Programming for Wanabes X. File details in asm

We have already wrote code to scan a single folder and in this instalment we are going to extend it to scan complete folder trees and also get the details from the files so our malware can decide which file is interesting or not.

This is going to be pretty short as we already know everything needed to implement this extension.

Refresher… the code so far

In the previous instalment, towards the end I mentioned that using an ascending loop will have some benefits in this specific case so, I will include this modification in the base code.

You can check it as an exercise. It does exactly the same than the previous version, but counts from zero to the number of bytes returned by getdents, instead of decreasing that value until we get to zero.

This is the code.

	global mfw_select_target
	extern mfw_puts
	extern mfw_putln
	extern mfw_openat
	extern mfw_newfstatat
	extern mfw_getdents
	extern mfw_close

	section .text
	
mfw_select_target:
	BUF_SIZE  EQU     0x400
	STAT_SIZE EQU     0x144
  	FD	      EQU     0x08
 	BUF       EQU     (FD   + BUF_SIZE)
	ST        EQU     (BUF + STAT_SIZE)
	STE       EQU     BUF
	D_NAME    EQU     0x12
	D_RECLEN  EQU     0x10
	ST_MODE   EQU     0x18
	
	;; Create Stack Frame
	push  rbp
	mov   rbp, rsp
	sub   rsp, STE
	
	;; Open Directory
	;; RDI and RSI should be all set
	mov  rdx, 0q200000 	;O_RDONLY | O_DIRECTORY
	call mfw_openat
	test al,al
	js   done1		; Exit if we cannot open the folder. Likely permission denied error
	
	mov  QWORD [rbp-FD], rax ;Store fd in local var
loop0:
	mov  rdi, QWORD [rbp-FD]
	lea  rsi, [rbp-BUF]
	mov  rdx, BUF_SIZE
	call mfw_getdents
	
	test ax,ax
	jz   done		    ; 0 means we are done reading the folder
	js   loop0 		    ; <0 means error.... we just try again

	mov r9, rax		    ; Loop limit
	lea r8, [rbp-BUF] 	; Points to struct linux_dirent record
	xor r14,r14 		; Loop counter = 0

loop1:
	lea   rdi, [r8 + r14  + D_NAME] ; Offset to current dirent name

;; ***********************************************
;; All new code goes here
;; *****************************************************
	;;  For the time being just print file name
	mov  rdi, rsi
	call mfw_putln

next:
	movzx rdx, WORD [r8 + r14 + D_RECLEN] ; Get Record len | Same size thqan mov
	add r14,rdx
	cmp r14, r9
	jge loop0                ; If it is zero, get more data
	jmp loop1
	
done:	
	;; Close directory
	mov rdi, QWORD [rbp-FD]
	call mfw_close
done1:	
	leave     		; Set RSP=RBP and pops RBP
	ret

Before continuing, you may have noticed the use of movzx instruction. This is new and we haven’t talked about it before. This instruction and also it counterpart movsx allows us to read a value into a register that is smaller than the target register. Let’s check the instruction

	movzx rdx, WORD [r8 + r14 + D_RECLEN]

In this case we are moving a memory word (16 bits) into a 64 bits register. The movZx instruction will complete the target with zeros while the movSx will extend the sign. In this example, the value we want is 2 bytes, but we want to use it on the 64bits register for the arithmetic operations (actually the edx will likely be enough, but we would have to use the instruction in any case).

The difference between this instruction and a single move is that the last will not update the higher word on the register, and we should set the register to zero before copying only the lower 16bits.

In the same way, if we are dealing with negative numbers…

Negative numbers

So far we haven’t care much about negative numbers… in a sense, we kind of magically assumed that they just work as it happens on C or any other high level language, however, there is a few things we need to know about number representation and its associated arithmetic.

Let’s start thinking on a single byte (8 bits or 8 ones or zeros). As we know with 8 bits we can represent 256 values (from 0 to 255). That’s perfect for natural numbers, but what happens if we need negative numbers?.. And we need then, I can already told you that.

Well, in that case we need to encode the number differently. First thing is to store the sign of the number, and, that will take a bit… I mean, it cannot take less… at least not without over-complicating the solution. Then if 1 bit is reserved for the sign, we have 7 bits to represent the actual number and that is 128 values. let’s print a few of those numbers

8 => 0 000 1000        -8 => 1 000 1000
7 => 0 000 0111        -7 => 1 000 0111
....
1 => 0 000 0001        -1 => 1 000 0001
0 => 0 000 0000         0 => 1 000 0000

So, we see a few problems with this representation. The first one is that we have two representations for the number zero. That is not convenient as can make computations ambiguous and we are also loosing the opportunity to represent one extra number.

The second problem of this representation is that multiplication is kind of easy, but addition is kind of a hell.

Fortunately for us, some smart people long ago come up with a better representation for the negative numbers…

Two’s complement

This representation of the numbers also uses the most significant bit to indicate the sign, but the value of the number is encoded in a smarter way. Let’s see our table of numbers again and then let’s explore the benefits of this representation:

8 => 0 000 1000        -8 => 1 110 1000
7 => 0 000 0111        -7 => 1 111 1001
....
2 => 0 000 0010        -2 => 1 111 1110
1 => 0 000 0001        -1 => 1 111 1111
0 => 0 000 0000         

As we can see now there is one single representation for zero, that is actually zero (all bits zero). This has a consecuence… zero is somehow a positive number, because the most significant bit is 0 (that is our sign bit). This is why a signed char can take values from -128 to 127 (because the zero is part of the positives)

In addition to the sign, the rest of the number is constructed counting upward as usual for the positive numbers, and backwards for the negative ones…

Actually the way to change the sign of a number, or if you prefer, calculate the two’s complement is as follows:

  • Invert all bits in the number (this is the so called one’s complement)
  • Add 1

Let’s use as example the number 5 and let’s calculate the two’s complement of it, or in other words, let’s determine the bit representation of -5.

Number 5   ->  00000101
NOT(5)     ->  11111010
NOT(5) + 1 ->  11111011

The other big advantage of this representation is that basic arithmetic operation will just work. Just add the 5 and -5 above and it will result in zero. Substraction and multiplication also works out of the box. I won’t go further into this topic. The interested reader shall read the Wikipedia page, and if you are really into maths and scientific SW you also need to read this.

Back to movsx

So, now that we know how a negative number is represented we can come back to the movSx where S stands for sign. This instruction works the same than movzx but performing what is know as sign extension.

Sign extension happens when copying some value of a specific datatype into another value but of a bigger datatype. Imagine you want to copy the value 7 in a byte in memory, into the 32 bits register EDX.

EDX                                     Memory Byte
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX     00000111
                                           |  (mov edx, BYTE [mem]
XXXXXXXX XXXXXXXX XXXXXXXX 00000111 <------+

In the diagram above X means any value. It may be zero or one. When we move the byte into EDX we will just update the less significant byte… Anything else in the register will remind. However, when we use movzx we are forcing zeros in all the other bits in the register… and when using movsz we are forcing the sign bit. Let’s change the byte memory to some negative value

EDX                                     Memory Byte
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX     11111110  (-2)
                                           |  (movzx edx, BYTE [mem]
00000000 00000000 00000000 11111110 <------+
                                           |  (movsx edx, BYTE [mem]
11111111 11111111 11111111 11111110 <------+

In the first case we copy the byte in the lower part of the register (actually dl) and then we set everything else to 0. En the second case we set everything else to the sign bit. This way, the result of the first case is 254 while in the second case it is still -2.

Calling statat

Now we can just write the loop to call statat and check the file type. Let’s split this in two parts. First the call to statat and then the check of the file.

The first part is pretty straight forward:


loop1:
	lea   rdi, [r8 + r14  + D_NAME] ; Offset to current dirent name
	
	;; Skip . and .. names
	;; ---------------------------
	cmp WORD [rdi], 0x002e  ; '.',0x00
	je next
	cmp WORD [rdi], 0x2e2e  ;  '..'
	jne check_file
	cmp BYTE [rdi+2], 0      
	je next
	
	;; Check file type and permissions
check_file:	
	lea    rsi, [rdi]	    ; Par2 : name
	mov    rdi, [RBP - FD]  ; Par1 : fd
	lea    rdx, [RBP - ST]  ; Par3 : struct stat
	xor    rcx, rcx		    ; Par4 : flags
	call   mfw_newfstatat
	
	test   al,al
	js     next		; Silently skip this file on error. Likely Permission denied
	
	;; ********************************
	;; Here the code to check the file
	;; *********************************
run_payload:
	;;  For the time being just print file name
	mov  rdi, rsi
	call mfw_putln

next:
	movzx rdx, WORD [r8 + r14 + D_RECLEN] ; Get Record len | Same size thqan mov
	(...)

The first part of the code just checks the file name and skips it in case it is . or ‘…’ in order to avoid infinite loops. The check is done comparing against the ascii values (0x0023 and 0x002323) of both strings. For the second case, I first tried to read a DWORD to just do a comparison, but it looks like the size of .. is exactly three and I was getting some randon stuff in the most significant byte… any other way to do the check I thought about just ended in longer code… but let me know in the comments if you found a better way.

Then we just found the call to newfstatat. Nothing special here, we have already used this from C, we just set the second parameter first, because we already have that value in rdi, so we just do that assignment fist before overwriting rdi and we take advantage of moving data between registers.

Finally we check if the syscall failed and silently continue in that case.

Checking file type

Now we need to check the file type. As we did in C, we are going to look for executable files. Note that this is a basic check and in the real world you may need to do further checks. For instance, a virus will need to check that the file is also an ELF binary and not just a bash script… both are executable files but their structures are pretty different. Even when it is possible to infect a bash file that is something you do not really need special skills to do.

This part of the code also performs the recursive call that allows us to scan the whole filesystem tree.

	;; Check if it is a directory
	mov  eax, DWORD [rdx + ST_MODE]
	and  eax, 0q0170000
	cmp  eax, 0q0040000
	jz   scan_folder	; If it is a directory... scan recursively
	cmp  eax, 0q0100000 
	jnz  next           ; If it is not a regular file.... skip it
	
	;; If we got a regular file then let's check permissions
	mov  eax, DWORD [rdx + ST_MODE]
	and  eax, 0q00111	; Execution permisions
	jz   next		    ; If no execution permision set... skip the file
	jmp  run_payload	; Otherwise run the payload on it
	
scan_folder:
	;; Before the recursive call we need to store current state in the stack
	;; File descruptor and getents are already there. We just store the registers
	;; This way, we only use the memory when scanning a subfolder
	push  r8 		; Current getdents buffer
	push  r9		; Number of bytes in getents buffer
	push  r14       ; Current getendts buffer ofsset 

	call  mfw_select_target ; RDI and RSI already set to the right parameters
	;; Restore evertything and keep going
	pop   r14		; PUSH/POP are 2 bytes long... mov reg, [bp-XX] is 4
	pop   r9
	pop   r8
	jmp   next		; Continue

The first thing we do us to get the st_mode field from the struct stat returned by newfstatat. Then we mask the __S_IFM value that we have found when developing our C version and then we check if we are looking to a directory or a regular file. If the entry is a directory we jump to scan_folder to perform the recursive traversal of the just found subfolder, otherwise we check the permissions and if they don’t match we just discard this entry and do on to process the next one.

When we call ourselves recursively to traverse the subfolders we need to store in the stack the local variables we are holding on registers for efficiency. These are r8 (the getents buffer we are processing), r9 (the number of bytes in that buffer) and r14 (the current offset in the buffer of the entry we are processing right now).

We could declare extra local variables in the stack as we did for the FD, but in this case we decided to just push and pop the values just before the call. This way, the code is shorter and we only perform that operation (saving to memory) only when it is necessary. Note that a mov is principle more efficient (faster) but it produces a bit longer code (4 bytes vs the 2 bytes required by the push/pop).

The final code

As usually, this is the final code of our select_target function:

	global mfw_select_target
	extern mfw_puts
	extern mfw_putln
	extern mfw_openat
	extern mfw_newfstatat
	extern mfw_getdents
	extern mfw_close

	section .text
	
mfw_select_target:
	BUF_SIZE  EQU     0x400
	STAT_SIZE EQU     0x144
  	FD	      EQU     0x08
 	BUF       EQU     (FD   + BUF_SIZE)
	ST        EQU     (BUF + STAT_SIZE)
	STE       EQU     BUF
	D_NAME    EQU     0x12
	D_RECLEN  EQU     0x10
	ST_MODE   EQU     0x18
	
	;; Create Stack Frame
	push  rbp
	mov   rbp, rsp
	sub   rsp, STE
	
	;; Open Directory
	;; RDI and RSI should be all set
	mov  rdx, 0q200000 	;O_RDONLY | O_DIRECTORY
	call mfw_openat
	test al,al
	js   done1		; Exit if we cannot open the folder. Likely permission denied error
	
	mov  QWORD [rbp-FD], rax ;Store fd in local var
loop0:
	mov  rdi, QWORD [rbp-FD]
	lea  rsi, [rbp-BUF]
	mov  rdx, BUF_SIZE
	call mfw_getdents
	
	test ax,ax
	jz   done		; 0 means we are done reading the folder
	js   loop0 		; <0 means error.... we just try again

	mov r9, rax		    ; Loop limit
	lea r8, [rbp-BUF] 	; Points to struct linux_dirent record
	xor r14,r14 		; Loop counter = 0

loop1:
	lea   rdi, [r8 + r14  + D_NAME] ; Offset to current dirent name
	
	;; Skip . and .. names
	;; ---------------------------
	cmp WORD [rdi], 0x002e
	je next
	cmp WORD [rdi], 0x2e2e
	jne check_file
	cmp BYTE [rdi+2], 0
	je next
	
	;; Check file type and permissions
check_file:	
	lea    rsi, [rdi]	    ; Par2 : name
	mov    rdi, [RBP - FD]  ; Par1 : fd
	lea    rdx, [RBP - ST]  ; Par3 : struct stat
	xor    rcx, rcx		    ; Par4 : flags
	call   mfw_newfstatat
	
	test   al,al
	js     next		; Silently skip this file on error. Likely Permission denied
	
	;; Check if it is a directory
	mov  eax, DWORD [rdx + ST_MODE]
	and  eax, 0q0170000
	cmp  eax, 0q0040000
	jz   scan_folder	; If it is a directory... scan recursively
	cmp  eax, 0q0100000 
	jnz  next               ; If it is not a regular file.... skip it
	
	;; If we got a regular file then let's check permissions
	mov  eax, DWORD [rdx + ST_MODE]
	and  eax, 0q00111	; Execution permisions
	jz   next		    ; If no execution permision set... skip the file
	jmp  run_payload	; Otherwise run the payload on it
	
scan_folder:
	;; Before the recursive call we need to store current state in the stack
	;; File descriptor and getents are already there. We just store the registers
	;; This way, we only use the memory when scanning a subfolder
	push  r8 		; Current getdents buffer
	push  r9		; Number of bytes in getents buffer
	push  r14       ; Current getendts buffer ofsset 

	call  mfw_select_target ; RDI and RSI already set to the right parameters
	;; Restore evertything and keep going
	pop   r14		; PUSH/POP are 2 bytes long... mov reg, [bp-XX] is 4
	pop   r9
	pop   r8
	jmp   next		; Continue
	
run_payload:
	;;  For the time being just print file name
	mov  rdi, rsi
	call mfw_putln

next:
	movzx rdx, WORD [r8 + r14 + D_RECLEN] ; Get Record len | Same size thqan mov
	add r14,rdx
	cmp r14, r9
	jge loop0                ; If it is zero, get more data
	jmp loop1
	
done:	
	;; Close directory
	mov rdi, QWORD [rbp-FD]
	call mfw_close
done1:	
	leave     		; Set RSP=RBP and pops RBP
	ret

Conclusions

As I said this was very short, we already know a lot of assembler and system programming to code this part so this was just work we had to do. We took the chance to talk a little bit about number representation, and we got a recursive function working in assembly… which is not that hard once we learned what that involves in the previous instalments.

For the next instalment we should start looking into some payload… I envision a first theoretical instalment to introduce the related concepts before jumping in to the code…

So, now it is time for you to decide:

  • VIRUS
  • RANSOMWARE
  • SPYWARE
  • RAT

0 voters

Read the whole series here

Part IX. Finding Files in asm
Part VIII, File Details
Part VII. Finding files
Part VI. Malware Introduction
Part V. A dropper
Part IV. The stack
Part III. Your first Shell Code
Part II and a Half. Part II for ARM and MIPS
Part II. Shrinking your program
Part I. Getting Started

3 Likes

Someone’s suddenly found a lot of free time. What’s your secret?

2 Likes

Hey mate!..As you said I have some free time available right now. I’m getting older so I have to take notes of what I do… so I just share them. Actually some other stuff have just popped up and I have to take care of it. Next instalment will take longer to be released…

2 Likes