Published by Reginald Welch. Modified over 9 years ago.
Slide 1: Charles University in Prague, Faculty of Mathematics and Physics
Principles of Computers, 17th Lecture
Pavel Ježek, Ph.D. (pavel.jezek@d3s.mff.cuni.cz, http://d3s.mff.cuni.cz/~jezek)
Slide 2: Selected Faults/Traps/Exceptions of the x86 ISA

All of the exceptions below are faults: the CPU pushes the IP of the faulting instruction itself (not of the next one), so the handler can repair the cause and return to re-execute it.

  CPU exception                   Interrupt vector
  Divide by zero (#DE)             0
  Invalid opcode (#UD)             6
  General Protection Fault (#GP)  13 ($0D)
  Page Fault (#PF)                14 ($0E)
  Alignment check (#AC)           17 ($11)
Slide 3: Kernel, shell and program call chain (no DLLs yet)

  kernel init
    call Exec('shell.exe')
      load shell.exe
      call shell.exe entrypoint
        ...
        repeat ... until key <> ENTER
        call Exec('P.EXE')
          load P.EXE
            load & relocate EXE image
          ...
          call P.EXE entrypoint
            ...
            main program of P.EXE
            ...
Slide 4: The same chain with DLLs

After loading and relocating the EXE image, Exec loads and relocates the DLL images the program depends on (A.DLL, B.DLL), calls each DLL's entrypoint, and only then P.EXE's entrypoint:

  kernel init
    call Exec('shell.exe')
      load shell.exe
      call shell.exe entrypoint
        ...
        repeat ... until key <> ENTER
        call Exec('P.EXE')
          load P.EXE
            load & relocate EXE image
            load & relocate DLL images (A.DLL, B.DLL)
          ...
          call A.DLL entrypoint
          call B.DLL entrypoint
          call P.EXE entrypoint
            ...
            main program of P.EXE
            ...

Slide 5: Dependency Walker (depends.exe) shows which DLLs an EXE imports.

Slide 6: Process Explorer (www.sysinternals.com) shows which DLLs a running process has actually loaded.

Slide 7: Really Dynamic DLL Loading Example
Slides 8-13: Lazy (demand) loading of A.DLL through page faults

Legend for the page maps: Non-present / Kernel (supervisor) / User Read-Only / User Read/Write. The examples use 1 kB pages: address 4000 lies in page 3, address 8200 in page 8.

Address space (top to bottom): kernel data (IVT, proc table, ..., page tbl), kernel code, stack, guard page, free pages, then A.DLL's image in the user area: A data in pages 6-8, A code in pages 1-5 (A's entrypoint is in page 1), and PT (the page table) below them.

Slide 8: the whole image is present. A's entrypoint calls a procedure at address 4000 (page 3) and reads a variable at address 8200 (page 8); both simply work.

Slide 9: the loader maps only the page containing the entrypoint (page 1, A code). The rest of the code (pages 2-5) and the data (pages 6-8) are recorded as belonging to A.DLL but left non-present ("guard" pages).

Slide 10: the call to address 4000 touches non-present page 3, so the CPU raises a page fault (vector 14) with the IP of the call instruction.

Slide 11: the page-fault handler recognises page 3 as part of A.DLL, loads that 1 kB from the file, marks the page present and returns; the call is re-executed and now succeeds. Pages 2, 4 and 5 stay guard pages.

Slide 12: the read at address 8200 touches non-present page 8: page fault again.

Slide 13: page 8 is loaded (A data); pages 6-7 remain guard pages until something touches them.

Page map after slide 13 (1 kB pages):

  page  contents               state
  9     free
  8     A data                 present, user read/write
  7     A data (guard)         non-present
  6     A data (guard)         non-present
  5     A code (guard)         non-present
  4     A code (guard)         non-present
  3     A code                 present, user read-only
  2     A code (guard)         non-present
  1     A code (entrypoint)    present, user read-only
  PT    page table             kernel only

Only pages that are actually used ever get loaded, and the program never notices: the fault is transparent because the faulting instruction is restarted. The same non-present-page trick is what turns a stack overflow (the guard page under the stack) into a trap instead of silent corruption of whatever lies below.
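The lazy loading of slides 8-13 reproduced in user space on Linux, as an added example that is not part of the lecture: the region is reserved non-present (PROT_NONE), so the first touch of every page delivers SIGSEGV together with the faulting address; the handler "loads" the page (mprotect plus fill) and returns, and the kernel re-executes the faulting instruction exactly as the hardware page fault restarts it. The page content (page index + 1 in every byte), the region size and the touch pattern are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One lazily populated region, like the "A code"/"A data" pages on the
 * slides: reserved as non-present, so the first touch of every page traps. */
static uint8_t *g_region;
static size_t g_region_len;
static size_t g_page;
static volatile sig_atomic_t g_faults;

static void on_page_fault(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    uintptr_t addr = (uintptr_t)si->si_addr;
    uintptr_t lo = (uintptr_t)g_region, hi = lo + g_region_len;
    if (addr < lo || addr >= hi) {
        /* Not one of our guard pages: a real crash. Fall back to the default
         * action instead of looping forever on the faulting instruction. */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    uint8_t *page = (uint8_t *)(addr & ~(uintptr_t)(g_page - 1));
    /* "Load" the page: make it present and fill it with its content
     * (constructed pattern: page index + 1 in every byte). */
    if (mprotect(page, g_page, PROT_READ | PROT_WRITE) != 0)
        _exit(2);
    memset(page, (int)((size_t)(page - g_region) / g_page) + 1, g_page);
    g_faults++;
    /* Returning re-executes the faulting load, now on a present page. */
}

struct lazy_result { int faults; int sum; };

/* Reserve npages, touch the pages listed in `touch`, and report how many
 * faults were taken and the sum of the bytes read. */
struct lazy_result lazy_region_demo(size_t npages, const size_t *touch, size_t ntouch)
{
    struct lazy_result r = { -1, 0 };
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    g_region_len = npages * g_page;
    g_region = mmap(NULL, g_region_len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_region == MAP_FAILED)
        return r;
    g_faults = 0;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_page_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) {
        munmap(g_region, g_region_len);
        return r;
    }

    int sum = 0;
    for (size_t i = 0; i < ntouch; i++) {
        if (touch[i] >= npages) continue;            /* stay inside the region */
        volatile uint8_t *p = g_region + touch[i] * g_page + 200;
        sum += *p;   /* first touch of a page faults; later touches do not */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(g_region, g_region_len);
    r.faults = (int)g_faults;
    r.sum = sum;
    return r;
}

/* Constructed pattern mirroring the slides: pages 3 and 8 are each touched
 * twice, page 0 once, in a 10-page region: 3 faults, bytes 4+9+4+9+1 = 27. */
struct lazy_result lazy_demo_default(void)
{
    static const size_t touch[] = { 3, 8, 3, 8, 0 };
    return lazy_region_demo(10, touch, sizeof touch / sizeof touch[0]);
}
```

The handler only repairs faults inside the reserved region; anything else is re-raised with the default action, which is the check a real page-fault handler does when it consults the process's page list before deciding whether the fault is a lazy load or a genuine access violation.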
Slide 14: Recap of the call chain of slide 4 (kernel init → Exec('shell.exe') → shell → Exec('P.EXE') → load & relocate the EXE and DLL images → A.DLL, B.DLL and P.EXE entrypoints → main program of P.EXE).
Slides 15-20: How the Exit syscall gets back into Exec

P.EXE's main program ends by calling the Exit syscall. Exit cleans up (releases the process's resources) and must then continue inside Exec, right after Exec's `call P.EXE entrypoint`; the rest of P.EXE's main program must never run ("never here").

  kernel init
    call Exec('shell.exe')
      load shell.exe
      call shell.exe entrypoint
        ...
        repeat ... until key <> ENTER
        call Exec('P.EXE')
          load P.EXE (load & relocate EXE image, load & relocate DLL images)
          call A.DLL entrypoint
          call B.DLL entrypoint
          call P.EXE entrypoint
            ...
            call Exit
              clean up (release resources)
              SP := SP + sizeof(Exit stack frame)   ; slide 18
              ret                                   ; lands in Exec, after its call
            ... (never here = rest of P.EXE main program)
          ret                                       ; Exec returns to the shell

Stack at the moment Exit is entered (slide 16; top of stack first):

  SP → return address Exit → P main
       Exit syscall arguments
       return address P main → Exec
       P.EXE's entrypoint arguments
       return address Exec → shell
       Exec syscall arguments
       return address shell → kernel init
       shell's entrypoint arguments

Slide 17: a plain `ret` at the end of Exit pops "return address Exit → P main", and P.EXE's main program simply continues, which is wrong.

Slides 18-20: Exit first discards its own frame, SP := SP + sizeof(Exit stack frame) (the return address and the Exit arguments), so that SP points at "return address P main → Exec" (slide 19); `ret` then pops that address and execution continues inside Exec, with SP at P.EXE's entrypoint arguments (slide 20), exactly as if P.EXE's entrypoint had returned normally.
Slides 21-26: Process table and the current PID

Exec gives the new program its own process identifier and makes it current while the program runs; on return it restores the caller's PID. Everything that belongs to a process lives in procTable[pid], and every syscall looks at procTable[currentPID]:

  call Exec('P.EXE')
    load P.EXE, load & relocate EXE and DLL images
    push currentPID                     ; remember the parent (the shell, PID 1)
    currentPID := AllocateNewPID        ; e.g. 2: context switch to PID 2
    call A.DLL entrypoint
    call B.DLL entrypoint
    call P.EXE entrypoint
      ...
      AllocMem                          ; pages are recorded for currentPID = 2
      call Exit
        clean up (release resources of currentPID)
        SP := SP + sizeof(Exit stack frame)
        ret                             ; back into Exec
      ... (never here = rest of P.EXE main program)
    pop currentPID                      ; context switch back to PID 1
    ret

(The shell's own AllocMem calls before the Exec were recorded for currentPID = 1.)

Per-process state kept in procTable[currentPID]:
1) Allocated memory (pages), so that Exit can release them.
2) Fault handlers: CPU fault → kernel interrupt handler → call procTable[currentPID].faultHandlers[faultID].
3) Open files, e.g. ReadFile(fileDesc, ...) reads from procTable[currentPID].fileDescTable[fileDesc]; a descriptor is only meaningful inside the process that owns it.
4) Current path, e.g. OpenFile(path, ...): if path starts with '/' or '\' then open file at (path) else open file at (procTable[currentPID].workingDir + path).
5) List of loaded DLLs.
Slide 27: Further Options: How to Take Advantage of Processes ...
Slides 28-35: Why Exit cannot use a fixed stack adjustment

Slide 28 adds what real frames contain: shell, Exec, P main and Exit each also have local & temporary variables below their arguments and return address. The distance from Exit's frame up to "return address P main → Exec" is therefore not a constant ("???" on the slide): it depends on the locals of whoever called Exit.

Slides 29-31 show the second problem. If P.EXE's main calls f1, f1 calls f2 and f2 calls Exit, the stack at Exit is:

  SP → return address Exit → f2
       Exit syscall arguments
       return address f2 → f1
       f2 function arguments
       return address f1 → P main
       f1 function arguments
       return address P main → Exec
       P.EXE's entrypoint arguments
       return address Exec → shell
       Exec syscall arguments
       return address shell → kernel init
       shell's entrypoint arguments

SP := SP + sizeof(Exit stack frame) followed by ret now pops "return address f2 → f1" (slide 30), so f1 simply continues executing (slide 31), which is wrong.

Slides 32-33, first attempt: Exec records the stack pointer before calling the program,

  push currentPID
  currentPID := AllocateNewPID
  procTable[currentPID].oldSP := SP
  call A.DLL entrypoint
  call B.DLL entrypoint
  call P.EXE entrypoint
  ...
  Exit: clean up (release resources); SP := procTable[currentPID].oldSP; ret

but the SP saved there is the value before `call P.EXE entrypoint` pushed its arguments and return address, so after the restore SP points at "return address Exec → shell" and ret leaves Exec altogether, skipping `pop currentPID` (slide 33).

Slides 34-35, the fix: save the value SP will have once the entrypoint's frame has been pushed,

  procTable[currentPID].oldSP := SP – sizeof(entrypoint's stack frame)

Exit's SP := procTable[currentPID].oldSP then points exactly at "return address P main → Exec" (slide 34), and ret continues in Exec with SP at P.EXE's entrypoint arguments (slide 35), no matter how deep the call chain was when Exit was invoked. Because the saved SP is per process, nested Execs (shell → P.EXE → another Exec) each unwind to their own Exec.
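The Exec/Exit unwinding of slides 28-35 written in C, added here and not the course's code: setjmp in Exec records the resume point that the slides keep in procTable[pid].oldSP, and Exit's longjmp is the "SP := oldSP; ret" step that discards every frame between Exit and Exec at once. The process table, the execution trace and the test program (main → f1 → f2 → Exit) are constructed for the demonstration.

```c
#include <setjmp.h>
#include <string.h>

#define MAX_PROCS 8

/* Toy process table with only the fields this demo needs. The jmp_buf plays
 * the role of oldSP = SP - sizeof(entrypoint's frame): it records where Exec
 * wants to resume, so Exit can unwind from any call depth. */
struct proc {
    int in_use;
    int exit_code;
    jmp_buf resume;        /* assumption: stands in for the slides' oldSP */
};
static struct proc procTable[MAX_PROCS];
static int currentPID = 0;             /* PID 0 = the caller (shell) */

/* Trace of what actually ran, to check that "never here" code was skipped. */
static char trace[128];
static void note(const char *s) { strncat(trace, s, sizeof trace - strlen(trace) - 1); }

static int AllocateNewPID(void)
{
    for (int i = 1; i < MAX_PROCS; i++)
        if (!procTable[i].in_use) { procTable[i].in_use = 1; return i; }
    return -1;
}

/* Exit syscall: release resources, then jump straight back into Exec.
 * A plain return would continue in the caller (f2), the bug of slide 17. */
void Exit(int code)
{
    note("Exit;");
    procTable[currentPID].exit_code = code;
    longjmp(procTable[currentPID].resume, 1);   /* SP := oldSP; "ret" into Exec */
}

/* Exec syscall: allocate a PID, remember the resume point, run the program,
 * and always execute its own epilogue (pop currentPID), as on slide 35. */
int Exec(void (*entrypoint)(void))
{
    int parentPID = currentPID;            /* push currentPID */
    int pid = AllocateNewPID();
    if (pid < 0) return -1;
    currentPID = pid;
    procTable[pid].exit_code = 0;
    if (setjmp(procTable[pid].resume) == 0) {
        note("Exec->entry;");
        entrypoint();                      /* call P.EXE entrypoint */
        note("entry-returned;");           /* only if the program never called Exit */
    } else {
        note("back-in-Exec;");             /* arrived here through Exit's longjmp */
    }
    int code = procTable[pid].exit_code;
    procTable[pid].in_use = 0;             /* clean up */
    currentPID = parentPID;                /* pop currentPID */
    return code;
}

/* Constructed program: main -> f1 -> f2 -> Exit(7), nested as on slide 29. */
static void f2(void)     { note("f2;");   Exit(7); note("rest-of-f2;"); }
static void f1(void)     { note("f1;");   f2();    note("rest-of-f1;"); }
static void p_main(void) { note("main;"); f1();    note("rest-of-main;"); }

/* Runs the program and returns its exit code; the trace records the path. */
int run_demo(void)
{
    trace[0] = '\0';
    return Exec(p_main);
}

const char *demo_trace(void)  { return trace; }
int demo_current_pid(void)    { return currentPID; }
```

Nothing after the Exit call in f2, f1 or main ever runs, yet Exec's own cleanup still does; that is precisely what the per-process oldSP buys over a fixed stack adjustment.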
Slides 36-40: Heaps and a second process

Slide 36: process A's address space: kernel data (IVT, proc table, ..., page tbl), kernel code, stack, guard page, free pages, A data, A code, PT.

Slide 37: A's Pascal runtime calls the AllocMem syscall (OS API); the kernel maps free pages into the address space as "A heap" and records them for currentPID.

Slide 38: A heap now sits above A data.

Slides 39-40: a second process B receives its own B code, B data and B heap pages. Everything is still in one address space, A's and B's pages side by side, so nothing stops B from addressing A's pages.

Slides 41-45: One page table per process (CPU x86/IA-32)

Kernel data now holds two page tables, A page tbl and B page tbl. Besides EIP and ESP (bits 31..0), the CPU has CR3, which holds the physical base of the active page table. Writing CR3 switches the whole address space: the same virtual page is backed by A's frames while CR3 points at A PT and by B's frames while it points at B PT, and a process cannot address another process's pages at all because they are simply not in its table. The kernel's own pages are mapped identically (supervisor only) in both tables, so the kernel keeps running across the switch.

Slide 46: Exec with page tables

  call Exec('P.EXE')
    load P.EXE, load & relocate EXE and DLL images
    push currentPID
    currentPID := AllocateNewPID
    procTable[currentPID].pageTable := InitializeNewPageTable
    CR3 := procTable[currentPID].pageTable             ; context switch to PID 2
    procTable[currentPID].oldSP := SP – sizeof(entrypoint's stack frame)
    call A.DLL entrypoint
    call B.DLL entrypoint
    call P.EXE entrypoint
      ... call f1 ... call f2 ... call Exit
        clean up (release resources)
        SP := procTable[currentPID].oldSP
        ret
      ... (never here = rest of f2, rest of f1, rest of P.EXE main)
    pop currentPID
    CR3 := procTable[currentPID].pageTable             ; context switch back to PID 1
    ret

Per-process state kept in procTable[currentPID] (fileDescTable abbreviated fdt):
1) Allocated memory (pages)
2) CPU fault → kernel interrupt handler → call procTable[currentPID].faultHandlers[faultID]
3) Open files, e.g. ReadFile(fileDesc, ...): read from procTable[currentPID].fdt[fileDesc]
4) Current path, e.g. OpenFile(path, ...): if path starts with '/' or '\' then open file at (path) else open file at (procTable[currentPID].workingDir + path)
5) List of loaded DLLs
6) Page table (the state of the address space)

Slides 47-48: nil = address 0 = pointer(0). Page 0 is left non-present in every page table, so dereferencing a nil pointer, in A or in B, raises a page fault immediately instead of quietly reading whatever happens to be at address 0.
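A toy MMU for slides 36-48, added here and not the course's code: one page table per process, a "CR3" that selects the active one, and a translate function that reports the x86 #PF error-code bits (P = page was present, W = write access, U = access from user mode) a kernel fault handler would inspect to tell a lazy load or nil dereference from a protection violation. Page size is 1 kB as on slide 8; the layouts, frame numbers and flag values are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 10              /* 1 kB pages, as on slide 8 */
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16
#define NPROCS     2

/* PTE flag bits, named after their x86 meaning. */
enum { PTE_P = 1, PTE_RW = 2, PTE_US = 4 };

/* x86 #PF error-code bits (vector 14). */
enum { PF_P = 1, PF_W = 2, PF_U = 4 };

struct pte { uint32_t frame; uint32_t flags; };
struct page_table { struct pte e[NPAGES]; };

static struct page_table page_tables[NPROCS];   /* procTable[pid].pageTable */
static struct page_table *cr3;                  /* page table base register */

void switch_to(int pid) { cr3 = &page_tables[pid]; }   /* CR3 := procTable[pid].pageTable */

void map_page(int pid, uint32_t vpage, uint32_t frame, uint32_t flags)
{
    page_tables[pid].e[vpage].frame = frame;
    page_tables[pid].e[vpage].flags = flags;
}

/* Translate vaddr for one access. Returns 0 and fills *paddr, or the #PF
 * error code (> 0) when the access would fault. */
int translate(uint32_t vaddr, int is_write, int is_user, uint32_t *paddr)
{
    uint32_t vpage = vaddr >> PAGE_SHIFT, off = vaddr & (PAGE_SIZE - 1);
    int ec = (is_write ? PF_W : 0) | (is_user ? PF_U : 0);
    if (vpage >= NPAGES) return ec;                       /* outside the table: not present */
    const struct pte *pte = &cr3->e[vpage];
    if (!(pte->flags & PTE_P)) return ec;                 /* non-present: P bit clear */
    ec |= PF_P;                                           /* present: a protection fault */
    if (is_user && !(pte->flags & PTE_US)) return ec;     /* user touching a kernel page */
    if (is_write && !(pte->flags & PTE_RW)) return ec;    /* write to a read-only page */
    *paddr = (pte->frame << PAGE_SHIFT) | off;
    return 0;
}

/* Two address spaces as on slide 39: kernel pages identical in both,
 * A and B with their own code/data/heap frames, page 0 never mapped. */
void build_demo_tables(void)
{
    memset(page_tables, 0, sizeof page_tables);
    for (int pid = 0; pid < NPROCS; pid++) {
        map_page(pid, 15, 15, PTE_P | PTE_RW);            /* kernel data: supervisor only */
        map_page(pid, 14, 14, PTE_P);                     /* kernel code: supervisor, read-only */
        map_page(pid, 13, 13, PTE_P | PTE_RW | PTE_US);   /* stack */
        /* page 12 is the stack guard page: deliberately non-present */
    }
    /* Process A (pid 0): code in vpages 1-2, data 3, heap 4, frames 1-4. */
    map_page(0, 1, 1, PTE_P | PTE_US);
    map_page(0, 2, 2, PTE_P | PTE_US);
    map_page(0, 3, 3, PTE_P | PTE_RW | PTE_US);
    map_page(0, 4, 4, PTE_P | PTE_RW | PTE_US);
    /* Process B (pid 1): the same virtual pages, different frames 5-8. */
    map_page(1, 1, 5, PTE_P | PTE_US);
    map_page(1, 2, 6, PTE_P | PTE_US);
    map_page(1, 3, 7, PTE_P | PTE_RW | PTE_US);
    map_page(1, 4, 8, PTE_P | PTE_RW | PTE_US);
    switch_to(0);
}

/* Wrappers for checks: physical address, or 0xFFFFFFFF on a fault. */
uint32_t paddr_of(uint32_t vaddr, int is_write, int is_user)
{
    uint32_t pa;
    return translate(vaddr, is_write, is_user, &pa) == 0 ? pa : 0xFFFFFFFFu;
}

int fault_code(uint32_t vaddr, int is_write, int is_user)
{
    uint32_t pa;
    return translate(vaddr, is_write, is_user, &pa);
}
```

Same virtual address, different physical frame after the CR3 switch; a nil dereference comes back with the P bit clear (the handler may treat it as a lazy load only if the page is on the process's list, otherwise it is a crash), while a user-mode write to a code page or a read of kernel data comes back with P set, which is never repairable.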
Slide 49: How Does a Debugger Work? (Visual Studio 2015 Community / Visual Studio 2015 Enterprise; search for "mff dreamspark" to obtain it)
Slides 50-69: Single-stepping by patching the debuggee's code

The debugger and the debugged application (the debuggee) share one address space (slides 50-54): the debuggee's code and data start at $00B91000, the debugger's code and data at $01000000. The first instructions of the debuggee (bytes as on the slides, lowest address first; 6A is push imm8, 68 is push imm32):

  00B91000  6A 40            push 40h
  00B91002  68 5B 10 B9 00   push 00B9105Bh
  00B91007  68 1A 10 B9 00   push 00B9101Ah
  00B9100C  6A 00            push 0

The debugger keeps two variables (slides 55-56): a six-byte "copy of the original app's code" and, at $0100FFF0, the address of its step function. To run exactly one instruction it:

1. Finds the instruction that follows the one about to execute (push 40h at 00B91000 is two bytes, so the next one starts at 00B91002) and copies the six bytes there into the save variable: 68 5B 10 B9 00 68 (slide 55). The sixth byte already belongs to the instruction at 00B91007.
2. Overwrites those six bytes with FF 15 F0 FF 00 01 = call [0100FFF0h], an indirect call through its own variable (slide 56), and jumps to the entrypoint (slide 57).
3. The CPU executes push 40h and then the planted call (slide 58), which lands in the debugger's step function: save the state of the application (e.g. push all registers to the stack), then run the debugger's main loop (the Update/Draw cycle that displays the UI) until the user asks for the next step (slides 59-60).
4. For the next step it restores the saved bytes at 00B91002 (slide 61), saves the six bytes starting at 00B91007, 68 1A 10 B9 00 6A (slide 62), plants the call there (slide 63), restores the application's state and jumps back (slides 64-69).

Memory after step 4 (slide 63):

  00B91000  6A 40               push 40h
  00B91002  68 5B 10 B9 00      push 00B9105Bh (restored)
  00B91007  FF 15 F0 FF 00 01   call [0100FFF0h]
  00B9100D  00                  leftover second byte of push 0, unreachable while patched
  saved:    68 1A 10 B9 00 6A

Two details decide whether this works. The instruction under the patch (push 00B9105Bh) has not executed when the call fires, because the call replaced it; the step function must therefore resume at the start of the restored instruction (00B91002) and discard the return address the call pushed (00B91008), otherwise that instruction is skipped. And since the six-byte call spills into the following instruction, nothing may branch to the spilled-into instruction while the patch is live, and the patch must be restored before any other code could execute there. The scheme also presupposes writable code pages: under write-xor-execute protection the debugger must first change the page protection, and a debuggee that checksums its own code will notice the patch, which is why such tricks are also used against debuggers.
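The save/patch/restore bookkeeping of slides 55-63 simulated in C, added here and not the lecture's code. The debuggee bytes are the ones printed on the slides; the instruction-length decoder only knows the opcodes that occur in that window (push imm8, push imm32, call [disp32], nop), and the nop padding after push 0 is constructed so that a third patch has room. Nothing is executed: the point is which bytes get saved, what is written, and where execution must resume.

```c
#include <stdint.h>
#include <string.h>

#define CODE_BASE   0x00B91000u
#define CODE_LEN    24u
#define STEP_FN_PTR 0x0100FFF0u    /* debugger variable holding the step function's address */
#define PATCH_LEN   6              /* FF 15 disp32 = call [disp32] */

/* Debuggee bytes from the slides, plus constructed nop padding. */
static const uint8_t original[CODE_LEN] = {
    0x6A, 0x40,                       /* 00B91000  push 40h        */
    0x68, 0x5B, 0x10, 0xB9, 0x00,     /* 00B91002  push 00B9105Bh  */
    0x68, 0x1A, 0x10, 0xB9, 0x00,     /* 00B91007  push 00B9101Ah  */
    0x6A, 0x00,                       /* 00B9100C  push 0          */
    0x90, 0x90, 0x90, 0x90, 0x90,     /* padding (constructed)     */
    0x90, 0x90, 0x90, 0x90, 0x90
};
static uint8_t code[CODE_LEN];                 /* the debuggee's writable code page */
static struct { uint32_t patch_at; uint8_t saved[PATCH_LEN]; } dbg;

static uint8_t *at(uint32_t addr) { return code + (addr - CODE_BASE); }

/* Length of the instruction at p; -1 for anything this toy does not decode. */
static int insn_len(const uint8_t *p)
{
    switch (p[0]) {
    case 0x6A: return 2;                        /* push imm8  */
    case 0x68: return 5;                        /* push imm32 */
    case 0x90: return 1;                        /* nop */
    case 0xFF: return p[1] == 0x15 ? 6 : -1;    /* call [disp32] */
    default:   return -1;
    }
}

void dbg_reset(void) { memcpy(code, original, CODE_LEN); dbg.patch_at = 0; }

/* Remove the planted call, restoring the original six bytes. */
void dbg_disarm(void)
{
    if (dbg.patch_at) { memcpy(at(dbg.patch_at), dbg.saved, PATCH_LEN); dbg.patch_at = 0; }
}

/* Plant call [0100FFF0h] over the instruction that FOLLOWS the one at `cur`,
 * so the debugger regains control as soon as `cur` has executed. Returns the
 * patched address, or 0 if `cur` cannot be decoded or the patch does not fit. */
uint32_t dbg_arm_after(uint32_t cur)
{
    int len = insn_len(at(cur));
    if (len < 0) return 0;
    uint32_t next = cur + (uint32_t)len;
    if (next < CODE_BASE || next - CODE_BASE + PATCH_LEN > CODE_LEN) return 0;
    memcpy(dbg.saved, at(next), PATCH_LEN);   /* usually spills into the instruction after `next` */
    uint8_t *p = at(next);
    p[0] = 0xFF; p[1] = 0x15;
    for (int i = 0; i < 4; i++) p[2 + i] = (uint8_t)(STEP_FN_PTR >> (8 * i));   /* little-endian */
    dbg.patch_at = next;
    return next;
}

/* What the step function does once the planted call fires: the instruction
 * at patch_at has NOT run yet, so restore it, plant the next trap after it,
 * and resume at patch_at itself, not at the call's pushed return address.
 * Returns the address to resume at (the new EIP). */
uint32_t dbg_step(void)
{
    uint32_t resume = dbg.patch_at;
    if (!resume) return 0;
    dbg_disarm();
    dbg_arm_after(resume);
    return resume;
}

uint8_t  code_byte(uint32_t addr) { return (addr >= CODE_BASE && addr < CODE_BASE + CODE_LEN) ? *at(addr) : 0; }
uint32_t dbg_patch_at(void)       { return dbg.patch_at; }

/* The six saved bytes packed as the slide prints them, e.g. 0x685B10B90068. */
uint64_t dbg_saved_hex(void)
{
    uint64_t v = 0;
    for (int i = 0; i < PATCH_LEN; i++) v = (v << 8) | dbg.saved[i];
    return v;
}
```

Call dbg_reset() first. Arming after 00B91000 reproduces slide 56 (saved 685B10B90068, byte 01 overwriting the start of the next push), and one dbg_step() reproduces slide 63 (saved 681A10B9006A, the call now at 00B91007). A real debugger needs a full-length decoder, or the trap lands in the middle of an instruction.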
70
Stepping in Higher Level Programming Language (e.g. Pascal) A.pas C1 C2 C3 A.exe I1 I2 I3 I4 I5 I6
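The two slides above describe a mechanism (plant a call over the next instruction, save the overwritten bytes, restore them after the step function ran) and a policy on top of it (repeat instruction steps until the line table says a new statement begins). The following is an added example, not lecture code and not a real debugger: nothing here executes x86. A dictionary of instruction lengths stands in for the CPU's decoder (an assumption), the debugee image is constructed from the bytes shown on the slide, and the line table assigning instructions to C1/C2/C3 is made up for the demonstration. The only real x86 fact used is the encoding of `call dword ptr [disp32]` (FF 15 + little-endian disp32), which reproduces the slide's FF 15 F0 FF 00 01.

```python
"""Single-stepping by code patching, and source-line stepping built on it.

Added example modelled on the debugger slide; not lecture code. A toy
'decoder' (dict of instruction lengths, an assumption) stands in for the CPU.
The debugger plants `call [step_function_pointer]` over the instruction that
follows the one being stepped, saves the overwritten bytes, and puts them
back once the step function has run."""
import struct


def encode_call_indirect(pointer_addr):
    """x86 `call dword ptr [pointer_addr]`: opcode FF, ModRM 15 ([disp32]), disp32."""
    return b"\xff\x15" + struct.pack("<I", pointer_addr)


class PatchStepper:
    def __init__(self, image, base, lengths, step_ptr):
        self.mem = bytearray(image)      # debugee code as the debugger sees it
        self.base = base                 # address of mem[0]
        self.lengths = lengths           # addr -> instruction length (toy decoder)
        self.step_ptr = step_ptr         # variable holding the step function address
        self.trace = []                  # (patched addr, saved original bytes) per step

    def _plant(self, addr):
        patch = encode_call_indirect(self.step_ptr)
        o = addr - self.base
        if o + len(patch) > len(self.mem):
            raise ValueError("patch would run past the end of the image")
        saved = bytes(self.mem[o:o + len(patch)])
        self.mem[o:o + len(patch)] = patch
        return saved

    def _restore(self, addr, saved):
        o = addr - self.base
        self.mem[o:o + len(saved)] = saved

    def step(self, eip):
        """Run exactly the instruction at eip; return the address of the next one.

        The 6-byte call usually covers more than one original instruction (the
        slide's saved copy 68 1A 10 B9 00 6A spans a 5-byte push and the start
        of the next one). That is harmless only as long as nothing jumps into
        the patched range before the call is hit and the bytes are restored."""
        nxt = eip + self.lengths[eip]
        saved = self._plant(nxt)
        self.trace.append((nxt, saved))
        # Here the debugee would execute the instruction at eip, run into the
        # planted call, and the step function would save all registers, run
        # the debugger's Update/Draw loop and restore the registers.
        self._restore(nxt, saved)
        return nxt


def step_source_line(stepper, eip, line_of):
    """Keep stepping instructions until eip belongs to a different source line."""
    start = line_of[eip]
    while line_of.get(eip) == start:
        eip = stepper.step(eip)
    return eip


# Constructed debugee image using the bytes from the slide, loaded at $00B91000:
#   00B91000  6A 40            push 40h
#   00B91002  68 5B 10 B9 00   push 00B9105Bh
#   00B91007  68 1A 10 B9 00   push 00B9101Ah
#   00B9100C  6A 00            push 0   (second byte assumed; the slide cuts it off)
# followed by ret + nops so a patch planted after the last push stays in the image.
DEBUGEE_BASE = 0x00B91000
DEBUGEE_IMAGE = bytes.fromhex("6a40 685b10b900 681a10b900 6a00 c3 909090909090")
LENGTHS = {0x00B91000: 2, 0x00B91002: 5, 0x00B91007: 5, 0x00B9100C: 2}
STEP_PTR = 0x0100FFF0
# Constructed line table in the spirit of the A.pas/A.exe slide:
# C1 covers the first two instructions, C2 the third, C3 the fourth.
LINE_OF = {0x00B91000: "C1", 0x00B91002: "C1", 0x00B91007: "C2", 0x00B9100C: "C3"}


def make_demo_stepper():
    return PatchStepper(DEBUGEE_IMAGE, DEBUGEE_BASE, LENGTHS, STEP_PTR)


if __name__ == "__main__":
    s = make_demo_stepper()
    print(encode_call_indirect(STEP_PTR).hex(" "))          # ff 15 f0 ff 00 01, as on the slide
    nxt = step_source_line(s, 0x00B91000, LINE_OF)           # one "step over C1"
    print(hex(nxt), [(hex(a), b.hex()) for a, b in s.trace])
    assert bytes(s.mem) == DEBUGEE_IMAGE                     # every patch was undone
```

The trace shows why the saved copy on the slide starts with 68 1A 10 B9 00 6A: the second instruction step plants the call at $00B91007 and has to save six bytes, which reach into the following push. A real debugger must also cope with the case the toy ignores, a branch whose target lies inside the patched range while the patch is live.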
73
Typical ISA Arithmetic Instructions
MIPS (three-operand): a := b op c
x86, 6502 (two-operand / accumulator): a := a op b
74
6502 Registers (Accumulator Architecture)
A, X, Y: 8-bit (bits 7..0)
S (stack pointer): 8-bit, always addressing the fixed stack page $0100–$01FF (high byte 0000 0001)
PC: 16-bit (bits 15..0)
P (status flags): 8-bit (bits 7..0)
75
Load Value Into Accumulator (6502 addressing modes)
LDA #$xx        A := xx                          (immediate)
LDA $xxxx       A := ($xxxx)^                    (absolute)
LDA $xxxx,X     A := ($xxxx + X)^                (absolute indexed by X)
LDA $xxxx,Y     A := ($xxxx + Y)^                (absolute indexed by Y)
LDA ($xx,X)     A := ( (^word($00xx + X))^ )^    (indexed indirect: 16-bit pointer taken from zero page at $xx + X)
LDA ($xx),Y     A := ( (^word($00xx))^ + Y )^    (indirect indexed: 16-bit pointer taken from zero page at $xx, then Y added)
77
Load & Store, Transfer, Stack, Setting Flags (6502)
Load:
LDA #$xx        A := xx
LDA $xxxx       A := ($xxxx)^
LDA $xxxx,X     A := ($xxxx + X)^
LDA $xxxx,Y     A := ($xxxx + Y)^
LDX imm/addr    X := imm/addr
LDY imm/addr    Y := imm/addr
Store:
STA $xxxx       ($xxxx)^ := A
STA $xxxx,X     ($xxxx + X)^ := A
STA $xxxx,Y     ($xxxx + Y)^ := A
STX addr        (addr)^ := X
STY addr        (addr)^ := Y
Move (transfer) value between registers:
TAX  X := A
TXA  A := X
TAY  Y := A
TYA  A := Y
TSX  X := S
TXS  S := X
Push to stack & pop (pull) from stack:
PHP  push P (flags)
PLP  pop P (flags)
PHA  push A
PLA  pop A
Setting flags (P, bits 7..0: N . . . . . Z C):
Loads, transfers into A/X/Y and PLA set P.Negative := target.7 and
if target = 0 then P.Zero := 1 else P.Zero := 0;
stores and TXS leave P unchanged.
CLC  P.Carry := 0
SEC  P.Carry := 1
83
Bitwise Operations
ORA imm/addr    A := A BitwiseOr imm/addr
AND imm/addr    A := A BitwiseAnd imm/addr
EOR imm/addr    A := A BitwiseXor imm/addr
NOT?            there is no NOT instruction: EOR #$FF
ASL A           A := A shl 1 (bit 7 shifted out into P.Carry)
LSR A           A := A shr 1 (bit 0 shifted out into P.Carry)
All of them set P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
84
Oring 16-bit Numbers (e.g. Little Endian)
A = A15..A8 A7..A0: LSB of A stored at $A000, MSB of A stored at $A001
B = B15..B8 B7..B0: LSB of B stored at $B000, MSB of B stored at $B001
C = A or B: LSB of C stored at $C000, MSB of C stored at $C001
Bitwise OR has no carry, so the two bytes are independent:
LDA $A000
ORA $B000
STA $C000
LDA $A001
ORA $B001
STA $C001
86
Integer Operations – ADC imm/addr (add with carry)
result := A + imm/addr + P.Carry
P.Carry := result.8
A := result.7 … result.0
P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
P bits 7..0: N . . . . . Z C

Adding 8-bit numbers (A at $A000, B at $B000, C at $C000):
C7..C0 := A7..A0 + B7..B0 with carry-in 0; the carry out (C8) is left in P.Carry
LDA $A000
CLC
ADC $B000
STA $C000

Adding 16-bit numbers (e.g. Little Endian)
A = A15..A8 A7..A0: LSB of A stored at $A000, MSB of A stored at $A001
B = B15..B8 B7..B0: LSB of B stored at $B000, MSB of B stored at $B001
C = A + B: LSB of C stored at $C000, MSB of C stored at $C001
The low bytes are added with carry-in 0 (CLC); the high bytes are added with the carry (C8) produced by the low-byte addition, which is still in P.Carry because LDA and STA do not touch it; the final carry (C16) is left in P.Carry:
LDA $A000
CLC
ADC $B000
STA $C000
LDA $A001
ADC $B001
STA $C001
94
Integer Operations – Subtraction? Via Two's Complement
ADC imm/addr
result := A + imm/addr + P.Carry
P.Carry := result.8
A := result.7 … result.0
P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
A := value – A = value + (NOT A + 1)
↓
NOT A
INC A
ADD value
↓ on the 6502 (no NOT, no INC A, no plain ADD):
EOR #$FF
CLC
ADC #1
CLC
ADC value
The +1 of the two's complement can be folded into the carry input: EOR #$FF; SEC; ADC value computes the same value – A.
95
Integer Operations – Subtraction? Subtract with Borrow
ADC imm/addr
result := A + imm/addr + P.Carry
P.Carry := result.8
A := result.7 … result.0
P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
SBC imm/addr
result := A – imm/addr – not(P.Carry)   (9-bit, signed)
P.Carry := not(result.8)   (P.Carry is cleared exactly when a borrow occurred)
A := result.7 … result.0
P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
Because the borrow input is the inverted carry, a subtraction starts with SEC (no borrow in) just as an addition starts with CLC; multi-byte subtraction then chains SBC from LSB to MSB exactly like ADC.
96
Other Integer Operations
ADC imm/addr
result := A + imm/addr + P.Carry
P.Carry := result.8
A := result.7 … result.0
P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
SBC imm/addr
result := A – imm/addr – not(P.Carry)
P.Carry := not(result.8)
A := result.7 … result.0
P.Negative := A.7; if A = 0 then P.Zero := 1 else P.Zero := 0;
INX  X := X + 1
INY  Y := Y + 1
DEX  X := X – 1
DEY  Y := Y – 1
P.Negative := X/Y.7; if X/Y = 0 then P.Zero := 1 else P.Zero := 0; (P.Carry is not affected)
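The slides from "Bitwise Operations" to "Subtract with Borrow" define the flag semantics of ORA/ADC/SBC and show three short programs (16-bit OR, 8-/16-bit ADC, subtraction by two's complement). The following added example (not lecture code) is a small Python model of that 6502 subset that executes exactly those programs, so the carry/borrow behaviour can be checked on real operands rather than read off the diagrams. Assumptions: only immediate (#$xx) and absolute ($xxxx) operands, the V flag and decimal mode are not modelled, and the 16-bit SBC sequence is my generalisation of the slides' ADC pattern, not something the slides show.

```python
"""Subset 6502 core in Python, enough to execute the lecture's ORA / ADC / SBC
sequences and the two's-complement subtraction idiom. Added example, not
lecture code. Assumptions: operands are immediate (#$xx) or absolute ($xxxx)
only; the V (overflow) flag and decimal mode are not modelled; memory is a
flat 64 KiB bytearray. As on the slides, A lives at $A000/$A001 and B at
$B000/$B001 (little endian) and results go to $C000/$C001."""
import re


class CPU6502:
    def __init__(self, init=None):
        self.mem = bytearray(0x10000)
        for addr, byte in (init or {}).items():
            self.mem[addr] = byte & 0xFF
        self.A = 0
        self.N = self.Z = self.C = 0        # the P bits the slides use

    def _nz(self):                          # P.Negative := A.7 ; P.Zero := (A = 0)
        self.N = self.A >> 7
        self.Z = int(self.A == 0)

    def LDA(self, v): self.A = v; self._nz()
    def STA(self, addr): self.mem[addr] = self.A   # stores leave P alone
    def ORA(self, v): self.A |= v; self._nz()
    def EOR(self, v): self.A ^= v; self._nz()
    def CLC(self): self.C = 0
    def SEC(self): self.C = 1

    def ADC(self, v):
        r = self.A + v + self.C             # 9-bit result
        self.C = r >> 8                     # P.Carry := result.8
        self.A = r & 0xFF
        self._nz()

    def SBC(self, v):
        r = self.A - v - (1 - self.C)       # borrow in = not(P.Carry)
        self.C = int(r >= 0)                # carry cleared <=> a borrow occurred
        self.A = r & 0xFF
        self._nz()


_LINE = re.compile(r"^([A-Z]{3})(?:\s+(#?)\$?([0-9A-Fa-f]+))?$")


def run(cpu, program):
    """Execute straight-line 6502 source (';' starts a comment); returns cpu."""
    for raw in program.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported instruction: {line!r}")
        mn, imm, val = m.groups()
        if val is None:                     # CLC / SEC
            getattr(cpu, mn)()
        elif mn == "STA":
            cpu.STA(int(val, 16))
        else:
            v = int(val, 16)
            getattr(cpu, mn)(v & 0xFF if imm else cpu.mem[v])
    return cpu


OR16 = "LDA $A000\nORA $B000\nSTA $C000\nLDA $A001\nORA $B001\nSTA $C001"
ADD16 = """LDA $A000
CLC            ; no carry into the low byte
ADC $B000
STA $C000
LDA $A001
ADC $B001      ; carry out of the low byte (C8) rides in P.Carry
STA $C001"""
SUB16 = """SEC            ; no borrow into the low byte (the SBC mirror of CLC)
LDA $A000
SBC $B000
STA $C000
LDA $A001
SBC $B001
STA $C001"""
NEG_SUB = """EOR #$FF    ; NOT A
CLC
ADC #1         ; A is now -A (two's complement)
CLC
ADC $B000      ; A := value - original A"""


def _cpu_ab(a, b):
    return CPU6502({0xA000: a & 0xFF, 0xA001: a >> 8, 0xB000: b & 0xFF, 0xB001: b >> 8})

def _result16(cpu):
    return cpu.mem[0xC000] | (cpu.mem[0xC001] << 8)

def or16(a, b):
    return _result16(run(_cpu_ab(a, b), OR16))

def add16(a, b):
    """(a + b) mod 2^16 and the final carry C16 left in P.Carry."""
    cpu = run(_cpu_ab(a, b), ADD16)
    return _result16(cpu), cpu.C

def sub16(a, b):
    """(a - b) mod 2^16 and P.Carry, which is 1 exactly when no borrow (a >= b)."""
    cpu = run(_cpu_ab(a, b), SUB16)
    return _result16(cpu), cpu.C

def neg_sub(value, a):
    """value - a using only EOR/ADC (value at $B000, a in the accumulator)."""
    cpu = CPU6502({0xB000: value})
    cpu.A = a
    return run(cpu, NEG_SUB).A

def sbc8(a, m):
    """A := a - m via SEC; SBC. Returns (A, P.Carry)."""
    cpu = CPU6502({0xB000: m})
    cpu.A = a
    run(cpu, "SEC\nSBC $B000")
    return cpu.A, cpu.C
```

Running add16(0x00FF, 0x0001) shows the low-byte carry reaching the high byte (result $0100, final carry 0), add16(0xFFFF, 1) wraps to $0000 with carry 1, and sbc8(3, 10) returns $F9 with carry 0, the cleared carry being the borrow the slide's SBC definition talks about; neg_sub(3, 10) gives the same $F9 by the EOR/ADC route.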