Linux Kernel Analysis Learning notes (i)

From today to learn NetEase cloud classroom Monensin Teacher's "Linux kernel Analysis" course, link Address: Http://mooc.study.163.com/course/USTC-1000029000#/info, record course study notes.

The first week's content mainly introduces the von Neumann architecture ,the att format of the 32-bit x86 assembly language , and a simple C program disassembly into the assembly code of the execution analysis process .

first, von Neumann architecture--Stored program computer

At the heart of the von Neumann architecture is a store program that stores data and code in memory, binary data, and a specific module that distinguishes data from code. The von Neumann architecture of the computer includes an operator, controller, memory, input unit, output unit five bulky.

Ii. 32-bit x86 assembly in ATT format1, 32-bit CPU register structureGeneral purpose Registers

8-bit registers: Ah, AL, BH, BL, CH, cl, DH, DL

16-bit registers: AX, BX, CX, DX, BP, Si, Di, sp

32-bit registers: eax, ebx, ECX, edx, EBP, EDI, ESI, esp

Attention:

1, 8-bit registers and 16-bit registers are independent, such as low 8-bit register AL operation structure overflow does not affect the high 8-bit register Ah, the same 16-bit register AX does not affect the 32-bit register EAX high 16 bits

2, usually eax as the accumulator, ebx as the base register, ECX as a counter, edx as a data register, EBP as the stack base pointer register (stack), ESI, EDI as the variable address register, esp as the stack top pointer register.

Segment Register

CS Code Segment Register

DS Data Segment Register

SS Stack Segment Register

ES expansion Segment Register

GS, FS additional segment register

Flag Register

2, severalatt assembly Instructions

mov: data transmission, can be divided into Movb, MOVW, movl three kinds, respectively, send a byte, a word, two words.

PUSHL : into the stack, PUSHL%eax equivalent to:

                      SUBL $4,%esp                      movl%eax, (%ESP)

popl: Out of the stack, POPL%eax equivalent:

                      MOVL (%ESP),%eax                      add $4,%esp            

Call: Call F: equivalent

                      PUSHL%eip                      movl F,%eip

ret: ret equals:

               POPL%eip    

Enter: equivalent to:

                       PUSHL%ebp                       movl%esp,%EBP

leave: equivalent to:

                       movl%ebp,%esp                       pop %EBP

Attention:

Intel assembler and ATT assembly in the number of operands, the order of the operands listed is reversed.

Although the PUSHL and popl in the face of the interpretation of the EIP, in practice, the programmer can not manually directly manipulate the EIP, may be indirectly modified by other directives.

A city simple C program disassembly analysis

Lab Environment: https://www.shiyanlou.com/courses/running/555

1. Test phase

Write C code:

Compile generated assembly code:

Gcc–s–o main.s Main.c–m32

Observation and Analysis Assembly code

After removing extraneous information, assemble code MAIN.S:

2. Analysis of function call stack of experimental analysis

Observing each function of the assembly code above, Main, F, and G found, the beginning and end of each function is the same:

        pushl%ebp        movl%esp,%ebp        leave        ret

The above two instructions are equivalent to enter, used to construct a function stack frame, leave means exiting the current frame, analyzed as follows:

Initial state before entering the function:

Enter function Enter:

After a series of other operations in the middle, execute the Leave:

Finally reverts to the state before the function is entered

Analyzing assembly code for C programs

As with the C program starting with the main function, the assembly code executes from the main tag:

　　　　　　　　

① starting from 18 lines to 22:

Remove 22 lines of code call F,%eip = 23

② executes 22 lines of call F, first the current EIP (23) into the stack, and then the address of F into the EIP

PUSHL%eipmovl F,%eip

③ enters F, constructs the stack frame of F and executes to 11 rows:

Perform

8 (%EBP),%eaxmovl%eax,  (%ESP)

At this point%eax = 8

④ executes call G, enters G and constructs a stack frame for G:

Execution to line 6:%eax = 11

Execute POPL%EBP, destroy G stack frame:

After performing ret i.e. popl%eip,%eip = 15

⑤ continues to execute 15 rows of leave, destroying the stack frame of f:

PUSHL%EBP,%esppopl%EBP

Perform a 16-line RET:

At this point%eip = 23

Execute 23 Lines,%eax = 12

⑥ executes 24 rows,leave, destroying main's stack frame:

Back to the initial state, and the return value of the function is stored by default in%eax, which is%eax = 12,

Back ret, revert to the state before entering main.

At this point, the above C program assembly code analysis is complete.

Linux Kernel Analysis Learning notes (i)