THM | x86 Architecture Overview
Malware Analysis | x86 Architecture Overview | Summary:
The room provides an overview of CPU architecture, explaining how it executes instructions and interacts with external components. It details the basic components of a CPU (Control Unit, Arithmetic Logic Unit, Registers) and how they interact with memory and I/O devices.
It then delves deeper into registers, explaining their types (Instruction Pointer, General-Purpose Registers, Status Flag Registers), and how they are used to store data temporarily while it is being processed by the CPU. Additionally, the room covers program memory layout, highlighting the importance of the stack in malware analysis, and explains common malware techniques such as stack buffer overflow attacks.
Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance. This walkthrough provides one (of the many) possible solution to the challenges, without revealing any flags or passwords directly.
Learning Objectives
- Overview of CPU architecture and its components
- Different types of CPU registers and their usage
- Memory layout as viewed by a program
- Stack layout and stack registers
1 | Introduction�
Question 1: Go through the Learning Objectives
No answer needed
2 | CPU architecture overview
Here they explain the basic components of a CPU (Control Unit, Arithmetic Logic Unit, Registers) and how they interact with external devices (Memory, I/O devices). Here's a brief overview:
- The Control Unit fetches instructions from memory and executes them one at a time.
- The Arithmetic Logic Unit performs calculations and operations based on those instructions.
- The Registers are a small, high-speed storage area that holds important data for quick access by the CPU.
- Memory (RAM) stores all program code and data.
- I/O devices include keyboards, displays, printers, etc. that interact with the computer.
Overall, they provide a simple explanation of how a CPU executes instructions and interacts with external components to run programs.
Question 1: In which part of the Von Neumann architecture are the code and data required for a program to run stored?
Memory
Question 2: What part of the CPU stores small amounts of data?
Registers
Question 3: In which unit are arithmetic operations performed?
Arithmetic Logic Unit
3 | Registers overview
They follow up with an explanation about the concept of registers as the CPU's storage medium, which provides quick access to data compared to other storage mediums. The registers are divided into several types, including:
- Instruction Pointer (IP/RIP): A register that stores the address of the next instruction to be executed by the CPU.
- General-Purpose Registers: These 32-bit or 64-bit registers store data during general execution of instructions by the CPU. They include:
- EAX/RAX, EBX/RBX, ECX/RCX, EDX/RDX | Accumulator, Base, Counter, and Data Registers
- ESP/RSP, EBP/RBP, ESI/RSI, EDI/RDI | Stack Pointer, Base Pointer, Source Index, and Destination Index Registers
- R8-R15 | 64-bit general-purpose registers not present in 32-bit systems
These registers are used to store data temporarily while it is being processed by the CPU. Moreover they also explain how each register type can be addressed at different levels of precision (e.g., byte, word, double-word).
Question 1: Which register holds the address to the next instruction that is to be executed?
Instruction Pointer
Question 2: Which register in a 32-bit system is also called the Counter Register?
ECX
Question 3: Which registers from the ones discussed above are not present in a 32-bit system?
R8-R15
4 | Registers - Continued
Status Flag Registers | Indicating Execution Status
Here they explain the concept of Status Flag Registers, which provide information about the status of execution in a CPU. These registers are:
- EFLAGS (32-bit) and RFLAGS (64-bit) | A single 32-bit or 64-bit register that contains individual single-bit flags.
Some key flags include:
- Zero Flag (ZF) | Indicates when the result of an instruction is zero.
- Carry Flag (CF) | Indicates when a number is too big or small for the destination register.
- Sign Flag (SF) | Indicates if a result is negative or has the most significant bit set to 1.
- Trap Flag (TF) | Indicates if the processor is in debugging mode.
Segment Registers | Organizing Memory
They also explain Segment Registers, which are used to organize memory into different segments for easier addressing. There are six segment registers:
- Code Segment (CS) | Points to the code section in memory.
- Data Segment (DS) | Points to the program's data section in memory.
- Stack Segment (SS) | Points to the program's stack in memory.
- Extra Segments (ES, FS, and GS) | Divide the program's memory into four distinct data sections.
Question 1: Which flag is used by the program to identify if it is being run in a debugger?
Trap Flag
Question 2: Which flag will be set when the most significant bit in an operation is set to 1?
Sign Flag
Question 3: Which Segment register contains the pointer to the code section in memory?
Code Segment
5 | Memory overview
Program Memory Layout
When a program runs on Windows, it sees an abstracted view of memory, with its own memory space isolated from the rest of the system. The program has access to four main sections of memory:
- Code | Contains the program's instructions and code, which can be executed by the CPU.
- Data | Holds initialized data that remains constant during execution, including global variables.
- Heap (Dynamic Memory) | Allocates and deallocates memory for variables created and destroyed at runtime.
- Stack | Stores local variables, function arguments, and return addresses, which can be targeted by malware to hijack control flow.
They also provide here a brief overview of each section, highlighting their characteristics and importance in malware analysis. The Stack is emphasized as a critical area from a malware perspective, particularly due to its role in controlling the program's execution flow.
Question 1: When a program is loaded into Memory, does it have a full view of the system memory? Y or N?
N
Question 2: Which section of the Memory contains the code?
Code
Question 3: Which Memory section contains information related to the program's control flow?
Stack
6 | Stack Layout
Understanding the Stack
The Stack is a critical part of a program's memory that contains local variables, function arguments, and control flow information. It's essential for malware analysis and reverse engineering. The Stack follows a Last In First Out (LIFO) principle, where the last element added is the first to be removed.
Stack Pointers
The CPU uses two registers to manage the Stack:
- Stack Pointer (ESP/RSP) | Points to the top of the stack, adjusting as elements are pushed or popped.
- Base Pointer (EBP/RBP) | Remains constant for a program, tracking local variables and arguments.
Function Prologue and Epilogue
- When a function is called:
- Function prologue pushes arguments, return address, and old base pointer onto the stack.
- The base pointer address changes to point to the top of the stack (the current stack pointer).
- When a function exits:
- Function epilogue pops off the old base pointer, return address, and rearranges the stack pointers.
Malware Technique | Stack Buffer Overflow
A common malware technique is to overflow a local variable on the stack, overwriting the Return Address with an attacker's chosen address. This can hijack control flow and execute malicious code.
Here they conclude by asking us to arrange the stack correctly on a static site to find a flag.
This is how the correct arrangement looks like.
Copy the flag to answer the question below.
Question 1: Follow the instructions in the attached static site and find the flag. What is the flag?
<flag>
7 | Conclusion
Question 1: Join the discussion on our social channels
No answer needed