Using Heap Allocation in Intel Assembly Language



Similar documents
Computer Organization and Assembly Language

CS 16: Assembly Language Programming for the IBM PC and Compatibles

Character Translation Methods

8. MACROS, Modules, and Mouse

A Tiny Guide to Programming in 32-bit x86 Assembly Language

How To Use A Computer With A Screen On It (For A Powerbook)

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

C Dynamic Data Structures. University of Texas at Austin CS310H - Computer Organization Spring 2010 Don Fussell

Faculty of Engineering Student Number:

Abysssec Research. 1) Advisory information. 2) Vulnerable version

64-Bit NASM Notes. Invoking 64-Bit NASM

Return-oriented programming without returns

by Kip Irvine. Last update: 12/11/2003

Software Fingerprinting for Automated Malicious Code Analysis

Buffer Overflows. Security 2011

Systems Design & Programming Data Movement Instructions. Intel Assembly

Analysis of Win32.Scream

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Computer Organization and Architecture

Machine-Level Programming II: Arithmetic & Control

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Assembly Language: Function Calls" Jennifer Rexford!

Complete 8086 instruction set

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

RTEMS Porting Guide. On-Line Applications Research Corporation. Edition , for RTEMS July 2015

Compiler Construction

esrever gnireenigne tfosorcim seiranib

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

Lecture 11 Doubly Linked Lists & Array of Linked Lists. Doubly Linked Lists

Disassembly of False Positives for Microsoft Word under SCRAP

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

MACHINE ARCHITECTURE & LANGUAGE

COMPUTERS ORGANIZATION 2ND YEAR COMPUTE SCIENCE MANAGEMENT ENGINEERING JOSÉ GARCÍA RODRÍGUEZ JOSÉ ANTONIO SERRA PÉREZ

Client-server Sockets

Bypassing Windows Hardware-enforced Data Execution Prevention

Attacking x86 Windows Binaries by Jump Oriented Programming

Test Driven Development in Assembler a little story about growing software from nothing

Vigilante: End-to-End Containment of Internet Worms

Machine Programming II: Instruc8ons

INTRODUCTION TO PROGRAMMING THE 8086

Self Protection Techniques in Malware

PCI BIOS SPECIFICATION. Revision 2.1

SMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2

Recovery Principles in MySQL Cluster 5.1

x64 Cheat Sheet Fall 2015

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

1. General function and functionality of the malware

Instruction Set Architecture

Reversing C++ Paul Vincent Sabanal. Mark Vincent Yason

There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research

Memory Allocation. Static Allocation. Dynamic Allocation. Memory Management. Dynamic Allocation. Dynamic Storage Allocation

Mouse Programming Mouse Interrupts Useful Mouse functions Mouselib.h Mouselib.c

W4118 Operating Systems. Junfeng Yang

Illustration 1: Diagram of program function and data flow

Introduction to Reverse Engineering

How to create/avoid memory leak in Java and.net? Venkat Subramaniam

Off-by-One exploitation tutorial

CS61: Systems Programing and Machine Organization

Stack Overflows. Mitchell Adair

Windows Assembly Programming Tutorial

Software Vulnerabilities

Unit Storage Structures 1. Storage Structures. Unit 4.3

1 The Java Virtual Machine

Linked List as an ADT (cont d.)

Intel EP80579 Software for Security Applications on Intel QuickAssist Technology Cryptographic API Reference

Windows XP SP3 Registry Handling Buffer Overflow

Understanding a Simple Operating System

Programming Interface. for. Bus Master IDE Controller. Revision 1.0

The V8 JavaScript Engine

Application Power Management for Mobility

Dynamic Behavior Analysis Using Binary Instrumentation

The C Programming Language course syllabus associate level

MS-DOS, PC-BIOS, and File I/O Chapter 13

Static detection of C++ vtable escape vulnerabilities in binary code

Leak Check Version 2.1 for Linux TM

Services. Relational. Databases & JDBC. Today. Relational. Databases SQL JDBC. Next Time. Services. Relational. Databases & JDBC. Today.

Abysssec Research. 1) Advisory information. 2) Vulnerable version

BCD (ASCII) Arithmetic. Where and Why is BCD used? Packed BCD, ASCII, Unpacked BCD. BCD Adjustment Instructions AAA. Example

Unordered Linked Lists

X86-64 Architecture Guide

Field Properties Quick Reference

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

MXSAVE XMLRPC Web Service Guide. Last Revision: 6/14/2012

Overview of IA-32 assembly programming. Lars Ailo Bongo University of Tromsø

Forensic Analysis of Internet Explorer Activity Files

Violating Database - Enforced Security Mechanisms

An Analysis of Address Space Layout Randomization on Windows Vista

Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques

Bypassing Anti- Virus Scanners

MS Access: Advanced Tables and Queries. Lesson Notes Author: Pamela Schmidt

Creating Database Tables in Microsoft SQL Server

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

CPU performance monitoring using the Time-Stamp Counter register

Raima Database Manager Version 14.0 In-memory Database Engine

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Transcription:

Using Heap Allocation in Intel Assembly Language Copyright 2005, Kip R. Irvine. All rights reserved. Dynamic memory allocation is a feature we take for granted in high-level languages such as C++ and Java. Behind the scenes, such languages have a runtime heap manager handling program requests for storage allocation and deallocation. Generally, the heap managers work the same way: on startup, they request a large block of memory from the operating system. They create a free list of pointers to storage blocks. When an allocation request is received, the heap manager marks an appropriately sized block of memory as reserved and urns a pointer to the block. Later, when a delete request for the same block is received, the heap frees up the block, urning it to the free list. Whenever a new allocation request is received, the heap manager scans the free list, looking for the first available block large enough to grant the request. Assembly language programs can perform dynamic allocation in a couple of ways. First, they can make system calls to get blocks of memory from the operating system. Second, they can implement their own heap managers that serve requests for smaller objects. In this article, we show how to implement the first method. The second method (heap manager), will be left for another article. The example program is a 32-bit protected mode applications running under Microsoft Windows. You can request multiple blocks of memory of varying sizes from MS-Windows, using three simple Windows API functions: GetProcessHeap, HeapAlloc, and HeapFree.

2 Chapter GetProcessHeap urns a 32-bit integer handle to the program s heap area. Save this handle and use it when calling other memory-related functions. Using this function, you can request (allocate) memory without having to create your own heap. HeapAlloc urns the address of block of memory from an existing heap, identified by a heap handle. The allocated memory cannot be moved. If the memory cannot be allocated, the function urns NULL (0). HeapFree frees a block of memory previously allocated from a heap, identified by its address and heap handle. If the block is freed successfully, the urn value is nonzero. If the block cannot be freed, the function urns zero and you can call the GetLastError API function to get more information about the error. Here's a good URL to begin reading about these functions. If the URL changes, search for Memory Management Reference on the Microsoft MSDN Web site: http://www.msdn.microsoft.com/library/default.asp?url=/library/enus/memory/base/memory_management_reference.asp. Example Program Here's a short program named heaptest.asm that uses dynamic memory allocation to create and fill a 1000-byte array:.data ARRAY_SIZE = 1000 NULL = 0 parraydword? ; pointer to block of memory hheap DWORD? ; handle to the process heap dwflags DWORD HEAP_ZERO_MEMORY ; set memory bytes to all zeros str1 BYTE "Cannot allocate heap memory!",0dh,0ah,0 str2 BYTE "Writing data into the array...",0dh,0ah,0.code main PROC INVOKE GetProcessHeap mov hheap,eax ; get handle heap ; allocate the array's memory INVOKE HeapAlloc, hheap, dwflags, ARRAY_SIZE.IF eax == NULL mov edx,offset str1 ; "Cannot allocate..." call WriteString jmp quit.else mov parray,eax ; save the pointer.endif

3 ; Fill the array with all "FFh" mov edx,offset str2 ; "Writing data into..." call WriteString mov ecx,array_size mov esi,parray ; point to the array L1: mov BYTE PTR [esi],0ffh ; insert a byte in the array inc esi ; next location loop L1 ; free the array INVOKE HeapFree, hheap, dwflags, parray quit: exit main ENDP END main Linked List Example A student at Florida International University named Gabriel Perez used the Windows heap application API to create a menu-driven program that creates a linked list of names and id numbers (see LinkedList.asm). It inserts, finds, and removes list nodes, showing how dynamic allocation can be used in a more practical way than our first example. TITLE Linked List Example (LinkedList.asm) ; Uses dynamic allocation to interactively build a linked list ; of STRUCT objects. Has a nice interactive menu also. ; Written by Gabriel Perez, a Computer Science student at Florida ; International University, 11/18/2002. ; Used by permission. INCLUDE Irvine32.inc ID_MAX = 10 LASTNAME_MAX = 20 TRUE = 1 FALSE = 0 CUSTOMER STRUCT idnum BYTE ID_MAX DUP(0) lastnam BYTE LASTNAME_MAX DUP(0) nextnod DWORD 0 CUSTOMER ENDS sumofentryfields = (SIZEOF customer.lastnam + SIZEOF customer.idnum)

4 Chapter.data hheap DWORD? dwbytes DWORD? dwflags DWORD HEAP_ZERO_MEMORY progtitle BYTE "DYNAMIC MEMORY ALLOCATION VIA API CALLS",0 opta BYTE "A) DISPLAY CURRENT LIST OF CUSTOMERS",0 optb BYTE "B) SEARCH CUSTOMER",0 optc BYTE "C) ADD NEW CUSTOMER",0 optd BYTE "D) UPDATE CURRENT CUSTOMER",0 opte BYTE "E) DELETE EXISTING CUSTOMER",0 optf BYTE "F) EXIT PROGRAM",0 selection BYTE "PLEASE ENTER YOUR DESIRED SELECTION: ",0 newcusttitle BYTE " --- ENTER A NEW CUSTOMER --- ",0 createnodmsg BYTE "DO YOU WANT TO ENTER A NEW CUSTOMER? Y/N: ",0 custidmsg BYTE "ENTER THE CUST ID: ",0 custlastmsg BYTE "ENTER THE LAST NAME OF CUSTOMER: ",0 displaynothing BYTE " --- THERE ARE NO CUSTOMERS IN MEMORY ---",0 titlemsg BYTE "---- LINK LIST CONTENTS ----",0 custidinfo BYTE "CUSTOMER ID: ",0 custlnameinfo BYTE "CUSTOMER LAST NAME: ",0 spacer BYTE "-------------------------------",0 custsearchmsg BYTE " --- CUSTOMER SEARCH --- ",0 getsearchid BYTE "PLEASE ENTER THE CUST ID TO DISPLAY: ",0 foundmsg BYTE " --- CUSTOMER FOUND ---",0 deletedmsg BYTE " --- AND REMOVED ---",0 notfoundmsg BYTE "!!!! CUSTOMER NOT FOUND!!!!",0 newinfomsg BYTE " --- NEW CUSTOMER INFO ---",0 custupdtmsg BYTE " --- CUSTOMER SUCCESFULLY UPDATED --- ",0 row BYTE 0 column BYTE 24 idnumber BYTE (ID_MAX+1) DUP(0) lastname BYTE (LASTNAME_MAX+1) DUP(0) response BYTE? searchid BYTE (ID_MAX+1) DUP(0) head DWORD? tail DWORD? currnod DWORD? prevnod DWORD? nextnod DWORD? foundvar BYTE FALSE thiscust CUSTOMER {}

5.code main PROC INVOKE GetProcessHeap mov hheap,eax mov dwbytes,sizeof customer mov eax,yellow+(blue*16) call SetTextColor call createnewnode mov head,eax ENTRYPOINT: mov eax,tail mov currnod,eax call programmenu call getandcallselection cmp response, 'F' jne ENTRYPOINT call crlf call waitmsg ENDOFPROGRAM: exit main ENDP createnewnode PROC INVOKE heapalloc, hheap, dwflags, dwbytes mov tail,eax createnewnode ENDP addtwocolumn PROC add row,2 mov dl,column mov dh,row call gotoxy addtwocolumn ENDP programmenu PROC call Clrscr mov row,0 mov dl,20 mov dh,0 call Gotoxy

6 Chapter mov edx,offset progtitle call addtwocolumn mov edx,offset opta call addtwocolumn mov edx,offset optb call addtwocolumn mov edx,offset optc call addtwocolumn mov edx,offset optd call addtwocolumn mov edx,offset opte call addtwocolumn mov edx,offset optf programmenu ENDP getandcallselection PROC mov dl,0 mov dh,24 call gotoxy mov edx, OFFSET selection call readchar mov response,al INVOKE Str_ucase, ADDR response mov al,'a' mov ah,'b' mov bl,'c' mov bh,'d' mov cl,'e'.if (al == response)

7 call showcontents.elseif (ah == response) call getsearch call waitmsg.elseif (bl == response) call getdata call movetoheap call waitmsg.elseif (bh == response) call getsearch.if (foundvar == 1) call update.endif call waitmsg.elseif (cl == response) call getsearch.if (foundvar == 1) call deletenode.endif call waitmsg.endif getandcallselection ENDP showcontents PROC mov edi,head mov ebx,00h call Clrscr mov edx,offset titlemsg Call Crlf DISPLAYSTART: cmp [edi+sumofentryfields],ebx je NOMORE mov eax,[edi] mov prevnod,eax call displaycustomer add edi,sizeof thiscust.lastnam mov edi,[edi] mov currnod,edi JMP DISPLAYSTART

8 Chapter NOMORE: call waitmsg showcontents ENDP displaycustomer PROC mov edx,offset custidinfo mov edx,edi mov edx,offset custlnameinfo add edi,sizeof thiscust.idnum mov edx,edi mov edx,offset spacer displaycustomer ENDP getdata PROC call Clrscr mov edx,offset newcusttitle mov edx,offset custidmsg mov edx,offset thiscust.idnum mov ecx,id_max call readstring mov edx,offset custlastmsg mov edx,offset thiscust.lastnam mov ecx,lastname_max call readstring

9 call createnewnode mov eax,tail mov thiscust.nextnod,eax getdata ENDP movetoheap PROC mov esi,offset thiscust mov edi,currnod INVOKE Str_copy, ADDR thiscust.idnum, edi add edi,sizeof thiscust.idnum INVOKE Str_copy, ADDR thiscust.lastnam, edi add edi,sizeof thiscust.lastnam mov eax,(customer PTR [esi]).nextnod mov [edi],eax movetoheap ENDP getsearch PROC call ClrScr mov ebx,00h mov edi,head cmp [edi+sumofentryfields],ebx je NOTHING mov edx,offset custsearchmsg call writestring mov edx,offset getsearchid mov edx,offset searchid mov ecx,id_max call readstring call searchlist jmp endproc NOTHING: mov foundvar,false mov edx,offset displaynothing

10 Chapter ENDPROC: call crlf getsearch ENDP searchlist PROC call ClrScr mov edi,head mov ebx,00h mov prevnod,edi SEARCHLOOP: mov eax,[edi] INVOKE Str_compare, ADDR searchid, edi je FOUND mov prevnod,edi add edi,sumofentryfields mov edi,[edi] cmp [edi+sumofentryfields],ebx je NOTFOUND jmp SEARCHLOOP FOUND: mov foundvar,true mov currnod,edi Call Crlf mov edx,offset foundmsg call displaycustomer jmp AWAYWITHYOU NOTFOUND: mov foundvar,false mov edx,offset notfoundmsg AWAYWITHYOU: searchlist ENDP update PROC mov dl,0 mov dh,6 call Gotoxy mov edx,offset newinfomsg

11 call WriteString mov edx,offset custidmsg mov edx,offset thiscust.idnum mov ecx,id_max call readstring mov edx,offset custlastmsg mov edx,offset thiscust.lastnam call readstring mov edi,currnod INVOKE Str_copy, ADDR thiscust.idnum, edi add edi,sizeof thiscust.idnum INVOKE Str_copy, ADDR thiscust.lastnam, edi add edi,sizeof thiscust.lastnam call crlf mov edx,offset custupdtmsg call writestring call crlf update ENDP deletenodeproc mov edi,currnod add edi,sumofentryfields mov eax,[edi] mov nextnod,eax mov edi,currnod.if(edi == head).endif mov head,eax mov edi,prevnod add edi,sumofentryfields mov eax,nextnod mov [edi],eax

12 Chapter mov edi,currnod INVOKE heapfree, hheap, dwflags, edi mov edx,offset deletedmsg deletenode ENDP end main

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information