- Initial commit

commit f480d29c3ac80883f2b5305bdf4dd49cba5fb033 1 parent 6d99446
@felipensp authored
4 x86/README
@@ -0,0 +1,4 @@
+My short Assembly X86 sample codes
+
+.asm => NASM version (Intel)
+.s => GAS version (AT&T)
61 x86/itoa.s
@@ -0,0 +1,61 @@
+#;
+#; integer to string
+#; Author: Felipe Pena <sigsegv>
+#; as -o itoa.o itoa.s | ld --dynamic-linker /lib/ld-linux.so.2 -lc -o itoa itoa.o
+
+ .section .data
+
+fmt: .string "%s\n"
+
+.lcomm converted, 10
+
+.set NUMBER, 123
+
+ .section .text
+
+.global _start
+
+_start:
+
+ xorl %ecx, %ecx
+ xorl %edi, %edi
+ movl $NUMBER, %eax
+
+itoa_loop:
+ # Limpa para divisão
+ xorl %edx, %edx
+
+ movl $10, %esi
+
+ # Agora nós temos o quociente em %eax
+ # e o resto da divisão em %edx
+ idiv %esi
+
+ # Convertendo para a representação em ASCII
+ addl $48, %edx
+
+ pushl %edx
+ incl %ecx
+
+ xorl $0, %eax
+ jnz itoa_loop
+
+rev_loop:
+ popl %eax
+ movl %eax, converted(, %edi, 1)
+ incl %edi
+ decl %ecx
+
+ cmpl $0, %ecx
+ jnz rev_loop
+
+ pusha
+ pushl $converted
+ pushl $fmt
+ call printf
+ addl $8, %esp
+ popa
+
+ # Exiting
+ movl $1, %eax
+ int $0x80
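Review bot: The store on line 72, `movl %eax, converted(, %edi, 1)`, writes a 4-byte value at a 1-byte stride into the 10-byte `converted` buffer, so each digit overwrites the three bytes after it and a 10-digit value would write past the end of the buffer; the byte-stride addressing intends a byte store, `movb %al, converted(, %edi, 1)`. The zero bytes of the dword store are currently what supplies the NUL terminator for the `%s` in `fmt`, so with the byte store the buffer should be sized for ten digits plus a terminator (`.lcomm converted, 11`) and rely on .lcomm's zero initialisation, or a terminating byte should be stored explicitly after rev_loop. Separately, `xorl $0, %eax` on line 67 is an unusual way to set ZF; `testl %eax, %eax` says what is meant, and `addl $48, %edx` on line 62 reads better as `addl $'0', %edx`. The exit syscall on lines 87-88 never sets `%ebx`, so the exit status is whatever `popa` restored into it.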
33 x86/loop-over-chars.s
@@ -0,0 +1,33 @@
+#;
+#; Iterando cadeia de caracters
+#; Author: Felipe Pena <sigsegv>
+#;
+
+ .section .data
+
+texto: .ascii "foo\0"
+
+ .section .text
+.global _start
+
+_start:
+ xorl %edi, %edi
+ xorl %ebx, %ebx
+
+loop:
+ leal texto(, %edi, 1), %ecx
+
+ cmpb $0, (%ecx)
+ je exit
+
+ movl $4, %eax
+ movl $1, %ebx
+ movl $1, %edx
+ int $0x80
+
+ incl %edi
+ jmp loop
+exit:
+ movl $1, %eax
+ movl $0, %ebx
+ int $0x80
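Review bot: The write syscall's result in `%eax` on line 117 is never examined, so a failed or short write goes unnoticed and the loop simply advances to the next character; because the loop reloads `%eax` anyway, a `cmpl $0, %eax` / `jle exit` right after the `int $0x80` would stop on an error result without changing the normal path. On style, `movl $1, %ebx` on line 115 is loop-invariant and could sit next to the `xorl %ebx, %ebx` on line 106 that it makes redundant, and the label `loop` on line 108 shares its name with an x86 instruction mnemonic, which GAS accepts but which reads confusingly; a local label such as `.Lnext` avoids that.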
27 x86/loop-over-numbers.s
@@ -0,0 +1,27 @@
+#;
+#; Iterando numeros
+#; Author: Felipe Pena <sigsegv>
+#;
+
+ .section .data
+
+numeros: .long 10, 20, 30, 0
+
+ .section .text
+.global _start
+
+_start:
+ xorl %edi, %edi
+ xorl %ebx, %ebx
+
+loop:
+ movl numeros(, %edi, 4), %eax
+ incl %edi
+ cmpl $0, %eax
+ je exit
+ addl %eax, %ebx
+ jmp loop
+
+exit:
+ movl $1, %eax
+ int $0x80
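Review bot: The exit on lines 153-154 issues the exit syscall with `%ebx` still holding the running sum from line 149, so the program's exit status is the sum of the array (60 for the data on line 135) rather than 0; the file does not say whether that is intended as the way to observe the result, and `exit:` deserves a comment such as `# exit status = sum in %ebx, observable via $?`, or an explicit `movl $0, %ebx` if it is not. The termination test on lines 147-148 relies on the trailing 0 element of `numeros`, which is worth stating next to the data definition on line 135, since a 0 anywhere in the array would also end the loop.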
94 x86/phpasm.s
@@ -0,0 +1,94 @@
+# A simple PHP extension
+#
+# Author: Felipe Pena <sigsegv>
+# Date: 2011-05-09
+#
+# ld -shared -o phpasm phpasm.o
+#
+
+ .section .bss
+
+# sizeof(zend_function_entry) = 20
+.lcomm module_functions, 40
+
+# sizeof(zend_module_entry) = 92
+.lcomm module_entry 92
+
+ .section .rodata
+extname: .string "asm"
+phpbuild: .string "API20090626,TS,debug"
+funcname: .string "helloworld"
+str: .string "hello world from Assembly! :)"
+ len = . - str - 1
+
+ .section .text
+.global get_module
+.global zif_helloworld
+
+zif_helloworld:
+ # typedef union _zvalue_value {
+ # long lval;
+ # double dval;
+ # struct {
+ # char *val;
+ # int len;
+ # } str;
+ # HashTable *ht;
+ # zend_object_value obj;
+ # } zvalue_value;
+
+ # struct _zval_struct {
+ # zvalue_value value;
+ # zend_uint refcount__gc;
+ # zend_uchar type;
+ # zend_uchar is_ref__gc;
+ # };
+
+ # return_value zval
+ movl 8(%esp), %ebx
+
+ # Changing the zval type to IS_STRING
+ movl $6, 12(%ebx)
+
+ pushl $0
+ pushl $0
+ pushl $len
+ pushl $str
+ call _estrndup
+ addl $16, %esp
+
+ # Set the pointer for our alloc'ed string
+ movl %eax, (%ebx)
+ # Set the string length
+ movl $len, 4(%ebx)
+ ret
+
+__initialize_functions:
+ movl $0, %edi
+ movl $funcname, module_functions(,%edi,4)
+
+ movl $1, %edi
+ movl $zif_helloworld, module_functions(,%edi,4)
+ ret
+
+get_module:
+ call __initialize_functions
+
+ # Zend API
+ movl $1, %edi
+ movl $20090626, module_entry(,%edi,4)
+
+ # Module name
+ movl $5, %edi
+ movl $extname, module_entry(,%edi,4)
+
+ # Functions
+ movl $6, %edi
+ movl $module_functions, module_entry(,%edi,4)
+
+ # Build ID
+ movl $22, %edi
+ movl $phpbuild, module_entry(,%edi,4)
+
+ movl $module_entry, %eax
+ ret
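Review bot: `zif_helloworld` overwrites `%ebx` on line 205 without saving it, and `%ebx` is callee-saved in the i386 System V ABI, so the engine that calls this function gets a corrupted register back; the fix is to bracket the body with `pushl %ebx` on entry and `popl %ebx` before the `ret` on line 221, reading the argument as `movl 12(%esp), %ebx` because the push shifts the stack by 4 bytes. Line 172, `.lcomm module_entry 92`, lacks the comma that `.lcomm symbol, length` takes and should read `.lcomm module_entry, 92`. Line 208 stores a dword into the one-byte `type` field described by the comment on line 200, which also clears `is_ref__gc` and two padding bytes; `movb $6, 12(%ebx)` stores only the type. The absolute `$funcname`, `$zif_helloworld`, `$extname`, `$module_functions` and `$module_entry` immediates on lines 225, 228, 240, 244, 248 and 250 presumably need text relocations in the shared object built on line 163, which is worth a comment if it is deliberate.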
94 x86/pipe.s
@@ -0,0 +1,94 @@
+#;
+#; Author: Felipe Pena <sigsegv>
+#;
+
+ .section .data
+.set pipe, 42
+sfmt: .string "Fd: %d\n"
+L1: .string "test\n"
+ L1len = . - L1
+
+ .section .bss
+.lcomm fds, 4
+.lcomm buff, 20
+
+ .section .text
+.global _start
+
+# Escreve em um FD
+write:
+ movl $4, %eax
+ movl 4(%esp), %ebx
+ movl 8(%esp), %ecx
+ movl 12(%esp), %edx
+
+ int $0x80
+ ret
+
+# Lê de um FD
+read:
+ movl $3, %eax
+ movl 4(%esp), %ebx
+ movl $buff, %ecx
+ movl $5, %edx
+
+ int $0x80
+
+ movl %ecx, %eax
+ ret
+
+# Imprime o file descriptor
+printfd:
+ mov 4(%esp), %eax
+
+ pushl %ebp
+ movl %esp, %ebp
+
+ pushl %eax
+ pushl $sfmt
+ call printf
+
+ addl $8, %esp
+ movl %ebp, %esp
+ popl %ebp
+ ret
+
+_start:
+ # Chama a syscall do pipe
+ movl $pipe, %eax
+ movl $fds, %ebx
+ int $0x80
+
+ # Imprime o fd do pipe
+ pushl (%ebx)
+ call printfd
+ addl $4, %esp
+
+ # Imprime o fd do pipe
+ pushl 4(%ebx)
+ call printfd
+ addl $4, %esp
+
+ pushl $L1len
+ pushl $L1
+ pushl 4(%ebx) # Escrevendo no pipe
+ call write
+ addl $12, %esp
+
+ leal fds, %eax
+ pushl (%eax)
+ call read # Lendo do pipe
+ movl %eax, %ebx
+ addl $4, %esp
+
+ leal fds, %eax
+ pushl $L1len
+ pushl %ebx
+ pushl $1 # Escrevendo no STDOUT
+ call write
+ addl $12, %esp
+
+ # Exit
+ movl $1, %eax
+ xorl %ebx, %ebx
+ int $0x80
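Review bot: `read` on lines 283-292 throws away the syscall result: line 291 replaces the byte count the kernel returned in `%eax` with the buffer address from `%ecx`, so `_start` pushes that address as the data pointer on line 340 and has to guess the length with `$L1len` on line 339. Dropping line 291 makes `read` return the count (which line 335 already moves into `%ebx`), and the final write's arguments then become `pushl %ebx` / `pushl $buff` / `pushl $1`. `L1len = . - L1` on line 263 counts the NUL that `.string` appends, so the pipe write on line 329 sends six bytes for a five-character message; `L1len = . - L1 - 1`, or `.ascii` instead of `.string`, gives the intended length (the same pattern appears in sigaction.s line 367 and signal.s line 442). The pipe syscall's return in `%eax` on line 314 is never checked, and the `leal fds, %eax` on line 338 is dead because nothing reads `%eax` before the pushes that follow it.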
73 x86/sigaction.s
@@ -0,0 +1,73 @@
+# Signal handling
+# Author: Felipe Pena <sigsegv>
+# Date: 2011-05-09
+#
+# $ as -o sigaction.o sigaction.s
+# $ ld --dynamic-linker /lib/ld-linux.so.2 -lc -o sigaction sigaction.o
+# $ ./sigaction
+# ^CExiting...
+# $ echo $?
+
+ .section .data
+
+.set SIGINT, 2
+.set SA_SIGINFO, 4
+str: .string "Exiting...\n"
+ len = . - str
+
+ .section .bss
+
+# The sigaction structure
+# sizeof(struct sigaction) = 140
+# (this might be different on your system, see sigaction.h)
+#
+# struct sigaction {
+# sighandler_t sa_handler (4 bytes)
+# sigset_t sa_mask (128 bytes)
+# int sa_flags (4 bytes)
+# void (*sa_restorer) (void); (4 bytes)
+# }
+.lcomm struct_sigaction, 140
+
+ .section .text
+.global _start
+
+__sigint_handler:
+ # Writing in STDOUT
+ movl $4, %eax
+ movl $1, %ebx
+ movl $str, %ecx
+ movl $len, %edx
+ int $0x80
+
+ # Exiting using the exit status that would be used by the system
+ # without the signal handler (i.e. 128 + signal number)
+ movl $1, %eax
+ movl $3, %ebx
+ addl $128, 4(%esp)
+ movl 4(%esp), %ebx
+ int $0x80
+
+_start:
+ # Writing the sa_handler field
+ # offsetof(struct sigaction, sa_handler) == 0
+ movl $__sigint_handler, struct_sigaction
+
+ # Writing the sa_flags field
+ # offsetof(struct sigaction, sa_flags) == 132
+ movl $132, %edi
+ movl $SA_SIGINFO, struct_sigaction(,%edi,1)
+
+ # Calling sigaction(int, const struct sigaction *, struct sigaction *)
+ pushl $0
+ pushl $struct_sigaction
+ pushl $SIGINT
+ call sigaction
+ addl $12, %esp
+
+ # Infinite loop
+ jmp .
+
+ movl $1, %eax
+ movl $0, %ebx
+ int $0x80
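Review bot: `movl $3, %ebx` on line 397 is a dead store, overwritten two lines later by the value computed from the signal number, and should go. `jmp .` on line 420 is a busy spin that keeps a core fully occupied while waiting for the signal; the pause syscall (`movl $29, %eax` / `int $0x80`, i386 `__NR_pause`) blocks until a signal arrives and does the same job, and it would also make the exit sequence on lines 422-424 reachable if the handler ever returned (signal.s line 470 has the same spin). The return value of `sigaction` on line 416 is not checked; a `cmpl $-1, %eax` / `je` to an error exit before entering the wait would catch a rejected registration (likewise `signal` at signal.s line 466, which returns SIG_ERR on failure). Since the handler is installed with SA_SIGINFO on line 410 it is entered with three arguments, of which it reads only the first; a one-line comment on line 386 stating that would help readers.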
47 x86/signal.s
@@ -0,0 +1,47 @@
+# Signal handling
+# Author: Felipe Pena <sigsegv>
+# Date: 2011-05-09
+#
+# $ as -o signal.o signal.s
+# $ ld --dynamic-linker /lib/ld-linux.so.2 -lc -o signal signal.o
+# $ ./signal
+# ^CExiting...
+# $ echo $?
+
+ .section .data
+
+.set SIGINT, 2
+str: .string "Exiting...\n"
+ len = . - str
+
+ .section .text
+.global _start
+
+__sigint_handler:
+ # Writing in STDOUT
+ movl $4, %eax
+ movl $1, %ebx
+ movl $str, %ecx
+ movl $len, %edx
+ int $0x80
+
+ # Exiting using the exit status that would be used by the system
+ # without the signal handler (i.e. 128 + signal number)
+ movl $1, %eax
+ addl $128, 4(%esp)
+ movl 4(%esp), %ebx
+ int $0x80
+
+_start:
+ # Calling signal( SIGINT, __sigint_handler)
+ pushl $__sigint_handler
+ pushl $SIGINT
+ call signal
+ addl $8, %esp
+
+ # Infinite loop
+ jmp .
+
+ movl $1, %eax
+ movl $0, %ebx
+ int $0x80
58 x86/tausworthe.s
@@ -0,0 +1,58 @@
+#; Tausworthe
+#; Author: Felipe Pena <sigsegv>
+#; Date: 2011-05-08
+
+ .section .data
+
+.set n1, 69069 * 13
+.set n2, 69069 * 14
+.set n3, 69069 * 15
+
+.set s1, 4294967294
+.set s2, 4294967288
+.set s3, 4294967280
+
+str: .string "seed: %u\n"
+
+ .section .bss
+
+.macro tausworthe s, a, b, c, d
+# (s&c) << d
+ movl \c, %ebx
+ andl \s, %ebx
+ sall \d, %ebx
+# ((s << a) ^ s) >> b
+ movl \s, %eax
+ sall \a, %eax
+ movl \s, %ecx
+ xorl %eax, %ecx
+ sarl \b, %ecx
+
+ xorl %ebx, %ecx
+.endm
+
+ .section .text
+.global _start
+
+_start:
+ tausworthe $n1, $13, $19, $s1, $12
+ pushl %ecx
+ pushl $str
+ call printf
+ addl $8, %esp
+
+ tausworthe $n2, $2, $25, $s2, $4
+ pushl %ecx
+ pushl $str
+ call printf
+ addl $8, %esp
+
+ tausworthe $n3, $3, $11, $s3, $17
+ pushl %ecx
+ pushl $str
+ call printf
+ addl $8, %esp
+
+ movl $1, %eax
+ movl $0, %ebx
+ int $0x80
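Review bot: The macro's second half on lines 501-506 implements the `>> b` of its comment with `sarl`, but a Tausworthe step operates on an unsigned 32-bit word and needs a logical shift, so whenever `(s << a) ^ s` has its top bit set the arithmetic shift smears sign bits into the result; `shrl \b, %ecx` matches the formula and the `%u` format on line 492. The three invocations on lines 515, 521 and 527 each start from a constant (`n1`, `n2`, `n3`) and print one step, so nothing is fed forward between them; if a generator sequence is intended, the `%ecx` result of one step has to become the `\s` of the next, and otherwise a comment saying these are three independent single steps would avoid confusion. The `.macro` is defined under `.section .bss` on lines 494-509; it emits nothing, but it reads oddly there and belongs before the section directives or with the text section.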
12 x86_64/syscall-hijack/Makefile
@@ -0,0 +1,12 @@
+obj-m := test.o
+test-objs := hijack.o
+
+
+KDIR := /lib/modules/$(shell uname -r)/build
+PWD := $(shell pwd)
+
+default:
+ $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
+
+clean:
+ rm -rf *.ko *.o *.order *.symvers *.mod.c .*.cmd .tmp_versions
114 x86_64/syscall-hijack/hijack.S
@@ -0,0 +1,114 @@
+# Macro para carregar o endereço da syscall setreuid em %rsi
+.macro __get_setreuid_ptr
+ movq $0xffffffff81307240, %rsi # endereço da sys_call_table
+ movq $113, %rcx # 113 = sys_setreuid
+ leaq (%rsi, %rcx, 8), %rsi # endereço da sys_setreuid
+.endm
+
+# Macro para desabilitar proteção de escrita (bit WP do cr0) em páginas de memória
+.macro __disable_write_protection
+ movq %cr0, %rdx
+ movq $0x10000, %rcx
+ notq %rcx
+ andq %rcx, %rdx
+ movq %rdx, %cr0
+.endm
+
+# Macro para habilitar a proteção de escrita (bit WP do cr0) em páginas de memória
+.macro __enable_write_protection
+ movq %cr0, %rdx
+ orq $0x10000, %rdx
+ movq %rdx, %cr0
+.endm
+
+ .section .rodata
+init_msg: .string "<1>Modulo inicializado!\n"
+exit_msg: .string "<1>Modulo finalizado!\n"
+hijack: .string "<1>setreuid hijacked!\n"
+setreuid_msg: .string "<1>sys_setreuid addr = %lx\n"
+
+ .section .bss
+# Onde guardaremos o endereço original da sys_setreuid
+.lcomm old_setreuid, 8
+
+ .section .text
+.global init_module
+.global cleanup_module
+.global my_setreuid
+
+# Implementação da sys_setreuid que só mostra uma mensagem
+my_setreuid:
+ callq *old_setreuid
+ movq %rax, %r12
+
+ leaq hijack, %rdi
+ callq printk
+
+ xorq %rax, %rax
+ ret
+
+init_module:
+ leaq init_msg, %rdi
+ callq printk
+
+ __disable_write_protection
+
+ __get_setreuid_ptr
+
+ leaq setreuid_msg, %rdi
+ movq (%rsi), %rsi
+ # Guarda o antigo endereço
+ movq %rsi, old_setreuid(%rip)
+ # Printa o endereço atual
+ callq printk
+
+ __get_setreuid_ptr
+ leaq my_setreuid(%rip), %rcx
+ # Altera o endereço para apontar para nossa setreuid
+ movq %rcx, (%rsi)
+
+ leaq setreuid_msg, %rdi
+ movq (%rsi), %rsi
+ # Printa o novo endereço
+ callq printk
+
+ __enable_write_protection
+
+ xorq %rax, %rax
+ ret
+
+cleanup_module:
+ leaq exit_msg, %rdi
+ callq printk
+
+ __get_setreuid_ptr
+
+ leaq setreuid_msg, %rdi
+ movq (%rsi), %rsi
+ # Printa o endereço atual na sys_call_table para setreuid
+ callq printk
+
+ __disable_write_protection
+
+ __get_setreuid_ptr
+
+ leaq setreuid_msg, %rdi
+ # Coloca o antigo endereço (o original) devolta para a sys_call_table
+ movq old_setreuid(%rip), %rax
+ movq %rax, (%rsi)
+ movq (%rsi), %rsi
+
+ __enable_write_protection
+
+ # Mostra o endereço que escrevemos devolta na sys_call_table
+ callq printk
+
+ xorq %rax, %rax
+ ret
+
+ .section .modinfo, "aS", @progbits
+__kernel_version: .string "kernel_version=2.6.32"
+__module_license: .string "license=GPL"
+__module_author: .string "author=Felipe Pena"
+__module_depends: .string "depends="
+__module_description: .string "description=Modulo de teste"
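Review bot: The only tie between the hard-coded `sys_call_table` address on line 556 and the kernel it was taken from is the `kernel_version=2.6.32` string in `.modinfo` on line 663; the macro comment on line 554 should state that the constant is specific to one kernel build (`# valid only for the build named in .modinfo; differs per kernel image`), since on any other image the dereferences on lines 612, 621 and 640 land somewhere else entirely. Addressing of the string constants is inconsistent: lines 597, 604, 611, 623, 634, 639 and 648 use absolute `leaq sym, %rdi` while lines 614, 619 and 650 use `sym(%rip)`; RIP-relative is the form that does not depend on the load address, so the `leaq` forms should read `leaq hijack(%rip), %rdi`. `printk` is variadic and the System V convention sets `%al` to the number of vector registers in use before such a call; none of the call sites on lines 598, 605, 616, 626, 635, 642 and 657 set it, which is presumably harmless in a kernel built without SSE but is worth a `xorl %eax, %eax` for correctness. `my_setreuid` also writes `%r12`, a callee-saved register, on line 595 and never reads it back.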
