The summer semester is coming to an end, all of my homework has been turned in and I just have to study for a final later this week. Still waiting on my grades for two assignments, I hope/think I did alright.
I've been doing a lot of extra reading on the side, mostly because I felt I had to in order to make sense of what I was learning. For example, I was initially a little confused by references to registers and registries, but I think I've got it all straight now (very different things!). Assembly Language Step by Step is a really awesome book, btw. Loved it. Of course, I don't know if I would have understood the importance of what it taught if I hadn't seen how that information matters when it comes to understanding malware and computer hacks.
I don't want to get too technical (those who know probably know this even better than I do, and those who don't probably aren't too interested in hearing the details) and I may have misunderstood something, but I'll give a very small snippet, explaining part of why I felt the need to get this book.
There's a bit of a co-evolution going on between cyber defenders and cyber attackers. Sort of like we have with bacteria and anti-bacteria. Any time one side changes their methods, the other side changes to counter it. We have anti-virus scanners, so the people who write malware want to create programs that can't be detected by the scanners. There are a couple of different techniques, one of which is to change up the code (in a way that has no real impact on its functionality) so that scanners can't easily compare the program to their known list of programs and identify it as malicious.
Some examples of such junk sequences are:
XOR register, register
SUB register, register
or (used together)
INC AX
DEC AX
If you are like I was just a short little while ago, this doesn't really make a lot of sense. I did know that the first part was instructions (XOR is "Exclusive Or", SUB for subtract, INC for increment and DEC for decrement) but registers? AX? Or (not listed in the commands above) other registers like EBP, EIP, ESP, EAX, etc? And what do those commands above do?
Without trying to go into too much detail, I'll illustrate with the first two sequences.
'register' is just a stand-in for any of the registers in your processor. That gets into the mechanics of how your computer runs a program. The overly simplified short version is that the computer loads whatever the program needs into a designated memory space, and in that space it will refer to what it needs by the memory address. The various addresses and values are stored in the registers. That's how it knows where to find the next instruction, or what value you told it previously when you want to add 2 + 2. So the instruction above could say XOR EAX, EAX or XOR EDX, EDX; just substitute an appropriate register in the code.
The style is to write the action (XOR), destination and source. So this is saying to XOR the EAX register to the EAX register. When you tell a computer to take an "exclusive or" action, you're telling it to compare the source to the destination. Remember, this is all in binary (1s and 0s). Whatever data is in EAX is going to be something like 010111. "Exclusive or" means it can be one or the other, but not both. So if you compare 110 to 101, it looks at the first digit in each number (0 and 1) and asks "are they the same? or different?" If they are the same, it returns a '0'. If not, it returns a '1'. It then compares the next two digits, and so on and so forth. XOR the values 110 to 101 and it will return 010.
If you compare something to itself, it will always return 0 since each comparison will be a match. And if you subtract something from itself you will also get 0. Both lines of code do the exact same thing, but it's done differently...which means if an anti-virus scanner tries to compare something containing the code XOR EAX, EAX to something containing the code SUB EAX, EAX...it doesn't look the same.
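The mismatch described above, and one way a scanner can counter it, as an added example that is not part of the original post. It assumes 32-bit x86 encodings and instructions already split at their boundaries (as a disassembler would provide); the function names and both byte samples are constructed for illustration.

```python
import hashlib

# ModRM byte for "reg, same reg" (mod=11, reg == rm) -> register number (0 = EAX ... 7 = EDI)
SAME_REG_MODRM = {0xC0 | (n << 3) | n: n for n in range(8)}
ZEROING_OPCODES = {0x31, 0x33, 0x29, 0x2B}  # XOR and SUB, both operand encodings

def zeroed_reg(insn):
    """Register number if insn is XOR r32,r32 or SUB r32,r32 on one register, else None."""
    if len(insn) == 2 and insn[0] in ZEROING_OPCODES:
        return SAME_REG_MODRM.get(insn[1])
    return None

def inc_dec(insn):
    """('inc'|'dec', reg) for 66 40+r / 66 48+r (INC/DEC r16 in 32-bit mode), else None."""
    if len(insn) == 2 and insn[0] == 0x66 and 0x40 <= insn[1] <= 0x4F:
        return ("inc" if insn[1] < 0x48 else "dec", insn[1] & 7)
    return None

def normalize(insns):
    """Rewrite zeroing idioms to XOR r,r and drop adjacent INC r / DEC r pairs."""
    out, i = [], 0
    while i < len(insns):
        a = inc_dec(insns[i])
        b = inc_dec(insns[i + 1]) if i + 1 < len(insns) else None
        if a and b and a[1] == b[1] and a[0] != b[0]:
            i += 2  # register ends up unchanged; flags do change, ignored in this sketch
            continue
        r = zeroed_reg(insns[i])
        out.append(bytes([0x31, 0xC0 | (r << 3) | r]) if r is not None else insns[i])
        i += 1
    return out

def fingerprint(insns, normalized=False):
    """SHA-256 over the raw or normalized instruction bytes."""
    stream = normalize(insns) if normalized else insns
    return hashlib.sha256(b"".join(stream)).hexdigest()

# Constructed, harmless samples: zero EAX, push eax, pop ebx, ret
VARIANT_A = [b"\x31\xc0", b"\x50", b"\x5b", b"\xc3"]                          # xor eax, eax
VARIANT_B = [b"\x29\xc0", b"\x66\x40", b"\x66\x48", b"\x50", b"\x5b", b"\xc3"]  # sub + inc/dec ax

if __name__ == "__main__":
    print("raw match:       ", fingerprint(VARIANT_A) == fingerprint(VARIANT_B))
    print("normalized match:", fingerprint(VARIANT_A, True) == fingerprint(VARIANT_B, True))
```

The raw fingerprints differ because XOR EAX, EAX encodes as 31 C0 while SUB EAX, EAX encodes as 29 C0; after normalization both variants reduce to the same byte stream.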
Anyways, I wanted to write a little bit more about another topic, so I'll do that next.