Blue Fox

Arm Assembly Internals and Reverse Engineering
1st edition

by: Maria Markstedter

28,99 €

Publisher: Wiley
Format: PDF
Published: 27.03.2023
ISBN/EAN: 9781119746737
Language: English
Number of pages: 480

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

Provides readers with a solid foundation in Arm assembly internals and reverse-engineering fundamentals as the basis for analyzing and securing billions of Arm devices

Finding and mitigating security vulnerabilities in Arm devices is the next critical internet security frontier: Arm processors are already in use by more than 90% of all mobile devices, billions of Internet of Things (IoT) devices, and a growing number of current laptops from companies including Microsoft, Lenovo, and Apple. Written by a leading expert on Arm security, Blue Fox: Arm Assembly Internals and Reverse Engineering introduces readers to modern Armv8-A instruction sets and the process of reverse-engineering Arm binaries for security research and defensive purposes.

Divided into two sections, the book first provides an overview of the ELF file format and OS internals, followed by Arm architecture fundamentals, and a deep dive into the A32 and A64 instruction sets. Section Two delves into the process of reverse engineering itself: setting up an Arm environment, an introduction to static and dynamic analysis tools, and the process of extracting and emulating firmware for analysis. The last chapter gives the reader a glimpse into macOS malware analysis of binaries compiled for the Arm-based M1 SoC. Throughout the book, the reader gains an extensive understanding of the Arm instructions and control-flow patterns essential for reverse engineering software compiled for the Arm architecture.

Providing an in-depth introduction to reverse engineering for engineers and security researchers alike, this book:

- Offers an introduction to the Arm architecture, covering both AArch32 and AArch64 instruction set states, as well as ELF file format internals
- Presents in-depth information on Arm assembly internals for reverse engineers analyzing malware and auditing software for security vulnerabilities, as well as for developers seeking detailed knowledge of the Arm assembly language
- Covers the A32/T32 and A64 instruction sets supported by the Armv8-A architecture with a detailed overview of the most common instructions and control flow patterns
- Introduces known reverse engineering tools used for static and dynamic binary analysis
- Describes the process of disassembling and debugging Arm binaries on Linux, and using common disassembly and debugging tools

Blue Fox: Arm Assembly Internals and Reverse Engineering is a vital resource for security researchers and reverse engineers who analyze software applications for Arm-based devices at the assembly level.
Contents

Introduction xxi
Part I Arm Assembly Internals 1
Chapter 1 Introduction to Reverse Engineering 3
  Introduction to Assembly 3
  Bits and Bytes 3
  Character Encoding 5
  Machine Code and Assembly 6
  Assembling 9
  Cross-Assemblers 13
  High-Level Languages 15
  Disassembling 16
  Decompilation 17
Chapter 2 ELF File Format Internals 21
  Program Structure 21
  High-Level vs. Low-Level Languages 22
  The Compilation Process 24
  Cross-Compiling for Other Architectures 25
  Assembling and Linking 27
  The ELF File Overview 30
  The ELF File Header 31
  The ELF File Header Information Fields 32
  The Target Platform Fields 33
  The Entry Point Field 34
  The Table Location Fields 34
  ELF Program Headers 34
  The PHDR Program Header 36
  The INTERP Program Header 36
  The LOAD Program Headers 36
  The DYNAMIC Program Header 37
  The NOTE Program Header 37
  The TLS Program Header 38
  The GNU_EH_FRAME Program Header 38
  The GNU_STACK Program Header 39
  The GNU_RELRO Program Header 41
  ELF Section Headers 43
  The ELF Meta-Sections 45
  The String Table Section 46
  The Symbol Table Section 46
  The Main ELF Sections 46
  The .text Section 47
  The .data Section 47
  The .bss Section 47
  The .rodata Section 47
  The .tdata and .tbss Sections 48
  Symbols 48
  Global vs. Local Symbols 50
  Weak Symbols 50
  Symbol Versions 51
  Mapping Symbols 51
  The Dynamic Section and Dynamic Loading 52
  Dependency Loading (NEEDED) 53
  Program Relocations 54
  Static Relocations 55
  Dynamic Relocations 56
  The Global Offset Table (GOT) 57
  The Procedure Linkage Table (PLT) 57
  The ELF Program Initialization and Termination Sections 58
  Initialization and Termination Order 60
  Thread-Local Storage 60
  The Local-Exec TLS Access Model 65
  The Initial-Exec TLS Access Model 65
  The General-Dynamic TLS Access Model 66
  The Local-Dynamic TLS Access Model 67
Chapter 3 OS Fundamentals 69
  OS Architecture Overview 69
  User Mode vs. Kernel Mode 70
  Processes 70
  System Calls 72
  Objects and Handles 77
  Threads 79
  Process Memory Management 80
  Memory Pages 82
  Memory Protections 82
  Anonymous and Memory-Mapped Memory 84
  Memory-Mapped Files and Modules 84
  Address Space Layout Randomization 87
  Stack Implementations 90
  Shared Memory 91
Chapter 4 The Arm Architecture 93
  Architectures and Profiles 93
  The Armv8-A Architecture 95
  Exception Levels 96
  Armv8-A TrustZone Extension 97
  Exception Level Changes 99
  Armv8-A Execution States 101
  The AArch64 Execution State 102
  The A64 Instruction Set 103
  AArch64 Registers 104
  The Program Counter 106
  The Stack Pointer 107
  The Zero Register 107
  The Link Register 108
  The Frame Pointer 109
  The Platform Register (x18) 109
  The Intraprocedural Call Registers 110
  SIMD and Floating-Point Registers 110
  System Registers 111
  PSTATE 112
  The AArch32 Execution State 114
  A32 and T32 Instruction Sets 114
  The A32 Instruction Set 114
  The T32 Instruction Set 115
  Switching Between Instruction Sets 115
  AArch32 Registers 118
  The Program Counter 119
  The Stack Pointer 120
  The Frame Pointer 120
  The Link Register 121
  The Intraprocedural Call Register (IP, r12) 121
  The Current Program Status Register 121
  The Application Program Status Register 122
  The Execution State Registers 124
  The Instruction Set State Register 124
  The IT Block State Register (ITSTATE) 125
  Endianness State 126
  Mode and Exception Mask Bits 126
Chapter 5 Data Processing Instructions 129
  Shift and Rotate Operations 131
  Logical Shift Left 132
  Logical Shift Right 133
  Arithmetic Shift Right 133
  Rotate Right 134
  Rotate Right with Extend 134
  Instruction Forms 135
  Shift by a Constant Immediate Form 136
  Shift by Register Form 138
  Bitfield Manipulation Operations 140
  Bitfield Move 141
  Sign- and Zero-Extend Operations 145
  Bitfield Extract and Insert 150
  Logical Operations 153
  Bitwise AND 153
  The TST Instruction 154
  Bitwise Bit Clear 155
  Bitwise OR 155
  Bitwise OR NOT 156
  Bitwise Exclusive OR 158
  The TEQ Instruction 158
  Exclusive OR NOT 159
  Arithmetic Operations 159
  Addition and Subtraction 159
  Reverse Subtract 161
  Compare 162
  CMP Instruction Operation Behavior 163
  Multiplication Operations 165
  Multiplications on A64 166
  Multiplications on A32/T32 167
  Least Significant Word Multiplications 169
  Most Significant Word Multiplications 171
  Halfword Multiplications 173
  Vector (Dual) Multiplications 176
  Long (64-Bit) Multiplications 179
  Division Operations 186
  Move Operations 187
  Move Constant Immediate 188
  Move Immediate and MOVT on A32/T32 188
  Move Immediate, MOVZ, and MOVK on A64 189
  Move Register 190
  Move with NOT 192
Chapter 6 Memory Access Instructions 195
  Instructions Overview 195
  Addressing Modes and Offset Forms 197
  Offset Addressing 200
  Constant Immediate Offset 201
  Register Offsets 207
  Pre-Indexed Mode 209
  Pre-Indexed Mode Example 210
  Post-Indexed Addressing 212
  Post-Indexed Addressing Example 213
  Literal (PC-Relative) Addressing 214
  Loading Constants 215
  Loading an Address into a Register 218
  Load and Store Instructions 222
  Load and Store Word or Doubleword 222
  Load and Store Halfword or Byte 224
  Example Using Load and Store 226
  Load and Store Multiple (A32) 228
  Example for STM and LDM 235
  A More Complicated Example Using STM and LDM 237
  Load and Store Pair (A64) 238
Chapter 7 Conditional Execution 243
  Conditional Execution Overview 243
  Conditional Codes 244
  The NZCV Condition Flags 245
  Signed vs. Unsigned Integer Overflows 246
  Condition Codes 248
  Conditional Instructions 249
  The If-Then (IT) Instruction in Thumb 250
  Flag-Setting Instructions 252
  The Instruction "S" Suffix 253
  The S Suffix on Add and Subtract Instructions 253
  The S Suffix on Logical Shift Instructions 256
  The S Suffix on Multiply Instructions 257
  The S Suffix on Other Instructions 257
  Test and Comparison Instructions 257
  Compare (CMP) 258
  Compare Negative (CMN) 260
  Test Bits (TST) 261
  Test Equality (TEQ) 264
  Conditional Select Instructions 265
  Conditional Comparison Instructions 268
  Boolean AND Conditionals Using CCMP 269
  Boolean OR Conditionals Using CCMP 272
Chapter 8 Control Flow 275
  Branch Instructions 275
  Conditional Branches and Loops 277
  Test and Compare Branches 281
  Table Branches (T32) 282
  Branch and Exchange 284
  Subroutine Branches 288
  Functions and Subroutines 290
  The Procedure Call Standard 291
  Volatile vs. Nonvolatile Registers 293
  Arguments and Return Values 293
  Passing Larger Values 295
  Leaf and Nonleaf Functions 298
  Leaf Functions 298
  Nonleaf Functions 299
  Prologue and Epilogue 299
Part II Reverse Engineering 305
Chapter 9 Arm Environments 307
  Arm Boards 308
  Emulation with QEMU 310
  QEMU User-Mode Emulation 310
  QEMU Full-System Emulation 314
  Firmware Emulation 315
Chapter 10 Static Analysis 321
  Static Analysis Tools 322
  Command-Line Tools 322
  Disassemblers and Decompilers 322
  Binary Ninja Cloud 323
  Call-By-Reference Example 328
  Control Flow Analysis 334
  Main Function 336
  Subroutine 336
  Converting to char 341
  if Statement 343
  Quotient Division 345
  for Loop 347
  Analyzing an Algorithm 349
Chapter 11 Dynamic Analysis 363
  Command-Line Debugging 364
  GDB Commands 365
  GDB Multiuser 366
  GDB Extension: GEF 368
  Installation 369
  Interface 370
  Useful GEF Commands 370
  Examine Memory 374
  Watch Memory Regions 376
  Vulnerability Analyzers 377
  checksec 379
  Radare2 381
  Debugging 382
  Remote Debugging 385
  Radare2 386
  IDA Pro 388
  Debugging a Memory Corruption 390
  Debugging a Process with GDB 398
Chapter 12 Reversing arm64 macOS Malware 405
  Background 406
  macOS arm64 Binaries 407
  macOS Hello World (arm64) 410
  Hunting for Malicious arm64 Binaries 413
  Analyzing arm64 Malware 419
  Anti-Analysis Techniques 420
  Anti-Debugging Logic (via ptrace) 421
  Anti-Debugging Logic (via sysctl) 425
  Anti-VM Logic (via SIP Status and the Detection of VM Artifacts) 429
Conclusion 435
Index 437
MARIA MARKSTEDTER is the CEO and founder of Azeria Labs, offering high-quality training courses on Arm reverse engineering and exploitation. She has an extensive educational background, holding a Bachelor's degree in Corporate Security and a Master's degree in Enterprise Security, and has collaborated with Arm on exploit mitigation research. Maria's outstanding contributions to the cybersecurity industry have earned her a place on Forbes' "30 under 30" list for technology in Europe (2018) and the title of Forbes Person of the Year in Cybersecurity in 2020.
Explore the core of Arm and unlock the secrets behind 90% of mobile and IoT devices through reverse engineering

The popularity of the Arm architecture in mobile and IoT devices, laptops, and servers makes it a perfect subject for anyone interested in reverse engineering. The details and intricacies of Arm assembly language offer an invaluable opportunity to stay up to date with a quickly evolving technological landscape.

Blue Fox: Arm Assembly Internals and Reverse Engineering is a comprehensive guide perfect for both beginners and seasoned professionals. The book delivers an intuitive presentation of a processor language that is surging in popularity and demand. It skillfully presents the material readers need to dramatically improve their vulnerability discovery and analysis, exploit development, and malware analysis skills.

The book equips readers with the foundational knowledge required for effective reverse engineering. The initial chapters delve into topics such as the ELF file format, operating system fundamentals, and the Arm architecture, while subsequent chapters provide an overview of the three instruction sets: A64, A32, and T32. They cover a variety of instruction types including data processing and memory access instructions, conditional execution, and control flow patterns.

The second part of the book immerses readers in the world of reverse engineering, covering critical subjects including different types of Arm environments, practical router firmware emulation, the process of static analysis, dynamic analysis and debugging of binaries at run time, and an overview of frequently used reverse engineering tools and techniques.

The author also provides an in-depth chapter on reversing arm64 macOS malware, which includes the real-world anti-analysis techniques used by malware in the wild, making this book an essential resource for anyone interested in malware analysis.
