 Debugger Overview (Extra: Mnemonic Brief) Practical • Right click

    and choose show mnemonic brief • OR Ctrl+Shift+F1

43. 43 Prologue & Epilogue Practical

44. 44 For now, just understand that Prolog contains the instructions

    that prepare the registers and stack space for the function before it starts execution and Epilog contains instructions that help in restoring the stack and registers to their previous state, that is before the function was called. For a more details explanation, do look this up! • https://www.youtube.com/watch?v=F58WAnf2gr0&ab_channel=YoungSlothLearning => Prologue: Intel x86 Assembly Att Stack Prologue. You will encounter this a lot in the practical part later, it will make more sense when you actually see it in action. Prologue & Epilogue Practical

45. 45 Hollow Out Lab 1/12 Practical You have two options

    here : 1. Either compile by yourself the code (codeblocks, gcc, visual studio, etc) 2. OR use binary template provided in google drive (decompile the binary if you want more information) https://drive.google.com/drive/folders/1sqbsqUgdiihcx_obuJZcNMT3rbbfQPsB?usp=sharing Password: winter-assembly 1. Raw code 2. Binary File

46. 46 Rest Time 5 minutes! Go get some coffee/tea!

47. 47 Hollow Out Lab 2/12 Practical

48. 48 Hollow Out Lab 3/12 Practical

49. 49 Hollow Out Lab 4/12 Practical Software Breakpoint at our

    functions string in the program !

50. 50 Hollow Out Lab 5/12 Practical

51. 51 Hollow Out Lab 6/12 Practical Hollow up at the

    right function, don't hollow all of this. Just empty the content of the function. Plus, we need to know where useful item/call located

52. 52 Hollow Out Lab 7/12 Practical

53. 53 Hollow Out Lab 8/12 Practical Next, We will need

    to leave any useful part, example like “putchar” will print new line.

54. 54 Hollow Out Lab 9/12 Practical This is the code

    we will hollow

55. 55 Hollow Out Lab 10/12 Practical Right click > Binary

    > Fill with NOPs> OK

56. 56 Hollow Out Lab 11/12 Practical Patch it, we don't

    want overwrite the original !

57. 57 Hollow Out Lab 12/12 Practical Done ! We successful

    hollow out the program

58. 58 Fun Fact: Hollowed VT Trojan Detection Visual Studio Mingw

59. 59 Data Storage Size X86-64 supported storage sizes : C/C++

    declarations are mapped as follows: 32b 64b

60. 60 QnA

61. 61 Reverse Engineering and Binary Exploitation: Intel x86/x86-x64 Assembly Part

    3 (Final) 4 January 2024

62. 62 Registers x86 & x64 • 32-bit known as x86

    or IA-32 • 64-bit known as x86-64, AMD64 and Intel 64 • Registers are essentially places where the processor can store memory • These typical sizes we will be dealing with are 8 bytes, 4 bytes, 2 bytes, and 1. The reason for these different sizes is due to the advancement of technology, we can store more data in a register. • Word [ 2 Bytes ] , Dword [ 4 Bytes ] , Qword [ 8 Bytes ] https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/x64- architecture

63. 63 Registers x86 https://www.cs.virginia.edu/~evans/cs216/guides/x86-registers.png

64. 64 64-bit lower portions register Ed Jorgensen, Ph.D Book

65. 65 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-24-2048.jpg?cb=1667939942

66. 66 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-23-2048.jpg?cb=1667939942

67. 67 Instructions: MOV • MOV Destination, Source • Copies data

    from Source to Destination • Can move: • Register to register • Memory to register, register to memory • Immediate to register, immediate to memory • Never! Memory to memory • MOV example: Practical

68. 68 Instructions: Addition using Full Register and Partial Register •

    ADD destination, source Practical https://www.cs.virginia.edu/~evans/cs216/guides/x86-registers.png

69. 69 Instructions: SUB • SUB destination, source • make sure

    take note on partial register return value Practical

70. 70 Instructions: INC & DEC Practical

71. 71 Instructions: NOP Practical

72. 72 https://www.cookiesec.blog/post/CodeCave-Backdoor-PE Practical Method: Dropper Code Cave

73. 73 END - Instructions Practical • There’s still lot more

    instructions/method we can cover, but it takes time to prepare. If you'd like to learn more in a future session, let me know on the feedback form ☺ • MUL/DIV - Arithmetic • Accessing memory • PUSH & POP - The stack • CALL - Functions call • Input/Output Strings/Integer Functions • Flags Register • Unconditional & Conditional Jumps • Structured Branching • CMP • Signed & Unsigned • etc

74. 74 Rest Time 5 minutes! Go get some coffee/tea!

75. 75 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-35-2048.jpg?cb=1667939942 SPRs

76. 76 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-34-2048.jpg?cb=1667939942

77. 77 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-25-2048.jpg?cb=1667939942

78. 78 Little Endian • Offset value: 78 56 34 12

    • Actual value: 0x12345678 Big Endian • Offset value: 12 34 56 78 • Actual value: 0x12345678

79. 79 Segment Registers

80. 80 Segment Registers Code Segment: The Code Segment (CS )

    register points to the Code section in the memory. Stack Segment: The Stack Segment (SS) register points to the program's Stack in the memory. Data Segment: The Data Segment (DS) register points to the program's data section in the memory. Extra Segments (ES, FS, and GS): These extra segment registers point to different data sections. These and the DS register divide the program's memory into four distinct data sections.

81. 81 • Specify how arguments are passed to a function,

    how return values are passed back out of a function, how the function is called, and how the function manages the stack and its stack frame. In short, the calling convention specifies how a function call in C or C++ is converted into assembly language. • two of them are commmonly used in most programming languages: • cdecl - the default call type for C functions. The caller is responsible of cleaning the stack frame. • stdcall - the default call type for Win32 APIs. The callee is responsible of cleaning the stack frame. Calling Conventions

82. 82 Memory Hierarchy <- We are here ! https://en.wikipedia.org/wiki/Memory_hierarchy#/media/File:ComputerMemoryHierarchy.svg Ed

    Jorgensen, Ph.D Book Typical performance and size characteristics :

83. 83 Architecture Overview Ed Jorgensen, Ph.D Book

84. 84 • CPU (Central Processing Unit) executes code • RAM

    contains/stored all the code and data for a program to run • The Memory, also called Main Memory or Random Access Memory (RAM) • I/O system interfaces with hard disk, keyboard, monitor, etc. https://www.oreilly.com/api/v2/epubs/9781593272906/files/httpatomoreillycomsourcenostarchimages2150771.png.jpg x86 Architecture

85. 85 Control Unit • gets instructions to execute from RAM

    using a register - the instruction pointer, which stores the address of the instruction to execute. • Fetches instructions from RAM using a register named the “instruction pointer” • The address to the next instruction to execute is stored in a register called the Instruction Pointer or IP. In 32-bit systems, this register is called EIP, and in 64-bit systems, it is called RIP. Register • Registers are the CPU's storage, stores small amounts of data • Faster than RAM but limited size (has to be used effectively) ALU (Arithmetic Logic Unit) • Executes an instruction and places results in registers or RAM https://www.oreilly.com/api/v2/epubs/9781593272906/files/httpatomoreillycomsourcenostarchimages2150771.png.jpg CPU Components

86. 86 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-18-2048.jpg?cb=1667939942 • Values placed in RAM when a program

    loads • Sometimes these values are called static • They may not change while the program is running • Sometimes these values are called global • Available to any part of the program

87. 87 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-18-2048.jpg?cb=1667939942 • Instructions for the CPU • Controls what

    the program does

88. 88 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-18-2048.jpg?cb=1667939942 • Dynamic memory • Changes Frequently during program

    execution • Program creates (allocates) new values, and eliminates (frees) them when they are no longer needed

89. 89 https://image.slidesharecdn.com/ch4-170116190423/75/cnit-126-4-a-crash-course-in-x86-disassembly-18-2048.jpg?cb=1667939942 • Local variables and parameters for functions •

    Helps programs flow

90. 90 Live memory RAM Debugger 1/2 Practical

91. 91 Memory Inside the process is runnning RAM Debugger 2/2

    Practical

92. 92 The Stack! • The Stack is a part of

    a program's memory that contains the arguments passed to the program, the local variables, and the program's control flow. • The stack is a Last In First Out (LIFO) memory. This means that the last element pushed onto the stack is the first one to be popped out. For example, if we push A, B, and C onto the stack, when we pop out these elements, the first to pop out will be C, B, and then A. The CPU uses two registers to keep track of the stack. One is the Stack Pointer (the ESP or RSP), and the other is the Base Pointer (the EBP or RBP).

93. 93 The Stack! The Stack Pointer(ESP/RSP): The Stack Pointer points

    to the top of the stack. When any new element is pushed on the stack, the location of the Stack Pointer changes to consider the new element that was pushed on the stack. Similarly, when an element is popped off the stack, the stack pointer adjusts itself to reflect that change. The Base Pointer(EBP/RBP): The Base Pointer for any program remains constant. This is the reference address where the current program stack tracks its local variables and arguments. Old Base Pointer and Return Address: Below the Base Pointer lies the old Base Pointer of the calling program (the program that calls the current program). And below the old Base Pointer lies the Return Address, where the Instruction Pointer will return once the current program's execution ends.

94. 94 The Stack! Arguments: The Arguments being passed to a

    function are pushed to the stack before the function starts execution. These arguments are present right below the Return Address on the stack.

95. 95 Rest Time 5 minutes! Go get some coffee/tea!

96. 96 Extra: NASM (ELF) 1/3 Practical Manual Practical You can

    use any text editor you prefer

97. 97 Extra: NASM (ELF) 2/3 Practical Manual Practical

98. 98 Extra: NASM (ELF) 3/3 Practical Manual Practical Exit functions

    way in assembly:

99. 99 User Space VS Kernel Space https://cocomelonc.github.io/assets/images/10/int0x80.png

100. 100 Resource for further study https://www.swag.uwaterloo.ca/asx/assembler.pdf

101. 101 Resource for further study AMD + Book

102. 102 This crash course has covered a lot, but it's

     just the beginning! There are still many more topics that we could cover, but this is a good foundation for you to start with.

103. 103 QnA

104. 104 Thankyou !