WEBVTT 00:00.520 --> 00:01.870 Hello and welcome. 00:01.870 --> 00:09.280 In this video, we are going to talk about assembly language basics for malware analysis of native exe 00:09.310 --> 00:09.910 files. 00:11.200 --> 00:12.520 What is the stack? 00:13.230 --> 00:18.060 Stack stands for LIFO, last in, first out data structure. 00:18.510 --> 00:23.100 It stores local variables and return addresses for functions. 00:23.860 --> 00:26.310 Is accessed through push pop. 00:26.730 --> 00:33.390 Call and read instructions and the ram memory layout for the stack are as follows. 00:33.720 --> 00:40.230 It starts at a high address as shown in the diagram here, and as more values are pushed, smaller and 00:40.230 --> 00:45.940 smaller addresses are used and the lower addresses are at the top of the stack. 00:45.960 --> 00:47.520 So this whole thing is a stack. 00:47.520 --> 00:56.670 Here is part of the Ram memory and the EVP is the base pointer is the register which stores the address 00:56.670 --> 00:58.740 of the bottom of the stack. 00:59.130 --> 01:05.590 The ESP is another pointer which stores the address of the top of the stack. 01:05.610 --> 01:11.130 So these are all registers which are useful for creating a stack. 01:11.940 --> 01:12.970 What is the hip? 01:13.330 --> 01:16.870 Hip are used for globally storing memory. 01:17.110 --> 01:20.740 All functions can access it because it is stored globally. 01:21.130 --> 01:24.310 They are typically stored in a data section of a program. 01:25.240 --> 01:26.490 In this API. 01:26.530 --> 01:30.190 RTL allocate heap can be used to create a heap. 01:31.060 --> 01:31.690 Malware. 01:31.720 --> 01:39.280 Use heap as a storage area for anything it is going to use and you can look up the mSDN help in the 01:39.280 --> 01:43.120 Google description of this API function. 01:43.570 --> 01:45.640 Next we look at CPU registers. 01:46.180 --> 01:49.960 The CPU registers consists of the following registers. 01:50.320 --> 01:51.070 Ekb. 01:51.400 --> 01:59.680 All the way to IP X is typically known as the accumulator for arithmetic operations. 02:00.100 --> 02:02.710 EB is the base pointer to point to data. 02:03.700 --> 02:08.800 X is usually a counter for shifting rotating instructions and for looping. 02:09.700 --> 02:14.320 X is for data arithmetic and IO esi is a source. 02:14.320 --> 02:16.510 Index is a pointer to the source. 02:16.630 --> 02:23.500 In string operations, EDI is a destination index pointer to destination in string operations. 02:24.100 --> 02:28.430 EB is a base pointer which points to the base of the stack which we have seen. 02:28.820 --> 02:35.960 ESP is a stack pointer which points to the top of the stack and EIP is the instruction pointer, which 02:35.960 --> 02:39.710 stores the address of the next instruction that is going to execute. 02:40.280 --> 02:42.140 There are also segment registers. 02:42.150 --> 02:44.690 SS is a stack pointer. 02:44.810 --> 02:46.940 CS is a good pointer. 02:46.980 --> 02:49.490 DS Data pointer and so on. 02:49.520 --> 02:55.220 The important ones are SS, CS and DS, and these are called segment registers. 02:55.310 --> 02:59.060 You can access parts of a register, for example. 02:59.150 --> 03:00.140 A register. 03:00.440 --> 03:07.640 In this example is 32 bit register consists of four bytes, which is also known as the DWord, four 03:07.640 --> 03:08.930 bytes, 32 bits. 03:08.960 --> 03:14.720 If you only wanted to access half of it, which is actually accessing the word the lower two bytes, 03:14.720 --> 03:19.520 which is 16 bits, you can use this symbol a x instead of x. 03:19.910 --> 03:28.250 And if you wanted to access the lower lower most byte, which is the eight bits, then you can use Al. 03:29.200 --> 03:32.050 So Al accesses the lower byte. 03:32.440 --> 03:33.970 H accesses the higher byte. 03:35.050 --> 03:36.430 So example is this. 03:36.430 --> 03:41.650 Supposing the x has got this hex values one, two, three, four, five, six, seven and eight. 03:41.680 --> 03:45.730 If you are going to access the x, this is this is a DWord. 03:45.760 --> 03:49.300 If you want to access the word, then he will use a X. 03:49.570 --> 03:54.670 If he wanted to access the higher byte, you use a and lower byte al. 03:54.700 --> 03:56.020 So this is what you will get. 03:56.230 --> 03:58.270 A X will give you five, six, seven, eight. 03:58.660 --> 04:02.350 H will give you five, six and Al will give you seven eight. 04:02.920 --> 04:05.740 The same thing applies to all the other registers. 04:05.770 --> 04:13.990 For example, if you are accessing x, you will use for the word and for the lower byte will be b, 04:13.990 --> 04:17.080 l, higher byte will be B and so on. 04:17.680 --> 04:19.630 We also have the flex register. 04:19.720 --> 04:24.100 This is the register where each bit acts as a flag containing a one or a zero. 04:24.130 --> 04:26.050 The important ones are as follows. 04:26.290 --> 04:28.510 The CF is a carry flag. 04:28.540 --> 04:33.260 It is set when the result of an operation is too large for the destination operand. 04:33.620 --> 04:34.850 The zero flag. 04:35.030 --> 04:38.600 It is set when the result of an operation is equal to zero. 04:38.870 --> 04:42.530 The sign flag is set if the result of an operation is negative. 04:42.680 --> 04:46.820 And the DF flag, also known as a trap flag, is set. 04:46.850 --> 04:53.810 If you are doing step by step, debugging and malware can detect this sometimes if they have Anti-debugging 04:53.810 --> 04:54.770 functionality. 04:55.280 --> 04:57.050 Assembly language Instructions. 04:57.200 --> 04:58.550 Three main categories. 04:58.580 --> 04:59.740 Data flow. 04:59.750 --> 05:00.530 For example. 05:00.530 --> 05:01.740 The Move instruction. 05:01.760 --> 05:02.720 Control Flow. 05:02.720 --> 05:03.320 For example. 05:03.320 --> 05:03.650 Push. 05:03.650 --> 05:04.610 Call and jump. 05:04.940 --> 05:06.050 Arithmetic and logic. 05:06.050 --> 05:06.890 For example. 05:06.890 --> 05:07.970 Xor or. 05:07.970 --> 05:08.720 And mul. 05:08.720 --> 05:09.320 And add. 05:10.490 --> 05:12.980 Examples of data transfer instructions are. 05:13.460 --> 05:14.180 Move. 05:14.480 --> 05:15.720 The purpose is to move. 05:15.740 --> 05:18.830 For example, move source to destination. 05:18.830 --> 05:25.760 An example will be move the value stored in the address to the x register. 05:26.150 --> 05:32.600 Move x which means move zero extended for example, move source to destination. 05:32.600 --> 05:39.950 So this will move the hexadecimal 123 into x and pad the higher order bits with zeros. 05:40.850 --> 05:44.870 LDA load effective address for example for source to destination. 05:45.110 --> 05:51.800 This will load the address after u minus four zero inches hex from EB and store. 05:51.800 --> 05:58.940 The resulting address in exchange is to swap the values between two registers. 05:58.940 --> 06:05.030 For example, exchange source and destination will swap whatever is in source into destination and whatever 06:05.030 --> 06:06.680 in destination into source. 06:07.100 --> 06:10.190 Examples of control flow instructions jumps. 06:10.760 --> 06:17.960 So this is an unconditional jump where it will jump no matter what the condition is prior to it. 06:18.200 --> 06:23.210 Example we jump to the value stored in this address. 06:23.660 --> 06:25.400 J is a conditional jump. 06:25.790 --> 06:28.250 It jumps only if the zero flag is one. 06:28.250 --> 06:36.970 For example, J address jump not zero jump not zero will jump if the zero flag is zero. 06:37.150 --> 06:41.020 If jump is preceded by either a test or compare instruction. 06:41.230 --> 06:47.260 However, jump is a unconditional jump and not preceded by any test or compare. 06:48.730 --> 06:50.620 Here is an example of a jump. 06:51.280 --> 06:58.180 So this jump will only take place if the comparison here is is equal to zero. 06:58.180 --> 07:02.560 For example, if x minus SC is zero, then this will jump. 07:03.220 --> 07:05.020 This JB is jumped below. 07:05.020 --> 07:15.340 So this jump below only happens if the x minus the value stored in Ed's plus C is less than zero. 07:15.370 --> 07:16.330 Then if we jump. 07:18.100 --> 07:19.570 And over here, jump. 07:19.570 --> 07:20.260 Not equal. 07:20.290 --> 07:21.310 Jump not equal. 07:21.310 --> 07:23.380 Only happen if the. 07:24.460 --> 07:25.540 X minus. 07:26.110 --> 07:27.540 I is not equal to zero. 07:27.550 --> 07:28.690 Then only it will jump. 07:30.030 --> 07:35.010 Examples of arithmetic instructions add sub email and inc. 07:35.010 --> 07:37.110 So examples would be. 07:37.880 --> 07:43.310 Add source to destination, which means that you take whatever is in source, add to destination and 07:43.310 --> 07:45.230 store the results in destination. 07:45.720 --> 07:48.410 Sub just the same thing, but just minus. 07:48.790 --> 07:55.340 Email is where you multiply source by the value and then store the result in destination. 07:55.370 --> 07:59.840 Increment in C means you increment whatever is in the register by one. 07:59.840 --> 08:01.550 And these are examples here. 08:02.120 --> 08:04.070 Examples of logic instructions. 08:04.100 --> 08:07.060 XOR performs bitwise xor for example. 08:07.080 --> 08:08.930 Source Source Destination. 08:09.790 --> 08:11.530 And then here, shift left. 08:11.560 --> 08:18.010 That means you shift all the bits by left, by by the number of bits indicated in source. 08:18.040 --> 08:25.630 For example, if x is one, then you shift every bit here to the left by one and perform bitwise and. 08:25.660 --> 08:29.950 So here you perform an n operation with a source and a destination. 08:31.600 --> 08:33.400 Test and compare instructions. 08:33.820 --> 08:37.910 This is where you perform a bitwise and on two operands. 08:37.930 --> 08:40.930 If the result is zero zero flag is set. 08:41.110 --> 08:43.030 Often used with conditional jumps. 08:43.660 --> 08:48.680 CMP is where you compare the first operation with the second operation by subtraction. 08:48.700 --> 08:56.380 So this is an example here where you take argument one minus, argument two jump instructions always 08:56.380 --> 09:02.320 come immediately after a test or a compare, as I've just demonstrated earlier on return values. 09:02.620 --> 09:06.250 X Register is used to hold the return value of a function call. 09:06.520 --> 09:13.600 The return value could be an integer or a zero or even negative one, which is denoted in hex by all 09:13.600 --> 09:14.140 F's. 09:14.170 --> 09:18.160 It can also be an address, for example, this hexadecimal address. 09:19.120 --> 09:25.360 Take for example this output from the x64 DBG. 09:25.900 --> 09:28.810 Over here you will see a bush seven. 09:28.810 --> 09:35.090 So push seven will push seven to the stack down here and then call after it calls this function. 09:35.120 --> 09:38.030 It will return the result of the call in X. 09:39.680 --> 09:43.770 That's all for this primer on assembly language. 09:43.790 --> 09:45.020 Thank you for watching.