Introduction to assembly language.


LabZero

Source: material from my school.

Hello,

Usually we do not have access to the source code of the malware, so we must analyse the binary (the executable file). Where static analysis with a disassembler has not provided enough information, a debugger is needed so that the low-level code (assembly) can be stepped through and controlled.
Assembly is a low-level language, very close to machine language.
In machine language, specific sequences of bits (opcodes) correspond to basic instructions; assembly language associates a mnemonic with each opcode.
Each architecture therefore has its own assembly language; here we look at the 32-bit Intel x86 architecture.
The topic is very broad, so we will only cover the most important features.

The registers

Registers are "containers", like the variables of a high-level language.
The first eight, called general-purpose registers, can be used generically, but each also has a conventional use:

EAX: accumulator (arithmetic results, function return values)

EBX: pointer to data (in the DS segment)

ECX: counter (loops, string and shift instructions)

EDX: I/O pointer

ESI: source pointer for string operations

EDI: destination pointer for string operations

ESP: stack pointer (address of the top of the stack)

EBP: base pointer, used to address data on the stack (the current stack frame)

EIP is a special register that contains the address of the next instruction to be executed.

EFLAGS is a register that contains flags; the ones that concern us are the status flags and the direction flag DF.

The status flags record the result of arithmetic operations; the most used are:

CF, carry flag: set when an unsigned operation produced a carry (or borrow) out of the most significant bit.

ZF, zero flag: indicates if the result is zero.

SF, sign flag: a copy of the most significant bit of the result, i.e. it indicates whether the result is negative when interpreted as a signed number.

There is also DF, the direction flag, which controls the direction (increasing or decreasing addresses) in which the string instructions move ESI and EDI.

The stack

The stack is a LIFO (Last-In, First-Out) structure in memory; the stack pointer ESP points to its top, and it is usually manipulated through the PUSH and POP instructions.
Besides data, it also holds the return addresses of calls.
When a CALL instruction invokes a sub-procedure, the address of the instruction following the CALL is pushed onto the stack. In this way, when the procedure ends with RET, that address is popped into EIP and the program resumes running from the instruction after the CALL.

The instructions

In Intel syntax, the first operand is the destination and the second is the source.

MOV EAX, EBX copies the content of EBX into EAX.

MOV EAX, [EBX] copies the dword at the address contained in EBX into EAX.

JMP 0x1234 is an unconditional jump to the address 0x1234.

CMP EAX, EBX compares the contents of EAX and EBX (it computes EAX - EBX without storing the result) and sets the status flags accordingly.

There are also conditional jumps: the jump is taken or not depending on the relevant flags.

JNZ/JNE jumps only if ZF is clear, i.e. the result of the last operation was non-zero (after CMP EAX, EBX: only if EAX and EBX differ).

JLE jumps if less than or equal, as a signed comparison (ZF set, or SF different from OF).
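To make the registers, the status flags, the stack and CALL/RET concrete, here is an added example that is not part of the original post: a toy interpreter written in C for a handful of the instructions described above. The fixed-width instruction encoding, the register and flag names as C enums, the 1 KiB flat memory and the short demo program are all constructed for this illustration; it is not a real x86 emulator (no real opcodes are decoded), but the flag semantics of CMP/SUB and the PUSH/POP/CALL/RET behaviour match the 32-bit architecture. The overflow flag OF, which the post does not list, is included because JLE cannot be decided without it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Registers and EFLAGS bits. Bit positions match the real EFLAGS layout. */
enum Reg  { EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP, NREGS };
enum Flag { CF = 1u << 0, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };

/* Hypothetical fixed-width encoding (NOT real x86 opcodes): op, regs a/b, immediate. */
enum Op { MOV_RR, MOV_RI, MOV_RM, ADD_RR, SUB_RI, CMP_RR,
          JMP, JNE, JLE, PUSH, POP, CALL, RET, HLT };
typedef struct { enum Op op; enum Reg a; enum Reg b; uint32_t imm; } Insn;

#define MEM_SIZE 1024u
typedef struct {
    uint32_t r[NREGS];        /* general-purpose registers */
    uint32_t eip;             /* index of the next instruction to execute */
    uint32_t eflags;
    uint8_t  mem[MEM_SIZE];   /* flat memory; the stack grows down from the top */
} Cpu;

static uint32_t ld32(const Cpu *c, uint32_t addr) { uint32_t v; memcpy(&v, c->mem + addr, 4); return v; }
static void     st32(Cpu *c, uint32_t addr, uint32_t v) { memcpy(c->mem + addr, &v, 4); }

/* Set CF/ZF/SF/OF exactly as CMP or SUB do for the operation a - b. */
static void set_flags_sub(Cpu *c, uint32_t a, uint32_t b) {
    uint32_t res = a - b;
    c->eflags &= ~(uint32_t)(CF | ZF | SF | OF);
    if (a < b)                        c->eflags |= CF;   /* unsigned borrow          */
    if (res == 0)                     c->eflags |= ZF;
    if (res >> 31)                    c->eflags |= SF;   /* negative as signed       */
    if (((a ^ b) & (a ^ res)) >> 31)  c->eflags |= OF;   /* signed overflow          */
}

/* PUSH decrements ESP then stores; POP loads then increments: LIFO. */
static void     push(Cpu *c, uint32_t v) { c->r[ESP] -= 4; st32(c, c->r[ESP], v); }
static uint32_t pop (Cpu *c)             { uint32_t v = ld32(c, c->r[ESP]); c->r[ESP] += 4; return v; }

/* Execute one instruction; returns 0 once HLT is reached. */
static int step(Cpu *c, const Insn *code) {
    Insn i = code[c->eip++];      /* EIP now points at the instruction after this one */
    uint32_t *r = c->r;
    int zf = !!(c->eflags & ZF), sf = !!(c->eflags & SF), of = !!(c->eflags & OF);
    switch (i.op) {
    case MOV_RR: r[i.a] = r[i.b];                         break; /* mov a, b     */
    case MOV_RI: r[i.a] = i.imm;                          break; /* mov a, imm   */
    case MOV_RM: r[i.a] = ld32(c, r[i.b]);                break; /* mov a, [b]   */
    case ADD_RR: r[i.a] += r[i.b];                        break; /* add a, b     */
    case SUB_RI: set_flags_sub(c, r[i.a], i.imm); r[i.a] -= i.imm; break;
    case CMP_RR: set_flags_sub(c, r[i.a], r[i.b]);        break; /* flags only   */
    case JMP:    c->eip = i.imm;                          break;
    case JNE:    if (!zf)            c->eip = i.imm;      break; /* ZF clear     */
    case JLE:    if (zf || sf != of) c->eip = i.imm;      break; /* signed <=    */
    case PUSH:   push(c, r[i.a]);                         break;
    case POP:    r[i.a] = pop(c);                         break;
    case CALL:   push(c, c->eip); c->eip = i.imm;         break; /* save return address */
    case RET:    c->eip = pop(c);                         break; /* jump back to it     */
    case HLT:    return 0;
    }
    return 1;
}

/* Constructed demo program (Intel-syntax equivalent in comments): add ECX into EAX
   through a subroutine while counting ECX down to 0, then load a dword via a pointer. */
static const Insn demo_prog[] = {
    /* 0 */ {MOV_RI, EAX, EAX, 0},     /* mov eax, 0                              */
    /* 1 */ {MOV_RI, ECX, EAX, 5},     /* mov ecx, 5                              */
    /* 2 */ {CALL,   EAX, EAX, 8},     /* call add_ecx   ; pushes 3 onto the stack */
    /* 3 */ {SUB_RI, ECX, EAX, 1},     /* sub ecx, 1     ; sets ZF when ECX hits 0 */
    /* 4 */ {JNE,    EAX, EAX, 2},     /* jne 2          ; loop while ECX != 0     */
    /* 5 */ {MOV_RI, EBX, EAX, 0x40},  /* mov ebx, 40h                            */
    /* 6 */ {MOV_RM, EDX, EBX, 0},     /* mov edx, [ebx]                          */
    /* 7 */ {HLT,    EAX, EAX, 0},
    /* 8 */ {ADD_RR, EAX, ECX, 0},     /* add_ecx: add eax, ecx                   */
    /* 9 */ {RET,    EAX, EAX, 0},     /* ret            ; pops 3 back into EIP   */
};

static void init_cpu(Cpu *c) {
    memset(c, 0, sizeof *c);
    c->r[ESP] = MEM_SIZE;          /* empty stack: ESP at the top of memory         */
    st32(c, 0x40, 0x1234);         /* constructed data read by mov edx, [ebx]       */
}

/* Run the demo to completion and return the final EAX (5+4+3+2+1 = 15). */
static uint32_t run_demo(Cpu *c) {
    init_cpu(c);
    while (step(c, demo_prog)) ;
    return c->r[EAX];
}

/* Execute up to and including the first CALL, then return the dword at [ESP]:
   the index of the instruction following the CALL, i.e. 3. */
static uint32_t return_address_after_call(void) {
    Cpu c;
    init_cpu(&c);
    step(&c, demo_prog); step(&c, demo_prog); step(&c, demo_prog);
    return ld32(&c, c.r[ESP]);
}

/* EFLAGS left by CMP a, b (computes a - b, stores nothing). */
static uint32_t flags_after_cmp(uint32_t a, uint32_t b) {
    Cpu c;
    init_cpu(&c);
    set_flags_sub(&c, a, b);
    return c.eflags;
}

int main(void) {
    Cpu c;
    uint32_t eax = run_demo(&c);
    printf("EAX after loop = %u, EDX = 0x%x, ESP back to %u\n", eax, c.r[EDX], c.r[ESP]);
    printf("return address pushed by CALL = %u\n", return_address_after_call());
    printf("CMP 3, 5 -> EFLAGS = 0x%x (CF and SF set)\n", flags_after_cmp(3, 5));
    return 0;
}
```

After the loop ESP is back at its initial value because every CALL's push is matched by RET's pop, which is exactly the balance a debugger shows you when you step over a well-behaved function; a CALL whose return address is never popped (or is overwritten) is one of the first things to look for in suspicious code.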

Well, these are the main points about assembly language.
This subject is difficult, but I really like it because it allows you to understand the main processes and functions of malware.

Enjoy Malware Analysis :)



 
