Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 497/583 Advanced Topics in Computer Security

Published byElwin Giles Walsh Modified over 5 years ago

Similar presentations

Presentation on theme: "CSC 497/583 Advanced Topics in Computer Security"— Presentation transcript:

1 CSC 497/583 Advanced Topics in Computer Security
Class10 CSC 497/583 Advanced Topics in Computer Security Modern Malware Analysis Stack Frame (Review), Calling Convention, Dynamic Analysis Si Chen

2 Stack Frame

3

4

5

6

7

8 Stack Frame

9 StackFrame.exe

10 StackFrame.exe

11 StackFrame.exe

12 StackFrame.exe EBP 12FFC0 ESP 12FF7C

13 StackFrame.exe EBP ESP 12FF78

14 StackFrame.exe

15 StackFrame.exe Create space for ‘a’ and ‘b’  long  4 byte EBP
ESP 12FF78 Create space for ‘a’ and ‘b’  long  4 byte

16 StackFrame.exe Create space for ‘a’ and ‘b’  long  4 byte EBP
ESP 12FF78 Create space for ‘a’ and ‘b’  long  4 byte

17 StackFrame.exe 4 Byte memory space at address [EBP-4] Assembly C
Type Conversion DWORD PTR SS:[EBP-4] *(DWORD*)(EBP-4) DWORD (4 byte) WORD PTR SS:[EBP-4] *(WORD*)(EBP-4) WORD (2 byte) BYTE PTR SS:[EBP-4] *(BYTE*)(EBP-4) 1 byte 4 Byte memory space at address [EBP-4]

18 StackFrame.exe

19 StackFrame.exe

20 StackFrame.exe

21 StackFrame.exe

22 StackFrame.exe

23 StackFrame.exe Clean Stack

24 StackFrame.exe Clean Stack

25 StackFrame.exe

26 StackFrame.exe Set EAX –> 0 Faster than MOV EAX,0

27 Save the return address Save local variable
Stack Pass arguments Save the return address Save local variable

28 Local Variable Limited Register(s)  Store Local Variable in stack
Use esp and ebp to define a stack frame for current function Use relative position of esp or ebp for retrieving and storing data e.g. mov eax, [esp+124] Very easy to do recursive call

29 Calling Convention

30 Two Questions Q: When a function finished, how to handle the parameter left in the stack. Q: When a function finished, how change the ESP value? A: We don’t care… A: ESP should be restored to the previous value

31 Standard C Calling Conventions
Calling conventions are a standardized method for functions to be implemented and called by the machine. A calling convention specifies the method that a compiler sets up to access a subroutine. There are three major calling conventions that are used with the C language on 32-bit x86 processors: CDECL STDCALL, FASTCALL.

32 CDECL The C language, by default, uses the CDECL calling convention
In the CDECL calling convention the following holds: Arguments are passed on the stack in Right-to-Left order, and return values are passed in eax. The calling function cleans the stack. This allows CDECL functions to have variable-length argument lists.

33 STDCALL The C language, by default, uses the CDECL calling convention
In the CDECL calling convention the following holds: Arguments are passed on the stack in Right-to-Left order, and return values are passed in eax. The calling function cleans the stack. This allows CDECL functions to have variable-length argument lists.

34 STDCALL STDCALL, also known as "WINAPI" (and a few other names, depending on where you are reading it) is used almost exclusively by Microsoft as the standard calling convention for the Win32 API.  STDCALL passes arguments right-to-left, and returns the value in eax. The called function cleans the stack, unlike CDECL. This means that STDCALL doesn't allow variable-length argument lists.

35 STDCALL STDCALL, also known as "WINAPI" (and a few other names, depending on where you are reading it) is used almost exclusively by Microsoft as the standard calling convention for the Win32 API.  STDCALL passes arguments right-to-left, and returns the value in eax. The called function cleans the stack, unlike CDECL. This means that STDCALL doesn't allow variable-length argument lists. RET 8  RET + POP 8 Byte

36 FASTCALL The FASTCALL calling convention is not completely standard across all compilers, so it should be used with caution.  The calling function most frequently is responsible for cleaning the stack, if needed.

37 Dynamic Analysis: Let’s reverse helloword.exe

38 Dynamic Analysis: Let’s reverse myhack.dll

39 Q & A

Download ppt "CSC 497/583 Advanced Topics in Computer Security"

Similar presentations

Calling sequence ESP.

Calling sequence ESP.
COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
Procedures in more detail. CMPE12cGabriel Hugh Elkaim 2 Why use procedures? –Code reuse –More readable code –Less code Microprocessors (and assembly languages)

Procedures in more detail. CMPE12cGabriel Hugh Elkaim 2 Why use procedures? –Code reuse –More readable code –Less code Microprocessors (and assembly languages)
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Advanced topics in X86 assembly by Istvan Haller.

Advanced topics in X86 assembly by Istvan Haller.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.

Assembly Language for Intel-Based Computers Chapter 8: Advanced Procedures Kip R. Irvine.
Procedures in more detail. CMPE12cCyrus Bazeghi 2 Procedures Why use procedures? Reuse of code More readable Less code Microprocessors (and assembly languages)

Procedures in more detail. CMPE12cCyrus Bazeghi 2 Procedures Why use procedures? Reuse of code More readable Less code Microprocessors (and assembly languages)
1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.

1 Lecture 5: Procedures Assembly Language for Intel-Based Computers, 4th edition Kip R. Irvine.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.

Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
28/06/2015CMPUT 229 1 Functions (2)  Function calling convention  Various conventions available  One is specified by CMPUT229  Recursive functions.

28/06/2015CMPUT Functions (2)  Function calling convention  Various conventions available  One is specified by CMPUT229  Recursive functions.
CS2422 Assembly Language & System Programming November 7, 2006.

CS2422 Assembly Language & System Programming November 7, 2006.
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Linked Lists in MIPS Let’s see how singly linked lists are implemented in MIPS on MP2, we have a special type of doubly linked list Each node consists.

Linked Lists in MIPS Let’s see how singly linked lists are implemented in MIPS on MP2, we have a special type of doubly linked list Each node consists.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Today’s topics Parameter passing on the system stack Parameter passing on the system stack Register indirect and base-indexed addressing modes Register.

Today’s topics Parameter passing on the system stack Parameter passing on the system stack Register indirect and base-indexed addressing modes Register.

Similar presentations

Ads by Google