Weeks 1-2: Binary Analysis Flashcards
What is the key differences between x86 and x64?
Addresses in x64 are twice as long.
In x86, arguments are past on the stack.
In x64, first 6 arguments are past in registers (e.g. rax, rcx, XMM0 for floating points).
What is the x64 architecture?
LOW ADDRESS
Text (program code)
Data Heap (longer lived data - static vars, strings etc)
Free Memory
Stack (data in use by functions, env vars, etc)
HIGH ADDRESS
What are some registers in x64 architecture?
RAX - accumulator: primary work register, function return results
RIP - next command to ex
RSP - top of stack
RBP - bottom of stack
What are the calling conventions for functions in x64?
1 -> (first six) Arguments put in registers (RDI, RSI, etc)
2 -> Old RIP written to stack, RIP updated.
4 -> Old RBP stored on stack for function return.
5 -> RBP = RSP.
5 -> Results return in RAX and RDX.
What are executable files?
- Packages up assembly with info the OS needs to run it.
- Includes entry point to code, required libraries and links to important functions.
Linux: ELF
Mac: Mach-O
Windows: PE
Explain Buffer Overflows on x86 machines?
Instruction pointer stored on stack.
If program does not check input length, can overwrite.
Explain the NX-bit defense?
Provides hardware distinction between text and stack.
Program will crash if EIP ever points to stack.
Explain ASLR?
Adds random offset to stack base on each run of the program.
Jumps in program are altered to point to right line.
Now much harder to guess adress of functions + where to inject code.
Explain Stack Canaries/Stack Protection?
At the start of a function a random value from heap is written to the base of the stack.
When function finishes the value on the stack is checked against the value on the heap.
Any overwrite attempts will lead to a mismatch.
How can the NX-bit be bypassed?
Re-use code from executable part of memory.
These include functions from main binary or from any loaded libraries.
Can just to any point in function, not just the start.
Explain return-to-libc attacks?
Lots of useful functions in standard C library (e.g. “system” that runs any command) which is almost always loaded.
Memory map tells you where they are loaded.
Find function offsets in IDA.
Explain ROP attacks?
Can queue up instruction pointers on stack and execute any number of code segments one after another.
In x64: must load arg /bin/sh to RDI prior, calls to libc must make stack end in 0 - bytes alligned in groups of 16.
What attacks are possible against ASLR/Stack Canaries?
Brute forcing may be possible on 32-bit, not 64-bit.
Stack canaries only protect instruction pointer, can overwrite other values.
Heap overflow lets us overwrite data below it on the heap (mem alloc errors).
Explain Memory Allocation Vunerabilites?
Copying to/reading allocated memory with incorrect bound can overflow/learn heap memory.
Incorrect allocation can also lead to vunerabilities.
E.g: Use after free.
Explain Use-After-Free attacks?
malloc->use->free->use
After free, data remains in memory so program may work.
However other data may be allocated in its place.
If attacker controls new data they can control old data too.
