Perl で学ぶ x86 アセンブラ⼊⾨


       CybozuLabs, Inc.
         ”TAKESAKO”
    <takesako@shibuya.pl>
MS-DOS 時代の
   16bit
アセンブラ入門
MS-DOS 16bit (int 21H)

    ; NASM HelloWorld (MS-DOS 16bit x86 COM)
    ;
    ; Build and disassemble:
    ; $ nasmw -f bin hello16.asm -o hello16.com
    ; $ ndisasmw hello16.com > hello16.txt
    ;
    ; A .COM image is loaded at offset 100h of a single segment, so the
    ; program only has to point DS at CS before using the data label.
    org 100h

    section .text
    start:
        mov ax, cs
        mov ds, ax          ; data segment := code segment (one segment for a COM file)

    show:
        mov dx, msg         ; DS:DX -> '$'-terminated string
        mov ah, 0x09        ; DOS service 09h: write string to standard output
        int 0x21

    done:
        mov ah, 0x4c        ; DOS service 4Ch: terminate process
        mov al, 0x00        ; exit status 0
        int 0x21

    section .data
    msg db 'Hello, world!', 0x0d, 0x0a, '$'

    section .bss
MS-DOS 16bit

hello16.com
ドットコム


バブル時代
disasm hello16.com

    00000000  8CC8      mov ax,cs
    00000002  8ED8      mov ds,ax
    00000004  BA1401    mov dx,0x114
    00000007  B409      mov ah,0x9
    00000009  CD21      int 0x21
    0000000B  B44C      mov ah,0x4c
    0000000D  B000      mov al,0x0
    0000000F  CD21      int 0x21
    00000011  0000      add [bx+si],al
    00000013  004865    add [bx+si+0x65],cl     ; 'H' 'e'
    00000016  6C        insb                    ; 'l'
    00000017  6C        insb                    ; 'l'
    00000018  6F        outsw                   ; 'o'
    00000019  2C20      sub al,0x20             ; ',' ' '
    0000001B  776F      ja 0x8c                 ; 'w' 'o'
    0000001D  726C      jc 0x8b                 ; 'r' 'l'
    0000001F  64210D    and [fs:di],cx          ; 'd' '!' '\r'
    00000022  0A24      or ah,[si]              ; '\n' '$'
Windows PE
32bit Binary
Hello, Win32API world

    ; NASM HelloWorld (Win32API x86 PE) using ALINK
    ;
    ; $ nasmw -f win32 hello32x.asm
    ; $ alink -oPE hello32x c:\nasm\win32.lib -entry main
    ;
    ; Calls MessageBoxA(hWnd, lpText, lpCaption, uType) once and returns.
    ; MessageBoxA is stdcall: arguments are pushed right-to-left and the
    ; callee removes them, so nothing has to be popped after the call.

    extern MessageBoxA

    section .text
    global main

    main:
        push dword 0            ; uType     = 0 (MB_OK)
        push dword caption      ; lpCaption
        push dword body         ; lpText
        push dword 0            ; hWnd      = NULL
        call MessageBoxA
        ret

    section .data

    caption: db 'Message', 0
    body:    db 'Hello,World!', 0
PE Golf (Win32 x86) - 1/2
    BITS 32                         ; http://firewood.txt-nifty.com/bbc/files/hello.asm
    ORG 0                           ; http://d.hatena.ne.jp/firewood/20061120/1163957029
    ; Tiny PE: the DOS header, PE header, optional header and section table are
    ; overlapped, and the code lives in header fields the loader does not check.
    ; WriteFile is a hard-coded absolute address inside kernel32 of one specific
    ; Windows build; it breaks on any other build and under ASLR, as the comment says.
    WriteFile   equ 0x7c810d87      ; Varies depending on environments
    ImageBase   equ 0x00400000
    filealign   equ 4
    sectalign   equ 4               ; must be 4 because of e_lfanew
    %define round(n, r) (((n+(r-1))/r)*r)
                dw "MZ"             ; e_magic; the rest of the DOS header is never read
                dw 0
    pe_hdr      dd "PE"             ; Signature (file offset 4 == e_lfanew, see sectalign)
                dw 0x014C           ; CPU: i386
                dw 1                ; Number of Sections
    hello       db "Hello,world"    ; 11 bytes, parked in TimeDateStamp/PointerToSymbolTable/NumberOfSymbols
    hello_e     db 0
                dw 4                ; offset between sections and opthdr (SizeOfOptionalHeader)
                                    ; -> the section table starts 4 bytes into the optional
                                    ;    header, so every field below is read twice
                dw 0x0103           ; Characteristics: RELOCS_STRIPPED|EXECUTABLE|32BIT
    opthdr:
                dw 0x010B           ; Magic
    code1:                          ; 10 bytes: LinkerVersion, SizeOfCode, SizeOfInitializedData
                mov edx, hello + ImageBase
                push eax            ; these two pushes later serve as WriteFile's 4th/5th
                push ebx            ; arguments (whatever the loader left in eax/ebx)
                jmp short code2
                db 0                ; not used
                dd codesize         ; by offset: SizeOfUninitializedData / section VirtualSize
                dd code1            ; by offset: AddressOfEntryPoint / section VirtualAddress
                dd codesize         ; by offset: BaseOfCode / SizeOfRawData
                dd code1            ; EntryPoint (slide comment); by offset: BaseOfData / PointerToRawData
                dd ImageBase        ; ImageBaseAddress
PE Golf (Win32 x86) - 2/2

    ; Second half of the overlapped optional header / section table (see code1
    ; above): code2 and code3 sit in version fields the loader ignores.
    sectbl:     dd 4                ; PE hdr / Section Alignment
                dd 4                ; File Alignment
    code2:                          ; 8 bytes: OS version + image version fields
                push byte hello_e - hello   ; nNumberOfBytesToWrite (11)
                push edx            ; lpBuffer (hello + ImageBase, set in code1)
                push byte 7         ; stdout handle
                                    ; NOTE(review): assumes the console stdout handle is 7;
                                    ; not guaranteed, GetStdHandle is the portable way
                jmp short code3
                db 0                ; not used

                dw 4                ; Subsys Major Ver
    code3:                          ; 6 bytes: MinorSubsystemVersion + Win32VersionValue
                call WriteFile - ImageBase  ; rel32 to the absolute address, file is ORG 0
                ret                 ; back to the loader stub, which ends the process

                dd round(hdrsize, sectalign) + round(codesize, sectalign)   ; SizeOfImage
                dd round(hdrsize, filealign)                                ; SizeOfHeaders
                dd 0                ; CheckSum
                db 3                ; Subsystem: console (only the low byte is present; file ends here)

    codesize    equ $ - code1

    hdrsize     equ $ - $$

    filesize    equ $ - $$


                              Tiny PE - Creating the smallest possible PE executable
                              http://www.phreedom.org/solar/code/tinype/
hello32.exe

97byte executable binary
No Binary;
use Perl;
Win32::API

use Perl;
use Win32::API;

#!/usr/bin/perl

use Win32::API;

# Bind user32!MessageBoxA through Win32::API: three "N" (number) and one
# "P" (pointer) argument, returning a number. Then show one message box.
my ($lib, $func, $argtypes, $rettype) = ('user32', 'MessageBoxA', 'NPPN', 'N');
my $MessageBox = Win32::API->new($lib, $func, $argtypes, $rettype);

# MessageBoxA(hWnd = 0, lpText, lpCaption, uType = 0)
my @args = (0, "Hello, World!\n", "Message", 0);
$MessageBox->Call(@args);
DynaLoader

use x86;
no Win32::API;

# ! / u s r / b i                   n / p          e r l
 u s e D y n a L                     o a d          e r ;
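  # Resolve the exported function $API of the system DLL $DLL (looked up under
  # %SystemRoot%\system32) and return its address packed as a 32-bit
  # little-endian unsigned ("L"), ready to be spliced into a code string.
  # Dies with DynaLoader's error text when the DLL cannot be loaded or the
  # symbol is missing, instead of packing an undef into the code bytes.
  sub GetProcAddress {
      my ($DLL, $API) = @_;
      my $path = "$ENV{SystemRoot}\\system32\\$DLL";
      my $libref = DynaLoader::dl_load_file($path)
          or die "dl_load_file($path) failed: " . DynaLoader::dl_error();
      my $addr = DynaLoader::dl_find_symbol($libref, $API)
          or die "dl_find_symbol($API) failed: " . DynaLoader::dl_error();
      return pack "L", $addr;
  }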
# Machine code built as a Perl string: the same MessageBoxA call as the
# Win32::API version, with the arguments pushed right-to-left. 'h' is the
# opcode byte 0x68 (push imm32); pack("P", ...) embeds the address of the
# string buffer, pack("L", 0) a literal zero.
my $x86 = ""
    . "h" . "\0\0\0\0"                                      # push 0 ('h' == '\x68')  (uType)
    . "h" . pack("P", "Message")                            # push $title             (lpCaption)
    . "h" . pack("P", "Hello,World!\n")                     # push $message           (lpText)
    . "h" . pack("L", 0)                                    # push 0                  (hWnd)
    . "\xb8" . GetProcAddress("user32.dll", "MessageBoxA")  # mov eax, <addr>
    . "\xff\xd0"                                            # call eax
    . "\xc3"                                                # ret
    ;
# Register the buffer's address as XSUB "X" and call it, so the bytes of
# $x86 run as code. The buffer is ordinary writable heap memory: this only
# works where data pages are executable (DEP/NX stops it, as the next slide notes).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X();
Security Issue
DEP (Data Execution Prevention) on Windows
Linux x86

E L F   G o l f
Linux system call (int 80H)

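    ; NASM HelloWorld (Linux x86 ELF) using gcc
    ;
    ; $ nasmw hello.asm -f elf -o hello.o
    ; $ gcc hello.o -o hello
    ;
    ; Differences from the slide listing: `main` is exported with `global` so
    ; gcc can link it; the code sits in `section .text` (the listing had
    ; `main:` under `section .data`, a writable, non-executable page on
    ; NX-enabled systems); and ebx is cleared before sys_exit so the process
    ; exits with status 0 instead of the leftover file descriptor value 1.
    section .data
    msg db 'Hello,world!', 0x0A
    len equ $ - msg

    section .text
    global main
    main:
        mov eax, 4          ; system call number (sys_write)
        mov ebx, 1          ; file descriptor (stdout)
        mov ecx, msg        ; message to write
        mov edx, len        ; message length
        int 0x80            ; call kernel
        mov eax, 1          ; system call number (sys_exit)
        xor ebx, ebx        ; exit status 0 (ebx still held the fd otherwise)
        int 0x80            ; call kernel
        ; sys_write(stdout, msg, len);
        ; sys_exit(0);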
* linux-2.6.14/arch/i386/kernel/syscall_table.S (0-99/293)
     0  sys_restart_syscall    25  sys_stime          50  sys_getegid16      75  sys_setrlimit
     1  sys_exit               26  sys_ptrace         51  sys_acct           76  sys_old_getrlimit
     2  sys_fork               27  sys_alarm          52  sys_umount         77  sys_getrusage
     3  sys_read               28  sys_fstat          53  sys_ni_syscall     78  sys_gettimeofday
     4  sys_write              29  sys_pause          54  sys_ioctl          79  sys_settimeofday
     5  sys_open               30  sys_utime          55  sys_fcntl          80  sys_getgroups16
     6  sys_close              31  sys_ni_syscall     56  sys_ni_syscall     81  sys_setgroups16
     7  sys_waitpid            32  sys_ni_syscall     57  sys_setpgid        82  old_select
     8  sys_creat              33  sys_access         58  sys_ni_syscall     83  sys_symlink
     9  sys_link               34  sys_nice           59  sys_olduname       84  sys_lstat
    10  sys_unlink             35  sys_ni_syscall     60  sys_umask          85  sys_readlink
    11  sys_execve             36  sys_sync           61  sys_chroot         86  sys_uselib
    12  sys_chdir              37  sys_kill           62  sys_ustat          87  sys_swapon
    13  sys_time               38  sys_rename         63  sys_dup2           88  sys_reboot
    14  sys_mknod              39  sys_mkdir          64  sys_getppid        89  old_readdir
    15  sys_chmod              40  sys_rmdir          65  sys_getpgrp        90  old_mmap
    16  sys_lchown16           41  sys_dup            66  sys_setsid         91  sys_munmap
    17  sys_ni_syscall         42  sys_pipe           67  sys_sigaction      92  sys_truncate
    18  sys_stat               43  sys_times          68  sys_sgetmask       93  sys_ftruncate
    19  sys_lseek              44  sys_ni_syscall     69  sys_ssetmask       94  sys_fchmod
    20  sys_getpid             45  sys_brk            70  sys_setreuid16     95  sys_fchown16
    21  sys_mount              46  sys_setgid16       71  sys_setregid16     96  sys_getpriority
    22  sys_oldumount          47  sys_getgid16       72  sys_sigsuspend     97  sys_setpriority
    23  sys_setuid16           48  sys_signal         73  sys_sigpending     98  sys_ni_syscall
    24  sys_getuid16           49  sys_geteuid16      74  sys_sethostname    99  sys_statfs
* linux-2.6.14/arch/i386/kernel/syscall_table.S (100-199/293)
   100  sys_fstatfs          125  sys_mprotect         150  sys_mlock                      175  sys_rt_sigprocmask
   101  sys_ioperm           126  sys_sigprocmask      151  sys_munlock                    176  sys_rt_sigpending
   102  sys_socketcall       127  sys_ni_syscall       152  sys_mlockall                   177  sys_rt_sigtimedwait
   103  sys_syslog           128  sys_init_module      153  sys_munlockall                 178  sys_rt_sigqueueinfo
   104  sys_setitimer        129  sys_delete_module    154  sys_sched_setparam             179  sys_rt_sigsuspend
   105  sys_getitimer        130  sys_ni_syscall       155  sys_sched_getparam             180  sys_pread64
   106  sys_newstat          131  sys_quotactl         156  sys_sched_setscheduler         181  sys_pwrite64
   107  sys_newlstat         132  sys_getpgid          157  sys_sched_getscheduler         182  sys_chown16
   108  sys_newfstat         133  sys_fchdir           158  sys_sched_yield                183  sys_getcwd
   109  sys_uname            134  sys_bdflush          159  sys_sched_get_priority_max     184  sys_capget
   110  sys_iopl             135  sys_sysfs            160  sys_sched_get_priority_min     185  sys_capset
   111  sys_vhangup          136  sys_personality      161  sys_sched_rr_get_interval      186  sys_sigaltstack
   112  sys_ni_syscall       137  sys_ni_syscall       162  sys_nanosleep                  187  sys_sendfile
   113  sys_vm86old          138  sys_setfsuid16       163  sys_mremap                     188  sys_ni_syscall
   114  sys_wait4            139  sys_setfsgid16       164  sys_setresuid16                189  sys_ni_syscall
   115  sys_swapoff          140  sys_llseek           165  sys_getresuid16                190  sys_vfork
   116  sys_sysinfo          141  sys_getdents         166  sys_vm86                       191  sys_getrlimit
   117  sys_ipc              142  sys_select           167  sys_ni_syscall                 192  sys_mmap2
   118  sys_fsync            143  sys_flock            168  sys_poll                       193  sys_truncate64
   119  sys_sigreturn        144  sys_msync            169  sys_nfsservctl                 194  sys_ftruncate64
   120  sys_clone            145  sys_readv            170  sys_setresgid16                195  sys_stat64
   121  sys_setdomainname    146  sys_writev           171  sys_getresgid16                196  sys_lstat64
   122  sys_newuname         147  sys_getsid           172  sys_prctl                      197  sys_fstat64
   123  sys_modify_ldt       148  sys_fdatasync        173  sys_rt_sigreturn               198  sys_lchown
   124  sys_adjtimex         149  sys_sysctl           174  sys_rt_sigaction               199  sys_getuid
* linux-2.6.14/arch/i386/kernel/syscall_table.S (200-293/293)
   200  sys_getgid        225  sys_readahead             250  sys_fadvise64             275  sys_get_mempolicy
   201  sys_geteuid       226  sys_setxattr              251  sys_ni_syscall            276  sys_set_mempolicy
   202  sys_getegid       227  sys_lsetxattr             252  sys_exit_group            277  sys_mq_open
   203  sys_setreuid      228  sys_fsetxattr             253  sys_lookup_dcookie        278  sys_mq_unlink
   204  sys_setregid      229  sys_getxattr              254  sys_epoll_create          279  sys_mq_timedsend
   205  sys_getgroups     230  sys_lgetxattr             255  sys_epoll_ctl             280  sys_mq_timedreceive
   206  sys_setgroups     231  sys_fgetxattr             256  sys_epoll_wait            281  sys_mq_notify
   207  sys_fchown        232  sys_listxattr             257  sys_remap_file_pages      282  sys_mq_getsetattr
   208  sys_setresuid     233  sys_llistxattr            258  sys_set_tid_address       283  sys_kexec_load
   209  sys_getresuid     234  sys_flistxattr            259  sys_timer_create          284  sys_waitid
   210  sys_setresgid     235  sys_removexattr           260  sys_timer_settime         285  sys_ni_syscall
   211  sys_getresgid     236  sys_lremovexattr          261  sys_timer_gettime         286  sys_add_key
   212  sys_chown         237  sys_fremovexattr          262  sys_timer_getoverrun      287  sys_request_key
   213  sys_setuid        238  sys_tkill                 263  sys_timer_delete          288  sys_keyctl
   214  sys_setgid        239  sys_sendfile64            264  sys_clock_settime         289  sys_ioprio_set
   215  sys_setfsuid      240  sys_futex                 265  sys_clock_gettime         290  sys_ioprio_get
   216  sys_setfsgid      241  sys_sched_setaffinity     266  sys_clock_getres          291  sys_inotify_init
   217  sys_pivot_root    242  sys_sched_getaffinity     267  sys_clock_nanosleep       292  sys_inotify_add_watch
   218  sys_mincore       243  sys_set_thread_area       268  sys_statfs64              293  sys_inotify_rm_watch
   219  sys_madvise       244  sys_get_thread_area       269  sys_fstatfs64
   220  sys_getdents64    245  sys_io_setup              270  sys_tgkill
   221  sys_fcntl64       246  sys_io_destroy            271  sys_utimes
   222  sys_ni_syscall    247  sys_io_getevents          272  sys_fadvise64_64
   223  sys_ni_syscall    248  sys_io_submit             273  sys_ni_syscall
   224  sys_gettid        249  sys_io_cancel             274  sys_mbind
How to make

Perl-regex-based
JIT x86 Compiler
0x90 = nop (no operation)

#!/usr/bin/perl
use DynaLoader;


# Code buffer: three nops (0x90) and nothing after them. Once the CPU has
# executed them it keeps going into whatever follows the buffer in memory,
# which is what the segmentation fault below shows.
my $x86 = "\x90\x90\x90";


# Register the buffer's address as XSUB "X" and call it: the bytes of $x86
# are executed as machine code. The buffer is plain writable data, so this
# only works where data pages are executable (DEP/NX stops it).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % perl int3jit.pl
      zsh: segmentation fault  perl int3jit.pl
0xc3 = ret (return)

#!/usr/bin/perl
use DynaLoader;


# Code buffer: nop, nop, ret (0xc3). The ret hands control back to Perl's
# XSUB caller, so unlike the nop-only version this returns cleanly.
my $x86 = "\x90\x90\xc3";


# Register the buffer's address as XSUB "X" and call it, executing $x86 as
# machine code. Requires executable data pages (fails under DEP/NX).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % perl int3jit.pl
      ok
Perl regex x86 JIT compiler (INT 3)

#!/usr/bin/perl
use DynaLoader;


# Code buffer: "int 3" in its two-byte form (CD 03) followed by a nop placeholder.
my $x86 = "\xcd\x03\x90";
# SIGTRAP handler: while the trap is being serviced, rewrite the placeholder
# nop into "ret" (C3) inside the very buffer being executed. INT 3 is a trap,
# so execution resumes after it, i.e. at the byte just patched.
# NOTE(review): assumes s/// edits the buffer in place rather than
# reallocating it — confirm for the perl build in use. Perl's default
# deferred ("safe") signal delivery keeps this handler from running inside
# the trap; PERL_SIGNALS=unsafe is what makes it fire there.
$SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
# Register the buffer's address as XSUB "X" and call it, executing $x86 as
# machine code. Requires executable data pages (fails under DEP/NX).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % env PERL_SIGNALS=unsafe perl int3jit.pl
      zsh: segmentation fault perl int3jit.pl
$SIG{TRAP} = sub {…};

#!/usr/bin/perl
use DynaLoader;


# Code buffer: "int 3" (two-byte form CD 03) followed by a nop placeholder.
my $x86 = "\xcd\x03\x90";
# SIGTRAP handler: patch the placeholder nop into "ret" (C3) in the buffer
# that is currently executing; INT 3 is a trap, so execution resumes right
# after it, at the patched byte. Only works with PERL_SIGNALS=unsafe (set in
# the environment when this script is run), which makes Perl deliver the
# signal immediately instead of deferring it to a safe point.
# NOTE(review): assumes s/// does not reallocate the buffer — confirm.
$SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
# Register the buffer's address as XSUB "X" and call it, executing $x86 as
# machine code. Requires executable data pages (fails under DEP/NX).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % env PERL_SIGNALS=unsafe perl int3jit.pl
      JIT at int3jit.pl line 4.
      ok
$ENV{PERL_SIGNALS} = "unsafe";

#!/usr/bin/perl
use DynaLoader;
# Unless PERL_SIGNALS is already set, set it to "unsafe" and re-exec this
# script under the same interpreter ($^X) with the same arguments, so the
# setting is in effect from interpreter start-up (it is read at start, not
# when %ENV is assigned). The re-exec'd child then skips this line.
# NOTE(review): if exec fails, execution falls through in this process with
# deferred signals still active.
$ENV{PERL_SIGNALS} || ($ENV{PERL_SIGNALS} = "unsafe", exec $^X, $0, @ARGV);
# Code buffer: "int 3" (two-byte form CD 03) followed by a nop placeholder.
my $x86 = "\xcd\x03\x90";
# SIGTRAP handler: patch the placeholder nop into "ret" (C3) in the buffer
# being executed; INT 3 is a trap, so execution resumes at the patched byte.
# NOTE(review): assumes s/// does not reallocate the buffer — confirm.
$SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
# Register the buffer's address as XSUB "X" and call it, executing $x86 as
# machine code. Requires executable data pages (fails under DEP/NX).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % perl int3jit.pl
      JIT at int3jit.pl line 4.
      ok
Perl regex x86 JIT compiler (INT 3 == 0xcc)

#!/usr/bin/perl
use DynaLoader;
# Re-exec under the same perl with PERL_SIGNALS=unsafe unless already set,
# so the SIGTRAP handler below is delivered immediately rather than deferred.
$ENV{PERL_SIGNALS} || ($ENV{PERL_SIGNALS} = "unsafe", exec $^X, $0, @ARGV);
# Code buffer: the one-byte "int 3" (CC) followed by a nop placeholder.
my $x86 = "\xcc\x90";
# SIGTRAP handler: patch the placeholder nop into "ret" (C3); INT 3 is a
# trap, so execution resumes right after it, at the patched byte.
# NOTE(review): assumes s/// does not reallocate the buffer — confirm.
$SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
# Register the buffer's address as XSUB "X" and call it, executing $x86 as
# machine code. Requires executable data pages (fails under DEP/NX).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % perl int3jit.pl
      JIT at int3jit.pl line 4.
      ok
INT 3 doesn't work on Windows systems.
UD2 (x86 Official UnDefined) => $SIG{ILL}

#!/usr/bin/perl
use DynaLoader;
# Re-exec under the same perl with PERL_SIGNALS=unsafe unless already set,
# so the SIGILL handler below is delivered immediately rather than deferred.
$ENV{PERL_SIGNALS} || ($ENV{PERL_SIGNALS} = "unsafe", exec $^X, $0, @ARGV);
# Code buffer: "ud2" (0F 0B), the architecturally defined invalid opcode.
my $x86 = "\x0f\x0b";
# SIGILL handler: replace the ud2 itself with "ret; nop" (C3 90). Unlike
# INT 3, an undefined opcode is a fault: execution resumes AT the faulting
# instruction, which is why the two bytes of ud2 are overwritten here
# instead of a byte after it.
# NOTE(review): assumes s/// does not reallocate the buffer — confirm.
$SIG{ILL} = sub { $x86 =~ s/\x0f\x0b/\xc3\x90/; warn "JIT" };
# Register the buffer's address as XSUB "X" and call it, executing $x86 as
# machine code. Requires executable data pages (fails under DEP/NX).
DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86); &X;
print "ok\n";




      % perl ud2jit.pl
      JIT at ud2jit.pl line 4.
      ok
64bit OS

use x86_64;
Hello, Linux/x86_64 world!

#!/usr/bin/perl
use DynaLoader;
# x86_64 machine code as a Perl string (AT&T syntax in the comments):
# push the 8 ASCII bytes "12345678" onto the stack, then call
# write(fd = 1, buf = %rsp, count = 8) through the AMD64 syscall ABI
# (%rax = syscall number, %rdi/%rsi/%rdx = arguments; write is 1 here,
# not 4 as on i386). The raw syscall bypasses Perl's STDOUT buffer, so
# "12345678" appears before the "ok" printed below.
my $s = ""
    . "\x48\xb8" . ("12345678")                   # mov $0x3837363534333231, %rax
    . "\x50"                                      # push %rax
    . "\x48\x89\xe6"                              # mov %rsp, %rsi
    . "\x48\xc7\xc7\x01\x00\x00\x00"              # mov $0x1, %rdi
    . "\x48\xc7\xc2\x08\x00\x00\x00"              # mov $0x8, %rdx
    . "\x48\xc7\xc0\x01\x00\x00\x00"              # mov $0x1, %rax
    . "\x0f\x05"                                  # syscall
    . "\x58"                                      # pop %rax
    . "\xc3"                                      # ret
;
# Register the buffer's address as XSUB "X" and call it, executing $s as
# machine code. Requires executable data pages (fails under NX).
# NOTE(review): unpack "L" yields a 32-bit value, so on this 64-bit build the
# buffer address is truncated; it only works while the address fits in 32
# bits. A pointer-sized format ("J") would not truncate.
DynaLoader::dl_install_xsub("X", unpack("L", pack("P*", $s))); &X();
print "ok\n";


        %    p e r l x 8 6 _ 6 4 . p l
        1 2 3 4 5 6 7 8 o k
syscall (AMD64 ABI)
# ! / u s              r / b                i n / p e r l
 u s e D                y n a                L o a d e r ;
  m y $ x                = quot; quot;
   . quot; ¥ x                4 8 ¥             x b 8 quot; . quot; H e l l o 6 4 ! quot;                                    #   m o v                     ' H e        l l o 6 4 ! ' , % r a x
    . quot; ¥ x                5 0 quot;                                                                             #    p u s h                   % r a       x
     . quot; ¥ x                4 8 ¥           x 8 9         ¥ x e      6 quot;                                     #     m o v                     % r s      p , %      r s i
      . quot; ¥ x                4 8 ¥           x c 7         ¥ x c     7 ¥ x 0 1 ¥ x 0 0 ¥ x 0 0 ¥ x 0 0 quot;     #      m o v                     $ 0 x      1 , %      r d i
       . quot; ¥ x                4 8 ¥           x c 7         ¥ x c     2 ¥ x 0 8 ¥ x 0 0 ¥ x 0 0 ¥ x 0 0 quot;    #       m o v                     $ 0 x      8 , %      r d x
        . quot; ¥ x                4 8 ¥           x c 7         ¥ x c     0 ¥ x 0 1 ¥ x 0 0 ¥ x 0 0 ¥ x 0 0 quot;   #        m o v                     $ 0 x      1 , %      r a x
         . quot; ¥ x                0 f ¥           x 0 5     quot;                                                  #         s y s c a l l
          . quot; ¥ x                4 8 ¥           x 8 9    ¥ x f 8 quot;                                          #          m o v              % r d i , % r a x
           . quot; ¥ x                0 f ¥           x 0 5   quot;                                                  #           s y s c a l l
            . quot; ¥ x                5 8 quot;                                                                     #            p o p        %   r a x
             . quot; ¥ x                c 3 quot;                                                                    #             r e t
;
D y n a L o a d e r : : d l _ i n s t a l l _ x s u b ( quot; X quot; , u n p a c k ( quot; L quot; , p a c k ( quot; P * quot; , $ x ) ) ) ; X ( ) ;
 p r i n t quot; o k ¥ n quot; ;

         %    p e r l x 8 6 _ 6 4 . p l
         H e l l o 6 4 ! H e l l o 6 4 ! o k
CPUID (get your cpu processor name)
# ! / u s r / b i n / p e r l

u s e       D y n a L o a d e r ;

s u b       P r o c e s                   s o r         B r a         n d S t        r i n g   {
                     m y                         $ c     p u           = quot; ¥          0 quot; x    4 8 ;
                      m y                         $ x     8 6           = quot; quot;
                       .                   quot; S ¥           x b f         quot; .         p a c k ( quot; P quot; , $ c p u )
                         .                  quot; ¥ x           b 8 ¥         x 0 2 ¥     x 0 0 ¥ x 0 0 ¥ x 8 0 quot;
                           .                 ( quot; P           ¥ x 0         f ¥ x a     2 ¥ x 8 9 ¥ x 0 7 ¥ x 8 9 _ ¥ x 0 4 ¥ x 8 9 O ¥ x 0 8 ¥ x 8 9 W ¥ x 0 c ¥ x 8 d ¥ x 7 f ¥ x 1 0 X ¥ x 8 d ¥ @ ¥ x 0 1 quot;   x   3 )
                             .                quot; [ ¥           x c 3   quot;
                               ;
                                 D y      n a L o a d e r : : d l _ i n s t a l l _ x s u b ( quot; X quot; , u n p a c k quot; L quot; , p a c k quot; P quot; , $ x 8 6 ) ; & X ;
                                  $ c      p u = ~ s / ¥ 0 + / / g ;
                                   $ c      p u = ~ s / ^ + / / ;
                                    $ c      p u ;
}

p r i n t             P r o c e s s o r B r a n d S t r i n g ,                                        quot; ¥ n quot; ;



        %p e r l c p u i d . p l
        AMD Opteron(tm) Processor 240 EE
$> perl ./cpuid.pl

1 .   W i n d o w s X P ( 3 2 b i t )       -          D E L L
        I n t e l ( R )   P e n t i u m ( R )                4   C P U    3 . 4 0 G H z
2 .   C e n t O S 5 . 2 ( i 3 8 6 )     -        w a f f u l . o r g
        I n t e l ( R )   X e o n ( R )              C P U       E 5 4 3 0        @      2 . 6 6 G H z
3 .   C e n t O S 4 . 4 ( x 8 6 _ 6 4 )          -       L i n u x / A M D 6 4
        A M D   O p t e r o n ( t m )           P r o c e s s o r         2 4 0       E E
4 .   F r e e B S D ( i 3 8 6 )    +    j a i l
        I n t e l ( R )   P e n t i u m ( R )                4   C P U    3 . 2 0 G H z
CPUID (eax = 0x80000002)

- - -                    - - -                    - - -                    - - -                    - - - - - - - - - - - - - - - - - -                             - - - -                  - - -       - - - - - - - - - -
 0 0 0                    0 0 0                    0 0                           5 3                                                             p u                 s h e                    b x
  0 0 0                    0 0 0                    0 1                           B F                x x x x x x x x                              m o                 v e d                    i , 0     x X X X X X X X X
   0 0 0                    0 0 0                    0 6                           B 8                0 2 0 0 0 0 8 0                              m o                 v e a                    x , 0     x 8 0 0 0 0 0 0 2
    - - -                    - - -                    - - -                 - - -                      - - - - - - - - - - - - - - - - - -                              - - - -                  - - -     - - - - - - - - - -
     0 0 0                    0 0 0                    0 B                          5 0                                                             p u                  s h e                    a x
      0 0 0                    0 0 0                    0 C                          0 F                A 2                                          c p                  u i d
       0 0 0                    0 0 0                    0 E                          8 9                0 7                                          m o                  v [ e             d i ]       , e a       x
        0 0 0                    0 0 0                    1 0                          8 9                5 F 0 4                                      m o                  v [ e             d i +       0 x 4      ] , e      b x
         0 0 0                    0 0 0                    1 3                          8 9                4 F 0 8                                      m o                  v [ e             d i +       0 x 8      ] , e     c x
          0 0 0                    0 0 0                    1 6                          8 9                5 7 0 C                                      m o                  v [ e             d i +       0 x c      ] , e    d x
           0 0 0                    0 0 0                    1 9                          8 D                7 F 1 0                                      l e                  a e d             i , [       e d i      + 0 x   1 0 ]
            0 0 0                    0 0 0                    1 C                          5 8                                                             p o                  p e a        x
             0 0 0                    0 0 0                    1 D                          8 D               4 0 0 1                                       l e                  a e a       x , [ e a x + 0 x 1 ]
              - - -                    - - -                    - - -        - - -                             - - - - - 3 回繰り返し -                                                 - - - -    - - - - - - - - - - - -
               0 0 0                    0 0 0                    4 A                         5 B                                                             p o                  p e b      x
                0 0 0                    0 0 0                    4 B                         C 3                                                             r e   t
                 - - -                    - - -                    - - -      - - -                             - - - - - - - - - - - - - - - - - -                 - - - - - - - - - - - - - - - - -
Inline/x86.pm
p a c k a g e                I n l i n e : : x 8 6 ;

u s e        D y n      a L o a d e r ( ) ;
 u s e        E x p      o r t e r ;
  o u r        @ I S      A = q w ( E x p o r t e r ) ;
   o u r        @ E X      P O R T = q w ( x 8 6 _ s u b ) ;

s u b       x 8 6       _ s u        b     {
        m y ( $          f u n       c ,       $ x 8 6   )       =       @ _ ;
         i f ( $          ^ O        e q quot; l i n         u x quot;       )         {
             r e q         u i r      e ' s y s c         a l l      .    p h ' ;
              m y           $ s i      z e = i n           t ( 2     +     l e n g t h ( $ x 8 6 ) / 4 0 9 6 ) * 4 0 9 6 ;
               s y s         c a l      l ( & S Y S _       m p r    o      t e c t , ( u n p a c k quot; L quot; , p a c k quot; P quot; , $ x 8 6 ) & ~ 4 0 9 5 , $ s i z e , 7 ) ;
        }
        D y n a L o a d e r : : d l _ i n s t a l l _ x s u b ( c a l l e r ( 0 ) . quot; : : $ f u n c quot; ,
                                                                 u n p a c k quot; L quot; , p a c k quot; P quot; , $ x 8 6 ) ;
}

       u s e I n l i n e : : x 8 6 ;
        x 8 6 _ s u b f u n c t i o n 1                                            = >     d o      {    quot; ¥ x 9 0 ¥ x 9 0 ¥ x 9 0 ¥ x c 3 quot;                   } ;
man 2 mprotect

M P R O T E C T ( 2 )                                               L i n u x      P r o g r a m m e r ’ s          M a n u a l                                        M P R O T E C T ( 2 )
N A M E
                  m p r o t e c t         -     c o n t r o l    a l l o w a b l e         a c c e s s e s       t o    a     r e g i o n       o f      m e m o r y
S Y N O P S I S
                  # i n c l u d e         < s y s / m m a n . h >
                  i n t       m p r o t e c t ( c o n s t        v o i d      * a d d r ,        s i z e _ t     l e n ,      i n t    p r o t ) ;
D E S C R I P T I       O N
               T h      e        f u n c t i o n        m p r o t e c t ( )           s p e c i f i e s t h e d e s i r e d p r o t e c t i o n f o r t h e m e m o r y
                p a     g e ( s ) c o n t a i n i n g p a r t o r                      a l l o f t h e i n t e r v a l [ a d d r , a d d r + l e n - 1 ] .     I f   a n
                 a c     c e s s        i s      d i s a l l o w e d        b y         t h e p r o t e c t i o n g i v e n i t , t h e p r o g r a m r e c e i v e s a
                  S I     G S E G V .
                  p r o t       i s   a       b i t w i s e - o r     o f     t h e      f o l l o w i n g       v a l u e s :
                  P R O T _ N O N E             T h e   m e m o r y      c a n n o t       b e     a c c e s s e d      a t     a l l .
                  P R O T _ R E A D             T h e   m e m o r y      c a n     b e     r e a d .
                  P R O T _ W R I T E           T h e   m e m o r y      c a n     b e     w r i t t e n       t o .
                  P R O T _ E X E C             T h e   m e m o r y      c a n     c o n t a i n       e x e c u t i n g        c o d e .
                  T h e n e w p r o t e c t i o n r e p l a c e s a n y e x i s t i n g p r o t e c t i o n .     F o r e x a m p l e , i f   t h e
                   m e m o r y h a d p r e v i o u s l y b e e n m a r k e d P R O T _ R E A D , a n d m p r o t e c t ( ) i s t h e n c a l l e d
                    w i t h p r o t P R O T _ W R I T E , i t w i l l n o l o n g e r b e r e a d a b l e .
R E T U R N       V A L U E
                   O n s u c c e s s , m p r o t e c t ( )                  r e t u r n s        z e r o .       O n    e r r o r ,       - 1      i s     r e t u r n e d ,   a n d     e r r n o
                    i s s e t a p p r o p r i a t e l y .
use Inline::x86 qw(x86_sub);

u s e   I n l i n e : : x 8 6 ;
x 8 6 _ s u b ( quot; f u n c t i o n 1 quot; ,      quot; ¥ x 9 0 ¥ x 9 0 ¥ x 9 0 ¥ x c 3 quot; ) ;
x 8 6 _ s u b   quot; f u n c t i o n 2 quot; ,      q q | ¥ x 9 0 ¥ x 9 0 ¥ x 9 0 ¥ x c 3 | ;
x 8 6 _ s u b   f u n c t i o n 3    = >     q q { ¥ x 9 0 ¥ x 9 0 ¥ x 9 0 ¥ x c 3 } ;
x 8 6 _ s u b f u n c t i o n 4 = > d o             {
     quot; ¥ x 9 0 ¥ x 9 0 ¥ x 9 0 ¥ x c 3 quot; ;
 } ;
x 8 6 _ s u b f u n c t i o n 5      = >     d o    {
     quot; ¥ x 9 0 ¥ x 9 0 ¥ x 9 0 quot; .   #     n o p    x   3
      quot; ¥ x c 3 quot; ;                  #      r e t
 } ;
Debug Hacks#66: how to check 64bit mode

u s e     I n l i n e : : x 8 6 ;

x 8 6 _ s u b       c h         e c k         _ x          8 6 _      6 4          = >       d o {
                u    s e                v a    r s              q w    ( $     x 8 6     _ 6 4 ) ;                   #   O U T P U     T :       $ x 8   6 _ 6 4
                B     E G        I N            {           $ x 8       6 _     6 4       = quot; ? quot; }                  #    quot; 0 quot; =      > 3 2 b i          t , quot; 1 quot; = >       6 4 b i t
                quot;      ¥ x        b 8 ¥           x 3        1 ¥ x       0 0     ¥ x 0     0 ¥ x 0 0 quot; .             #     m o v e      a x , 0 x          3 1
                quot;       ¥ x        4 8 quot;           .                                                                 #      d e c e      a x / /            6 4 b i t R E X   P R E F I X
                quot;        ¥ x        a 2 quot;            . p    a c k ( quot; P quot; , $ x 8 6 _ 6 4 ) .                        #       m o v [      $ x 8 6 _ 6        4 ] , a l
                quot;         ¥ x        c 3 quot;            ;                                                              #        r e t
} ;
c h e c k _ x 8 6 _ 6 4 ( ) ;

w a r n     $ x 8 6 _ 6 4 ;                                      #        quot; 0 quot;          = >   3 2 b i t ,   quot; 1 quot;       = >    6 4 b i t
sub parse_objdump {…}

m y          ( $ c             a l l b            a c k          ,         $ o b j d u m p ) =                             @ _ ;
m y           ( $ b             a s e a            d d r         ,          $ m a n g l e d ) ;
m y            $ r e             t =                quot; quot; ;
f o r           e a c             h m y                   $ l    i n e            ( s p l        i t /        ¥ n /        ,    $ o b j d u m p )   {
   n e           x t               i f (             $ l i        n e         =    ~ / ^          ¥ s *        $ / )       ;
    n e           x t               i f (             $ l i        n e        =     ~ / ^          ¥ s *        ; / )      ;
     n e           x t               i f (             $ l i        n e       =      ~ / ^          ¥ s *        ¥ . +     s * $ / ) ;
      i f                ( $          l i n e              = ~          / ^   ¥       s * 0 *        ( [ 0        - 9 a     - f A - F ] * ) ¥ s * < ( . * ) > : / )     {
         $          b a s              e a d d    r              =         $ 1 ;
         $           m a n              g l e d                  =          $ 2 ;
         n            e x t    ;
    }
    i f         ( $ l i                  n e           = ~
                                                       / ^ ¥                      s * 0 *        ( . *        ? ) :        ¥ s + ( ( ? : [ 0 - 9 a - f A - F ] { 2 } ¥ s ) + ) ( ¥ s * ) ( . * ) $ / )        {
      m y ( $ a                          d d r , $ b i n                           , $ s          p a c        e ,          $ a s m ) = ( $ 1 , $ 2 , $ 3 , $ 4 ) ;
       m y $ d b                             = j o i n ( quot;                          , quot; , m        a p {        quot; 0 x        $ _ quot; } s p l i t / ¥ s + / , $ b i n ) ;
        ( m y $ h                             = $ b i n )                            = ~ s          / ¥ s        / / g     ;
         m y $ x                          = q u o t e p                               a c k          quot; H *        quot; ,      $ h ;
          $ r e t .                        = $ c a l l b a                             c k - >        ( $ a        d d r   ,    $ b i n ,   $ s p a c e ,   $ a s m ,       $ d b ,   $ x ,   $ b a s e a d d r ,   $ m a n g l e d ) ;
    } e l s e                            {
           p r i n t                     S T D E R R                       quot; E R R O R :                   $ l i n e ¥ n quot; ;
    }
}
r e t u r n                         $ r e t ;
n o     P e r l ;
u s e     x 8 6 ;
thank you!

Contenu connexe

Plus de takesako

SECCON CTF セキュリティ競技会コンテスト開催について
SECCON CTF セキュリティ競技会コンテスト開催についてSECCON CTF セキュリティ競技会コンテスト開催について
SECCON CTF セキュリティ競技会コンテスト開催についてtakesako
 
Acme minechan
Acme minechanAcme minechan
Acme minechantakesako
 
Acme::MineChan LT demo
Acme::MineChan LT demoAcme::MineChan LT demo
Acme::MineChan LT demotakesako
 
Node.js - JavaScript Thread Programming
Node.js - JavaScript Thread ProgrammingNode.js - JavaScript Thread Programming
Node.js - JavaScript Thread Programmingtakesako
 
Node.js - sleep sort algorithm
Node.js - sleep sort algorithmNode.js - sleep sort algorithm
Node.js - sleep sort algorithmtakesako
 
x86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNTx86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNTtakesako
 
再帰的 正規表現JSON Validator
再帰的 正規表現JSON Validator再帰的 正規表現JSON Validator
再帰的 正規表現JSON Validatortakesako
 
正規表現‐もう一つのバベルの塔‐木村浩一
正規表現‐もう一つのバベルの塔‐木村浩一正規表現‐もう一つのバベルの塔‐木村浩一
正規表現‐もう一つのバベルの塔‐木村浩一takesako
 
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to ustakesako
 
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)takesako
 
HTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a PloyglotHTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a Ployglottakesako
 
Devsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 TokyoDevsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 Tokyotakesako
 
GIF89a Oldtype
GIF89a OldtypeGIF89a Oldtype
GIF89a Oldtypetakesako
 
Shibuyajs Digest
Shibuyajs DigestShibuyajs Digest
Shibuyajs Digesttakesako
 
Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection
Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser DetectionShibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection
Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detectiontakesako
 
Shibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnectShibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnecttakesako
 

Plus de takesako (16)

SECCON CTF セキュリティ競技会コンテスト開催について
SECCON CTF セキュリティ競技会コンテスト開催についてSECCON CTF セキュリティ競技会コンテスト開催について
SECCON CTF セキュリティ競技会コンテスト開催について
 
Acme minechan
Acme minechanAcme minechan
Acme minechan
 
Acme::MineChan LT demo
Acme::MineChan LT demoAcme::MineChan LT demo
Acme::MineChan LT demo
 
Node.js - JavaScript Thread Programming
Node.js - JavaScript Thread ProgrammingNode.js - JavaScript Thread Programming
Node.js - JavaScript Thread Programming
 
Node.js - sleep sort algorithm
Node.js - sleep sort algorithmNode.js - sleep sort algorithm
Node.js - sleep sort algorithm
 
x86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNTx86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNT
 
再帰的 正規表現JSON Validator
再帰的 正規表現JSON Validator再帰的 正規表現JSON Validator
再帰的 正規表現JSON Validator
 
正規表現‐もう一つのバベルの塔‐木村浩一
正規表現‐もう一つのバベルの塔‐木村浩一正規表現‐もう一つのバベルの塔‐木村浩一
正規表現‐もう一つのバベルの塔‐木村浩一
 
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
 
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
 
HTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a PloyglotHTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a Ployglot
 
Devsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 TokyoDevsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 Tokyo
 
GIF89a Oldtype
GIF89a OldtypeGIF89a Oldtype
GIF89a Oldtype
 
Shibuyajs Digest
Shibuyajs DigestShibuyajs Digest
Shibuyajs Digest
 
Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection
Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser DetectionShibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection
Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection
 
Shibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnectShibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnect
 

Perl x86 JIT Programming

  • 1. Perl で学ぶ x86 アセンブラ⼊⾨ CybozuLabs, Inc. ”TAKESAKO” <takesako@shibuya.pl>
  • 2. MS-DOS 時代の 16bit アセンブラ入門
  • 3. MS-DOS 16bit (int 21H) ; N A S M H e l l o W o r l d ( M S - D O S 1 6 b i t x 8 6 C O M ) ; ; $ n a s m w – f b i n h e l l o 1 6 . a s m - o h e l l o 1 6 . c o m ; $ n d i s a s m w h e l l o 1 6 . c o m > h e l l o 1 6 . t x t o r g 1 0 0 h s e c t i o n . t e x t s t a r t : m o v a x , c s m o v d s , a x ; コードセグメント( c s ) とデータセグメント( d s ) を同一に p r i n t : m o v d x , m s g m o v a h , 0 9 H i n t 2 1 H ; m s g から' $ ' まで標準出力に表示する( a h = 0 9 H ) e x i t : m o v a h , 4 c H m o v a l , 0 0 H i n t 2 1 H ; ステータス( a l = 0 ) で終了する( a h = 4 c H ) s e c t i o n . d a t a m s g d b ' H e l l o , w o r l d ! ' , 0 d H , 0 a H , ' $ ' s e c t i o n . b s s
  • 6. disasm hello16.com 0 0 0 0 0 0 0 0 8 C C 8 m o v a x , c s 0 0 0 0 0 0 0 2 8 E D 8 m o v d s , a x 0 0 0 0 0 0 0 4 B A 1 4 0 1 m o v d x , 0 x 1 1 4 0 0 0 0 0 0 0 7 B 4 0 9 m o v a h , 0 x 9 0 0 0 0 0 0 0 9 C D 2 1 i n t 0 x 2 1 0 0 0 0 0 0 0 B B 4 4 C m o v a h , 0 x 4 c 0 0 0 0 0 0 0 D B 0 0 0 m o v a l , 0 x 0 0 0 0 0 0 0 0 F C D 2 1 i n t 0 x 2 1 0 0 0 0 0 0 1 1 0 0 0 0 a d d [ b x + s i ] , a l 0 0 0 0 0 0 1 3 0 0 4 8 6 5 H e a d d [ b x + s i + 0 x 6 5 ] , c l 0 0 0 0 0 0 1 6 6 C l i n s b 0 0 0 0 0 0 1 7 6 C l i n s b 0 0 0 0 0 0 1 8 6 F o o u t s w 0 0 0 0 0 0 1 9 2 C 2 0 , s u b a l , 0 x 2 0 0 0 0 0 0 0 1 B 7 7 6 F w o j a 0 x 8 c 0 0 0 0 0 0 1 D 7 2 6 C r l j c 0 x 8 b 0 0 0 0 0 0 1 F 6 4 2 1 0 D d ! ¥ r a n d [ f s : d i ] , c x 0 0 0 0 0 0 2 2 0 A 2 4 ¥ n $ o r a h , [ s i ]
  • 8. Hello, Win32API world ; N A S M H e l l o W o r l d ( W i n 3 2 A P I x 8 6 P E ) u s i n g A L I N K ; ; $ n a s m w - f w i n 3 2 h e l l o 3 2 x . a s m ; $ a l i n k - o P E h e l l o 3 2 x c : ¥ n a s m ¥ w i n 3 2 . l i b - e n t r y m a i n e x t e r n M e s s a g e B o x A s e c t i o n . t e x t g l o b a l m a i n m a i n : p u s h d w o r d 0 p u s h d w o r d t i t l e p u s h d w o r d t e x t p u s h d w o r d 0 c a l l M e s s a g e B o x A r e t s e c t i o n . d a t a t i t l e : d b ' M e s s a g e ' , 0 t e x t : d b ' H e l l o , W o r l d ! ' , 0
  • 9. PE Golf (Win32 x86) - 1/2 B I T S 3 2 ; h t t p : / / f i r e w o o d . t x t - n i f t y . c o m / b b c / f i l e s / h e l l o . a s m O R G 0 ; h t t p : / / d . h a t e n a . n e . j p / f i r e w o o d / 2 0 0 6 1 1 2 0 / 1 1 6 3 9 5 7 0 2 9 W r i t e F i l e e q u 0 x 7 c 8 1 0 d 8 7 ; V a r i e s d e p e n d i n g o n e n v i r o n m e n t s I m a g e B a s e e q u 0 x 0 0 4 0 0 0 0 0 f i l e a l i g n e q u 4 s e c t a l i g n e q u 4 ; m u s t b e 4 b e c a u s e o f e _ l f a n e w % d e f i n e r o u n d ( n , r ) ( ( ( n + ( r - 1 ) ) / r ) * r ) d w quot; M Z quot; d w 0 p e _ h d r d d quot; P E quot; ; S i g n a t u r e d w 0 x 0 1 4 C ; C P U : i 3 8 6 d w 1 ; N u m b e r o f S e c t i o n s h e l l o d b quot; H e l l o , w o r l d quot; h e l l o _ e d b 0 d w 4 ; o f f s e t b e t w e e n s e c t i o n s a n d o p t h d r d w 0 x 0 1 0 3 ; C h a r a c t e r i s t i c s : R E L O C S _ S T R I P P E D | E X E C U T A B L E | 3 2 B I o p t h d r : d w 0 x 0 1 0 B ; M a g i c c o d e 1 : m o v e d x , h e l l o + I m a g e B a s e p u s h e a x p u s h e b x j m p s h o r t c o d e 2 d b 0 ; n o t u s e d d d c o d e s i z e d d c o d e 1 ; d d c o d e s i z e d d c o d e 1 ; E n t r y P o i n t d d I m a g e B a s e ; I m a g e B a s e A d d r e s s
  • 10. PE Golf (Win32 x86) - 2/2 s e c t b l : d d 4 ; P E h d r / S e c t i o n A l i g n m e n t d d 4 ; F i l e A l i g n m e n t c o d e 2 : p u s h b y t e h e l l o _ e - h e l l o p u s h e d x p u s h b y t e 7 ; s t d o u t h a n d l e j m p s h o r t c o d e 3 d b 0 ; n o t u s e d d w 4 ; S u b s y s M a j o r V e r c o d e 3 : c a l l W r i t e F i l e - I m a g e B a s e r e t d d r o u n d ( h d r s i z e , s e c t a l i g n ) + r o u n d ( c o d e s i z e , s e c t a l i g n ) ; S i z e O f I m a g e d d r o u n d ( h d r s i z e , f i l e a l i g n ) ; S i z e O f H e a d e r s d d 0 d b 3 ; S u b s y s t e m : c o n s o l e c o d e s i z e e q u $ - c o d e 1 h d r s i z e e q u $ - $ $ f i l e s i z e e q u $ - $ $ Tiny PE - Creating the smallest possible PE executable http://www.phreedom.org/solar/code/tinype/
  • 12. N o B i n a r y ; u s e P e r l ;
  • 13.
  • 14. Win32::API u s e P e r l ;
  • 15. use Win32::API; # ! / u s r / b i n / p e r l u s e W i n 3 2 : : A P I ; m y $ M e s s a g e B o x = W i n 3 2 : : A P I - > n e w ( quot; u s e r 3 2 quot; , quot; M e s s a g e B o x A quot; , quot; N P P N quot; , quot; N quot; ) ; $ M e s s a g e B o x - > C a l l ( 0 , quot; H e l l o , W o r l d ! ¥ n quot; , quot; M e s s a g e quot; , 0 ) ;
  • 16. DynaLoader u s e x 8 6 ;
  • 17. no Win32::API; # ! / u s r / b i n / p e r l u s e D y n a L o a d e r ; s u b G e t P r o c A d d r e s s { m y ( $ D L L , $ A P I ) = @ _ ; m y $ p a t h = quot; $ E N V { S y s t e m R o o t } ¥ ¥ s y s t e m 3 2 ¥ ¥ $ D L L quot; ; m y $ l i b r e f = D y n a L o a d e r : : d l _ l o a d _ f i l e ( $ p a t h ) ; p a c k quot; L quot; , D y n a L o a d e r : : d l _ f i n d _ s y m b o l ( $ l i b r e f , $ A P I ) ; } m y $ x 8 6 = quot; quot; . quot; h quot; . quot; ¥ 0 ¥ 0 ¥ 0 ¥ 0 quot; # p u s h 0 ( ' h ' = = ' ¥ x 6 8 ' ) . quot; h quot; . p a c k ( quot; P quot; , quot; M e s s a g e quot; ) # p u s h $ t i t l e . quot; h quot; . p a c k ( quot; P quot; , quot; H e l l o , W o r l d ! ¥ n quot; ) # p u s h $ m e s s a g e . quot; h quot; . p a c k ( quot; L quot; , 0 ) # p u s h 0 . quot; ¥ x b 8 quot; . G e t P r o c A d d r e s s ( quot; u s e r 3 2 . d l l quot; , quot; M e s s a g e B o x A quot; ) # m o v e a x . quot; ¥ x f f ¥ x d 0 quot; # c a l l e a x . quot; ¥ x c 3 quot; # r e t ; D y n a L o a d e r : : d l _ i n s t a l l _ x s u b ( quot; X quot; , u n p a c k quot; L quot; , p a c k quot; P quot; , $ x 8 6 ) ; & X ( ) ;
  • 19. DEP (Data Execution Prevention) on Windows
  • 20. Linux x86 E L F G o l f
  • 21. Linux system call (int 80H) ; N A S M H e l l o W o r l d ( L i n u x x 8 6 E L F ) u s i n g g c c ; ; $ n a s m w h e l l o . a s m – f e l f – o h e l l o . o ; $ g c c h e l l o . o – o h e l l o s e c t i o n . d a t a m s g d b ' H e l l o , w o r l d ! ' , 0 x 0 A l e n e q u $ - m s g ; m a i n : m o v e a x , 4 ; s y s t e m c a l l n u m b e r ( s y s _ w r i t e ) m o v e b x , 1 ; f i l e d e s c r i p t o r ( s t d o u t ) m o v e c x , m s g ; m e s s a g e t o w r i t e m o v e d x , l e n ; m e s s a g e l e n g t h i n t 0 x 8 0 ; c a l l k e r n e l m o v e a x , 1 ; s y s t e m c a l l n u m b e r ( s y s _ e x i t ) i n t 0 x 8 0 ; c a l l k e r n e l ; s y s _ w r i t e ( s t d o u t , m s g , l e n ) ; ; s y s _ e x i t ; s e c t i o n . t e x t
  • 22. * l i n u x - 2 . 6 . 1 4 / a r c h / i 3 8 6 / k e r n e l / s y s c a l l _ t a b l e . S ( 0 - 9 9 / 2 9 3 ) 0 s y s _ r e s t a r t _ s y s c a l l 2 5 s y s _ s t i m e 5 0 s y s _ g e t e g i d 1 6 7 5 s y s _ s e t r l i m i t 1 s y s _ e x i t 2 6 s y s _ p t r a c e 5 1 s y s _ a c c t 7 6 s y s _ o l d _ g e t r l i m i t 2 s y s _ f o r k 2 7 s y s _ a l a r m 5 2 s y s _ u m o u n t 7 7 s y s _ g e t r u s a g e 3 s y s _ r e a d 2 8 s y s _ f s t a t 5 3 s y s _ n i _ s y s c a l l 7 8 s y s _ g e t t i m e o f d a y 4 s y s _ w r i t e 2 9 s y s _ p a u s e 5 4 s y s _ i o c t l 7 9 s y s _ s e t t i m e o f d a y 5 s y s _ o p e n 3 0 s y s _ u t i m e 5 5 s y s _ f c n t l 8 0 s y s _ g e t g r o u p s 1 6 6 s y s _ c l o s e 3 1 s y s _ n i _ s y s c a l l 5 6 s y s _ n i _ s y s c a l l 8 1 s y s _ s e t g r o u p s 1 6 7 s y s _ w a i t p i d 3 2 s y s _ n i _ s y s c a l l 5 7 s y s _ s e t p g i d 8 2 o l d _ s e l e c t 8 s y s _ c r e a t 3 3 s y s _ a c c e s s 5 8 s y s _ n i _ s y s c a l l 8 3 s y s _ s y m l i n k 9 s y s _ l i n k 3 4 s y s _ n i c e 5 9 s y s _ o l d u n a m e 8 4 s y s _ l s t a t 1 0 s y s _ u n l i n k 3 5 s y s _ n i _ s y s c a l l 6 0 s y s _ u m a s k 8 5 s y s _ r e a d l i n k 1 1 s y s _ e x e c v e 3 6 s y s _ s y n c 6 1 s y s _ c h r o o t 8 6 s y s _ u s e l i b 1 2 s y s _ c h d i r 3 7 s y s _ k i l l 6 2 s y s _ u s t a t 8 7 s y s _ s w a p o n 1 3 s y s _ t i m e 3 8 s y s _ r e n a m e 6 3 s y s _ d u p 2 8 8 s y s _ r e b o o t 1 4 s y s _ m k n o d 3 9 s y s _ m k d i r 6 4 s y s _ g e t p p i d 8 9 o l d _ r e a d d i r 1 5 s y s _ c h m o d 4 0 s y s _ r m d i r 6 5 s y s _ g e t p g r p 9 0 o l d _ m m a p 1 6 s y s _ l c h o w n 1 6 4 1 s y s _ d u p 6 6 s y s _ s e t s i d 9 1 s y s _ m u n m a p 1 7 s y s _ n i _ s y s c a l l 4 2 s y s _ p i p e 6 7 s y s _ s i g a c t i o n 9 2 s y s _ t r u n c a t e 1 8 s y s _ s t a t 4 3 s y s _ t i m e s 6 8 s y s _ s g e t m a s k 9 3 s y s _ 
f t r u n c a t e 1 9 s y s _ l s e e k 4 4 s y s _ n i _ s y s c a l l 6 9 s y s _ s s e t m a s k 9 4 s y s _ f c h m o d 2 0 s y s _ g e t p i d 4 5 s y s _ b r k 7 0 s y s _ s e t r e u i d 1 6 9 5 s y s _ f c h o w n 1 6 2 1 s y s _ m o u n t 4 6 s y s _ s e t g i d 1 6 7 1 s y s _ s e t r e g i d 1 6 9 6 s y s _ g e t p r i o r i t y 2 2 s y s _ o l d u m o u n t 4 7 s y s _ g e t g i d 1 6 7 2 s y s _ s i g s u s p e n d 9 7 s y s _ s e t p r i o r i t y 2 3 s y s _ s e t u i d 1 6 4 8 s y s _ s i g n a l 7 3 s y s _ s i g p e n d i n g 9 8 s y s _ n i _ s y s c a l l 2 4 s y s _ g e t u i d 1 6 4 9 s y s _ g e t e u i d 1 6 7 4 s y s _ s e t h o s t n a m e 9 9 s y s _ s t a t f s
• 23. * linux-2.6.14/arch/i386/kernel/syscall_table.S (100-199/293)

100 sys_fstatfs           125 sys_mprotect       150 sys_mlock                   175 sys_rt_sigprocmask
101 sys_ioperm            126 sys_sigprocmask    151 sys_munlock                 176 sys_rt_sigpending
102 sys_socketcall        127 sys_ni_syscall     152 sys_mlockall                177 sys_rt_sigtimedwait
103 sys_syslog            128 sys_init_module    153 sys_munlockall              178 sys_rt_sigqueueinfo
104 sys_setitimer         129 sys_delete_module  154 sys_sched_setparam          179 sys_rt_sigsuspend
105 sys_getitimer         130 sys_ni_syscall     155 sys_sched_getparam          180 sys_pread64
106 sys_newstat           131 sys_quotactl       156 sys_sched_setscheduler      181 sys_pwrite64
107 sys_newlstat          132 sys_getpgid        157 sys_sched_getscheduler      182 sys_chown16
108 sys_newfstat          133 sys_fchdir         158 sys_sched_yield             183 sys_getcwd
109 sys_uname             134 sys_bdflush        159 sys_sched_get_priority_max  184 sys_capget
110 sys_iopl              135 sys_sysfs          160 sys_sched_get_priority_min  185 sys_capset
111 sys_vhangup           136 sys_personality    161 sys_sched_rr_get_interval   186 sys_sigaltstack
112 sys_ni_syscall        137 sys_ni_syscall     162 sys_nanosleep               187 sys_sendfile
113 sys_vm86old           138 sys_setfsuid16     163 sys_mremap                  188 sys_ni_syscall
114 sys_wait4             139 sys_setfsgid16     164 sys_setresuid16             189 sys_ni_syscall
115 sys_swapoff           140 sys_llseek         165 sys_getresuid16             190 sys_vfork
116 sys_sysinfo           141 sys_getdents       166 sys_vm86                    191 sys_getrlimit
117 sys_ipc               142 sys_select         167 sys_ni_syscall              192 sys_mmap2
118 sys_fsync             143 sys_flock          168 sys_poll                    193 sys_truncate64
119 sys_sigreturn         144 sys_msync          169 sys_nfsservctl              194 sys_ftruncate64
120 sys_clone             145 sys_readv          170 sys_setresgid16             195 sys_stat64
121 sys_setdomainname     146 sys_writev         171 sys_getresgid16             196 sys_lstat64
122 sys_newuname          147 sys_getsid         172 sys_prctl                   197 sys_fstat64
123 sys_modify_ldt        148 sys_fdatasync      173 sys_rt_sigreturn            198 sys_lchown
124 sys_adjtimex          149 sys_sysctl         174 sys_rt_sigaction            199 sys_getuid
• 24. * linux-2.6.14/arch/i386/kernel/syscall_table.S (200-293/293)

200 sys_getgid            225 sys_readahead           250 sys_fadvise64          275 sys_get_mempolicy
201 sys_geteuid           226 sys_setxattr            251 sys_ni_syscall         276 sys_set_mempolicy
202 sys_getegid           227 sys_lsetxattr           252 sys_exit_group         277 sys_mq_open
203 sys_setreuid          228 sys_fsetxattr           253 sys_lookup_dcookie     278 sys_mq_unlink
204 sys_setregid          229 sys_getxattr            254 sys_epoll_create       279 sys_mq_timedsend
205 sys_getgroups         230 sys_lgetxattr           255 sys_epoll_ctl          280 sys_mq_timedreceive
206 sys_setgroups         231 sys_fgetxattr           256 sys_epoll_wait         281 sys_mq_notify
207 sys_fchown            232 sys_listxattr           257 sys_remap_file_pages   282 sys_mq_getsetattr
208 sys_setresuid         233 sys_llistxattr          258 sys_set_tid_address    283 sys_kexec_load
209 sys_getresuid         234 sys_flistxattr          259 sys_timer_create       284 sys_waitid
210 sys_setresgid         235 sys_removexattr         260 sys_timer_settime      285 sys_ni_syscall
211 sys_getresgid         236 sys_lremovexattr        261 sys_timer_gettime      286 sys_add_key
212 sys_chown             237 sys_fremovexattr        262 sys_timer_getoverrun   287 sys_request_key
213 sys_setuid            238 sys_tkill               263 sys_timer_delete       288 sys_keyctl
214 sys_setgid            239 sys_sendfile64          264 sys_clock_settime      289 sys_ioprio_set
215 sys_setfsuid          240 sys_futex               265 sys_clock_gettime      290 sys_ioprio_get
216 sys_setfsgid          241 sys_sched_setaffinity   266 sys_clock_getres       291 sys_inotify_init
217 sys_pivot_root        242 sys_sched_getaffinity   267 sys_clock_nanosleep    292 sys_inotify_add_watch
218 sys_mincore           243 sys_set_thread_area     268 sys_statfs64           293 sys_inotify_rm_watch
219 sys_madvise           244 sys_get_thread_area     269 sys_fstatfs64
220 sys_getdents64        245 sys_io_setup            270 sys_tgkill
221 sys_fcntl64           246 sys_io_destroy          271 sys_utimes
222 sys_ni_syscall        247 sys_io_getevents        272 sys_fadvise64_64
223 sys_ni_syscall        248 sys_io_submit           273 sys_ni_syscall
224 sys_gettid            249 sys_io_cancel           274 sys_mbind
• 25. How to make a Perl-regex-based JIT x86 Compiler
• 26. 0x90 = nop (no operation)

    #!/usr/bin/perl
    use DynaLoader;
    my $x86 = "\x90\x90\x90";
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % perl int3jit.pl
    zsh: segmentation fault  perl int3jit.pl
• 27. 0xc3 = ret (return)

    #!/usr/bin/perl
    use DynaLoader;
    my $x86 = "\x90\x90\xc3";
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % perl int3jit.pl
    ok
• 28. Perl regex x86 JIT compiler (INT 3)

    #!/usr/bin/perl
    use DynaLoader;
    my $x86 = "\xcd\x03\x90";
    $SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % env PERL_SIGNALS=unsafe perl int3jit.pl
    zsh: segmentation fault  perl int3jit.pl
• 29. $SIG{TRAP} = sub {…};

    #!/usr/bin/perl
    use DynaLoader;
    my $x86 = "\xcd\x03\x90";
    $SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % env PERL_SIGNALS=unsafe perl int3jit.pl
    JIT at int3jit.pl line 4.
    ok
• 30. $ENV{PERL_SIGNALS} = "unsafe";

    #!/usr/bin/perl
    use DynaLoader;
    $ENV{PERL_SIGNALS} || ($ENV{PERL_SIGNALS} = "unsafe", exec $^X, $0, @ARGV);
    my $x86 = "\xcd\x03\x90";
    $SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % perl int3jit.pl
    JIT at int3jit.pl line 4.
    ok
• 31. Perl regex x86 JIT compiler (INT 3 == 0xcc)

    #!/usr/bin/perl
    use DynaLoader;
    $ENV{PERL_SIGNALS} || ($ENV{PERL_SIGNALS} = "unsafe", exec $^X, $0, @ARGV);
    my $x86 = "\xcc\x90";
    $SIG{TRAP} = sub { $x86 =~ s/\x90/\xc3/; warn "JIT" };
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % perl int3jit.pl
    JIT at int3jit.pl line 4.
    ok
• 32. INT 3 doesn't work on Windows systems.
• 33. UD2 (x86 official undefined instruction) => $SIG{ILL}

    #!/usr/bin/perl
    use DynaLoader;
    $ENV{PERL_SIGNALS} || ($ENV{PERL_SIGNALS} = "unsafe", exec $^X, $0, @ARGV);
    my $x86 = "\x0f\x0b";
    $SIG{ILL} = sub { $x86 =~ s/\x0f\x0b/\xc3\x90/; warn "JIT" };
    DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
    &X;
    print "ok\n";

    % perl ud2jit.pl
    JIT at ud2jit.pl line 4.
    ok
• 34. 64bit OS — use x86_64;
• 35. Hello, Linux/x86_64 world!

    #!/usr/bin/perl
    use DynaLoader;
    my $s = ""
      . "\x48\xb8" . ("12345678")          # mov $0x3837363534333231, %rax
      . "\x50"                              # push %rax
      . "\x48\x89\xe6"                      # mov %rsp, %rsi
      . "\x48\xc7\xc7\x01\x00\x00\x00"      # mov $0x1, %rdi
      . "\x48\xc7\xc2\x08\x00\x00\x00"      # mov $0x8, %rdx
      . "\x48\xc7\xc0\x01\x00\x00\x00"      # mov $0x1, %rax
      . "\x0f\x05"                          # syscall
      . "\x58"                              # pop %rax
      . "\xc3"                              # ret
      ;
    DynaLoader::dl_install_xsub("X", unpack("L", pack("P*", $s)));
    &X();
    print "ok\n";

    % perl x86_64.pl
    12345678ok
• 36. syscall (AMD64 ABI)

    #!/usr/bin/perl
    use DynaLoader;
    my $x = ""
      . "\x48\xb8" . "Hello64!"             # mov 'Hello64!', %rax
      . "\x50"                              # push %rax
      . "\x48\x89\xe6"                      # mov %rsp, %rsi
      . "\x48\xc7\xc7\x01\x00\x00\x00"      # mov $0x1, %rdi
      . "\x48\xc7\xc2\x08\x00\x00\x00"      # mov $0x8, %rdx
      . "\x48\xc7\xc0\x01\x00\x00\x00"      # mov $0x1, %rax
      . "\x0f\x05"                          # syscall
      . "\x48\x89\xf8"                      # mov %rdi, %rax
      . "\x0f\x05"                          # syscall
      . "\x58"                              # pop %rax
      . "\xc3"                              # ret
      ;
    DynaLoader::dl_install_xsub("X", unpack("L", pack("P*", $x)));
    X();
    print "ok\n";

    % perl x86_64.pl
    Hello64!Hello64!ok
• 37. CPUID (get your CPU processor name)

    #!/usr/bin/perl
    use DynaLoader;
    sub ProcessorBrandString {
        my $cpu = "\0" x 48;
        my $x86 = ""
          . "S\xbf" . pack("P", $cpu)
          . "\xb8\x02\x00\x00\x80"
          . ("P\x0f\xa2\x89\x07\x89_\x04\x89O\x08\x89W\x0c\x8d\x7f\x10X\x8d\@\x01" x 3)
          . "[\xc3";
        DynaLoader::dl_install_xsub("X", unpack "L", pack "P", $x86);
        &X;
        $cpu =~ s/\0+//g;
        $cpu =~ s/^ +//;
        $cpu;
    }
    print ProcessorBrandString, "\n";

    % perl cpuid.pl
    AMD Opteron(tm) Processor 240 EE
• 38. $> perl ./cpuid.pl

    1. Windows XP (32bit) - DELL          : Intel(R) Pentium(R) 4 CPU 3.40GHz
    2. CentOS 5.2 (i386) - wafful.org     : Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
    3. CentOS 4.4 (x86_64) - Linux/AMD64  : AMD Opteron(tm) Processor 240 EE
    4. FreeBSD (i386) + jail              : Intel(R) Pentium(R) 4 CPU 3.20GHz
• 39. CPUID (eax = 0x80000002)

    -----------------------------------------------
    00000000  53                push ebx
    00000001  BFxxxxxxxx        mov edi, 0xXXXXXXXX
    00000006  B802000080        mov eax, 0x80000002
    -----------------------------------------------
    0000000B  50                push eax
    0000000C  0FA2              cpuid
    0000000E  8907              mov [edi], eax
    00000010  895F04            mov [edi+0x4], ebx
    00000013  894F08            mov [edi+0x8], ecx
    00000016  89570C            mov [edi+0xc], edx
    00000019  8D7F10            lea edi, [edi+0x10]
    0000001C  58                pop eax
    0000001D  8D4001            lea eax, [eax+0x1]
    ----------------- 3回繰り返し -----------------
    0000004A  5B                pop ebx
    0000004B  C3                ret
    -----------------------------------------------
• 40. Inline/x86.pm

    package Inline::x86;
    use DynaLoader ();
    use Exporter;
    our @ISA = qw(Exporter);
    our @EXPORT = qw(x86_sub);

    sub x86_sub {
        my ($func, $x86) = @_;
        if ($^O eq "linux") {
            require 'syscall.ph';
            my $size = int(2 + length($x86) / 4096) * 4096;
            syscall(&SYS_mprotect, (unpack "L", pack "P", $x86) & ~4095, $size, 7);
        }
        DynaLoader::dl_install_xsub(caller(0) . "::$func", unpack "L", pack "P", $x86);
    }

    use Inline::x86;
    x86_sub function1 => do { "\x90\x90\x90\xc3" };
• 41. man 2 mprotect

    MPROTECT(2)            Linux Programmer's Manual            MPROTECT(2)

    NAME
           mprotect - control allowable accesses to a region of memory

    SYNOPSIS
           #include <sys/mman.h>

           int mprotect(const void *addr, size_t len, int prot);

    DESCRIPTION
           The function mprotect() specifies the desired protection for the
           memory page(s) containing part or all of the interval
           [addr, addr+len-1]. If an access is disallowed by the protection
           given it, the program receives a SIGSEGV.

           prot is a bitwise-or of the following values:

           PROT_NONE   The memory cannot be accessed at all.
           PROT_READ   The memory can be read.
           PROT_WRITE  The memory can be written to.
           PROT_EXEC   The memory can contain executing code.

           The new protection replaces any existing protection. For example,
           if the memory had previously been marked PROT_READ, and mprotect()
           is then called with prot PROT_WRITE, it will no longer be readable.

    RETURN VALUE
           On success, mprotect() returns zero. On error, -1 is returned, and
           errno is set appropriately.
• 42. use Inline::x86 qw(x86_sub);

    use Inline::x86;
    x86_sub("function1", "\x90\x90\x90\xc3");
    x86_sub "function2", qq|\x90\x90\x90\xc3|;
    x86_sub function3 => qq{\x90\x90\x90\xc3};
    x86_sub function4 => do { "\x90\x90\x90\xc3"; };
    x86_sub function5 => do {
        "\x90\x90\x90" .   # nop x3
        "\xc3";            # ret
    };
• 43. Debug Hacks #66: how to check 64bit mode

    use Inline::x86;
    x86_sub check_x86_64 => do {
        use vars qw($x86_64);              # OUTPUT: $x86_64
        BEGIN { $x86_64 = "?" }            # "0" => 32bit, "1" => 64bit
        "\xb8\x31\x00\x00\x00" .           # mov eax, 0x31
        "\x48" .                           # dec eax   // 64bit REX PREFIX
        "\xa2" . pack("P", $x86_64) .      # mov [$x86_64], al
        "\xc3";                            # ret
    };
    check_x86_64();
    warn $x86_64;                          # "0" => 32bit, "1" => 64bit
• 44. sub parse_objdump {…}

    my ($callback, $objdump) = @_;
    my ($baseaddr, $mangled);
    my $ret = "";
    foreach my $line (split /\n/, $objdump) {
        next if ($line =~ /^\s*$/);
        next if ($line =~ /^\s*;/);
        next if ($line =~ /^\s*\.+s*$/);
        if ($line =~ /^\s*0*([0-9a-fA-F]*)\s*<(.*)>:/) {
            $baseaddr = $1;
            $mangled  = $2;
            next;
        }
        if ($line =~ /^\s*0*(.*?):\s+((?:[0-9a-fA-F]{2}\s)+)(\s*)(.*)$/) {
            my ($addr, $bin, $space, $asm) = ($1, $2, $3, $4);
            my $db = join(", ", map { "0x$_" } split /\s+/, $bin);
            (my $h = $bin) =~ s/\s//g;
            my $x = quote pack "H*", $h;
            $ret .= $callback->($addr, $bin, $space, $asm, $db, $x, $baseaddr, $mangled);
        } else {
            print STDERR "ERROR: $line\n";
        }
    }
    return $ret;
• 45. no Perl; use x86;