ISBN-13: 9781119745303 / English / Paperback / 2023 / 600 pp.
Introduction xxi

Part I Arm Assembly Internals 1

Chapter 1 Introduction to Reverse Engineering 3
    Introduction to Assembly 3
    Bits and Bytes 3
    Character Encoding 5
    Machine Code and Assembly 6
    Assembling 9
    Cross-Assemblers 13
    High-Level Languages 15
    Disassembling 16
    Decompilation 17

Chapter 2 ELF File Format Internals 21
    Program Structure 21
    High-Level vs. Low-Level Languages 22
    The Compilation Process 24
    Cross-Compiling for Other Architectures 25
    Assembling and Linking 27
    The ELF File Overview 30
    The ELF File Header 31
    The ELF File Header Information Fields 32
    The Target Platform Fields 33
    The Entry Point Field 34
    The Table Location Fields 34
    ELF Program Headers 34
    The PHDR Program Header 36
    The INTERP Program Header 36
    The LOAD Program Headers 36
    The DYNAMIC Program Header 37
    The NOTE Program Header 37
    The TLS Program Header 38
    The GNU_EH_FRAME Program Header 38
    The GNU_STACK Program Header 39
    The GNU_RELRO Program Header 41
    ELF Section Headers 43
    The ELF Meta-Sections 45
    The String Table Section 46
    The Symbol Table Section 46
    The Main ELF Sections 46
    The .text Section 47
    The .data Section 47
    The .bss Section 47
    The .rodata Section 47
    The .tdata and .tbss Sections 48
    Symbols 48
    Global vs. Local Symbols 50
    Weak Symbols 50
    Symbol Versions 51
    Mapping Symbols 51
    The Dynamic Section and Dynamic Loading 52
    Dependency Loading (NEEDED) 53
    Program Relocations 54
    Static Relocations 55
    Dynamic Relocations 56
    The Global Offset Table (GOT) 57
    The Procedure Linkage Table (PLT) 57
    The ELF Program Initialization and Termination Sections 58
    Initialization and Termination Order 60
    Thread-Local Storage 60
    The Local-Exec TLS Access Model 65
    The Initial-Exec TLS Access Model 65
    The General-Dynamic TLS Access Model 66
    The Local-Dynamic TLS Access Model 67

Chapter 3 OS Fundamentals 69
    OS Architecture Overview 69
    User Mode vs. Kernel Mode 70
    Processes 70
    System Calls 72
    Objects and Handles 77
    Threads 79
    Process Memory Management 80
    Memory Pages 82
    Memory Protections 82
    Anonymous and Memory-Mapped Memory 84
    Memory-Mapped Files and Modules 84
    Address Space Layout Randomization 87
    Stack Implementations 90
    Shared Memory 91

Chapter 4 The Arm Architecture 93
    Architectures and Profiles 93
    The Armv8-A Architecture 95
    Exception Levels 96
    Armv8-A TrustZone Extension 97
    Exception Level Changes 99
    Armv8-A Execution States 101
    The AArch64 Execution State 102
    The A64 Instruction Set 103
    AArch64 Registers 104
    The Program Counter 106
    The Stack Pointer 107
    The Zero Register 107
    The Link Register 108
    The Frame Pointer 109
    The Platform Register (x18) 109
    The Intraprocedural Call Registers 110
    SIMD and Floating-Point Registers 110
    System Registers 111
    PSTATE 112
    The AArch32 Execution State 114
    A32 and T32 Instruction Sets 114
    The A32 Instruction Set 114
    The T32 Instruction Set 115
    Switching Between Instruction Sets 115
    AArch32 Registers 118
    The Program Counter 119
    The Stack Pointer 120
    The Frame Pointer 120
    The Link Register 121
    The Intraprocedural Call Register (IP, r12) 121
    The Current Program Status Register 121
    The Application Program Status Register 122
    The Execution State Registers 124
    The Instruction Set State Register 124
    The IT Block State Register (ITSTATE) 125
    Endianness State 126
    Mode and Exception Mask Bits 126

Chapter 5 Data Processing Instructions 129
    Shift and Rotate Operations 131
    Logical Shift Left 132
    Logical Shift Right 133
    Arithmetic Shift Right 133
    Rotate Right 134
    Rotate Right with Extend 134
    Instruction Forms 135
    Shift by a Constant Immediate Form 136
    Shift by Register Form 138
    Bitfield Manipulation Operations 140
    Bitfield Move 141
    Sign- and Zero-Extend Operations 145
    Bitfield Extract and Insert 150
    Logical Operations 153
    Bitwise AND 153
    The TST Instruction 154
    Bitwise Bit Clear 155
    Bitwise OR 155
    Bitwise OR NOT 156
    Bitwise Exclusive OR 158
    The TEQ Instruction 158
    Exclusive OR NOT 159
    Arithmetic Operations 159
    Addition and Subtraction 159
    Reverse Subtract 161
    Compare 162
    CMP Instruction Operation Behavior 163
    Multiplication Operations 165
    Multiplications on A64 166
    Multiplications on A32/T32 167
    Least Significant Word Multiplications 169
    Most Significant Word Multiplications 171
    Halfword Multiplications 173
    Vector (Dual) Multiplications 176
    Long (64-Bit) Multiplications 179
    Division Operations 186
    Move Operations 187
    Move Constant Immediate 188
    Move Immediate and MOVT on A32/T32 188
    Move Immediate, MOVZ, and MOVK on A64 189
    Move Register 190
    Move with NOT 192

Chapter 6 Memory Access Instructions 195
    Instructions Overview 195
    Addressing Modes and Offset Forms 197
    Offset Addressing 200
    Constant Immediate Offset 201
    Register Offsets 207
    Pre-Indexed Mode 209
    Pre-Indexed Mode Example 210
    Post-Indexed Addressing 212
    Post-Indexed Addressing Example 213
    Literal (PC-Relative) Addressing 214
    Loading Constants 215
    Loading an Address into a Register 218
    Load and Store Instructions 222
    Load and Store Word or Doubleword 222
    Load and Store Halfword or Byte 224
    Example Using Load and Store 226
    Load and Store Multiple (A32) 228
    Example for STM and LDM 235
    A More Complicated Example Using STM and LDM 237
    Load and Store Pair (A64) 238

Chapter 7 Conditional Execution 243
    Conditional Execution Overview 243
    Conditional Codes 244
    The NZCV Condition Flags 245
    Signed vs. Unsigned Integer Overflows 246
    Condition Codes 248
    Conditional Instructions 249
    The If-Then (IT) Instruction in Thumb 250
    Flag-Setting Instructions 252
    The Instruction "S" Suffix 253
    The S Suffix on Add and Subtract Instructions 253
    The S Suffix on Logical Shift Instructions 256
    The S Suffix on Multiply Instructions 257
    The S Suffix on Other Instructions 257
    Test and Comparison Instructions 257
    Compare (CMP) 258
    Compare Negative (CMN) 260
    Test Bits (TST) 261
    Test Equality (TEQ) 264
    Conditional Select Instructions 265
    Conditional Comparison Instructions 268
    Boolean AND Conditionals Using CCMP 269
    Boolean OR Conditionals Using CCMP 272

Chapter 8 Control Flow 275
    Branch Instructions 275
    Conditional Branches and Loops 277
    Test and Compare Branches 281
    Table Branches (T32) 282
    Branch and Exchange 284
    Subroutine Branches 288
    Functions and Subroutines 290
    The Procedure Call Standard 291
    Volatile vs. Nonvolatile Registers 293
    Arguments and Return Values 293
    Passing Larger Values 295
    Leaf and Nonleaf Functions 298
    Leaf Functions 298
    Nonleaf Functions 299
    Prologue and Epilogue 299

Part II Reverse Engineering 305

Chapter 9 Arm Environments 307
    Arm Boards 308
    Emulation with QEMU 310
    QEMU User-Mode Emulation 310
    QEMU Full-System Emulation 314
    Firmware Emulation 315

Chapter 10 Static Analysis 321
    Static Analysis Tools 322
    Command-Line Tools 322
    Disassemblers and Decompilers 322
    Binary Ninja Cloud 323
    Call-By-Reference Example 328
    Control Flow Analysis 334
    Main Function 336
    Subroutine 336
    Converting to char 341
    if Statement 343
    Quotient Division 345
    for Loop 347
    Analyzing an Algorithm 349

Chapter 11 Dynamic Analysis 363
    Command-Line Debugging 364
    GDB Commands 365
    GDB Multiuser 366
    GDB Extension: GEF 368
    Installation 369
    Interface 370
    Useful GEF Commands 370
    Examine Memory 374
    Watch Memory Regions 376
    Vulnerability Analyzers 377
    checksec 379
    Radare2 381
    Debugging 382
    Remote Debugging 385
    Radare2 386
    IDA Pro 388
    Debugging a Memory Corruption 390
    Debugging a Process with GDB 398

Chapter 12 Reversing arm64 macOS Malware 405
    Background 406
    macOS arm64 Binaries 407
    macOS Hello World (arm64) 410
    Hunting for Malicious arm64 Binaries 413
    Analyzing arm64 Malware 419
    Anti-Analysis Techniques 420
    Anti-Debugging Logic (via ptrace) 421
    Anti-Debugging Logic (via sysctl) 425
    Anti-VM Logic (via SIP Status and the Detection of VM Artifacts) 429
    Conclusion 435

Index 437
MARIA MARKSTEDTER is the CEO and founder of Azeria Labs, offering high-quality training courses on Arm reverse engineering and exploitation. She has an extensive educational background, holding a Bachelor's degree in Corporate Security and a Master's degree in Enterprise Security, and has collaborated with Arm on exploit mitigation research. Maria's outstanding contributions to the cybersecurity industry have earned her a place on Forbes' "30 under 30" list for technology in Europe (2018) and the title of Forbes Person of the Year in Cybersecurity in 2020.
1997-2024 DolnySlask.com Internet Agency