# Assembly Language Patterns: A Beginner's Guide to Program Behavior

Ever looked at assembly code and thought it looked like ancient hieroglyphics? Don't worry - you're not alone! While assembly language might seem intimidating at first, it's actually telling us exactly what a program is doing... if you know how to read the signs.

Think of it like learning to read sheet music - at first it's just dots and lines, but once you understand the patterns, you can "hear" the music just by looking at it.

## Before We Dive In...

If you're new to this, you might want to check out [[CPU Registers Building Blocks]] and [[Register Operations in Assembly]] first. They'll give you the foundation you need to really get the most out of this guide.

## What's Assembly Language Anyway?

Assembly language is like the CPU's native tongue - it's the lowest level of programming that's still readable by humans (well, mostly readable!). Each assembly instruction maps directly onto a machine instruction your CPU can execute. It's like having a direct conversation with your computer's brain.

### A Quick Note About Endianness

Before we jump into the deep end, let's talk about something that often trips up newcomers - endianness. Specifically, we're dealing with little-endian on x86 systems.

Think about how you write numbers: 123 means "one hundred and twenty-three" because we read left to right. But in little-endian systems, it's like reading from right to left! So if you see the number 0x12345678 in memory, it's actually stored as 78 56 34 12, lowest address first. This matters every time you read a multi-byte value straight out of a hex dump: the immediate or address baked into an instruction appears byte-reversed compared to how the disassembler prints it.

> [!tip]
> Think of it like stacking pancakes - the first one you put down (78) ends up at the bottom of the memory "plate", even though it's the least significant part of the number!

## Common Patterns to Watch For

Just like how certain chord progressions pop up in lots of songs, certain patterns appear frequently in assembly code.
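Here is the endianness rule in working C, as an added example rather than code from the original page: a 32-bit value is written out and read back byte by byte, and the same decoder pulls the 0x30 displacement out of the encoded bytes of `mov eax, fs:[30h]` (on x86 that instruction encodes as `64 A1 30 00 00 00`), the instruction this page uses later for PEB walking. The instruction bytes are a constructed sample; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a 32-bit value into 4 bytes in little-endian order: the least
 * significant byte goes to the lowest address, so 0x12345678 becomes
 * 78 56 34 12. */
void le32_write(uint8_t out[4], uint32_t value) {
    out[0] = (uint8_t)(value & 0xFFu);
    out[1] = (uint8_t)((value >> 8) & 0xFFu);
    out[2] = (uint8_t)((value >> 16) & 0xFFu);
    out[3] = (uint8_t)((value >> 24) & 0xFFu);
}

/* Read 4 little-endian bytes back into a 32-bit value. Shifts rather than a
 * pointer cast, so the answer is the same on any host and there are no
 * alignment or strict-aliasing problems. */
uint32_t le32_read(const uint8_t in[4]) {
    return (uint32_t)in[0]
         | ((uint32_t)in[1] << 8)
         | ((uint32_t)in[2] << 16)
         | ((uint32_t)in[3] << 24);
}

/* Byte i (0 = lowest address) of value's little-endian encoding. */
uint8_t le32_byte(uint32_t value, int i) {
    uint8_t buf[4];
    le32_write(buf, value);
    return buf[i];
}

/* 1 if writing then reading the value gives it back unchanged. */
int le32_roundtrip_ok(uint32_t value) {
    uint8_t buf[4];
    le32_write(buf, value);
    return le32_read(buf) == value;
}

/* Does the machine running this store integers little-endian? Store a
 * known value and look at whichever byte sits at the lowest address. */
int host_is_little_endian(void) {
    uint32_t probe = 0x01020304u;
    uint8_t lowest;
    memcpy(&lowest, &probe, 1);
    return lowest == 0x04;
}

/* Constructed sample: the x86 encoding of `mov eax, fs:[30h]`. The last
 * four bytes are the 32-bit displacement 0x00000030, stored little-endian. */
static const uint8_t MOV_EAX_FS30[6] = {0x64, 0xA1, 0x30, 0x00, 0x00, 0x00};

/* Decode the displacement field of that instruction (bytes 2..5). */
uint32_t fs30_displacement(void) {
    return le32_read(MOV_EAX_FS30 + 2);
}

int main(void) {
    uint8_t bytes[4];
    le32_write(bytes, 0x12345678u);
    printf("0x12345678 in memory: %02X %02X %02X %02X\n",
           bytes[0], bytes[1], bytes[2], bytes[3]);
    printf("read back: 0x%08X\n", le32_read(bytes));
    printf("displacement in mov eax, fs:[30h]: 0x%X\n", fs30_displacement());
    printf("this host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

The shift-based decoder is the one to keep: casting a byte pointer to `uint32_t*` happens to work on x86 but silently gives the wrong answer on a big-endian host and is undefined behaviour on unaligned input.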
Let's look at some of the greatest hits:

### The Building Blocks: Segments

Assembly code is organised into sections (often still called segments), kind of like chapters in a book:

```nasm
section .text    ; Where the actual code lives
section .data    ; Where initialised variables hang out
section .bss     ; Where uninitialised variables go
section .rodata  ; Where read-only data lives (like text strings)
```

### The Workers: Registers

Think of registers as the CPU's workbench - they're where all the actual work happens. Different registers have different specialities:

| Register | Nickname | What it's good at |
|----------|----------|-------------------|
| EAX | The Calculator | Math operations and returning function results |
| ECX | The Counter | Keeping track of loops (think "C" for Counter) |
| ESP | The Stack Pointer | Pointing at the top of the stack, which moves with every push, pop and call |
| EIP | The Instruction Pointer | Remembering what to do next: it holds the address of the next instruction (like your finger following a recipe) |

> [!note]
> These are just some examples - check out [[CPU Registers Building Blocks]] for the full family reunion of registers!

### Function Prologues: The Welcome Mat

Most functions start with a few housekeeping instructions. It's like when you visit someone's house and they tell you where to put your shoes and coat:

```nasm
push ebp        ; Save the old base pointer (like remembering where you came from)
mov ebp, esp    ; Set up new base pointer (make yourself at home)
sub esp, X      ; Make room for local variables (clear some space for your stuff)
```

Here X is the number of bytes of local storage the function needs, so `sub esp, 20h` reserves 32 bytes. That number is worth noting: it tells you how much room the locals (including any stack buffers) have, which is exactly what you want to know when hunting for overflows. Don't panic if a function skips the prologue: optimising compilers often omit the frame pointer and address locals relative to ESP instead.

### String Operations: The Assembly Line Workers

Assembly has some really efficient ways to handle strings.
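Before the instructions themselves, here is an added C model (not code from the original page) of what `rep movsb` and `rep stosb` actually do per byte, and what the direction flag changes. It goes a step beyond the snippet by showing the case where DF matters: copying between overlapping regions, where walking upward corrupts the data and walking downward preserves it. The `struct cpu` layout and the 8-byte sample buffers are my own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The state the string instructions read and write: ESI (source pointer),
 * EDI (destination pointer), ECX (count), AL (fill byte) and DF. */
struct cpu {
    uint8_t *esi;
    uint8_t *edi;
    size_t   ecx;
    uint8_t  al;
    int      df;   /* 0 after CLD: pointers go up; 1 after STD: pointers go down */
};

/* After each byte the CPU moves the pointer by +1 (DF=0) or -1 (DF=1). */
static void advance(uint8_t **p, int df) { *p += df ? -1 : 1; }

/* rep movsb: while ECX != 0, copy one byte from [ESI] to [EDI], advance both
 * pointers according to DF, decrement ECX. */
void rep_movsb(struct cpu *c) {
    while (c->ecx != 0) {
        *c->edi = *c->esi;
        advance(&c->esi, c->df);
        advance(&c->edi, c->df);
        c->ecx--;
    }
}

/* rep stosb: while ECX != 0, store AL at [EDI], advance EDI, decrement ECX. */
void rep_stosb(struct cpu *c) {
    while (c->ecx != 0) {
        *c->edi = c->al;
        advance(&c->edi, c->df);
        c->ecx--;
    }
}

/* "cld; rep movsb" over an overlapping region (copy 4 bytes from offset 0 to
 * offset 2). Walking upward reads source bytes that have already been
 * overwritten, the classic memcpy-on-overlap corruption. */
const char *demo_copy_up(void) {
    static uint8_t buf[9];
    memcpy(buf, "ABCDEFGH", 9);                   /* constructed sample */
    struct cpu c = { buf + 0, buf + 2, 4, 0, 0 }; /* esi, edi, ecx, al, df=0 */
    rep_movsb(&c);
    return (const char *)buf;
}

/* "std; rep movsb" for the same move: point ESI/EDI at the LAST byte of each
 * region and walk down, which is how memmove-style code handles dst > src. */
const char *demo_copy_down(void) {
    static uint8_t buf[9];
    memcpy(buf, "ABCDEFGH", 9);                   /* constructed sample */
    struct cpu c = { buf + 0 + 3, buf + 2 + 3, 4, 0, 1 }; /* df=1 */
    rep_movsb(&c);
    return (const char *)buf;
}

/* "xor eax, eax; cld; rep stosb": zero a block, e.g. a fresh stack buffer.
 * Returns 1 if every byte of the constructed sample was cleared. */
int demo_zero_fill(void) {
    uint8_t buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct cpu c = { NULL, buf, sizeof buf, 0x00, 0 };
    rep_stosb(&c);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    printf("cld copy (corrupts overlap): %s\n", demo_copy_up());
    printf("std copy (preserves it):     %s\n", demo_copy_down());
    printf("stosb zero fill ok: %d\n", demo_zero_fill());
    return 0;
}
```

This is also why you will see a `cld` at the top of so many functions: DF is global state, and a caller that left it set would make every later forward copy run backwards.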
It's like having specialised tools instead of trying to do everything with a Swiss Army knife:

```nasm
cld             ; Clear direction flag (walk from low addresses to high)
rep movsb       ; Copy ECX bytes from [ESI] to [EDI]
rep stosb       ; Fill ECX bytes at [EDI] with the value in AL
```

> [!tip]
> The Direction Flag (DF) controls whether string operations increment (CLD = Clear Direction) or decrement (STD = Set Direction) their pointers after each operation. When cleared with CLD:
>
> - ESI/EDI will increase after each operation (move toward higher addresses)
> - Think of it as moving forward through memory
>
> This has nothing to do with the operand order of the assembly syntax (Intel syntax puts the destination first, as in `mov eax, ebx`); DF only affects how the string instructions walk through memory.

## Malware's Greatest Hits: Common Patterns in Malicious Code

Now here's where things get interesting! Malware authors often use certain patterns that can help us spot them:

### API Resolution on the Fly

Instead of importing functions normally (which puts their names in the import table, where they're easy to spot), malware often looks them up at runtime:

```nasm
; Simplified example of finding kernel32.dll (32-bit process)
mov eax, fs:[30h]       ; Get the PEB (FS points at the TEB; TEB+30h holds the PEB pointer)
mov eax, [eax + 0Ch]    ; PEB.Ldr, a pointer to PEB_LDR_DATA
mov eax, [eax + 14h]    ; PEB_LDR_DATA.InMemoryOrderModuleList (the list head's Flink)
```

Just seeing `mov eax, [eax + 14h]` alone doesn't mean it's accessing InMemoryOrderModuleList! This offset:

- Could be accessing any structure member
- Might be completely unrelated to PEB walking
- Could even be coincidental math

Always look at the full context and instruction sequence to confirm PEB walking patterns: the `fs:[30h]` load followed by the `0Ch` and `14h` dereferences is the tell, not any one of them on its own. (In a 64-bit process the same walk reads `gs:[60h]`, then `[rax + 18h]`, then `[rax + 20h]`.) To read more about PEB walking dive into [[Advanced Register Techniques]].

> [!warning]
> If you see code walking through memory structures like this, especially looking for DLLs or functions, it might be trying to hide its intentions!

### Self-Modifying Code: The Shape-Shifter

Some malware can change its own code while running - pretty sneaky...
Look for code that writes to its own memory sections:

```nasm
; Example of self-modifying code
mov byte [some_address], 90h    ; Overwrite an instruction with NOP
```

For that write to succeed the code page has to be writable, which a normal `.text` section isn't. So a second tell is a `VirtualProtect` call (or a PE section flagged both writable and executable) shortly before the write.

## Tools of the Trade

When you're analysing assembly patterns, you'll want some good tools in your toolkit:

1. **Disassemblers** (like IDA Pro or Ghidra; debuggers such as x64dbg have one built in)
   - These turn raw machine code back into readable assembly
   - They can identify common patterns and functions
2. **Debuggers**
   - Let you watch code execute step by step
   - Great for understanding what tricky code is actually doing
3. **Pattern Matching Tools**
   - YARA rules for finding specific patterns
   - Signature-based detection tools

## Want to Learn More?

Check out these related articles for more insights:

- [[Windows API Basics]] - See how programs interact with Windows
- [[PE File Format Foundations]] - Understand how programs are structured
- [[Advanced Register Techniques]] - Dive deeper into register usage
- [[Azure Malware Lab Design]] - Set up a safe environment for analysis

Remember, reading assembly is a skill that improves with practice. Don't get discouraged if it seems overwhelming at first - even the most complex patterns become familiar with time!
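To make the "look at the full context" advice from the API Resolution section concrete, here is an added C example (not code from the original page) of the kind of logic a YARA rule or a scanner plugin would use. It flags a PEB walk only when the `fs:[30h]` load, the `+0Ch` load and the `+14h` load all appear, in that order, within a short window, and it separately counts bare `[eax+14h]` loads so you can see the false positive the text warns about. The two byte strings are constructed samples, and the 32-byte window is an assumption chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit encodings of the three loads from the PEB-walk snippet:
 *   64 A1 30 00 00 00   mov eax, fs:[30h]     (PEB)
 *   8B 40 0C            mov eax, [eax+0Ch]    (PEB.Ldr)
 *   8B 40 14            mov eax, [eax+14h]    (Ldr.InMemoryOrderModuleList) */
static const uint8_t PEB_LOAD[]  = {0x64, 0xA1, 0x30, 0x00, 0x00, 0x00};
static const uint8_t LDR_LOAD[]  = {0x8B, 0x40, 0x0C};
static const uint8_t LIST_LOAD[] = {0x8B, 0x40, 0x14};

/* How many bytes of filler (NOPs, junk instructions) may sit between the
 * loads and still count as one chain. Assumption made for this example. */
#define MAX_GAP 32

/* 1 if `pat` occurs at exactly buf[pos]. */
static int match_at(const uint8_t *buf, size_t len, size_t pos,
                    const uint8_t *pat, size_t plen) {
    return pos + plen <= len && memcmp(buf + pos, pat, plen) == 0;
}

/* Offset of `pat` in buf[from .. from+window), or -1 if absent. */
static long find_within(const uint8_t *buf, size_t len, size_t from, size_t window,
                        const uint8_t *pat, size_t plen) {
    for (size_t i = from; i < len && i < from + window; i++)
        if (match_at(buf, len, i, pat, plen)) return (long)i;
    return -1;
}

/* Offset of the first complete PEB -> Ldr -> InMemoryOrderModuleList chain,
 * or -1. The chain must START with the fs:[30h] load and the two
 * dereferences must follow in order; a lone [eax+14h] never matches. */
long find_peb_walk(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + sizeof PEB_LOAD <= len; i++) {
        if (!match_at(buf, len, i, PEB_LOAD, sizeof PEB_LOAD)) continue;
        long ldr = find_within(buf, len, i + sizeof PEB_LOAD, MAX_GAP,
                               LDR_LOAD, sizeof LDR_LOAD);
        if (ldr < 0) continue;
        long lst = find_within(buf, len, (size_t)ldr + sizeof LDR_LOAD, MAX_GAP,
                               LIST_LOAD, sizeof LIST_LOAD);
        if (lst < 0) continue;
        return (long)i;
    }
    return -1;
}

/* How many bare "mov eax, [eax+14h]" loads there are, context ignored. This
 * is the naive signature the page warns against relying on. */
size_t count_bare_list_load(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i + sizeof LIST_LOAD <= len; i++)
        if (match_at(buf, len, i, LIST_LOAD, sizeof LIST_LOAD)) n++;
    return n;
}

/* Constructed sample 1: a real walk with filler between the loads. */
static const uint8_t SAMPLE_WALK[] = {
    0x90,                               /* nop */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, /* mov eax, fs:[30h] */
    0x90, 0x90,                         /* nop; nop */
    0x8B, 0x40, 0x0C,                   /* mov eax, [eax+0Ch] */
    0x33, 0xC9,                         /* xor ecx, ecx */
    0x8B, 0x40, 0x14,                   /* mov eax, [eax+14h] */
    0xC3                                /* ret */
};

/* Constructed sample 2: ordinary struct access that happens to use +14h. */
static const uint8_t SAMPLE_BENIGN[] = {
    0x8B, 0x45, 0x08,                   /* mov eax, [ebp+8] */
    0x8B, 0x40, 0x14,                   /* mov eax, [eax+14h] */
    0xC3                                /* ret */
};

int main(void) {
    printf("walk sample:   chain at offset %ld, bare [eax+14h] loads: %zu\n",
           find_peb_walk(SAMPLE_WALK, sizeof SAMPLE_WALK),
           count_bare_list_load(SAMPLE_WALK, sizeof SAMPLE_WALK));
    printf("benign sample: chain at offset %ld, bare [eax+14h] loads: %zu\n",
           find_peb_walk(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN),
           count_bare_list_load(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    return 0;
}
```

The bare count is 1 for both samples, the chain search fires only on the first: that gap is the whole point. The caveat cuts the other way too: this matcher only knows the `eax`-based encodings, so a walk that uses a different register (different ModRM bytes), loads the PEB via `fs:[ecx+30h]` with ECX zeroed, or computes the offsets arithmetically will slip past it. That is the usual trade-off with byte signatures, and why a debugger trace or emulation is the stronger confirmation.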