X86 useful Assembly instructions and registers for hacking
We can say x86 is the most common architecture among users. For hacking and exploitation, there is a lot of useful information that can be found just by reading registers. Also, from an exploit writer's point of view, there are some interesting instructions in x86. In this article I am going to review these registers and instructions.
X86 useful ASSEMBLY registers for hacking
Before starting the discussion I need to remind you that accessing some of these registers requires Ring 1 privilege, which is the default privilege level for the kernel. Let's start our discussion with the segment selectors.
In x86, ECS, EDS and so on are known as the segment selector registers. You may have learned in your assembly courses that these are filled, in order, with the Code Segment, Data Segment and so on, and that their combination with EIP forms the final virtual address! This was true on the 8086 architecture, but on a modern architecture like x86 these registers are no longer used for this purpose. Most operating systems use Physical Address Extension (PAE) mode and paging. So operating systems generally zero ECS and EDS, but occasionally use them as a base address. EFS, however, is used for an interesting purpose in 32-bit versions of Windows: it holds the Kernel Processor Control Region (KPCR). You may have seen how we use that in the Kernel Shellcode article. On 64-bit versions of Windows the same reference is kept in the GS register.
Control registers in x86 are CR0-CR7 (the 64-bit version has more). These registers are interesting from the exploitation point of view because their contents can be leveraged in malicious scenarios. For example, CR3 holds the page table address. A malicious attacker can read this address and manipulate the page table entries, e.g. changing the RWX (Read, Write and Execute) status of a page table entry. Another instance is the manipulation of the WP (write protect) flag in CR0.
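To make the bits just mentioned concrete, here is an added example (my own code, not part of the original article) that decodes CR0, CR3 and x86-64 page table entry values the way a page-table integrity monitor would: it reports whether WP is set, masks the table base out of CR3, and flags an entry that is both writable and executable or whose protection bits differ from a trusted baseline. All register and PTE values are constructed samples; the bit positions are the documented ones, and nothing here reads the real control registers (which needs ring 0).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the article): decoding the CR0/CR3 bits and the
   x86-64 page-table entry bits the text refers to. All values used below are
   constructed for illustration; nothing here touches real control registers,
   which can only be read at ring 0. Bit positions follow the Intel SDM. */

#define CR0_PE  (1ULL << 0)   /* protected mode enable */
#define CR0_WP  (1ULL << 16)  /* write protect: supervisor honours read-only pages */
#define CR0_PG  (1ULL << 31)  /* paging enable */
#define CR4_PAE (1ULL << 5)   /* physical address extension */

#define PTE_P   (1ULL << 0)   /* present */
#define PTE_RW  (1ULL << 1)   /* writable */
#define PTE_US  (1ULL << 2)   /* accessible from user mode */
#define PTE_NX  (1ULL << 63)  /* no-execute (honoured when EFER.NXE is set) */
#define PADDR_MASK 0x000FFFFFFFFFF000ULL /* bits 51:12 hold the physical frame */

/* Protection-relevant bits a monitor would compare against a baseline */
#define PTE_PROT_MASK (PTE_P | PTE_RW | PTE_US | PTE_NX)

bool cr0_wp_enabled(uint64_t cr0)     { return (cr0 & CR0_WP) != 0; }
bool cr0_paging_enabled(uint64_t cr0) { return (cr0 & CR0_PE) && (cr0 & CR0_PG); }
bool cr4_pae_enabled(uint64_t cr4)    { return (cr4 & CR4_PAE) != 0; }

/* CR3 holds the physical address of the top-level page table in bits 51:12;
   the low bits carry cache attributes (or a PCID) and must be masked off. */
uint64_t cr3_table_base(uint64_t cr3) { return cr3 & PADDR_MASK; }

uint64_t pte_frame(uint64_t pte)  { return pte & PADDR_MASK; }
bool pte_present(uint64_t pte)    { return (pte & PTE_P) != 0; }
bool pte_writable(uint64_t pte)   { return (pte & PTE_RW) != 0; }
bool pte_executable(uint64_t pte) { return (pte & PTE_NX) == 0; }

/* W^X check: a present page that is both writable and executable is the
   condition a page-table integrity monitor would flag. */
bool pte_violates_wx(uint64_t pte) {
    return pte_present(pte) && pte_writable(pte) && pte_executable(pte);
}

/* Detect a change in the protection bits between a trusted baseline and a
   later snapshot of the same entry (a changed frame address is ignored). */
bool pte_protection_changed(uint64_t baseline, uint64_t current) {
    return (baseline & PTE_PROT_MASK) != (current & PTE_PROT_MASK);
}

static void report_pte(const char *name, uint64_t pte) {
    printf("%s: frame=%#llx P=%d RW=%d US=%d NX=%d%s\n", name,
           (unsigned long long)pte_frame(pte), pte_present(pte), pte_writable(pte),
           (pte & PTE_US) != 0, !pte_executable(pte),
           pte_violates_wx(pte) ? "  <-- writable AND executable" : "");
}

int main(void) {
    /* Constructed sample values */
    uint64_t cr0_normal = 0x80050033ULL;           /* PE, PG and WP set */
    uint64_t cr0_wp_off = cr0_normal & ~CR0_WP;    /* WP cleared */
    uint64_t cr3        = 0x000000001ab2c018ULL;
    uint64_t pte_data   = 0x8000000012345063ULL;   /* P RW A D + NX: writable, non-exec */
    uint64_t pte_text   = 0x0000000012346061ULL;   /* P A D: read-only, executable */
    uint64_t pte_rwx    = pte_text | PTE_RW;       /* same entry after RW was set */

    printf("CR0 WP: normal=%d tampered=%d\n",
           cr0_wp_enabled(cr0_normal), cr0_wp_enabled(cr0_wp_off));
    printf("CR3 table base: %#llx\n", (unsigned long long)cr3_table_base(cr3));
    report_pte("data ", pte_data);
    report_pte("text ", pte_text);
    report_pte("text'", pte_rwx);
    printf("text protection changed: %d\n", pte_protection_changed(pte_text, pte_rwx));
    return 0;
}
```

The monitor view is the useful one here: a snapshot of CR0 with WP clear, or a text page whose entry gained RW, is exactly what a hypervisor or kernel integrity check compares against its baseline.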
X86 useful ASSEMBLY instructions for hacking
Two important tables are the Interrupt Descriptor Table (IDT) and the Global Descriptor Table (GDT). sidt idt and sgdt gdt are the two instructions that load these tables' addresses, respectively. Modifying these tables' entries to point at an address you control gives you the ability to intercept requests and play with them. Of course, modifying these entries needs Ring 0 or Ring 1 privileges, so you can do it after a privilege escalation.
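Since both this section and the earlier one on segment selectors rely on the same structures, here is an added example (my own code, not from the article) that decodes them: the selector value held in a segment register (index, table indicator, RPL), the 10-byte pseudo-descriptor that sidt/sgdt store in 64-bit mode (limit plus base), a legacy 8-byte GDT descriptor (base, limit, DPL, type), and the privilege rule the CPU applies when a data selector is loaded. The byte string and descriptor values are constructed samples; the code does not execute sidt/sgdt or read a live table.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the article): decoding the structures behind the
   selector registers and the SGDT/SIDT instructions. The byte strings and
   descriptor values are constructed samples modelled on the x86-64 layouts
   in the Intel SDM; nothing here executes SGDT/SIDT or touches a live table. */

/* A segment selector: bits 15:3 table index, bit 2 table indicator
   (0 = GDT, 1 = LDT), bits 1:0 requested privilege level. */
struct selector { uint16_t index; bool ldt; uint8_t rpl; };

struct selector decode_selector(uint16_t sel) {
    struct selector s = { (uint16_t)(sel >> 3), ((sel >> 2) & 1) != 0, (uint8_t)(sel & 3) };
    return s;
}

/* The 10-byte pseudo-descriptor that SGDT/SIDT store in 64-bit mode:
   a 16-bit limit followed by a 64-bit linear base, little-endian. */
struct dtr { uint16_t limit; uint64_t base; };

struct dtr decode_dtr64(const uint8_t buf[10]) {
    struct dtr r = { (uint16_t)(buf[0] | (buf[1] << 8)), 0 };
    for (int i = 7; i >= 0; i--)             /* assemble the base byte by byte */
        r.base = (r.base << 8) | buf[2 + i];
    return r;
}

/* limit is the offset of the last valid byte, so entries = (limit + 1) / size */
unsigned dtr_entry_count(struct dtr r, unsigned entry_size) {
    return (r.limit + 1u) / entry_size;
}

/* Legacy 8-byte code/data segment descriptor as found in the GDT */
struct seg_desc {
    uint32_t base, limit;   /* limit already scaled by the granularity bit */
    uint8_t  type, dpl;
    bool     present, code, system, long_mode;
};

struct seg_desc decode_seg_desc(uint64_t d) {
    struct seg_desc s;
    uint32_t raw_limit = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);
    uint8_t access = (uint8_t)((d >> 40) & 0xFF);  /* P DPL S Type */
    uint8_t flags  = (uint8_t)((d >> 52) & 0xF);   /* G D/B L AVL */
    s.base      = (uint32_t)((d >> 16) & 0xFFFFFF) | ((uint32_t)((d >> 56) & 0xFF) << 24);
    s.type      = access & 0xF;
    s.system    = (access & 0x10) == 0;
    s.dpl       = (access >> 5) & 3;
    s.present   = (access & 0x80) != 0;
    s.code      = !s.system && (s.type & 0x8) != 0;
    s.long_mode = (flags & 0x2) != 0;
    s.limit     = (flags & 0x8) ? ((raw_limit << 12) | 0xFFF) : raw_limit;
    return s;
}

/* Data-segment privilege check the CPU applies on a selector load:
   the effective privilege max(CPL, RPL) must not exceed the descriptor's DPL. */
bool data_segment_load_allowed(uint16_t sel, uint64_t desc, uint8_t cpl) {
    struct seg_desc s = decode_seg_desc(desc);
    uint8_t rpl = decode_selector(sel).rpl;
    uint8_t eff = cpl > rpl ? cpl : rpl;
    return s.present && !s.system && !s.code && eff <= s.dpl;
}

/* Constructed sample: what SIDT might store for a 256-entry IDT (16-byte
   gates in 64-bit mode, so limit 0xFFF) based at 0xFFFFFE0000000000. */
struct dtr sample_idtr(void) {
    static const uint8_t bytes[10] = { 0xFF, 0x0F,
        0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF };
    return decode_dtr64(bytes);
}

int main(void) {
    struct dtr idtr = sample_idtr();
    struct seg_desc kcode = decode_seg_desc(0x00AF9A000000FFFFULL); /* constructed kernel code */
    struct seg_desc udata = decode_seg_desc(0x00CFF2000000FFFFULL); /* constructed user data */
    printf("IDTR base=%#llx limit=%#x entries=%u\n", (unsigned long long)idtr.base,
           idtr.limit, dtr_entry_count(idtr, 16));
    printf("kernel code: dpl=%u code=%d long=%d limit=%#x\n",
           kcode.dpl, kcode.code, kcode.long_mode, kcode.limit);
    printf("user data: dpl=%u code=%d limit=%#x\n", udata.dpl, udata.code, udata.limit);
    printf("ring-3 load of user data selector 0x2b: %d\n",
           data_segment_load_allowed(0x2B, 0x00CFF2000000FFFFULL, 3));
    printf("ring-3 load of a dpl-0 data selector:   %d\n",
           data_segment_load_allowed(0x18, 0x00CF92000000FFFFULL, 3));
    return 0;
}
```

The privilege rule is the part worth noticing: a descriptor's DPL, not the selector's RPL, decides who may use a segment, which is why rewriting a descriptor or a gate in one of these tables is only possible from the kernel's own privilege level, and why an integrity check of the GDT/IDT contents is a meaningful defensive measurement.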
The WRMSR instruction on Windows is used to load an address into the MSR registers. That address is then used to handle system calls. Using this instruction you can hook system calls.
IRET (IRETQ on 64-bit versions) is another useful instruction, which is used to return from kernel land. As you may have seen in the Kernel Shellcode article, you cannot return to user land with a simple RET instruction. Instead, IRET does the return safely and loads critical register values like EIP, ESP, FLAGS and so on.
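To show what IRETQ actually consumes, here is an added example (my own code, not from the article) that lays out the 64-bit return frame the CPU pops (RIP, CS, RFLAGS, RSP, SS), reads the target ring from the CS selector, and applies the consistency checks a kernel return path or a debugger would make before trusting a frame that goes back to user mode. The three frames are constructed samples and the sanity rules are my own choices, listed in the comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the article): the stack frame IRETQ consumes when
   returning from the kernel in 64-bit mode, and the checks a return path or
   a debugger can apply to it. The frame contents are constructed samples. */

/* Pushed by the CPU on interrupt/exception entry, lowest address first;
   IRETQ pops them in this order. In 64-bit mode RSP and SS are always present. */
struct iret_frame { uint64_t rip, cs, rflags, rsp, ss; };

#define RFLAGS_RESERVED1 (1ULL << 1)   /* architecturally always 1 */
#define RFLAGS_IF        (1ULL << 9)   /* interrupts enabled after IRETQ */
#define RFLAGS_IOPL_MASK (3ULL << 12)  /* I/O privilege level */
#define RFLAGS_AC        (1ULL << 18)  /* alignment check / SMAP override */
#define USER_ADDR_LIMIT  0x0000800000000000ULL /* end of the lower canonical half */

struct iret_frame decode_iret_frame(const uint64_t stack[5]) {
    struct iret_frame f = { stack[0], stack[1], stack[2], stack[3], stack[4] };
    return f;
}

uint8_t iret_target_ring(struct iret_frame f)       { return (uint8_t)(f.cs & 3); }
bool iret_returns_to_user(struct iret_frame f)      { return iret_target_ring(f) == 3; }
bool iret_reenables_interrupts(struct iret_frame f) { return (f.rflags & RFLAGS_IF) != 0; }

/* Consistency checks (chosen for this example) before trusting a frame that
   will return to user mode: CS and SS must agree on the privilege level, the
   reserved RFLAGS bit must be set, IOPL and AC must not be left elevated, and
   RIP/RSP must lie in the user half of the address space. */
bool iret_user_frame_is_sane(struct iret_frame f) {
    if (!iret_returns_to_user(f)) return false;
    if ((f.ss & 3) != 3) return false;
    if ((f.rflags & RFLAGS_RESERVED1) == 0) return false;
    if (f.rflags & (RFLAGS_IOPL_MASK | RFLAGS_AC)) return false;
    if (f.rip >= USER_ADDR_LIMIT || f.rsp >= USER_ADDR_LIMIT) return false;
    return true;
}

/* Constructed sample frames */
struct iret_frame sample_user_frame(void) {
    static const uint64_t stack[5] = { 0x401000, 0x33, 0x202, 0x7FFDEADBEEF0ULL, 0x2B };
    return decode_iret_frame(stack);
}
struct iret_frame sample_kernel_frame(void) {
    static const uint64_t stack[5] = { 0xFFFFFFFF81000000ULL, 0x10, 0x46,
                                       0xFFFFC90000003F00ULL, 0x18 };
    return decode_iret_frame(stack);
}
/* A ring-3 frame whose RIP points into kernel space: refused by the sanity check */
struct iret_frame sample_bad_user_frame(void) {
    static const uint64_t stack[5] = { 0xFFFFFFFF81000000ULL, 0x33, 0x202,
                                       0x7FFDEADBEEF0ULL, 0x2B };
    return decode_iret_frame(stack);
}

static void report(const char *name, struct iret_frame f) {
    printf("%s: rip=%#llx ring=%u user=%d IF=%d sane=%d\n", name,
           (unsigned long long)f.rip, iret_target_ring(f), iret_returns_to_user(f),
           iret_reenables_interrupts(f), iret_user_frame_is_sane(f));
}

int main(void) {
    report("user  ", sample_user_frame());
    report("kernel", sample_kernel_frame());
    report("bad   ", sample_bad_user_frame());
    return 0;
}
```

This is why a plain RET is not enough on the way out of the kernel: RET only pops RIP, while the privilege level, the flags and the user stack pointer all live in this frame and are only restored together by IRETQ.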