Shulou(Shulou.com)06/02 Report--

[PS: the notes that I recently wrote on my previous blog have been transferred directly. ]

Contact with the field of security for four years, large and small directions have seen some, but are not proficient, increasingly feel the lack of strength, so I decided to start today to learn the core knowledge and skills of Hack technology: vulnerability mining and malicious code analysis. Because it is mainly involved in this field, it has little to do with WEB security scripts and so on. It is necessary to pursue the root of everything, and it is hoped that we can make use of nearly two years to achieve little success.

Today, we are going to talk about the programming foundation of Hack technology. When it comes to the basics, everyone will give some insightful opinions. The mainstream recommendations are CAccord +, Java, Perl, Python, VB, etc.; furthermore, there are SOCKET programming, system programming and so on. I was confused for a long time. I studied C in university, self-taught Clearing courses for graduate students, and studied Python after work. My feeling is: to do engineering or to use C++, Java, but the development of security tools, or Python is better, because easy to learn and use and powerful, very suitable for writing their own personal gadgets. In my opinion, the foundation of Hack programming should involve the following aspects:

1. C _ programming language

two。 Computer memory knowledge

3. Basic knowledge of Intel processor

4. The basis of assembly language

5. Gdb program debugging

6. Python programming skills

The following is a brief explanation one by one.

1. C programming language

The importance of C is that the systems of Unix and Windows are mainly written in C, so the underlying core mechanism is still C. although the C++ framework is used more and more in Widows system, the root cause of its vulnerability is roughly the same as C, and the fundamental problem of its vulnerability has not been solved. C _ language can help us to understand the implementation of vulnerabilities. This section only needs to master the basic knowledge of main (), variables, function calls, basic input and output, string manipulation, condition / loop structure, and so on.

Another need to learn is the basic compilation skills, it is recommended to use gcc, because you can choose to get the target file (gcc-c), assembly file (gcc-S), turn off stack protection (gcc-fno-stack-protector) and other options, it can be said that the function is very powerful.

Specific points of knowledge can be found in my collection: http://blog.chinaunix.net/special/show/sid/1129.html

II. Computer memory

The memory of the computer is the basic read-write memory, and the most relevant to our program is RAM. Here are a few small points to grasp:

-1. Byte order: different vendors support different write orders. Some manufacturers think that data should be written from a low address in memory, such as Intel, so it is called "small-end method"; others think that it should start from a high address, such as Moto, so it is called "big-end method". We will actually deal with these two write methods when we discuss shellcode later.

-2. Program layout in memory: of course, each process has its own memory space, the process is actually the resource container in which the program is running, and the thread is the concrete running instance. Here we focus on six main memory sections, which are:

This section, which is consistent with the .text section of the binary executable file, mainly contains the machine instructions that need to be executed to complete the work. This section is read-only and will result in segment errors if written.

Section 2.2, which is mainly used to store global initialization variables, such as int a = 0, whose size is fixed at run time

-2.3-:.bss section, below the stack (below stack section), which stores uninitialized global variables, such as int b, and has a fixed runtime size

-2.4 music: heap section, which is used to deal with variables dynamically assigned by the program at run time, and the space allocated is written from low address to high address.

The stack section mainly deals with function procedure call data, including variables and statements within the function, but most systems use the method from high address to low address. This stack growth mode leads to the existence of soul rush overflow.

-2.6 shell: environment / parameters section, which is used to hold copies of system-level variables that may be used by a process at run time, such as the path accessible to the running process, the environment name, and the host name.

-3. Buffers, strings and pointers: this part is the basis of C, so there is no need to say more, right?

3. Intel processor

Processor part of the main knowledge is to focus on commonly used registers, such as the general register EAX/EBX/ECX/EDX, such as segment register CS/SS/DS/ES/FS/GS, etc., where the more important is ESP (extended stack pointer), we often need to use ESP to determine the location of the top of the stack; the other is the EIP register, which stores the address of the next instruction that CPU will execute.

For more information, please refer to http://blog.chinaunix.net/uid-26275986-id-4334522.html

IV. Foundation of assembly language

To do security, you have to understand assembly, and you may not be able to program with assembly, but reading assembly is a basic requirement, and it is difficult for people who do not understand assembly to go deep into the nature of security issues. Assembly language is divided into ATT and NASM formats, although the final generated machine instructions are exactly the same, but the assembly language representation is different. For example, the order of operands of ATT is opposite to that of NASM:

Write 0x10 to the EAX register:

ATT: Movl% eax, $0x10

NASM: mov 0x10, eax

As you can see, constants under ATT need to use the $prefix, while registers must use the% prefix, and the operands are in reverse order. Assembly language is not easy to learn. Fortunately, we are not assembly programmers. We just need to be familiar with some common commands and be able to read and analyze them when needed:

1. Mov: this command is used to copy data from source to destination. After successful replication, the source data will not be removed.

2. The add/sub:add command is used to add the source data to the destination data and save the result at the destination; the sub command is used to subtract the source from the destination and store the result at the destination

3. Push/pop:push is used to press the stack to write a data to the stack, while pop is used to pop the stack, that is, to take the top element from the stack and save it to the Operand

4. Xor: XOR command is actually an operation to determine whether the binary bit is the same. The difference is different, that is, '1binary, the same is' 0binary, similar to the mod2 operation.

5. Jne/jnz, je/jz, jmp:jne and jnz are the same thing: jump when zero marks ZF=0; je and jz jump when ZF=1; jmp jumps whenever

6. Call/ret: for function procedure calls and procedure returns

7. Inc/dec: this command is used to increment or decrement the destination Operand

8. Lea: this command is used to load the actual address of the source Operand into the destination Operand, such as lea eax, [dsi+4]

9. Int: this command throws a system interrupt signal to CPU, usually 0x80, which is used to send system calls to the kernel

In addition to the basic assembly commands, you also need to understand the addressing mode of assembly, mainly a variety of indirect and relative addressing, which are fortunately not difficult. Another skill is the ability to debug programs using gdb, such as setting up endpoint tracking.

5. Python programming skills

This part can mainly use the tools needed for Python development, the basic grammar concepts can refer to the mainstream textbooks and books, you can also refer to my collection: http://blog.chinaunix.net/special/show/sid/1235.html

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.