Crash Dump Analysis: Jakub Jermář Martin Děcký

Crash Dump Analysis
IA-32
Jakub Jerm
Martin Dck
Crash Dump Analysis MFF UK IA-32 2
IA-32 Overview
32 bit CISC architecture
Starts with 80386
Also known as x86, i386, i586, i686, etc.
Strong inheritance of 8086, even 8080
Some RISC characteristics after Pentium (P5, i586)
Variable instruction size
Non-orthogonal instruction set
Most instructions can have memory operands

IA-32 Overview (2)
Very few GPRs (8)
Actually only 6 or 7 practically usable (ABI dependent)
Little-endian
Implicit stack
Complicated memory management
Several operational modes
Real mode (8086), V86 (virtual 8086), 16bit Protected mode

(80286), 32bit Protected mode (80386+), SMM,
Paging and segmentation

Little vs. Big Endian
Memory is usually addressed in bytes (8 bits)
There are at least two native ways how to store

larger data structures in sequence of bytes
v = 0xAA884400
Big-Endian
big end first
most significant byte first
AA 88 !!
! " 2 3
Litte-Endian
#itt#e end first
#east significant byte first
!! 88 AA
! " 2 3
Little-Endian
Storing data using larger element sizes
v = 0xAA884400
Element size: 16 bits

!! AA88
! " 2 3
!! AA 88
! " 2 3
IA-32 Manuals
Intel 64 and IA-32 Architectures Software

Developer's Manual
Volume 1: Basic Architecture
Volume 2A + 2B: Instruction Set Reference
Volume 3A + 3B: System Programming Guide
Intel 64 and IA-32 Architectures Optimization

Reference Manual
http://www.intel.com/products/processor/manuals
IA-32 ABI
System V Application Binary Interface, Intel386

Architecture Processor Supplement
This is the authoritative source of information
At least for systems using GNU GCC toolchain

(GNU/Linux, *BSD, most Unixes, etc.)
We will use and present a simplified view which is

sufficient for common cases (integer arguments)
www.sco.com/developers/devspecs/abi386-4.pdf
IA-32 Registers
A$ A%
A&
'A&
($ (%
(&
'(&
)$ )%
)&
')&
D$ D%
D&
'D&
DI
'DI
*I
'*I
(+
'(+
*+
'*+
,%A-*
',%A-*
)* D* '* ** ,* -*
.
-+/s
segment
registers
frame
0ointer
stack
0ointer
.
return 1a#ue
I+
'I+
. .
ABI in a Nutshell
Arguments passed on stack
In reverse order (the last argument is pushed first)
Return value
For simple integer types in EAX
Otherwise on the stack
Implicit stack pointer
Some instructions use ESP as implicit register

operand
ABI in a Nutshell (2)
Frame pointer
Usually (not always) stored in EBP
Volatile (scratch, caller-saved) registers
EAX, ECX, EDX
Non-volatile (preserved, callee-saved) registers
EBX, EDI, ESI, EBP, ESP
Stack aligned on 4B boundary
Some compilers use even larger alignment

IA-32 Instructions
Hundreds of instructions
Most of them have several variants (operands as

registers, operands as memory addresses, etc.)
Informal classification
General purpose (arithmetic, logic, jumps, etc.)
System instructions (altering processor mode)
FPU instructions
SIMD and other instructions (MMX, SSE, etc.)

IA-32 Instructions (2)
Most general purpose instructions have two

operands
register register
immediate register
memory register
immediate memory
INST opl, opr
AT&T syntax
opr 2opr INST opl
Intel syntax
opl 2opl INST opr
ADDL EAX, EBX
EBX EBX + EAX

IA-32 AT&T Syntax
Left operand source
Right operand destination
Register names prefixed by % (e. g. %eax)
Immediate operands prefixed by $ (e. g. $0x1)
Operand size encoded as instruction suffix
b (byte, 8 bit), w (word, 16 bit), l (long, 32 bit)
Example: movl $0x1, %eax

IA-32 AT&T Syntax (2)
Memory operands
Using implicit segment register
displacement(base, index, scale)
base and index are GPRs
scale is 1, 2, 4 or 8 (defaults to 1 if not specified)
displacement is an immediate offset
Effective address is calculated as

EA = displacement + base + index * scale
0x8111f30, 0x8(%ebp), -0x28(%eax),
-0x2(%esi, %eax, 2)
mov (%esp), %edi
IA-32 AT&T Syntax (3)
Memory operands with explicit segment register
segment_register:displacement(base, index, scale)
Segmentation is not used widely in modern OSes
Cannot be turned off
Mostly used for thread-local storage and in kernel
movl %gs:0x10, %eax
When accessing memory, the segment base is

always applied (added) to the effective address
Also in the case of implicit segment registers

Common Instructions
Real programs tend to use a limited set of

instructions most of the time
NOP, MOV, LEA
ADD, SUB, INC, DEC
XOR, AND, OR
PUSH, POP, CALL, RET
CMP, TEST
JMP, JE, JNE, JL, JB, JG, JA

Common Instructions (2)
NOP
Single byte instruction, opcode 0x90
No operation (actually XCHG EAX, EAX)
Important role for optimization and debugging
MOV
Move between registers
Memory loads and stores

LEA
Evaluate effective address in memory operand
Compiler often use it as a fast calculator
EA = displacement + base + index * scale

leal (%edx, %edx, 8), %eax
EAX EDX + 8 * EDX = 9 * EDX
ADD, SUB, XOR, AND, OR
Addition, subtraction, logical exclusive OR, logical

AND, logical OR
Example: xorl %ebx, %ebx
INC, DEC
Increment, decrement
Only one operand
Example: incb %al

PUSH
Push a register
content on the stack
Example: pushl %ecx

ESP 2ESP - 4
(ESP) 2ECX
POP
Pop a value from the

stack
Example: popl %edx

EDX ( 2 ESP)
ESP 2ESP + 4
CALL
Call function
Example: call -0x8da0

ESP 2ESP - 4
(ESP) 2EIP + inst_size
EIP 2EIP - 0x8da0
RET
Return from function

call
Example: ret
ESP 2 ESP + 4
EIP 2 (ESP - 4)
CMP
Compare two operands
Like SUB, but the result is discarded
Modifies bits in EFLAGS register
Example: cmpb $0x2f, (%esi)
TEST
Test bits
Like AND, but result is discarded and EFLAGS modified
Example: test %eax, %eax

JMP
Unconditional jump
Relative address in operand or a long jump
JE, JNE, JL, JB, JG, JA
Conditional jumps (there are many more)
The condition ~ state of bits in EFLAGS
Jump if (not) equal, less (signed), below (unsigned),

greater (signed), above (unsigned)
Relative address in operand (128 B)

Function Prologue
pushl %ebp
movl %esp, %ebp
subl $imm, %esp
movl %ebx, 4(%esp)
pushl %edi

Function Epilogue
popl %edi
movl 4(esp), %ebx
movl %ebp, %esp
popl %ebp
ret
popl %edi
movl 4(esp), %ebx
leave
ret
Stack and Code Example
Remember the foo(), bar() and foobar()

from previous slides?
Compile using gcc -O1
Disassemble and single step main() and foo()
Observe the stack

Stack and Code Example (2)
main3 0us4# 5eb0
main6"3 mo1# 5es075eb0
main633 sub# 8!9875es0
main6:3 and# 8!9fffffff!75es0
main6;3 sub# 8!9"c75es0
main6!9c3 0us4# !98<5eb0=
main6!9f3 ca## -!93f >foo?
main6!9"3 #ea1e
main6!9"@3 ret
foo3 0us4# 5eb0
foo6"3 mo1# 5es075eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:bf!3 Astart6!98!
Initial state
No instructions executed
Inherited stack pointer from

main()'s caller
Save previous frame

pointer on the stack
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Establish a new, fixed

frame pointer in EBP
It points to where we saved

the previous one
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
Allocate some space on the

stack
Will not be used

main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:be3 Ainit6!9"a
!98!:be83 !9feffbBdc
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Align the stack pointer on

16 B boundary
Not required by the ABI
Performance reasons
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Allocate some more space

on the stack
Will not be used

main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:bc3 Af0start6!92c
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Copy the incoming

argument (argc) to the
outgoing argument (a)
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Call foo()
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Save the previous frame

pointer to the stack
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Establish a new frame

pointer in EBP
It points to the address

where the previous one is
stored
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Allocate some space on the

stack
Will not be used

foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:ba3 !98!@!;e8
!98!:ba83 dbgAdesc
!98!:bac3 8
!98!:bb!3 "
!98!:bb3 !
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Copy the incoming

argument of foo() to the
outgoing argument for
bar()
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:ba!3 "
!98!:ba3 !98!@!;e8
!98!:ba83 dbgAdesc
!98!:bac3 8
!98!:bb!3 "
!98!:bb3 !
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Call bar()
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:b;c3 foo6!9e
!98!:ba!3 "
!98!:ba3 !98!@!;e8
!98!:ba83 dbgAdesc
!98!:bac3 8
!98!:bb!3 "
!98!:bb3 !
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Step through and return

from bar()
bar()'s return value is in

EAX
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:ba!3 "
!98!:ba3 !98!@!;e8
!98!:ba83 dbgAdesc
!98!:bac3 8
!98!:bb!3 "
!98!:bb3 !
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Free some stack space
Not necessary because of

the next instruction
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:bb!3 "
!98!:bb3 !
!98!:bb83 !98!:bec
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Destroy foo()'s stack

frame
foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:bbc3 main6!9"
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Return back to main()
Return value is again in EAX

foo3 0us4# 5eb0
foo633 sub# 8!9"75es0
foo6:3 0us4# !98<5eb0=
foo6;3 ca## 6!9@ >bar?
foo6!9e3 add# 8!9"!75es0
foo6!9""3 #ea1e
foo6!9"23 ret
!98!:bc!3 "
!98!:bc83 !92;
!98!:bcc3 Af0A4C
!98!:bd!3 !9"33f
!98!:bd3 !98!@!cda
!98!:bd83 !98!:!d3c
!98!:bdc3 !98!:bcc
!98!:be!3 !98!:bec
!98!:be3 Ainit6!9"a
!98!:bec3 !98!:c!
!98!:bf!3 Astart6!98!
Destroy main()'s stack

frame
main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
!98!:bf!3 Astart6!98!
Return from main()

main3 0us4# 5eb0
main6!9c3 0us4# !98<5eb0=
main6!9"3 #ea1e
main6!9"@3 ret
IA-32 ABI Cheat Sheet
EAX return value
EBX
ECX
EDX
ESI
EDI
EBP frame pointer
ESP stack pointer
non-volatile registers
volatile registers

Crash Dump Analysis: Jakub Jermář Martin Děcký

Uploaded by

Copyright:

Available Formats

Crash Dump Analysis: Jakub Jermář Martin Děcký

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Crash Dump Analysis: Jakub Jermář Martin Děcký

Uploaded by

Copyright:

Available Formats

Crash Dump Analysis

32 bit CISC architecture

Starts with 80386

Also known as x86, i386, i586, i686, etc.

Strong inheritance of 8086, even 8080

Some RISC characteristics after Pentium (P5, i586)

Variable instruction size

Non-orthogonal instruction set

Most instructions can have memory operands

Very few GPRs (8)

Actually only 6 or 7 practically usable (ABI dependent)

Complicated memory management

Several operational modes

Real mode (8086), V86 (virtual 8086), 16bit Protected mode

Paging and segmentation

Memory is usually addressed in bytes (8 bits)

There are at least two native ways how to store

Storing data using larger element sizes

Element size: 16 bits

Intel 64 and IA-32 Architectures Software

Volume 1: Basic Architecture

Volume 2A + 2B: Instruction Set Reference

Volume 3A + 3B: System Programming Guide

Intel 64 and IA-32 Architectures Optimization

System V Application Binary Interface, Intel386

This is the authoritative source of information

At least for systems using GNU GCC toolchain

We will use and present a simplified view which is

Arguments passed on stack

In reverse order (the last argument is pushed first)

For simple integer types in EAX

Otherwise on the stack

Implicit stack pointer

Some instructions use ESP as implicit register

Usually (not always) stored in EBP

Volatile (scratch, caller-saved) registers

EAX, ECX, EDX

Non-volatile (preserved, callee-saved) registers

EBX, EDI, ESI, EBP, ESP

Stack aligned on 4B boundary

Some compilers use even larger alignment

Most of them have several variants (operands as

General purpose (arithmetic, logic, jumps, etc.)

System instructions (altering processor mode)

SIMD and other instructions (MMX, SSE, etc.)

Most general purpose instructions have two

INST opl, opr

opr 2opr INST opl

opl 2opl INST opr

ADDL EAX, EBX

EBX EBX + EAX

Left operand source

Right operand destination

Register names prefixed by % (e. g. %eax)

Immediate operands prefixed by $ (e. g. $0x1)

Operand size encoded as instruction suffix

b (byte, 8 bit), w (word, 16 bit), l (long, 32 bit)

Example: movl $0x1, %eax