



# **Intel Architecture**

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

### Content



**Intel Architecture** 

**Memory Layout** 

C Arrays

Assembler

Shellcode

**Function Calls** 

Debugging

**Buffer Overflow** 

**BoF Exploit** 

Remote Exploit

**Exploit Mitigations** 

**Defeat Exploit Mitigations** 





# Intel Architecture Intel CPU

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

## **Intel CPU**





## **Intel CPU**





www.csnc.ch

# Intermezzo: Chip De-caping and Analysis



http://www.bluehatil.com/files/Extracting%20Secrets%20from%20Silicon%20%E2%80%93%20A%20New%20Generation%20of%20Bug%20Hunting.pdf

### Extracting Secrets from Silicon – A New Generation of Bug Hunting

- → Gunter Ollmann, Microsoft
- → Blue Hat Security



### Intel CPU





## **Intel CPU**

Pentium Die







# Overview: Computerz



# Memory:

instruction instruction instruction instruction instruction instruction instruction

# Load Instruction at IP



IP= 0x100 CPU





# Read:

- Data
- Instructions

# Write:

Data

# Overview: Computerz



# von Neumann Architecture



# Read:

- Data
- Instructions

# Write:

- Data
- Instructions

# Overview: Computerz





- Read:
- Data
- Instructions

- Write:
- Data
- Instructions



Register are the "variables" on the CPU

Immediate access for the CPU

Cannot write Memory -> Memory

→ Always: Memory -> Register -> Memory

Register: <1 cycle

L1: ~3

L2: ~14

RAM: ~240



# Register can hold:

- → Data (numbers)
- → Addresses (also numbers, but with a different meaning)

# Registers can be used to:

- → Perform computations
- ★ Read / Write memory
- Execute instructions



| 32  |          | 64     | Acronym           | What?                   |
|-----|----------|--------|-------------------|-------------------------|
| EAX | (        | RAX    | Accumulator       | Adding stuff            |
| EBX | (        | RBX    | Base              | Referencing stuff       |
| ECX |          | RCX    | Count             | Counting stuff          |
| EDX | <b>(</b> | RDX    | Data              | Stuff                   |
| ESI |          | RSI    | Source Index      | Points to a source      |
| EDI |          | RDI    | Destination Index | Points to a destination |
|     |          | R8-R15 |                   | General Purpose         |



| 32  | 64  | Acronym             | Points to?                      |
|-----|-----|---------------------|---------------------------------|
| EIP | RIP | Instruction Pointer | Next instruction to be executed |
| ESP | RSP | Stack Pointer       | Top of Stack                    |
| EBP | RBP | Base Pointer        | Current Stack Frame (Bottom)    |

# Print this slide and stick it on your bathroom mirror









|                           |     | •  | 8 bits | 8 bits |
|---------------------------|-----|----|--------|--------|
|                           | EAX | AX | АН     | AL     |
| General-purpose Registers | ЕВХ | вх | ВН     | BL     |
| ose Re                    | ECX | сх | СН     | CL     |
| al-purp                   | EDX | DX | DH     | DL     |
| Genera                    | ESI |    |        |        |
|                           | EDI |    |        |        |
| ESP<br>(stack pointer)    |     |    |        |        |
| <b>EBP</b> (base pointer) |     |    |        |        |

© Compass Security Schweiz AG

- 32 bits -----



Fun Fact: Current Intel CPU's are compatible to the 8086

### 8086:

- **→** From 1978
- **→** 5-10mhz





### Recap:

- ★ CPU work with registers
- Registers can hold data
- Registers can also hold addresses of memory locations (to write/read data)

www.csnc.ch

- → They can be 32 bit (EAX) or 64 bit (RAX)
- Some registers are multi-purpose
- Some registers are special (RIP, RBP, RSP)





# How a CPU interprets instructions

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

### **CPU Instructions**



### A CPU in a few lines of code:

```
instr = [0x01 0xA0 0xB0 0x02 0xA1 0xA2 ...]
ip = 0
while true:
  switch instr[ip]:
       case 0x01:
            add( instr[ip+1], instr[ip+2] )
            ip = ip + 3
            break
       case 0x02:
            sub( instr[ip+1], instr[ip+2] )
```

# **CPU Instructions**



| 83 | c4 | 08 |    |    |    |    | add  | \$0x8,%rsp           |
|----|----|----|----|----|----|----|------|----------------------|
| 83 | с3 | 01 |    |    |    |    | add  | \$0x1,%rbx           |
| 83 | 44 | 24 | 0c | 01 |    |    | addl | \$0x1,0xc(%rsp)      |
| 83 | 05 | 41 | 94 | 2c | 00 | 01 | addl | \$0x1,0x2c9441(%rip) |



### **FKIE**

FRAUNHOFER-INSTITUT FÜR KOMMUNIKATION, INFORMATIONSVERARBEITUNG UND ERGONOMIE FKIE

### **x86 Opcode Structure and Instruction Overview**



| _ | 2 <sup>nd</sup><br>1 <sup>st</sup> | 0                           | 1                                | 2     | 3     | 4        | 5       | 6     | 7             | 8                        | 9         | Α                       | В     | C    | D     | Ε      | F    |
|---|------------------------------------|-----------------------------|----------------------------------|-------|-------|----------|---------|-------|---------------|--------------------------|-----------|-------------------------|-------|------|-------|--------|------|
|   | 0                                  | {L,S}TR                     | {L,S}GDT<br>{L,S}IDT<br>{L,S}MSW | LAR   | LSL   |          |         | CLTS  |               | INVD                     | WBINVD    |                         | UD2   |      | NOP   |        |      |
|   | 1                                  |                             | SSE{1,2,3}                       |       |       |          |         |       |               |                          |           | Prefetch SSE1 HINT_NOP  |       |      |       |        |      |
|   | 2                                  | М                           | OV                               | CR/I  | OR    |          |         |       |               |                          |           |                         | SSE{  | 1,2  | 1     |        |      |
|   | 3                                  | WRMSR                       | RDTSC                            | RDMSR | RDPMC | SYSENTER | SYSEXIT |       | GETSEC<br>SMX | MOVBE /<br>THREE<br>BYTE |           | THREE<br>BYTE<br>SSE4   |       |      |       |        |      |
|   | 4                                  |                             | CMOV                             |       |       |          |         |       |               |                          |           |                         |       |      |       |        |      |
|   | 5                                  |                             | SSE{1,2}                         |       |       |          |         |       |               |                          |           |                         |       |      |       |        |      |
|   | 6                                  |                             | MMX, SSE2                        |       |       |          |         |       |               |                          |           |                         |       |      |       |        |      |
|   | 7                                  | MMX, SSE{1,2,3}, VMX        |                                  |       |       |          |         |       | (             | MMX, SSE{2,3}            |           |                         |       | 3}   |       |        |      |
|   | 8                                  | JO                          | JNO                              | JB    | JNB   | JE       | JNE     | JBE   | JA<br>Jcc 5   | JS                       | JNS       | JPE                     | JPO   | JL   | JGE   | JLE    | JG   |
|   | 9                                  | SETO                        | SETNO                            | SETB  | SETNB | SETE     | SETNE   | SETBE | SETA          | SETS                     | SETNS     | SETPE                   | SETPO | SETL | SETGE | SETLE  | SETG |
|   | Α                                  | PUSH<br>FS                  | POP<br>FS                        | CPUID | ВТ    | SH       | LD      |       |               | PUSH<br>GS               | POP<br>GS | RSM                     | BTS   | SH   | RD    | *FENCE | IMUL |
|   | В                                  | CMP                         | XCHG                             | LSS   | BTR   | LFS      | LGS     | МО    | VZX           | POPCNT                   | UD        | BT<br>BTS<br>BTR<br>BTC | втс   | BSF  | BSR   | МО     | VSX  |
|   | C                                  | XADD SSE{1,2} CMPXCHG BSWAP |                                  |       |       |          |         |       |               |                          |           |                         |       |      |       |        |      |
| \ | D                                  | MMX, SSE{1,2,3}             |                                  |       |       |          |         |       |               |                          |           |                         |       |      |       |        |      |
|   | E                                  |                             |                                  |       |       |          |         | ΜN    | 1X, S         | SSE{                     | 1,2}      |                         |       |      |       |        |      |
| \ | F                                  |                             |                                  |       |       |          | MI      | ИX,   | SSE           | {1,2                     | ,3}       |                         |       |      |       |        |      |

| mod | 0       | 0      | 0:            | 1           | 1              | 0            | 11            |
|-----|---------|--------|---------------|-------------|----------------|--------------|---------------|
| r/m | 16bit   | 32bit  | 16bit         | 32bit       | 16bit          | 32bit        | r/m // REG    |
| 000 | [BX+SI] | [EAX]  | [BX+SI]+disp8 | [EAX]+disp8 | [BX+SI]+disp16 | [EAX]+disp32 | AL/AX/EAX     |
| 001 | [BX+DI] | [ECX]  | [BX+DI]+disp8 | (ECX)+disp8 | [BX+DI]+disp16 | [ECX]+disp32 | CL/CX/EC      |
| 010 | [BP+SI] | [EDX]  | [BP+SI]+disp8 | [EDX]+disp8 | [8P+Si]+disp16 | [EDX]+disp32 | DL/DX/ED      |
| 011 | [BP+DI] | [EBX]  | [BP+OI]+disp8 | [EBX]+disp8 | [BP+DI]+disp16 | [EBX]+disp32 | BL/BX/EB      |
| 100 | [SI]    | SIB    | [SI]+disp8    | S/B+disp8   | [SI]+disp16    | SiB+disp32   | AH / SP / ESF |
| 101 | [DI]    | disp32 | [Di]+disp8    | [EBP]+disp8 | [DI]+disp16    | [EBP]+disp32 | CH/BP/EBR     |
| 110 | disp16  | [ESI]  | [BP]+disp8    | [ESI]+disp8 | [BP]+disp16    | [ESI]+disp32 | DH/SI/ESI     |
| 111 | [BX]    | [EDI]  | [BX]+disp8    | [EDI]+disp8 | [BX]+disp16    | [EDI]+disp32 | BH / DI / EDI |

| encoding | scale (2bit) | Index (3bit) | Base (3bit)                               |
|----------|--------------|--------------|-------------------------------------------|
| 000      | 20=1         | [EAX]        | EAX                                       |
| 001      | 21=2         | [ECX]        | ECX                                       |
| 010      | 22=4         | [EDX]        | EDX                                       |
| 011      | 23=8         | [EBX]        | EBX                                       |
| 100      | -            | none         | ESP                                       |
| 101      | -            | [EBP]        | disp32 / disp8+ [EBP] i<br>disp32 + [EBP] |
| 110      |              | [ESI]        | ESI                                       |
| 111      |              | [EDI]        | EDI                                       |

### **CPU Instructions**



Slide 26

### Add

| Opcode   | Mnemonic         | Description                     |
|----------|------------------|---------------------------------|
| 04 ib    | ADD AL, imm8     | Add imm8 to AL                  |
| 05 iw    | ADD AX, imm16    | Add imm16 to AX                 |
| 05 id    | ADD EAX, imm32   | Add imm32 to EAX                |
| 80 /0 ib | ADD r/m8, imm8   | Add imm8 to r/m8                |
| 81 /0 iw | ADD r/m16, imm16 | Add imm16 to r/m16              |
| 81 /0 id | ADD r/m32, imm32 | Add imm32 to r/m32              |
| 83 /0 ib |                  | Add sign-extended imm8 to r/m16 |
| 83 /0 ib | ADD r/m32, imm8  | Add sign-extended imm8 to r/m32 |
| 00 /r    | ADD r/m8, r8     | Add r8 to r/m8                  |
| 01 /r    | ADD r/m16, r16   | Add r16 to r/m16                |
| 01 /r    | ADD r/m32, r32   | Add r32 to r/m32                |
| 02 /r    | ADD r8, r/m8     | Add r/m8 to r8                  |
| 03 /r    | ADD r16, r/m16   | Add r/m16 to r16                |
| 03 /r    | ADD r32, r/m32   | Add r/m32 to r32                |

### Description

Adds the first operand (destination operand) and the second operand (source operand) and stores the result in the destination operand. The destination operand can be a register or a memory location; the source operand can be an immediate, a register, or a memory location. (However, two memory operands cannot be used in one instruction.) When an immediate value is used as an operand, it is sign-extended to the length of the destination operand format.

The ADD instruction performs integer addition. It evaluates the result for both signed and unsigned integer operands and sets the OF and CF flags to indicate a carry (overflow) in the signed or unsigned result, respectively. The SF flag indicates the sign of the signed result.

www.csnc.ch

This instruction can be used with a LOCK prefix to allow the instruction to be executed atomically.

### Operation

Destination = Destination + Source;

# **CPU Instructions**



## Recap:

◆ CPU looks at bytes, and then decides what to execute based on them

www.csnc.ch

# Overview: Computerz



### Memory:

C4 0A

C5 02

instruction

instruction

instruction

instruction

$$X = 0$$

# Load Instruction at IP

EIP+=1

EIP=0x123

IP= 0x100

**CPU** 

X = 5

# Overview: Computerz



### Memory:

$$X = 10$$

$$X += 2$$

instruction

instruction

instruction

instruction

$$X = 0$$

# Load Instruction at IP

EIP=0x123

**CPU** 

$$X = 5$$



# Hex Numbers, and Little Endian

A guide to understand the rest of my slides

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

# Hex Numbers, and Little Endian



### Intel CPU's

- → 1 Byte = 8 Bit
- ★ Little endian

# Hex Numbers, and Little Endian



### Intel CPU's

- → 1 Byte = 8 Bit
- Little endian

### Others:

- → CDC 6000: 18, 24 and 60 bit
- → PDP1/9/15: 18 bit words
- → Apollo Guidance Computer: 15 bit
- ★ ARM and other RISC: 8 bit Bytes, but in Big Endian

# **Decimal Numbers**



Decimal: 0123456789

1 decimal digit: 10 values

2 decimal digits: 100 values

10 \* 10 = 100

### **Hex Numbers**



Hex: 0123456789 A B C D E F

1 hex digit: 16 values (4 bit, 2^4)

2 hex digits: 256 values (8 bit, 2^8 = 2^4 \* 2^4)

16 \* 16 = 256

1 Byte = 8 Bit = 256 values!

### Hex numbers



$$0 \times 00 = 0$$

$$0x01 = 1$$

$$0x0f = 15$$

$$0x10 = 16$$

$$0x11 = 17$$

$$0x20 = 32$$

$$0xf0 = 240$$

$$0xff = 255$$



### **Hex Numbers**



Base 10

6975

Base 16

0x1B3F

Nibbles 0001 1011 0011 1111

# **Hex Numbers**



Base 10

Base 16

**Bytes** 



# **Endianness**



Number: 0x1B3F

Big Endian: 0x1B 0x3F 0x1B3F

Little Endian: 0x3F 0x1B 0x3F1B

f0 32 7d 60 95 48 d0 62 08 80 4b 67 b4 4a 21 dc 80 3f 6c dd 4a f5 a3 d4 ce 32 8d e4 21 d7 a5 5a 92 93 4b f1 ca 0a ce 3c b9 14 20 a5 00 a4 4a 3e bd 4b 8c b4 d1 90 2b 25 a9 c8 f4 c8 10 85 fb d6 fc 2a 1f c6 8a 7f 25 e7 47 f4 95 01 e2 d7 82 fe 22 95 fa 8e 49 e4 50 98 d3 84 95 a7 97 1d 97 92 25 32 9f 90 0c a9 07 73 c2 2b 49 06 4c 1a 26 69 b2 75 3e 20 db 65 bf 22 68 cf 29 1b 8a 65 8d 54 91 ba 33 f3 05 59 07 39 cd 43 96 6f 5d 88 bb 7a

# Endianness: Big Endian (ARM)





# Number in Decimal (10) Number in Hex (16) Big Endian Storage

# **Endianness: Little Endian (Intel)**



$$32 \text{ bit} = 4 \text{ bytes}$$



Number in Decimal (10)
Number in Hex (16)
Little Endian Storage

# **Endianness: Little Endian (Intel)**





### Four 8 bit numbers:

- → DD
- **+** CC
- **→** BB
- **→** AA

# Two 16 bit numbers:

- ◆ 0xCCDD
- → 0xAABB

# A 32 bit number:

◆ OxAABBCCDD



**Endianness: Little endian** 



# Number: 0x1122334455667788

# Little Endian:

| 88 | 77 | 66 | 55 | 44 | 33 | 22 | 11 |  |
|----|----|----|----|----|----|----|----|--|
| 0  | 1  | 2  | 3  | 4  | 5  | 6  | 7  |  |



| <b>^</b> |            |
|----------|------------|
| 4        | 0x11223344 |
| 0        | 0x55556666 |
| 0        | 0x77778888 |

32 bit = 4 bytes

www.csnc.ch



| <b>^</b> |            |
|----------|------------|
| 1        | 0x11223344 |
| 0        | 0x55556666 |
| 0        | 0x77778888 |

| 32 | bit | = | 4 | by | tes |
|----|-----|---|---|----|-----|
|----|-----|---|---|----|-----|

$$32 \text{ bit} = 4 \text{ bytes}$$

$$32 \text{ bit} = 4 \text{ bytes}$$





# In memory:

0 4 8

| 0x66 0x66 0x55 0x55 | 0x88 0x88 0x77 0x77 |
|---------------------|---------------------|
|                     | 0x66 0x66 0x55 0x55 |

# For humans:

0 4 8

| 0x11223344 | 0x55556666 | 0x77778888 |
|------------|------------|------------|

32 bit

32 bit

32 bit



# **ASCII TABLE**

| Decima | al Hex | Char                   | Decimal | Hex | Char    | Decimal | Hex | Char | Decimal | Hex | Char  |
|--------|--------|------------------------|---------|-----|---------|---------|-----|------|---------|-----|-------|
| 0      | 0      | [NULL]                 | 32      | 20  | [SPACE] | 64      | 40  | @    | 96      | 60  | `     |
| 1      | 1      | [START OF HEADING]     | 33      | 21  | 1       | 65      | 41  | Α    | 97      | 61  | a     |
| 2      | 2      | [START OF TEXT]        | 34      | 22  |         | 66      | 42  | В    | 98      | 62  | b     |
| 3      | 3      | [END OF TEXT]          | 35      | 23  | #       | 67      | 43  | С    | 99      | 63  | c     |
| 4      | 4      | [END OF TRANSMISSION]  | 36      | 24  | \$      | 68      | 44  | D    | 100     | 64  | d     |
| 5      | 5      | [ENQUIRY]              | 37      | 25  | %       | 69      | 45  | E    | 101     | 65  | e     |
| 6      | 6      | [ACKNOWLEDGE]          | 38      | 26  | &       | 70      | 46  | F    | 102     | 66  | f     |
| 7      | 7      | [BELL]                 | 39      | 27  |         | 71      | 47  | G    | 103     | 67  | g     |
| 8      | 8      | [BACKSPACE]            | 40      | 28  | (       | 72      | 48  | н    | 104     | 68  | h     |
| 9      | 9      | [HORIZONTAL TAB]       | 41      | 29  | )       | 73      | 49  | 1    | 105     | 69  | i     |
| 10     | Α      | [LINE FEED]            | 42      | 2A  | *       | 74      | 4A  | J    | 106     | 6A  | j     |
| 11     | В      | [VERTICAL TAB]         | 43      | 2B  | +       | 75      | 4B  | K    | 107     | 6B  | k     |
| 12     | С      | [FORM FEED]            | 44      | 2C  | ,       | 76      | 4C  | L    | 108     | 6C  | 1     |
| 13     | D      | [CARRIAGE RETURN]      | 45      | 2D  | -       | 77      | 4D  | M    | 109     | 6D  | m     |
| 14     | E      | [SHIFT OUT]            | 46      | 2E  |         | 78      | 4E  | N    | 110     | 6E  | n     |
| 15     | F      | [SHIFT IN]             | 47      | 2F  | /       | 79      | 4F  | 0    | 111     | 6F  | 0     |
| 16     | 10     | [DATA LINK ESCAPE]     | 48      | 30  | 0       | 80      | 50  | P    | 112     | 70  | р     |
| 17     | 11     | [DEVICE CONTROL 1]     | 49      | 31  | 1       | 81      | 51  | Q    | 113     | 71  | q     |
| 18     | 12     | [DEVICE CONTROL 2]     | 50      | 32  | 2       | 82      | 52  | R    | 114     | 72  | r     |
| 19     | 13     | [DEVICE CONTROL 3]     | 51      | 33  | 3       | 83      | 53  | S    | 115     | 73  | S     |
| 20     | 14     | [DEVICE CONTROL 4]     | 52      | 34  | 4       | 84      | 54  | Т    | 116     | 74  | t     |
| 21     | 15     | [NEGATIVE ACKNOWLEDGE] | 53      | 35  | 5       | 85      | 55  | U    | 117     | 75  | u     |
| 22     | 16     | [SYNCHRONOUS IDLE]     | 54      | 36  | 6       | 86      | 56  | V    | 118     | 76  | v     |
| 23     | 17     | [ENG OF TRANS. BLOCK]  | 55      | 37  | 7       | 87      | 57  | W    | 119     | 77  | w     |
| 24     | 18     | [CANCEL]               | 56      | 38  | 8       | 88      | 58  | Χ    | 120     | 78  | X     |
| 25     | 19     | [END OF MEDIUM]        | 57      | 39  | 9       | 89      | 59  | Υ    | 121     | 79  | у     |
| 26     | 1A     | [SUBSTITUTE]           | 58      | 3A  | :       | 90      | 5A  | Z    | 122     | 7A  | z     |
| 27     | 1B     | [ESCAPE]               | 59      | 3B  | ;       | 91      | 5B  | [    | 123     | 7B  | {     |
| 28     | 1C     | [FILE SEPARATOR]       | 60      | 3C  | <       | 92      | 5C  | \    | 124     | 7C  |       |
| 29     | 1D     | [GROUP SEPARATOR]      | 61      | 3D  | =       | 93      | 5D  | 1    | 125     | 7D  | }     |
| 30     | 1E     | [RECORD SEPARATOR]     | 62      | 3E  | >       | 94      | 5E  | ^    | 126     | 7E  | ~     |
| 31     | 1F     | [UNIT SEPARATOR]       | 63      | 3F  | ?       | 95      | 5F  | _    | 127     | 7F  | [DEL] |
|        |        |                        |         |     |         |         |     |      | 1       |     |       |

# ASCII - Hexdump



| %f           | 00         | 00 | 00  | 00  | 00 | 84 | 1f  | 0f | 66  | ff  | ff | fd | CC  | <b>e</b> 9 | 00 | 25 | 0008b400 |
|--------------|------------|----|-----|-----|----|----|-----|----|-----|-----|----|----|-----|------------|----|----|----------|
| .+!fb        | 00         | 00 | 44  | 1f  | 0f | 66 | ff  | ff | fe  | c4  | e9 | 00 | 01  | 21         | 2b | e8 | 0008b410 |
| D;%          | d5         | 05 | 8b  | ff  | ff | fe | 5f  | 8f | 0f  | 00  | 25 | fe | f1  | 2d         | 3b | 44 | 0008b420 |
| .%.;%M       | 83         | ff | ff  | fe  | 4d | 8d | 0f  | 00 | 25  | fd  | fb | 05 | 3b  | 00         | 25 | fe | 0008b430 |
| %?           | 00         | 1f | 0f  | ff  | ff | fe | 3f  | e9 | 00  | 25  | fe | с0 | 05  | 89         | 01 | c0 | 0008b440 |
| AWAVAUIATUSH | ec         | 83 | 48  | 53  | 55 | 54 | 41  | fd | 89  | 49  | 55 | 41 | 56  | 41         | 57 | 41 | 0008b450 |
| %o .C.Lc.    | <b>e</b> 3 | 63 | 4c  | 01  | 43 | 8d | 20  | 6f | 8b  | 00  | 25 | fd | cd  | 1d         | 8b | 08 | 0008b460 |
| %%.H.        | 8b         | 48 | 0.0 | 2.5 | fd | b6 | 0.5 | 89 | 0.0 | 2.5 | dd | b8 | 2.d | 89         | ef | 89 | 0008b470 |





# Recap:

- → Numbers can be displayed in decimal, or hex (0-9, a-f)
- → Numbers are stored as 16, 32 or 64 bit value as little endian
- If we look at little endian numbers as bytes, they are inverted
- ◆ If we look at numbers in memory, we can't know if they are 8, 16, 32 or 64 bit.
- We can try to interpret bytes as ASCII

# Numbers test!



$$0x07 + 0x07 = ?$$

$$0x0a + 0x0a = ?$$

$$0x22 - 0x10 = ?$$

$$0x22 - 0x0a = ?$$

0xbb4c00d in little endian = 0x????????

ASCII 0x42 0x46 0x48 = «???»

The string «leet» in ASCII = 0x?? 0x?? 0x?? 0x??



# **Operating System Basics**

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

# **OS Basics: Rings**



# Ring 0: Kernel (Kernelspace)

- ♦ Not covered here
- Can be interacted with by using "syscalls"

# Ring 3: Userspace

- ♦ Where all programs run
- → Is, Bash, Vim, Apache, Xorg, Firefox, ...



Slide 51

# How to transit from userspace to kernelspace?

www.csnc.ch

→ System Calls (syscall)

**OS Basics: Rings** 



**Process Process Process** Please do things for me Kernel

# **OS Basics: Processes**



# A Process:

- ★ Is a running program
  - → Program lives on disk (static)
  - → Process lives on memory (alive)
- → Process thinks he "owns" the hardware
  - **→** RAM
  - **♦** CPU

# Multiple processes can run simultaneously

- ★ Everyone thinks he is the only one
- → Like Kanye West

# **OS Basics: Processes**



# A Process:

- → Is a running program
  - → Program lives on disk (static)
  - → Process lives on memory (alive)
- → Process thinks he "owns" the hardware
  - **→** RAM
  - **→** CPU

# Multiple processes can ru

- ★ Everyone thinks he is the d
- → Like Kanye West

# I AM THE NUMBER ONE HUMAN BEING IN MUSIC. THAT MEANS ANY PERSON THAT'S LIVING OR BREATHING IS NUMBER TWO.

- KANYE WEST



# **OS Basics: Process and Memory**



# Processes can address:

- **→ 4 GB of memory** in 32bit OS
  - → (2-3 GB actually)
- → Independent on how much memory there really is

# What if we have:

- → Only 2 GB RAM?
  - → OOM (Out Of Memory) when too much memory is used
- **★** 8 GB RAM?
  - → 2 Processes can use all their 4GB!

# OS Basics – Kernelspace/Userspace



OS/CPU manages mapping between physical pages and process (virtual) pages – called **paging** 



# **OS Basics: Process and Memory**



# Why 4 GB?

- → 32 bit register size in Intel CPU
- ★ Register are used to address memory
- + 2^32 = 4 billion = 4 gigabyte

A process has therefore access to 4 billion one-byte memory locations

# **OS Basics: Process and Memory**





RAM





http://www.slideshare.net/saumilshah/operating-systems-a-primer



# History lesson: "The good old times"

- → Windows did not have true protected memory until windows NT/2000
  - → Including all of DOS, Windows 3.1, Windows 95, 98, ME
- ★ Every process could write into all all other processes, or even the OS
- "Blue screen of death"

### Windows

An error has occurred. To continue:

Press Enter to return to Windows, or

Press CTRL+ALT+DEL to restart your computer. If you do this, you will lose any unsaved information in all open applications.

Error: 0E : 016F : BFF9B3D4

Press any key to continue



# There's only one CPU, how can:

- → Multiple programs run at the same time?
- ★ The OS and the programs run at the same time?

# Solution: Interrupts

- → Timer interrupts
- Interrupts are handled by the kernel
  - → Time / clock
  - → Network interface
  - → USB devices
- ★ Kernel schedules the different processes



# Recap:

- → Processes are programs which are alive in the RAM
- ★ Every process thinks he owns the computer (including all the RAM)
- ★ Evey process has access to 2^32 (~4 billion) memory locations of 1 byte size





Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch



### From 32 to 64 bit

- You all are probably too young for this
- But it was kinda big thing
- ★ AMD invented the current 64 bit architecture
  - ★ Intel wanted a new one: Itanium. Failed hard.
  - → (AMD was better than Intel in most respects back then. Sigh).
- ★ x86 to x64 / amd64
  - → 8086, 80286, 80386, 80486, 80586 aka Pentium
- "Is windows 64 bit twice as good/fast than windows 32 bit?"
  - → Width of the CPU registers define the amount of addressable memory



# 64 bit pros:

- ★ Can address more than 4 gb of memory per computer
  - → 18'446'744'073'709'551'616 bytes theoretically
- ★ 64 bit calculations are maybe a bit faster

### 64 bit cons:

- Programs use more space
  - Because pointers and data-types (integer) are twice as big
  - → On disk, memory and most importantly: cache



64 bit registers are prefixed with "R" (RAX, RIP, ...)

New registers: R8-R15

Pointers are 64 bit

Push/Pop are 64 bit



# For 64 bit:

- ★ 64 bit are 18 exabytes
- → Only 47 bit are used (=140 terabytes)
- **→** < 0x00007fffffffffff</p>



# For 64 bit:

- ★ 64 bit are 18 exabytes
- → Only 47 bit are used (=140 terabytes)
- **→** < 0x00007fffffffffff</p>

halvarflake Retweeted



Anders Fogh @anders\_fogh · 7h
Yay. We're getting 57 bit physical address space.

Giuseppe `N3mes1s` @gN3mes1s

5-Level Paging and 5-Level EPT - software.intel.com/sites/default/...







...



### 5-Level Paging and 5-Level EPT

White Paper

Revision 1.0
December 2016



Linux (and Windows) can execute 32 bit processes on a 64 bit OS

- ★ C:\Program Files
- → C:\Program Files (x86)
- → /lib/lib
- → /lib/lib64

The 32 bit process does not realize he's on a 64 bit system

→ But needs a 32 bit runtime



# For this presentation:

32 bit is "old" and "dead"

→ But its much easier to create and explain exploits in it

Old plan was: "Lets be modern, 64 bit only"

Current plan: "Lets be modern, but still use 32 bit to exploit stuff"

Sorry...



# Recap

- ★ There are some differences between 32 and 64 bit
- → A 32 bit process can run on a 64 bit system as 32 bit





C64

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

# Commodore 64

~1 MHz, 64kb RAM (2^16)

3 general purpose registers, 8 bit: A, X, Y

Stack Pointer: 8 bit, IP: 16 bit

Screen memory mapping: 0x0400 (1000 bytes, 40x25)

00 01 02 03 40 41 42 43

RAM BASIC RAM I/O Kernal ROM

# **Videos**



https://media.ccc.de/v/34c3-9064the ultimate apollo guidance computer talk

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Christopher-Domas-Breaking-The-x86-ISA.pdf