EAX
Accumulator Register
- Used for common calculations such as ADD and SUB.
- Used to store a return value of a function.
- EAX refers to the 32-bit register in its entirety.
- AX refers to the least significant 16 bits.
- AH: the 8 most significant bits of AX
- AL: the 8 least significant bits of AX
EBX
Base Register
- Does not have a special purpose.
- A catch-all for available storage.
- Can be referenced in whole (EBX), or in part (BX, BA, BL)
ECX
Counter Register
- The counter or count register, used as a loop and function repetition counter.
- Can also be used to store any data.
- Like EAX, it can be referenced in whole (ECX) or in part (CX, CH, CL).
EDX
Data Register
- Like a partner register to EAX.
- Often used in mathematical operations like division and multiplication, to deal with overflow where the most significant bits would be stored in EDX and the least significant in EAX.
- Also commonly used for storing function variables.
- Like EAX, it can be referenced in whole (EDX) or in part (DX, DH, DL)
ESI
Source Index
- Used to store the pointer to a read location.
- If a function is designed to read a string, ESI would hold the pointer to the location of that string.
EDI
Destination Index
- Can be (and is) used for general data storage.
- Primarily designed to store the storage pointers of functions, such as the write address of a string operation.
EBP
Base Pointer
- Used to keep track of the base/bottom of the stack.
- Often used to reference variables located on the stack by using an offset to the current value of EBP, though if parameters are only referenced by register, you may choose to use EBP for general use purposes.
ESP
Stack Pointer
- Used to keep track of the top of the stack.
- As items are moved to and from the stack, ESP increments/decrements accordingly.
- Of all the general purpose registers, ESP is rarely/never used for anything other than it’s intended purpose.
EIP
Instruction Pointer
- Points to the memory address of the next instruction to be executed by the CPU.
- Control the value of EIP and you control the execution flow of the application (to execute code of your choosing.)
ADD/SUB op1, op2
add or subtract two operands, storing the result in the first operand. These can be registers, memory locations (limit of one) or constants. For example, ADD EAX, 10 means add 10 to the value of EAX and store the result in EAX
XOR EAX, EAX
Performing an ‘exclusive or’ of a register with itself sets its value to zero; an easy way of clearing the contents of a register
INC/DEC op1
increment or decrement the value of the operand by one
CMP op1, op2
compare the value of two operands (register/memory address/constant) and set the appropriate EFLAGS value
Jump (JMP) and conditional jump (je, jz, etc)
as the name implies these instructions allow you to jump to another location in the execution flow/instruction set. The JMP instruction simply jumps to a location whereas the conditional jumps (je, jz, etc) are taken only if certain criteria are met (using the EFLAGS register values mentioned earlier). For example, you might compare the values of two registers and jump to a location if they are both equal (uses je instruction and zero flag (zf) = 1).
ADD DWORD PTR [X] or MOV eax, [ebx]
Referring to the value stored at memory address X. In other words, EBX refers to the contents of EBX whereas [EBX] refers to the value stored at the memory address in EBX.
Relevant size keywords
BYTE, WORD, DWORD
Relevant size keywords
BYTE = 1 byte WORD = 2 bytes DWORD = 4 bytes
Kernal Land (Memory Stack)
Reserved by the OS for device drivers, system cache, paged/non-paged pool, HAL, etc. There is no user access to this portion of memory.
PEB (Process Environment Block)
- Resides in user-accessible memory. (When you run a program/application, an instance of that executable known as a process is run. Each process provides the resources necessary to run an instance of that program. Every Windows process has an executive process (EPROCESS) structure that contains process attributes and pointers to related data structures.)
- Examine the contents of PEB by issuing the !peb command.
- The PEB includes information such as the base address of the image (executable), the location of the heap, the loaded modules (DLLs), and Environment variables (Operating system, relevant paths, etc).
TEB (Thread Environment Block)
- A program, or process, can have one or more threads which serve as the basic unit to which the operating system allocates processor time. Each process begins with a single thread (primary thread) but can create additional threads as needed. All of the threads share the same virtual address space and system resources allocated to the parent process. Each thread also has its own resources including exception handlers, priorities, local storage, etc
- Just like each program/process has a PEB, each thread has a Thread Environment Block (TEB). The TEB stores context information for the image loader and various Windows DLLs, as well as the location for the exception handler list
- Like the PEB, the TEB resides in the process address space since user-mode components require writable access
DLL (Dynamic Link Libraries)
- Shared code libraries which allow for effecient code reuse and memory allocation.
- Known as executable modules, they occupy a portion of the memory space.
Heap
- Dynamically allocated (e.g. malloc()) portion of memory a program uses to store global variables.
- Must be managed by the application.
- The memory will remain allocated until it is freed by the program or the program itself terminates.
- Think of it as a shared pool of memory.
The Stack
- The stack is used to allocate short-term storage for local (function/method) variables in an ordered manner and that memory is subsequently freed at the termination of the given function.
- Each thread/function is allocated its own stack frame. The size of that stack frame is fixed after creation and the stack frame is deleted at the conclusion of the function.
PUSH and POP
- The stack is a last-in first-out (LIFO) structure meaning the last item you put on the stack is the first item you take off. You “push” items onto the top of the stack and you “pop” items off of the top of the stack.
System Calls
Leverage OS for tasks. Provides a simple interface for userspace programs to the Kernel.
Imagine if you had to write code from scratch to:
- write to disk
- print on screen
- etc…
