Blogs

The (Extended) Instruction Pointer (EIP)

What is EIP?

The instruction pointer is the single most important register to deal with in reverse engineering, because if we could alter it to point at another area of the code, we would have complete control over the program's flow.

Consider the following code:

#include <stdio.h>
#include <stdlib.h>

/* Never called from main: it only runs if the instruction pointer is redirected here. */
void unreachableFunction(void){
 printf("Nobody ever calls me! Except Hackers!\n");
 exit(1337);
}

int main(void){
 printf("Hello from Main! My name is Cambie.\n");
 return 0;
}

If we compile this program and run it we see the following output:

ASM Introduction

Assembly!

Assembly is a low-level programming language that provides a human-readable representation of machine code instructions. When reverse engineering malware, malicious programs can be converted from binary machine code back to assembly code, a process called ‘disassembly’.

x86 assembly refers to the 32-bit architecture, while x86_64 (x64) refers to 64-bit architectures.

What are CPU Registers?

As a program runs, the CPU uses registers, which are small storage locations on the processor chip itself, to hold data and keep track of the processing state. Because main memory is much slower, the CPU uses registers as much as possible for data storage and manipulation. Depending on the processor architecture, each register can hold a certain amount of data. A word is 16 bits of data. A 32-bit x86 register holds one dword (double word), or 32 bits of data, while an x64 register holds one qword (quad word), or 64 bits of data.

Malware Lab

One of the key aspects of analyzing malware is having a safe environment in which we can detonate malware without any danger. In this guide we’ll set up our own lab using qemu/kvm stack.

Let’s start with the basics.

What are KVM, Qemu and libvirt?

These three components are system tools, services or features that enable us to virtualize.

  • KVM (Kernel-based Virtual Machine) is an open-source virtualization technology for Linux. It allows Linux to function as a hypervisor that runs multiple isolated VMs.
  • Qemu (Quick Emulator) is a generic, open-source machine emulator and virtualizer. Its most common use is system emulation, where it provides virtual hardware such as disks, network interfaces and USB devices. Although Qemu can fully emulate the CPU, it can instead work with a hypervisor like KVM so that the guest runs directly on the host CPU.
  • libvirt is an open-source API, daemon and management tool for platform virtualization. It can manage KVM, Xen, VMware, Qemu and others; its APIs are consumed by client tools for provisioning and managing VMs.

Why qemu?

In my experience qemu is insanely fast and incredibly reliable when it comes to virtualization.