Intro To AL1 - 2023 - Elearn

The LEA instruction calculates the effective address of the src operand but does not perform any data transfer. It loads the calculated address into the dest register.


SIT Internal

Malware
Analysis and Defense
(Additional Material on Assembly Language)

Instructor Contact
Dr Peter Loh [email protected]


Introduction to
Assembly Language 1

Malware Analysis and Defence 2



Scope of Topic

1) Decimal, Binary, Octal and Hexadecimal System
2) Overview of x86 Architecture - Instruction Fetch-Decode-Execute
3) Flags Register
4) Data Transfer Instructions
5) String Instructions
6) Arithmetic Instructions


Number Systems (Brief Revision)


• Whole Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, …
• Base of a number: Number of unique digits, including 0, used to represent the number
• Base 10 numbers: 13₁₀ or 13, 999₁₀ or 999, 10000₁₀ or 10000
• Base 10 number system: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
• Base N number system: 0, 1, 2, …, N-1


Common Number Systems


System        Base   Symbols                   Used by humans?   Used in computing?
Decimal       10     0, 1, … 9                 Yes               Yes
Binary        2      0, 1                      No                Yes
Octal         8      0, 1, … 7                 No                Yes
Hexadecimal   16     0, 1, … 9, A, B, … F      No                Yes

• Value of each digit in a number can be determined by:


➢ The digit
➢ Digit’s position in the number
➢ Base of the number system

Value of a Number (base 10)


Number Systems Comparison


Decimal   Binary   Octal   Hexadecimal   |   Decimal   Binary   Octal   Hexadecimal
0         0        0       0             |   8         1000     10      8
1         1        1       1             |   9         1001     11      9
2         10       2       2             |   10        1010     12      A
3         11       3       3             |   11        1011     13      B
4         100      4       4             |   12        1100     14      C
5         101      5       5             |   13        1101     15      D
6         110      6       6             |   14        1110     16      E
7         111      7       7             |   15        1111     17      F


Number Systems Conversion

25₁₀ = 11001₂ = 31₈ = 19₁₆


Binary to / from Decimal

http://www.rapidtables.com/convert/number/binary-to-decimal.htm

Binary to / from Octal

http://codebeautify.org/all-number-converter

Binary to / from Hexadecimal

http://codebeautify.org/all-number-converter

Octal to / from Decimal

http://codebeautify.org/all-number-converter

Octal to / from Hexadecimal

http://codebeautify.org/all-number-converter

Hexadecimal to / from Decimal

http://codebeautify.org/all-number-converter

Number Systems Exercise – 1/2


1. 379₁₀ is equivalent to which of the following octal numbers?
a) 375₈
b) 735₈
c) 573₈
d) 537₈

2. Convert 984₁₀ to hexadecimal. Which of the following is your answer?
a) D38₁₆
b) 3D8₁₆
c) 83D₁₆
d) 8D3₁₆


Number Systems Exercise – 2/2


3. 1568₁₀ is equivalent to which of the following binary numbers?
a) 11001100010₂
b) 11000110010₂
c) 10100100010₂
d) 11000100000₂

4. Which of the following numbers has the greatest value?
a) 11001100010₂
b) 8D3₁₆
c) 1753₈
d) 2256₁₀
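The digit-position-base rule from the slides, implemented for any base from 2 to 16 in both directions so that questions like the four above can be checked by hand. This is an added example, not code from the lecture; the function names are my own.

```python
# Added example (not from the lecture slides): positional number conversion
# between decimal and any base from 2 to 16, following the digit/position/base
# rule the slides describe. Function names are my own.

DIGITS = "0123456789ABCDEF"


def to_decimal(numeral: str, base: int) -> int:
    """Value of `numeral` written in base `base` (digits 0-9, A-F; case-insensitive)."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    value = 0
    for ch in numeral.upper():
        digit = DIGITS.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        # Each digit's weight is base**position; accumulating left to right
        # gives the same result without computing the powers explicitly.
        value = value * base + digit
    return value


def from_decimal(value: int, base: int) -> str:
    """Numeral for the whole number `value` in base `base`."""
    if value < 0:
        raise ValueError("only whole numbers are handled")
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    if value == 0:
        return "0"
    digits = []
    while value:
        # Repeated division: the remainders are the digits, least significant first.
        value, remainder = divmod(value, base)
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))


def convert(numeral: str, from_base: int, to_base: int) -> str:
    """Convert between two arbitrary bases via decimal, e.g. octal to hexadecimal."""
    return from_decimal(to_decimal(numeral, from_base), to_base)


def greatest(*numerals):
    """Return the (numeral, base) pair with the largest value, for questions like exercise 4."""
    return max(numerals, key=lambda pair: to_decimal(pair[0], pair[1]))


if __name__ == "__main__":
    # The worked conversion from the "Number Systems Conversion" slide.
    print("25 (base 10) =", from_decimal(25, 2), "(base 2) =",
          from_decimal(25, 8), "(base 8) =", from_decimal(25, 16), "(base 16)")
    print("1F (base 16) as octal:", convert("1F", 16, 8))
```

Going through decimal is the simplest general route; binary to octal or hexadecimal can also be done by grouping bits in threes or fours, which is what the converter pages linked above do.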


Overview of
x86 Assembly Language


What is Assembly Language? – 2/2


Flags Register


The x86 Flag Register – 1/4

Hardware – contains processor status


Flags in the EFLAGS Register – 2/4

• CF : Carry Flag - Set if the last arithmetic operation carried (addition) or borrowed (subtraction) a bit beyond register size
• PF : Parity Flag - Set if the number of set bits in the LSByte (least significant byte) is even
• AF : Adjust/Auxiliary Flag - Carry of Binary Coded Decimal (BCD) number arithmetic operations (carry from lower to higher nibble)
• ZF : Zero Flag - Set if the result of an operation is zero (0)
• SF : Sign Flag - Set if the result of an operation is negative
• TF : Trap Flag - Set to enable step by step debugging
• IF : Interrupt Flag - Set if hardware interrupts are enabled
• DF : Direction Flag. If set, string operations will decrement their pointer rather than incrementing it, reading memory backwards

Flags in the EFLAGS Register – 2/4

• OF : Overflow Flag - Set if signed arithmetic operations result in a value too large for the register to contain
• IOPL : (2 bits). I/O Privilege Level of the current process
• NT : Nested Task flag. Controls chaining of interrupts. Set if the current process is linked to the next process
• RF : Resume Flag. Response to debug exceptions
• VM : Virtual-8086 Mode. Set if in 8086 compatibility mode.
• AC : Alignment Check. If set, unaligned memory address reference generates exception
• VIF : Virtual Interrupt Flag. Virtual image of IF
• VIP : Virtual Interrupt Pending flag. Set if an interrupt is pending
• ID : Identification Flag. If software can toggle this flag, the processor supports the CPUID instruction

Flags Modification Examples – 3/4


Flag Modification Instructions – 4/4


• sti – sets IF so that processor can accept hardware interrupts
• cli – clears IF but software interrupts not masked
• std – sets DF to inform processor to decrement index registers
when using string instructions
• cld – clears DF to inform processor to increment index registers
when using string instructions
• stc – sets the CF
• clc – clears the CF
• cmc – inverts the CF
• sahf – load SF, ZF, AF, PF, and CF from AH register. Bits 1, 3, and 5
of register AH are ignored.
• lahf – move lowest byte of EFLAGS to AH register.

Data Transfer Instructions


Data Transfer Instructions – 1/6


Moves a copy of src operand to dest operand

Moves a copy of one byte from memory location specified in ESI register to memory location specified in the EDI register

Moves a copy of one word (two bytes) from memory location specified in ESI register to memory location specified in the EDI register

What if I want to copy more than 1 byte or 1 word?

Data Transfer Instructions – 2/6

MOVE WITH ZERO-EXTEND: Moves a copy of src operand to dest operand and pads the higher order bits not from src with zeroes (0s)

MOV instructions do not affect flags

Data Transfer Instructions – 3/6


Swaps the src operand with the dest operand

Calculates the address of the src operand and loads it into the dest operand

Flags affected: None

Data Transfer Instructions – 4/6


DF ← 1

DF ← 0


Data Transfer Instructions – 5/6


Data Transfer Instructions – 6/6

This instruction has two implicit operands AL/AX/EAX (depending on the size of
arg1) and ZF (zero) flag. The instruction compares arg1 to AL/AX/EAX and if
they are equal sets arg1 to arg2 and sets the zero flag, otherwise it sets
AL/AX/EAX to arg1 and clears the zero flag. Flags Affected: AF, CF, OF, PF, SF, ZF.


String Instructions


String Instructions – 1/3


Scan string compares AL with byte at ES:(E)DI and sets status flags
Scan byte string – similar to SCAS
Scan word string compares AL with word at ES:(E)DI and sets status flags
Scan doubleword string compares AL with doubleword at ES:(E)DI and sets status flags

The above code checks that byte #4 of my_serial is − (e.g. abcd-efghi)

When used together with the REPNE prefix (REPeat while Not Equal), SCAS scans the string searching for the first string element equal to the value in the accumulator

String Instructions – 2/3


Store string copies AL contents to memory location at ES:(E)DI. Status
flags are not affected.
Store byte string – similar to STOS
Store word string copies AX contents to memory location at ES:(E)DI.
Status flags are not affected.
Store doubleword string copies EAX contents to memory location at
ES:(E)DI. Status flags are not affected.


String Instructions – 3/3


Load string loads byte at address DS:(E)SI into AL. Status flags not affected.

Load byte string – similar to LODS

Load word string loads word at address DS:(E)SI into AX. Status flags not
affected.
Load doubleword string loads double word at address DS:(E)SI into EAX.
Status flags not affected.
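A toy model of the byte-sized string instructions covered on the last three slides (SCASB, STOSB, LODSB), together with the DF behaviour set by std/cld and the REP/REPNE prefix, so the "first element equal to the accumulator" search and the my_serial check can be traced step by step. This is an added example, not the lecture's code: memory is a flat bytearray (ES = DS assumed), only ZF is modelled for SCASB, and the class and function names are my own. The assembly shown in the docstring of `serial_has_dash_at_4` is my reconstruction, since the slide's own instructions are not reproduced in the text.

```python
# Added example (not from the lecture slides): a toy model of the byte-sized
# string instructions on these slides (SCASB, STOSB, LODSB) including the
# Direction Flag and the REP/REPNE prefixes. Memory is a bytearray with a flat
# segment (ES = DS assumed); only ZF is modelled for SCASB. Names are my own.


class Cpu:
    def __init__(self, memory: bytes):
        self.mem = bytearray(memory)
        self.eax = self.esi = self.edi = self.ecx = 0
        self.df = 0   # cld -> 0 (pointers increment), std -> 1 (pointers decrement)
        self.zf = 0

    @property
    def al(self) -> int:
        return self.eax & 0xFF

    @al.setter
    def al(self, value: int) -> None:
        self.eax = (self.eax & ~0xFF) | (value & 0xFF)

    def _step(self) -> int:
        return -1 if self.df else 1

    def scasb(self) -> None:
        """Compare AL with the byte at ES:EDI, set ZF, then move EDI by one byte."""
        self.zf = int(self.al == self.mem[self.edi])
        self.edi += self._step()

    def stosb(self) -> None:
        """Store AL at ES:EDI, then move EDI. Flags untouched."""
        self.mem[self.edi] = self.al
        self.edi += self._step()

    def lodsb(self) -> None:
        """Load the byte at DS:ESI into AL, then move ESI. Flags untouched."""
        self.al = self.mem[self.esi]
        self.esi += self._step()

    def rep(self, op, stop_when_zf=None) -> None:
        """REP (stop_when_zf=None), REPE (0) or REPNE (1): while ECX != 0 run op,
        decrement ECX, then for REPE/REPNE stop as soon as ZF has the given value."""
        while self.ecx:
            op()
            self.ecx -= 1
            if stop_when_zf is not None and self.zf == stop_when_zf:
                break


def find_byte(data: bytes, needle: int) -> int:
    """REPNE SCASB forward search: index of the first byte equal to needle, or -1."""
    cpu = Cpu(data)
    cpu.al, cpu.edi, cpu.ecx = needle, 0, len(data)
    cpu.rep(cpu.scasb, stop_when_zf=1)
    # On a hit EDI has already been incremented past the matching byte.
    return cpu.edi - 1 if cpu.zf else -1


def find_last_byte(data: bytes, needle: int) -> int:
    """Same search after STD: EDI walks backwards, so the last occurrence is found."""
    cpu = Cpu(data)
    cpu.df = 1   # std
    cpu.al, cpu.edi, cpu.ecx = needle, len(data) - 1, len(data)
    cpu.rep(cpu.scasb, stop_when_zf=1)
    return cpu.edi + 1 if cpu.zf else -1


def fill(count: int, value: int) -> bytes:
    """REP STOSB: memset-style fill of `count` bytes, starting one byte into a scratch buffer."""
    cpu = Cpu(bytes(count + 2))
    cpu.al, cpu.edi, cpu.ecx = value, 1, count
    cpu.rep(cpu.stosb)
    return bytes(cpu.mem)


def copy_forward(data: bytes) -> bytes:
    """LODSB/STOSB pair in an ECX-counted loop (CLD): copies data into the buffer after it."""
    cpu = Cpu(data + bytes(len(data)))
    cpu.esi, cpu.edi, cpu.ecx = 0, len(data), len(data)
    cpu.rep(lambda: (cpu.lodsb(), cpu.stosb()))
    return bytes(cpu.mem[len(data):])


def serial_has_dash_at_4(serial: bytes) -> bool:
    """The slide's check that byte #4 of my_serial is '-' (e.g. abcd-efghi), as I would
    write it (the slide's exact instructions are assumed):
        lea edi, [my_serial + 4]
        mov al, '-'
        scasb            ; ZF = 1 if the byte matched
    A buffer too short to have a byte #4 is rejected before touching memory."""
    if len(serial) <= 4:
        return False
    cpu = Cpu(serial)
    cpu.al, cpu.edi = ord("-"), 4
    cpu.scasb()
    return bool(cpu.zf)


if __name__ == "__main__":
    print(find_byte(b"abcd-efghi", ord("-")), find_last_byte(b"a-b-c", ord("-")))
    print(serial_has_dash_at_4(b"abcd-efghi"), serial_has_dash_at_4(b"abcde-fghi"))
```

Two details worth noticing when reading such loops in a disassembler: after a REPNE SCASB hit, EDI already points one element past the match, and the loop also ends when ECX reaches zero, so ZF must be tested afterwards to tell a hit from an exhausted count.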


Exercise – What does the code do?


This code assumes that String1 and String2 are in the same segment:


Arithmetic Instructions


Arithmetic Instructions – 1/10

Increments destination operand by 1

CF not affected. Sets OF, SF, ZF, AF, and PF according to result

Decrements destination operand by 1

Sets ZF if ecx = 0. What do eax and ebx contain after execution?

Arithmetic Instructions – 2/10

Adds src operand to dest operand

Subtracts src operand from dest operand. The sub instruction sets flags (OF, SF, ZF, AF, PF, and CF)


Arithmetic Instructions – 3/10


Add with Carry: same as add, but the value of the Carry Flag (CF) is also added.

Flags affected: OF, SF, ZF, AF, CF, and PF flags are set according to the result

The above code fragment adds two 8-bit integers (0FFh + 0FFh),
producing a 16-bit sum in DL:AL, which is 01h:FEh;
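A small model of how the arithmetic instructions on these slides (add, adc, sub, inc/dec, neg) set the EFLAGS bits described in the flags section, with the operand width as a parameter so that the 8-bit fragment above (0FFh + 0FFh giving DL:AL = 01h:FEh) and 32-bit cases can both be run. This is an added example, not the lecture's code; the flags-as-a-dict representation and function names are my own, and the instruction sequence in `wide_add_example` is my reconstruction of the slide's fragment, whose exact instructions are not reproduced in the text.

```python
# Added example (not from the lecture slides): a model of how ADD, ADC, SUB,
# INC/DEC and NEG set the EFLAGS bits described in the flags slides. Operand
# width is a parameter so 8-bit and 32-bit cases can both be run. Function
# names and the flags-as-a-dict representation are my own.


def _result_flags(result: int, bits: int) -> dict:
    """ZF, SF and PF depend only on the truncated result."""
    return {
        "ZF": int(result == 0),
        "SF": (result >> (bits - 1)) & 1,                    # top bit of the register
        "PF": int(bin(result & 0xFF).count("1") % 2 == 0),  # even number of set bits in LSByte
    }


def add(a: int, b: int, bits: int = 32, carry_in: int = 0):
    """ADD (carry_in=0) or ADC (carry_in=CF). Returns (result, flags)."""
    mask = (1 << bits) - 1
    a, b = a & mask, b & mask
    full = a + b + carry_in            # unbounded sum
    result = full & mask               # what the register actually holds
    flags = _result_flags(result, bits)
    flags["CF"] = (full >> bits) & 1   # a bit carried beyond the register size
    # OF: both inputs had the same sign and the result's sign differs from it
    flags["OF"] = (((a ^ result) & (b ^ result)) >> (bits - 1)) & 1
    # AF: carry from the low nibble into the high nibble (used by BCD adjust)
    flags["AF"] = (((a & 0xF) + (b & 0xF) + carry_in) >> 4) & 1
    return result, flags


def sub(a: int, b: int, bits: int = 32, borrow_in: int = 0):
    """SUB (borrow_in=0) or SBB (borrow_in=CF). Returns (result, flags)."""
    mask = (1 << bits) - 1
    a, b = a & mask, b & mask
    full = a - b - borrow_in
    result = full & mask
    flags = _result_flags(result, bits)
    flags["CF"] = int(full < 0)        # a borrow was needed beyond the register size
    # OF: inputs had different signs and the result's sign differs from a's
    flags["OF"] = (((a ^ b) & (a ^ result)) >> (bits - 1)) & 1
    flags["AF"] = int((a & 0xF) - (b & 0xF) - borrow_in < 0)
    return result, flags


def adc(a: int, b: int, cf: int, bits: int = 32):
    return add(a, b, bits, carry_in=cf)


def neg(a: int, bits: int = 32):
    """NEG is 0 - a: CF is set for every non-zero input, OF only for the most negative value."""
    return sub(0, a, bits)


def inc(a: int, cf: int, bits: int = 32):
    """INC adds 1 but leaves CF untouched (the slides: 'CF not affected')."""
    result, flags = add(a, 1, bits)
    flags["CF"] = cf
    return result, flags


def dec(a: int, cf: int, bits: int = 32):
    """DEC subtracts 1 and, like INC, leaves CF untouched."""
    result, flags = sub(a, 1, bits)
    flags["CF"] = cf
    return result, flags


def wide_add_example():
    """The slide's 8-bit fragment as I would write it (exact instructions assumed):
        mov al, 0FFh
        add al, 0FFh      ; AL = 0FEh, CF = 1
        mov dl, 0
        adc dl, 0         ; DL = 0 + 0 + CF = 01h
    Returns (DL, AL)."""
    al, f = add(0xFF, 0xFF, bits=8)
    dl, _ = adc(0, 0, f["CF"], bits=8)
    return dl, al


if __name__ == "__main__":
    print("DL:AL = %02Xh:%02Xh" % wide_add_example())
    print("add 7Fh + 01h (8-bit):", add(0x7F, 1, bits=8))
    print("neg 80h (8-bit):", neg(0x80, bits=8))
```

The same functions answer the "which of CF and OF are set" style of question: CF tracks the unsigned carry or borrow, OF the signed overflow, and the two are independent, so 7Fh + 01h sets OF but not CF while 0FFh + 0FFh does the reverse.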

Arithmetic Instructions – 4/10

Unsigned Multiplication: Multiplies the arg operand by the accumulator register of the same size. For a byte-sized arg the product is stored in the AX register: high order 8 bits in AH and low order 8 bits in AL.


Arithmetic Instructions – 5/10


Same as mul but signed operation.

Multiplies src operand by dest operand. Product is stored in dest operand


Arithmetic Instructions – 6/10

Multiplies the src operand by the aux operand and the product is stored in the dest operand


Arithmetic Instructions – 7/10


Divides value in the dividend register(s) by arg according to the table

The : means concatenation. EDX contains bits 32 - 63 and EAX contains bits 0 - 31


Arithmetic Instructions – 8/10


Arithmetic Instructions – 9/10


Similar to div except signed
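A model of the 32-bit forms of mul, imul, div and idiv described on the multiplication and division slides above, with EDX:EAX treated as the concatenation the div slide describes (EDX holds bits 32-63, EAX bits 0-31). This is an added example, not the lecture's code; the #DE divide fault is modelled as a Python exception and the function names are my own.

```python
# Added example (not from the lecture slides): a model of the 32-bit MUL/DIV and
# IMUL/IDIV forms described on these slides, where "EDX:EAX" means the
# concatenation of EDX (bits 32-63) and EAX (bits 0-31). The #DE fault raised by
# a zero divisor or an oversized quotient is modelled as a Python exception.
# Function names are my own.

MASK32 = 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit register value as two's complement."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def mul32(eax: int, arg: int):
    """MUL r/m32: EDX:EAX = EAX * arg, unsigned. CF = OF = 1 if the upper half is non-zero."""
    product = (eax & MASK32) * (arg & MASK32)
    edx, eax = product >> 32, product & MASK32
    cf = of = int(edx != 0)
    return edx, eax, cf, of


def imul32(eax: int, arg: int):
    """One-operand IMUL r/m32: EDX:EAX = EAX * arg, signed.
    CF = OF = 1 if EDX is not merely the sign extension of EAX."""
    product = to_signed32(eax) * to_signed32(arg)
    edx, eax = (product >> 32) & MASK32, product & MASK32
    cf = of = int(to_signed32(eax) != product)
    return edx, eax, cf, of


def div32(edx: int, eax: int, arg: int):
    """DIV r/m32: EAX = EDX:EAX / arg, EDX = EDX:EAX mod arg, unsigned.
    Raises on a zero divisor or a quotient that does not fit in EAX (both are #DE)."""
    divisor = arg & MASK32
    if divisor == 0:
        raise ZeroDivisionError("#DE: divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    quotient, remainder = divmod(dividend, divisor)
    if quotient > MASK32:
        raise OverflowError("#DE: quotient does not fit in EAX")
    return quotient, remainder


def idiv32(edx: int, eax: int, arg: int):
    """IDIV r/m32: signed division of EDX:EAX by arg, truncating toward zero (unlike
    Python's floor division). Returns signed (quotient, remainder); #DE as above."""
    divisor = to_signed32(arg)
    if divisor == 0:
        raise ZeroDivisionError("#DE: divide by zero")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)
    if dividend & (1 << 63):          # interpret the 64-bit pair as two's complement
        dividend -= 1 << 64
    quotient = abs(dividend) // abs(divisor)
    if (dividend < 0) != (divisor < 0):
        quotient = -quotient
    remainder = dividend - quotient * divisor   # remainder takes the dividend's sign
    if not -(1 << 31) <= quotient <= (1 << 31) - 1:
        raise OverflowError("#DE: quotient does not fit in EAX")
    return quotient, remainder


def mul_then_div_roundtrip(a: int, b: int) -> int:
    """mul b ; div b returns a for any 32-bit a and non-zero b, because the wide
    product left in EDX:EAX is exactly the dividend that DIV consumes."""
    edx, eax, _, _ = mul32(a, b)
    quotient, remainder = div32(edx, eax, b)
    assert remainder == 0
    return quotient


if __name__ == "__main__":
    print(mul32(0xFFFFFFFF, 2))                 # upper half needed: EDX = 1
    print(idiv32(0xFFFFFFFF, 0xFFFFFFFB, 2))    # -5 / 2: quotient -2, remainder -1
```

When reading compiled code, the cdq (sign-extend EAX into EDX) or xor edx, edx that precedes a division is the compiler setting up the upper half of this dividend; a div whose EDX has not been prepared is the usual way the "quotient does not fit" fault appears in practice.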


Arithmetic Instructions – 10/10


Arithmetically negates the argument arg
(i.e. two's complement negation)


Exercise
1. Consider the following code segments:

Which of the flags, CF and OF, are set in each case?

2. What do AL, CF and OF contain after the following code runs:
