
syntax highlighting

1 parent 3ed3f2b commit 1058f52612973030e6d7384e7498c91141731a38 @dennis714 committed Dec 31, 2016
Showing 512 changed files with 1,584 additions and 1,588 deletions.
@@ -140,7 +140,7 @@ \subsection{\CapitalPICcode}
\myindex{objdump}
\IDA упростит код на выходе убирая упоминания RIP, так что будем использовать \IT{objdump} вместо нее:
-\begin{lstlisting}[style=customasm]
+\begin{lstlisting}[style=customasmx86]
0000000000000720 <f1>:
720: 48 8b 05 b9 08 20 00 mov rax,QWORD PTR [rip+0x2008b9] # 200fe0 <_DYNAMIC+0x1d0>
727: 53 push rbx
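Review bot: every hunk in this commit switches a listing to a new style `customasmx86`, but none of the shown hunks contains the `\lstdefinestyle{customasmx86}{...}` that defines it; unless that definition is already in the preamble, the first `\begin{lstlisting}[style=customasmx86]` will fail the build. With 512 files touched this reads like a blanket rename of `customasm`, so it is worth spot-checking that the ARM and MIPS listings among them did not get an x86 style, and that the x86 style covers 64-bit Intel syntax like the objdump line here (`mov rax,QWORD PTR [rip+0x2008b9]`).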
@@ -72,7 +72,7 @@ \subsubsection{Let's forget about MSVC}
We save it in the stack and store the address of our handler there.
The structure is named \TT{\_EXCEPTION\_REGISTRATION}, it is a simple singly-linked list and its elements are stored right in the stack.
-\begin{lstlisting}[caption=MSVC/VC/crt/src/exsup.inc,style=customasm]
+\begin{lstlisting}[caption=MSVC/VC/crt/src/exsup.inc,style=customasmx86]
\_EXCEPTION\_REGISTRATION struc
prev dd ?
handler dd ?
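Review bot: the listing in this hunk is MASM data declarations (`_EXCEPTION_REGISTRATION struc`, `prev dd ?`, `handler dd ?`), not instructions, so an x86 style built around a mnemonic and register keyword list will leave `struc`, `dd` and the closing `ends` unhighlighted; either add those directives to `customasmx86` or keep a generic style for structure listings.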
@@ -192,7 +192,7 @@ \subsubsection{Let's forget about MSVC}
The code that's reading from memory at address 0 is looks like this:
-\lstinputlisting[style=customasm,caption=MSVC 2010]{OS/SEH/1/1_fragment.asm}
+\lstinputlisting[style=customasmx86,caption=MSVC 2010]{OS/SEH/1/1_fragment.asm}
Will it be possible to fix this error \q{on the fly} and to continue with program execution?
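Review bot: the context line `The code that's reading from memory at address 0 is looks like this:` has a grammar slip (`is looks`); since the file is being touched anyway, change it to `The code that reads from memory at address 0 looks like this:`.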
@@ -72,7 +72,7 @@ \subsubsection{Забудем на время о MSVC}
Эта структура называется \TT{\_EXCEPTION\_REGISTRATION},
это простейший односвязный список, и эти элементы хранятся прямо в стеке.
-\begin{lstlisting}[caption=MSVC/VC/crt/src/exsup.inc,style=customasm]
+\begin{lstlisting}[caption=MSVC/VC/crt/src/exsup.inc,style=customasmx86]
\_EXCEPTION\_REGISTRATION struc
prev dd ?
handler dd ?
@@ -191,7 +191,7 @@ \subsubsection{Забудем на время о MSVC}
А если заглянуть в то что получилось на ассемблере,
то можно увидеть, что код читающий из памяти по адресу 0, выглядит так:
-\lstinputlisting[caption=MSVC 2010,style=customasm]{OS/SEH/1/1_fragment.asm}
+\lstinputlisting[caption=MSVC 2010,style=customasmx86]{OS/SEH/1/1_fragment.asm}
Возможно ли \q{на лету} исправить ошибку и предложить программе исполняться далее?
Да, наш обработчик может изменить значение в \EAX и предложить \ac{OS} исполнить эту же инструкцию еще раз.
@@ -93,7 +93,7 @@ \subsubsection{Now let's get back to MSVC}
\lstinputlisting[style=customc]{OS/SEH/2/2.c}
-\lstinputlisting[caption=MSVC 2003,style=customasm]{OS/SEH/2/2_SEH3.asm}
+\lstinputlisting[caption=MSVC 2003,style=customasmx86]{OS/SEH/2/2_SEH3.asm}
Here we see how the SEH frame is constructed in the stack.
The \IT{scope table} is located in the \TT{CONST} segment---indeed, these fields are not to be changed.
@@ -162,7 +162,7 @@ \subsubsection{Now let's get back to MSVC}
So the \IT{scope table} now has two entries, one for each block.
\IT{Previous try level} changes as execution flow enters or exits the \TT{try} block.
-\lstinputlisting[caption=MSVC 2003,style=customasm]{OS/SEH/2/3_SEH3.asm}
+\lstinputlisting[caption=MSVC 2003,style=customasmx86]{OS/SEH/2/3_SEH3.asm}
If we set a breakpoint on the \printf{} function, which is called from the handler,
we can also see how yet another SEH handler is added.
@@ -218,9 +218,9 @@ \subsubsection{Now let's get back to MSVC}
Here are both examples compiled in MSVC 2012 with SEH4:
-\lstinputlisting[caption=MSVC 2012: one try block example,style=customasm]{OS/SEH/2/2_SEH4.asm}
+\lstinputlisting[caption=MSVC 2012: one try block example,style=customasmx86]{OS/SEH/2/2_SEH4.asm}
-\lstinputlisting[caption=MSVC 2012: two try blocks example,style=customasm]{OS/SEH/2/3_SEH4.asm}
+\lstinputlisting[caption=MSVC 2012: two try blocks example,style=customasmx86]{OS/SEH/2/3_SEH4.asm}
Here is the meaning of the \IT{cookies}: \TT{Cookie Offset}
is the difference between the address of the saved EBP value in the stack
@@ -85,7 +85,7 @@ \subsubsection{Теперь вспомним MSVC}
\lstinputlisting[style=customc]{OS/SEH/2/2.c}
-\lstinputlisting[caption=MSVC 2003,style=customasm]{OS/SEH/2/2_SEH3.asm}
+\lstinputlisting[caption=MSVC 2003,style=customasmx86]{OS/SEH/2/2_SEH3.asm}
Здесь мы видим, как структура SEH конструируется в стеке.
\IT{Scope table} расположена в сегменте \TT{CONST} --- действительно, эти поля не будут меняться.
@@ -149,7 +149,7 @@ \subsubsection{Теперь вспомним MSVC}
Так что \IT{scope table} теперь содержит два элемента, один элемент на каждый блок.
\IT{Previous try level} меняется вместе с тем, как исполнение доходит до очередного \TT{try}-блока, либо выходит из него.
-\lstinputlisting[caption=MSVC 2003,style=customasm]{OS/SEH/2/3_SEH3.asm}
+\lstinputlisting[caption=MSVC 2003,style=customasmx86]{OS/SEH/2/3_SEH3.asm}
Если установить точку останова на функцию \printf{} вызываемую из обработчика,
мы можем увидеть, что добавился еще один SEH-обработчик.
@@ -204,9 +204,9 @@ \subsubsection{Теперь вспомним MSVC}
Оба примера скомпилированные в MSVC 2012 с SEH4:
-\lstinputlisting[caption=MSVC 2012: one try block example,style=customasm]{OS/SEH/2/2_SEH4.asm}
+\lstinputlisting[caption=MSVC 2012: one try block example,style=customasmx86]{OS/SEH/2/2_SEH4.asm}
-\lstinputlisting[caption=MSVC 2012: two try blocks example,style=customasm]{OS/SEH/2/3_SEH4.asm}
+\lstinputlisting[caption=MSVC 2012: two try blocks example,style=customasmx86]{OS/SEH/2/3_SEH4.asm}
Вот значение \IT{cookies}: \TT{Cookie Offset}
это разница между адресом записанного в стеке значения EBP и значения $EBP \oplus security\_cookie$ в стеке.
@@ -12,9 +12,9 @@ \subsubsection{Windows x64}
Here are the two examples from the previous section compiled for x64:
-\lstinputlisting[caption=MSVC 2012,style=customasm]{OS/SEH/3/2_x64.asm}
+\lstinputlisting[caption=MSVC 2012,style=customasmx86]{OS/SEH/3/2_x64.asm}
-\lstinputlisting[caption=MSVC 2012,style=customasm]{OS/SEH/3/3_x64.asm}
+\lstinputlisting[caption=MSVC 2012,style=customasmx86]{OS/SEH/3/3_x64.asm}
Read \IgorSkochinsky for more detailed information about this.
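Review bot: both listings in this hunk keep the identical caption `MSVC 2012`, so the reader cannot tell which is the one-try-block build and which the two-try-blocks build; the SEH4 hunks above use `MSVC 2012: one try block example` and `MSVC 2012: two try blocks example`, and `2_x64.asm` / `3_x64.asm` should carry the same pair of captions (also in the Russian copy). These are x64 listings under a style named `x86`, which is fine only if the style's keyword list includes the 64-bit register names.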
@@ -10,9 +10,9 @@ \subsubsection{Windows x64}
Вот два примера из предыдущей секции, скомпилированных для x64:
-\lstinputlisting[caption=MSVC 2012,style=customasm]{OS/SEH/3/2_x64.asm}
+\lstinputlisting[caption=MSVC 2012,style=customasmx86]{OS/SEH/3/2_x64.asm}
-\lstinputlisting[caption=MSVC 2012,style=customasm]{OS/SEH/3/3_x64.asm}
+\lstinputlisting[caption=MSVC 2012,style=customasmx86]{OS/SEH/3/3_x64.asm}
Смотрите \IgorSkochinsky для более детального описания.
@@ -13,7 +13,7 @@ \subsubsection{Linux}
The \TT{GS:} selector is also used to access the \ac{TLS}, but in a somewhat different way:
-\lstinputlisting[caption=\Optimizing GCC 4.8.1 x86,style=customasm]{OS/TLS/linux/rand.lst}
+\lstinputlisting[caption=\Optimizing GCC 4.8.1 x86,style=customasmx86]{OS/TLS/linux/rand.lst}
% FIXME (to be checked) Uninitialized data is allocated in \TT{.tbss} section, initialized --- in \TT{.tdata} section.
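Review bot: the `% FIXME (to be checked)` line that follows the listing can be resolved rather than carried along: on ELF targets zero-initialised thread-local variables are placed in `.tbss` and initialised ones in `.tdata`, exactly as the commented-out sentence says, so the comment marker can be dropped and the sentence published, in both the English and Russian copies.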
@@ -13,7 +13,7 @@ \subsubsection{Linux}
\myindex{x86!\Registers!GS}
Селектор \TT{GS:} также используется для доступа к \ac{TLS}, но немного иначе:
-\lstinputlisting[caption=\Optimizing GCC 4.8.1 x86,style=customasm]{OS/TLS/linux/rand.lst}
+\lstinputlisting[caption=\Optimizing GCC 4.8.1 x86,style=customasmx86]{OS/TLS/linux/rand.lst}
% FIXME (to be checked) Uninitialized data is allocated in \TT{.tbss} section, initialized --- in \TT{.tdata} section.
@@ -10,7 +10,7 @@ \subsubsection{Win32}
Hiew shows us that there is a new PE section in the executable file: \TT{.tls}.
% TODO1 hiew screenshot?
-\lstinputlisting[caption=\Optimizing MSVC 2013 x86,style=customasm]{OS/TLS/win32/rand_x86_uninit.asm}
+\lstinputlisting[caption=\Optimizing MSVC 2013 x86,style=customasmx86]{OS/TLS/win32/rand_x86_uninit.asm}
\TT{rand\_state} is now in the \ac{TLS} segment, and each thread has its own version of this variable.
@@ -28,7 +28,7 @@ \subsubsection{Win32}
The \TT{GS:} selector is used in Win64 and the address of the \ac{TLS} is 0x58:
-\lstinputlisting[caption=\Optimizing MSVC 2013 x64,style=customasm]{OS/TLS/win32/rand_x64_uninit.asm}
+\lstinputlisting[caption=\Optimizing MSVC 2013 x64,style=customasmx86]{OS/TLS/win32/rand_x64_uninit.asm}
\myparagraph{Initialized \ac{TLS} data}
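Review bot: the sentence `The GS: selector is used in Win64 and the address of the TLS is 0x58` is imprecise; 0x58 is the offset of the TLS pointer inside the TEB (`gs:[0x58]` holds a pointer to the thread's TLS array), not the address of the TLS itself, the x64 counterpart of `fs:[0x2C]` on 32-bit Windows. Suggest `... and the pointer to the TLS array is read from gs:[0x58]`, and the same correction in the Russian copy.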
@@ -39,7 +39,7 @@ \subsubsection{Win32}
The code is no differ from what we already saw, but in IDA we see:
-\lstinputlisting[style=customasm]{OS/TLS/win32/rand_init_IDA.lst}
+\lstinputlisting[style=customasmx86]{OS/TLS/win32/rand_init_IDA.lst}
1234 is there and every time a new thread starts, a new \ac{TLS} is allocated for it,
and all this data, including 1234, will be copied there.
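Review bot: the context line `The code is no differ from what we already saw` should read `The code is no different from what we already saw`.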
@@ -77,7 +77,7 @@ \subsubsection{Win32}
Let's see it in IDA:
-\lstinputlisting[caption=\Optimizing MSVC 2013,style=customasm]{OS/TLS/win32/rand_TLS_callback.lst}
+\lstinputlisting[caption=\Optimizing MSVC 2013,style=customasmx86]{OS/TLS/win32/rand_TLS_callback.lst}
TLS callback functions are sometimes used in unpacking routines to obscure their processing.
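Review bot: `TLS callback functions are sometimes used in unpacking routines to obscure their processing.` states the what without the why; add that TLS callbacks are invoked by the loader when the image is mapped, before the entry point runs, so a debugger that breaks only at the entry point never sees them. That property is what unpackers and malware rely on, and naming it makes the sentence useful to a reverser.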
@@ -10,7 +10,7 @@ \subsubsection{Win32}
Hiew показывает что в исполняемом файле теперь есть новая PE-секция: \TT{.tls}.
% TODO1 hiew screenshot?
-\lstinputlisting[caption=\Optimizing MSVC 2013 x86,style=customasm]{OS/TLS/win32/rand_x86_uninit.asm}
+\lstinputlisting[caption=\Optimizing MSVC 2013 x86,style=customasmx86]{OS/TLS/win32/rand_x86_uninit.asm}
\TT{rand\_state} теперь в \ac{TLS}-сегменте и у каждого потока есть своя версия этой переменной.
@@ -27,7 +27,7 @@ \subsubsection{Win32}
\myindex{x86!\Registers!GS}
В Win64 используется селектор \TT{GS:} и адрес \ac{TLS} теперь 0x58:
-\lstinputlisting[caption=\Optimizing MSVC 2013 x64,style=customasm]{OS/TLS/win32/rand_x64_uninit.asm}
+\lstinputlisting[caption=\Optimizing MSVC 2013 x64,style=customasmx86]{OS/TLS/win32/rand_x64_uninit.asm}
\myparagraph{Инициализированные данные в \ac{TLS}}
@@ -39,7 +39,7 @@ \subsubsection{Win32}
Код ничем не отличается от того, что мы уже видели, но вот что мы видим в IDA:
-\lstinputlisting[style=customasm]{OS/TLS/win32/rand_init_IDA.lst}
+\lstinputlisting[style=customasmx86]{OS/TLS/win32/rand_init_IDA.lst}
Там 1234 и теперь, во время запуска каждого нового потока, новый \ac{TLS} будет выделен для нового потока,
и все эти данные, включая 1234, будут туда скопированы.
@@ -78,7 +78,7 @@ \subsubsection{Win32}
Посмотрим в IDA:
-\lstinputlisting[caption=\Optimizing MSVC 2013,style=customasm]{OS/TLS/win32/rand_TLS_callback.lst}
+\lstinputlisting[caption=\Optimizing MSVC 2013,style=customasmx86]{OS/TLS/win32/rand_TLS_callback.lst}
TLS-коллбэки иногда используются в процедурах распаковки для запутывания их работы.
@@ -9,7 +9,7 @@ \subsection{cdecl}
The gls{caller} also must return the value of the \gls{stack pointer} (\ESP) to its initial state after the \gls{callee} function exits.
-\begin{lstlisting}[caption=cdecl,style=customasm]
+\begin{lstlisting}[caption=cdecl,style=customasmx86]
push arg3
push arg2
push arg1
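Review bot: the context line `The gls{caller} also must return the value of the \gls{stack pointer} ...` is missing the backslash before `gls`, so it renders literally as `gls{caller}` instead of the glossary entry; fix it to `\gls{caller}` while the file is being touched. `The \gls{caller} must also restore ...` also reads better than `also must return`.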
@@ -28,7 +28,7 @@ \subsection{stdcall}
The \gls{caller} is not adjusting the \gls{stack pointer},
there are no \TT{add esp, x} instruction.
-\begin{lstlisting}[caption=stdcall,style=customasm]
+\begin{lstlisting}[caption=stdcall,style=customasmx86]
push arg3
push arg2
push arg1
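Review bot: `there are no \TT{add esp, x} instruction.` has a number agreement error; it should be `there is no \TT{add esp, x} instruction.`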
@@ -56,7 +56,7 @@ \subsection{stdcall}
As a consequence,
the number of function arguments can be easily deduced from the \TT{RETN n} instruction: just divide $n$ by 4.
-\lstinputlisting[caption=MSVC 2010,style=customasm]{OS/calling_conventions/stdcall_ex.asm}
+\lstinputlisting[caption=MSVC 2010,style=customasmx86]{OS/calling_conventions/stdcall_ex.asm}
\subsubsection{Functions with variable number of arguments}
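Review bot: the rule `just divide n by 4` holds only when every argument occupies one 4-byte stack slot; a `double` or 64-bit integer argument takes two slots, so `RETN n` then over-counts the arguments. A one-line caveat after that sentence would stop readers applying it blindly when reversing stdcall functions with wider arguments.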
@@ -89,7 +89,7 @@ \subsection{fastcall}
The \gls{stack pointer} must be restored to its initial state by the \gls{callee} (like in \IT{stdcall}).
-\begin{lstlisting}[caption=fastcall,style=customasm]
+\begin{lstlisting}[caption=fastcall,style=customasmx86]
push arg3
mov edx, arg2
mov ecx, arg1
@@ -111,7 +111,7 @@ \subsection{fastcall}
Here is how it is to be compiled:
-\lstinputlisting[caption=\Optimizing MSVC 2010 /Ob0,style=customasm]{OS/calling_conventions/fastcall_ex.asm}
+\lstinputlisting[caption=\Optimizing MSVC 2010 /Ob0,style=customasmx86]{OS/calling_conventions/fastcall_ex.asm}
We see that the \gls{callee} returns \ac{SP} by using the \TT{RETN} instruction with an operand.
@@ -175,7 +175,7 @@ \subsubsection{Windows x64}
\lstinputlisting[style=customc]{OS/calling_conventions/x64.c}
-\lstinputlisting[caption=MSVC 2012 /0b,style=customasm]{OS/calling_conventions/x64_MSVC_Ob.asm}
+\lstinputlisting[caption=MSVC 2012 /0b,style=customasmx86]{OS/calling_conventions/x64_MSVC_Ob.asm}
\myindex{Scratch space}
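Review bot: the caption `MSVC 2012 /0b` uses a digit zero; the compiler switch is `/Ob` with the letter O, as in the earlier caption `\Optimizing MSVC 2010 /Ob0` and in this listing's own filename `x64_MSVC_Ob.asm`. The caption in the next hunk (`x64_MSVC_Ox_Ob.asm`) has the same typo.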
@@ -189,7 +189,7 @@ \subsubsection{Windows x64}
The \q{scratch space} allocation in the stack is the caller's duty.
-\lstinputlisting[caption=\Optimizing MSVC 2012 /0b,style=customasm]{OS/calling_conventions/x64_MSVC_Ox_Ob.asm}
+\lstinputlisting[caption=\Optimizing MSVC 2012 /0b,style=customasmx86]{OS/calling_conventions/x64_MSVC_Ox_Ob.asm}
If we compile the example with optimizations, it is to be almost the same,
but the \q{scratch space} will not be used, because it won't be needed.
@@ -213,7 +213,7 @@ \subsubsection{Linux x64}
used instead of 4 (\RDI, \RSI, \RDX, \RCX, \Reg{8}, \Reg{9}) and there is no \q{scratch space},
although the \gls{callee} may save the register values in the stack, if it needs/wants to.
-\lstinputlisting[caption=\Optimizing GCC 4.7.3,style=customasm]{OS/calling_conventions/x64_linux_O3.s}
+\lstinputlisting[caption=\Optimizing GCC 4.7.3,style=customasmx86]{OS/calling_conventions/x64_linux_O3.s}
\myindex{AMD}
@@ -243,7 +243,7 @@ \subsection{Modifying arguments}
\lstinputlisting[style=customc]{OS/calling_conventions/change_arguments.c}
-\lstinputlisting[caption=MSVC 2012,style=customasm]{OS/calling_conventions/change_arguments.asm}
+\lstinputlisting[caption=MSVC 2012,style=customasmx86]{OS/calling_conventions/change_arguments.asm}
% TODO (OllyDbg) пример как в стеке меняется $a$
@@ -258,7 +258,7 @@ \subsection{Modifying arguments}
For example, code like this will be generated by usual \CCpp compiler:
-\begin{lstlisting}[style=customasm]
+\begin{lstlisting}[style=customasmx86]
push 456 ; will be b
push 123 ; will be a
call f ; f() modifies its first argument
@@ -267,7 +267,7 @@ \subsection{Modifying arguments}
We can rewrite this code like:
-\begin{lstlisting}[style=customasm]
+\begin{lstlisting}[style=customasmx86]
push 456 ; will be b
push 123 ; will be a
call f ; f() modifies its first argument