Assembly Language and Disassembly Primer

This document discusses assembly language and disassembly as it relates to malware analysis. It provides an introduction and overview of key concepts like program structure in memory, using a disassembler to translate machine code to assembly code, x86 registers, common instructions like data transfer, arithmetic, branching and conditionals. It also covers functions, calling conventions, arrays, strings and structures.

Malware Analysis CIS-672

Lecture 05: Assembly Language and Disassembly Primer
Dr. Muhammad Abid,
DCIS, PIEAS

Malware Analysis, PIEAS


Introduction

To gain a deeper understanding of a malware's inner workings and to understand the critical aspects of a malicious binary, code analysis needs to be performed.

Program In Memory

The structure of the executable on disk is similar to the structure of the executable in memory.

Program Disassembly

A disassembler/debugger (like IDA Pro or x64dbg) is a program that translates machine code into a low-level code called assembly code (an assembly language program), which can be read and analyzed to determine the workings of a program.
From a code analysis perspective, determining the program's functionality mainly relies on understanding these assembly instructions and how to interpret them.

X86 General-Purpose Registers

Eight general-purpose registers: eax, ebx, ecx, edx, esp, ebp, esi, and edi.
Each is 32 bits (4 bytes) in size.

Other X86 Registers

Instruction Pointer (EIP): EIP contains the address of the next instruction to execute.
EFLAGS register: the eflags register is a 32-bit register, and each bit in this register is a flag.
Segment registers (cs, ss, ds, es, fs, and gs), which keep track of sections in memory.

Data Transfer Instructions

mov dst,src
mov eax,10          ; moves 10 into EAX, same as eax=10
mov bx,7            ; moves 7 into BX, same as bx=7
mov eax,64h         ; moves the hex value 0x64 (i.e. 100) into EAX
mov eax,ebx         ; copies the content of EBX into EAX, i.e. eax=ebx
mov eax,[0x403000]  ; loads the 4 bytes (one dword) stored at address 0x403000 into EAX
lea ebx,[0x403000]  ; loads the address 0x403000 itself into EBX (no memory read)
lea eax,[ebx]       ; if ebx = 0x403000, then eax will also contain 0x403000
Disassembly Challenge

Arithmetic Operations

add eax,42     ; same as eax = eax+42
add eax,ebx    ; same as eax = eax+ebx
add [ebx],42   ; adds 42 to the value stored at the address held in ebx
sub eax,64h    ; subtracts the hex value 0x64 from eax, same as eax = eax-0x64
These instructions set or clear flags in the eflags register, based on the result of the operation.
inc eax        ; same as eax = eax+1 (updates the flags except CF)
dec ebx        ; same as ebx = ebx-1 (updates the flags except CF)

Arithmetic Operations

The mul instruction takes only one operand; that operand is multiplied by the content of the al, ax, or eax register, depending on the operand size.
The result of the multiplication is stored in ax (8-bit operand), dx:ax (16-bit operand), or edx:eax (32-bit operand).
mul ebx   ; ebx is multiplied with eax and the 64-bit result is stored in EDX:EAX
mul bx    ; bx is multiplied with ax and the 32-bit result is stored in DX:AX

Arithmetic Operations

Division is performed using the div instruction.
div takes only one operand, which can be either a register or a memory reference.
div ebx   ; divides the value in EDX:EAX by EBX
After the div instruction is executed, the quotient is stored in eax, and the remainder is stored in edx.
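As an added example (not from the lecture slides), a small Python model of the implicit EDX:EAX operand pair used by 32-bit mul and div. It shows why a listing clears edx (xor edx,edx) before div, and that a quotient wider than eax raises the divide error (#DE) just like a zero divisor; the register values are constructed.

```python
MASK32 = 0xFFFFFFFF


def mul32(eax, src):
    """mul src (32-bit operand): unsigned eax * src, returned as (edx, eax)."""
    product = (eax & MASK32) * (src & MASK32)
    return (product >> 32) & MASK32, product & MASK32   # high half, low half


def div32(edx, eax, src):
    """div src (32-bit operand): unsigned edx:eax / src -> (eax, edx).

    eax receives the quotient and edx the remainder.  The CPU raises #DE
    when src is zero and also when the quotient does not fit in 32 bits;
    both cases are modelled as Python exceptions here.
    """
    if src & MASK32 == 0:
        raise ZeroDivisionError("div by zero -> #DE")
    dividend = ((edx & MASK32) << 32) | (eax & MASK32)   # 64-bit edx:eax
    quotient, remainder = divmod(dividend, src & MASK32)
    if quotient > MASK32:
        raise OverflowError("quotient does not fit in eax -> #DE")
    return quotient, remainder


if __name__ == "__main__":
    # mov eax,80000000h ; mov ebx,4 ; mul ebx  -> edx:eax = 0x2:0x00000000
    print([hex(v) for v in mul32(0x80000000, 4)])
    # xor edx,edx ; mov eax,100 ; mov ebx,7 ; div ebx -> eax=14, edx=2
    print(div32(0, 100, 7))
    # a stale edx (here 1) makes the dividend 2^32 and the quotient overflow
    try:
        div32(1, 0, 1)
    except OverflowError as e:
        print("div with edx=1, eax=0, ebx=1:", e)
```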

Bitwise/ Shift/ Rotate Operations

not eax       ; same as eax = ~eax (every bit inverted)
and bl,cl     ; same as bl = bl & cl
The shr (shift right) and shl (shift left) instructions take two operands (the destination and the count). The destination can be either a register or a memory reference.
shl dst,count
rol (rotate left) and ror (rotate right) instructions:
rol al,2      ; rotates al left by 2 bits

Disassembly Challenge

Branching And Conditionals

Unconditional Jumps
jmp <jump address>

Conditional Jumps

The x86 cmp instruction subtracts the source operand from the destination operand and alters the flags without storing the difference in the destination.
cmp eax,5   ; computes eax - 5 and sets the flags, but the result is not stored
The test instruction performs a bitwise AND operation and alters the flags without storing the result.

Conditional Jumps

Conditional jump instructions general format:
jcc <address>

Conditional Jumps

Conditional Jumps

Disassembly Challenge

Loops

Disassembly Challenge

Functions

Calling a function:
call <some_function>
Returning From a Function:
ret

Function Parameters And Return Values

[Figure: main() calls test(), passing parameters and receiving a return value; test() runs its function prologue on entry and its function epilogue before returning.]

X86 Function Calling Conventions

X86 Calling Conventions: __cdecl

The default calling convention for C and C++ programs.
Supports vararg functions.
Creates larger executables than __stdcall, because it requires each function call to include stack cleanup code. The following listing shows the implementation of this.

X86 Calling Conventions: __cdecl

int __cdecl test(int a, int b)

X86 Calling Conventions: __cdecl

X86 Calling Conventions: __cdecl

X86 Calling Conventions: __stdcall

Used to call Win32 API functions.
The callee cleans the stack.
int __stdcall test(int a, int b)
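As an added example (not from the lecture slides), a Python model of the 32-bit stack during a call to test(a, b) under both conventions discussed above, __cdecl and __stdcall. It shows why the callee reads a at [ebp+8] and b at [ebp+0Ch], and that the only difference between the two conventions is who removes the arguments (ret 8 in the callee versus add esp,8 in the caller). The starting esp, saved ebp and return address are constructed values.

```python
class Stack32:
    """Sparse model of the 32-bit stack: a dword memory plus the esp register."""
    def __init__(self, esp=0x0019FF80):        # constructed starting esp
        self.esp = esp
        self.mem = {}                          # address -> dword

    def push(self, dword):                     # push: esp -= 4, then store
        self.esp -= 4
        self.mem[self.esp] = dword & 0xFFFFFFFF

    def pop(self):                             # pop: load, then esp += 4
        value = self.mem[self.esp]
        self.esp += 4
        return value


def call_test(a, b, convention, ret_addr=0x00401020):
    """Simulate `push b; push a; call test` plus test's prologue and epilogue.
    Returns (a read via ebp, b read via ebp, instruction trace, stack balanced)."""
    st, trace = Stack32(), []
    esp_before = st.esp
    st.push(b); trace.append("push b")                 # arguments are pushed
    st.push(a); trace.append("push a")                 # right-to-left
    st.push(ret_addr); trace.append("call test")       # call pushes return address
    # callee prologue: after it, [ebp] = saved ebp, [ebp+4] = return address
    st.push(0x0019FFC0); trace.append("push ebp")      # constructed caller ebp
    ebp = st.esp; trace.append("mov ebp,esp")
    a_seen = st.mem[ebp + 8]; trace.append("mov eax,[ebp+8]")       # first arg
    b_seen = st.mem[ebp + 0xC]; trace.append("mov ecx,[ebp+0Ch]")   # second arg
    # callee epilogue
    st.pop(); trace.append("pop ebp")
    if convention == "stdcall":
        st.pop(); st.esp += 8; trace.append("ret 8")   # callee drops both args
    elif convention == "cdecl":
        st.pop(); trace.append("ret")
        st.esp += 8; trace.append("add esp,8")         # caller drops both args
    else:
        raise ValueError("unknown convention: " + convention)
    return a_seen, b_seen, trace, st.esp == esp_before


if __name__ == "__main__":
    for conv in ("cdecl", "stdcall"):
        a, b, trace, balanced = call_test(1, 2, conv)
        print(conv + ": a =", a, "b =", b, "stack balanced =", balanced)
        print("    " + " ; ".join(trace))
```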

X86 Calling Conventions: __stdcall

X86 Calling Conventions: __stdcall

[Figure: side-by-side listing of the CALLER and CALLEE code for a __stdcall function.]

X86 Calling Conventions: __fastcall

__fastcall only applies to the x86 architecture.

X86 Calling Conventions: __fastcall

X86 Calling Conventions: __fastcall

Arrays

Disassembly Challenge

Strings

Registers used by the string instructions: eax, esi, and edi
rep movsX   ; X can be b, w, d (byte, word, dword)
rep stosX   ; X can be b, w, d (byte, word, dword)

Structures

x64 Architecture

64-bit registers: rax, rbx, rcx, rdx, rsi, rdi, rbp, and rsp
8 new registers: r8, r9, r10, r11, r12, r13, r14, and r15
64-bit addresses and pointers
Supports rip-relative addressing
Function calling: the first four parameters are passed in the rcx, rdx, r8, and r9 registers, and if the function takes additional parameters they are stored on the stack.

Analyzing 32-bit Executable On 64-bit Windows

The 64-bit Windows OS can run a 32-bit executable using a subsystem called WOW64 (Windows 32-bit on Windows 64-bit).
A 32-bit executable cannot load 64-bit DLLs (and a 64-bit process cannot load 32-bit DLLs), so Microsoft separated the DLLs for 32-bit and 64-bit.
The 64-bit binaries are stored in the \Windows\system32 directory, and the 32-bit binaries are stored in the \Windows\Syswow64 directory.
It is better to analyze a 32-bit binary in a 32-bit Windows environment.
