Upload File

03-amd64-1

57
Crash Dump Analysis AMD64 Jakub Jermář Martin Děcký

Upload: achilles7

Post on 23-Nov-2015

2 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

  • Crash Dump AnalysisAMD64

    Jakub JermMartin Dck

  • CrashDumpAnalysisMFFUKAMD64 2

    AMD64Overview

    NaturalextensionofIA32

    OriginallycreatedbyAMD(thusAMD64) LateralsoadoptedbyIntel(asIA32e,IA64t,Intel64)

    Vendorneutralnamesx8664,x64

    ManypropertiesofIA32applyalsotoAMD64 Keydifferences

    64bitarchitecture 16GPRs(14practicallyusable) Segmentationalmosteliminated(excepttworemainingsimplifiedsegments)

  • CrashDumpAnalysisMFFUKAMD64 3

    AMD64Manuals

    AMD64ArchitectureProgrammer'sManual

    Volume1:ApplicationProgramming

    Volume2:SystemProgramming

    Volume3:GeneralPurposeandSystemInstructions

    SoftwareOptimizationGuideforAMD64Processorswww.amd.com/usen/Processors/TechnicalResources/0,,30_182_739_7044,00.html

  • CrashDumpAnalysisMFFUKAMD64 4

    AMD64Manuals(2)

    Intel64andIA32ArchitecturesSoftwareDeveloper'sManual

    Volume1:BasicArchitecture

    Volume2A+2B:InstructionSetReference

    Volume3A+3B:SystemProgrammingGuide Intel64andIA32ArchitecturesOptimizationReferenceManual

    http://www.intel.com/products/processor/manuals

  • CrashDumpAnalysisMFFUKAMD64 5

    AMD64ABI

    SystemVApplicationBinaryInterface,AMD64ArchitectureProcessorSupplement

    Thisistheauthoritativesourceofinformation AtleastforsystemsusingGNUGCCtoolchain(GNU/Linux,*BSD,mostUnixes,etc.)

    Wewilluseandpresentasimplifiedviewwhichissufficientforsimpleintegercases

    www.x8664.org/documentation/abi.pdf

  • CrashDumpAnalysisMFFUKAMD64 6

    AMD64RegistersAH AL

    AXEAX

    RAX

    BH BLBX

    EBXRBX

    CH CLCX

    ECXRCX

    DH DLDX

    EDXRDX

    DILDI

    EDIRDI

    SILSI

    ESIRSI

    BPLBP

    EBPRBP

    SPLSP

    ESPRSP

  • CrashDumpAnalysisMFFUKAMD64 7

    AMD64Registers(2)R8B

    R8WR8D

    R8

    R9BR9W

    R9DR9

    R10B

    R10WR10D

    R10

    R11B

    R11WR11D

    R11

    R12B

    R12WR12D

    R12

    R13B

    R13WR13D

    R13

    R14B

    R14WR14D

    R14

    R15B

    R15WR15D

    R15

  • CrashDumpAnalysisMFFUKAMD64 8

    AMD64Registers(3)

    CS DS ES SS FS GS

    FLAGSEFLAGS

    RFLAGS

    IPEIP

    RIP

  • CrashDumpAnalysisMFFUKAMD64 9

    ABIinaNutshell

    Firstsixintegerargumentspassedinregisters

    RDI,RSI,RDX,RCX,R8,R9

    More/complexargumentspassedonstack

    Inreverseorder(thelastargumentispushedfirst)

    Returnvalue

    ForsimpleintegertypesinRAX Otherwiseonthestack

    Implicitstack(RSP)andframe(RBP)pointer

  • CrashDumpAnalysisMFFUKAMD64 10

    ABIinaNutshell(2)

    Volatile(scratch,callersaved)registers

    RAX,RCX,RDX,RDI,RSI,R8,R9,R10,R11

    Nonvolatile(preserved,calleesaved)registers

    RBX,RBP,RSP,R12,R13,R14,R15

    Stackalignedon8Bboundary,butnot16Balignedonfunction'sentrypoint

    Thuseachstackframeis16Baligned SupportforeasyspillingofFPUandSSEregisters

    SomeGCCbuildsignorethisrule

  • CrashDumpAnalysisMFFUKAMD64 11

    ABIinaNutshell(3)

    128BredzoneatRSP128

    Optimization Functionsdonotneedtoallocatestackspace

    Signalandinterrupthandlersshouldavoidthisarea

    Sometimestheredzoneisdisabledgcc -mno-red-zone

  • CrashDumpAnalysisMFFUKAMD64 12

    AMD64Instructions

    SameinstructionshavethesamesyntaxasinIA32

    Notabledifferences

    Newregisters

    Newoperandsizeq(quad,64bits)

    EffectiveaddresscanuseRIP Example:cmpq+0x305f9e(%rip),%r13

  • CrashDumpAnalysisMFFUKAMD64 13

    FunctionPrologue

    pushq%rbp

    movq%rsp,%rbp

    subq$imm,%rsp

    movq%rdi,8(%rbp)#savethefirstargumentonstack

    pushq%r12#savethepreservedregister

    ...

  • CrashDumpAnalysisMFFUKAMD64 14

    FunctionPrologue(2)

    Somecompilersgeneratecodewhichsavesargumentspassedinregistersalsointothestackframe

    Goodfordebugging

    Badforperformance

    gcc -msave-args

    suncc -Wu,-save_args

  • CrashDumpAnalysisMFFUKAMD64 15

    FunctionEpilogue

    popq%r13

    movq8(rsp),%r12

    movq%rbp,%rsp

    popq%rbp

    ret

    popq%r13

    movq8(rsp),%r12

    leave

    ret

  • CrashDumpAnalysisMFFUKAMD64 16

    StackandCodeExample

    Rememberthefoo(),bar()andfoobar()frompreviousslides?

    Compileusinggcc -O1 -m64

    Disassembleandsinglestepmain()andfoo()

    Observethestack

  • CrashDumpAnalysisMFFUKAMD64 17

    StackandCodeExample(2)

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leave foo+0xf: ret

  • CrashDumpAnalysisMFFUKAMD64 18

    StackandCodeExample(2)

    Initialstate

    Noinstructionsexecuted

    Inheritedstackpointerfrommain()'scaller

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

    0xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 19

    StackandCodeExample(2)

    Savepreviousframepointeronthestack

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 20

    StackandCodeExample(2)

    Establishanew,fixedframepointerinRBP

    Itpointstowherewesavedthepreviousone

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 21

    StackandCodeExample(2)

    Callfoo()

    TheargumentispassedinRDI

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret 0xfffffd7fffdffbe8: main+9

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 22

    StackandCodeExample(2)

    Savethepreviousframepointertothestack

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leave foo+0xf: ret

    0xfffffd7fffdffbe0: 0xfffffd7fffdffbf00xfffffd7fffdffbe8: main+90xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 23

    StackandCodeExample(2)

    EstablishanewframepointerinRBP

    Itpointstotheaddresswherethepreviousoneisstored

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leave foo+0xf: ret

    0xfffffd7fffdffbe0: 0xfffffd7fffdffbf00xfffffd7fffdffbe8: main+90xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 24

    StackandCodeExample(2)

    ZeroEAXandsignextendtotheupperpartofRAX

    ClearsthewholeRAX

    Notneeded

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leave foo+0xf: ret

    0xfffffd7fffdffbe0: 0xfffffd7fffdffbf00xfffffd7fffdffbe8: main+90xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 25

    StackandCodeExample(2)

    Callbar()

    TheargumentisstillinRDI

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leave foo+0xf: ret

    0xfffffd7fffdffbd8: foo+0xe0xfffffd7fffdffbe0: 0xfffffd7fffdffbf00xfffffd7fffdffbe8: main+90xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 26

    StackandCodeExample(2)

    Stepthroughandreturnfrombar()

    bar()'sreturnvalueisinRAX

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leave foo+0xf: ret

    0xfffffd7fffdffbe0: 0xfffffd7fffdffbf00xfffffd7fffdffbe8: main+90xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 27

    StackandCodeExample(2)

    Destroyfoo()'sstackframe

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leavefoo+0xf: ret

    0xfffffd7fffdffbe8: main+90xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 28

    StackandCodeExample(2)

    Returnbacktomain()

    ReturnvalueisagaininRAX

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movl $0x0,%eaxfoo+9: call +0x2 foo+0xe: leavefoo+0xf: ret

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 29

    StackandCodeExample(2)

    Destroymain()'sstackframe

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

    0xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 30

    StackandCodeExample(2)

    Returnfrommain()

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

  • CrashDumpAnalysisMFFUKAMD64 31

    StackandCodeExample(2)

    Returnfrommain()

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: call -0x2c main+9: leave main+0xa: ret

    BORE

    DOM

    Zzzzz.

    ...

  • CrashDumpAnalysisMFFUKAMD64 32

    StackandCodeExample(3)

    Let'strythesameexamplewithdifferentcompileroptions

    Compileusinggcc -O0 -m64 -msave-args

    Disassembleandsinglestepmain()andfoo()

    Observethestack

  • CrashDumpAnalysisMFFUKAMD64 33

    StackandCodeExample(4)

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

  • CrashDumpAnalysisMFFUKAMD64 34

    StackandCodeExample(4)

    Initialstate

    Noinstructionsexecuted

    0xfffffd7fffdffbf8: _start+0x6c

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

  • CrashDumpAnalysisMFFUKAMD64 35

    StackandCodeExample(4)

    Savepreviousframepointeronthestack

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 36

    StackandCodeExample(4)

    Establishanew,fixedframepointerinRBP

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 37

    StackandCodeExample(4)

    Savethesecondargumenttothestack

    Usingtheredzone

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 38

    StackandCodeExample(4)

    Savethefirstargumenttothestack

    Usingtheredzone

    0xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

  • CrashDumpAnalysisMFFUKAMD64 39

    StackandCodeExample(4)

    Allocatespaceonthestack

    Wecanseethearguments

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbd0: 0xfffffd7fffdffc000xfffffd7fffdffbd8: _start+0x63 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 40

    StackandCodeExample(4)

    Saveawaythefirstargumentoncemore

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbd0: 0xfffffd7fffdffc000xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 41

    StackandCodeExample(4)

    Saveawaythesecondargumentoncemore

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 42

    StackandCodeExample(4)

    Justforsure,readthefirstargumentbacktoEDI

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 43

    StackandCodeExample(4)

    Callfoo()

    TheargumentispassedinRDI

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

    0xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 44

    StackandCodeExample(4)

    Savethepreviousframepointertothestack

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 45

    StackandCodeExample(4)

    EstablishanewframepointerinRBP

    Itpointstotheaddresswherethepreviousoneisstored

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 46

    StackandCodeExample(4)

    Savetheargumentonthestack

    Usingtheredzone

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 47

    StackandCodeExample(4)

    Allocatestackspace

    Wecanseetheargument

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffba0: 0 0xfffffd7fffdffba8: 0 0xfffffd7fffdffbb0: 0 0xfffffd7fffdffbb8: 10xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 48

    StackandCodeExample(4)

    Saveawaythefirstargumentonceagain

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffba0: 0 0xfffffd7fffdffba8: 0x1000000000xfffffd7fffdffbb0: 0 0xfffffd7fffdffbb8: 10xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 49

    StackandCodeExample(4)

    Justforsure,readthefirstargumentbacktoEDI

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffba0: 0 0xfffffd7fffdffba8: 0x1000000000xfffffd7fffdffbb0: 0 0xfffffd7fffdffbb8: 10xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 50

    StackandCodeExample(4)

    ZeroEAXandsignextendtotheupperpartofRAX

    ClearsthewholeRAX

    Notneeded

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffba0: 0 0xfffffd7fffdffba8: 0x1000000000xfffffd7fffdffbb0: 0 0xfffffd7fffdffbb8: 10xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 51

    StackandCodeExample(4)

    Callbar()

    TheargumentisstillinRDI

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffb98: foo+0x1c0xfffffd7fffdffba0: 0 0xfffffd7fffdffba8: 0x1000000000xfffffd7fffdffbb0: 0 0xfffffd7fffdffbb8: 10xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 52

    StackandCodeExample(4)

    Stepthroughandreturnfrombar()

    bar()'sreturnvalueisinRAX

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffba0: 0 0xfffffd7fffdffba8: 0x1000000000xfffffd7fffdffbb0: 0 0xfffffd7fffdffbb8: 10xfffffd7fffdffbc0: 0xfffffd7fffdffbf00xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 53

    StackandCodeExample(4)

    Destroyfoo()'sstackframe

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffbc8: main+0x1f0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 54

    StackandCodeExample(4)

    Returnbacktomain()

    ReturnvalueisagaininRAX

    foo: pushq %rbpfoo+1: movq %rsp,%rbpfoo+4: movq %rdi,-0x8(%rbp)foo+8: subq $0x20,%rspfoo+0xc: movl %edi,-0x14(%rbp)foo+0xf: movl -0x14(%rbp),%edifoo+0x12: movl $0x0,%eaxfoo+0x17: call +0x2 foo+0x1c: leave foo+0x1d: ret

    0xfffffd7fffdffbd0: 0xfffffd7fffdffc180xfffffd7fffdffbd8: 0x100400eb3 0xfffffd7fffdffbe0: 0xfffffd7fffdffc180xfffffd7fffdffbe8: 10xfffffd7fffdffbf0: 0xfffffd7fffdffc000xfffffd7fffdffbf8: _start+0x6c

  • CrashDumpAnalysisMFFUKAMD64 55

    StackandCodeExample(4)

    Destroymain()'sstackframe

    0xfffffd7fffdffbf8: _start+0x6c

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

  • CrashDumpAnalysisMFFUKAMD64 56

    StackandCodeExample(4)

    Returnfrommain()

    main: pushq %rbpmain+1: movq %rsp,%rbpmain+4: movq %rsi,-0x10(%rbp)main+8: movq %rdi,-0x8(%rbp)main+0xc: subq $0x20,%rspmain+0x10: movl %edi,-0x14(%rbp)main+0x13: movq %rsi,-0x20(%rbp)main+0x17: movl -0x14(%rbp),%edimain+0x1a: call -0x6b main+0x1f: leave main+0x20: ret

  • CrashDumpAnalysisMFFUKAMD64 57

    AMD64ABICheatSheet

    RAX returnvalueRBXRCXRDXRSIRDIRBP framepointerRSP stackpointerR8R9R10R11R12R13R14R15

    nonvolatileregistersvolatileregisters

    4thargument3rdargument2ndargument1stargument

    5thargument6thargument

    Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Slide 45Slide 46Slide 47Slide 48Slide 49Slide 50Slide 51Slide 52Slide 53Slide 54Slide 55Slide 56Slide 57


AMD64 Architecture Programmer’s Manual, Volume 1 ...developer.amd.com/wordpress/media/2012/10/24592_APM_v11.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s

Porting GCC to the AMD64 architecturehubicka/papers/amd64.pdfIn this paper we describe our experience from porting GCC to the AMD64 architecture and the AMD Opteron processor. Our

AMD64 Architecture Programmer’s Manual, Volume 4: … · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 4: 128-Bit Media Instructions Publication

AMD64 Architecture Programmer’s Manual, … › ~porter › courses › cse506 › s16 › ref › ...AMD64 Architecture Programmer’s Manual Volume 2: System Programming Publication

AMD64 Architecture Programmer’s Manual, Volume 2: System ...developer.amd.com/wordpress/media/2012/10/24593_APM_v2.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture

Gentoo Minimal Amd64

Patch for Ubuntu - User's Guide · 2020-05-29 · Ubuntu 14.04 LTS x86 and AMD64 Patches for Ubuntu 1404 Ubuntu 16.04 LTS x86 and AMD64 Patches for Ubuntu 1604 Ubuntu 18.04 LTS AMD64

AMD64 Architecture Programmer’s Manual, Volume 4: …developer.amd.com/wordpress/media/2012/10/26568_APM_v41.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s

AMD64 Architecture

AMD64 Architecture Programmer’s Manual, Volume 1 ...csong/cs153/refs/amd64-vol1-app.pdf · AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 1: Application Programming

AMD64 Architecture Programmer’s Manual, Volume 1 ...students.mimuw.edu.pl/~zbyszek/asm/amd/24592.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s

AMD64 Architecture Programmer’s Manual, Volume 3 ...developer.amd.com/wordpress/media/2012/10/24594_APM_v3.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s

AMD64 Architecture Programmer’s Manual, Volume 3 ...csong/seclab/17/refs/amd64-vol3-inst.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s Manual

AMD64 Architecture Programmer’s Manual, Volume 2, … · AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 2: System Programming Publication No. Revision Date 24593

AMD64 Architecture Programmer’s Manual, Volume 1

Gentoo Install AMD64

AMD64 Architecture Programmer’s Manual, Volume 2: …students.mimuw.edu.pl/~zbyszek/asm/amd/24593.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s

AMD64 Architecture Programmer’s Manual, Volume 4: …wr0.wr.inf.h-brs.de/wr/hardware/wr9/amd/APM_v4.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s

AMD64 Architecture Programmer’s Manual, Volume 5: 64 … · 1 64-Bit Media Instruction Reference ... This book is part of a multivolume work entitled the AMD64 Architecture Programmer

AMD64 Architecture Programmer’s Manual, Volume 4: …csong/seclab/17/refs/amd64-vol4-media.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s Manual

AMD64 Architecture Programmer’s Manual, Volume 2 ...nhonarmand/courses/sp...Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 2: System Programming

AMD64 Architecture Programmer's Manual Volume 1 Application Programming 24592

Gentoo Linux AMD64 Handbook

AMD64 Architecture Programmer’s Manual, Volume 2: …csong/seclab/17/refs/amd64-vol2-sys.pdf · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s Manual

AMD64 Architecture Programmer’s Manual, Volume 1 ...kib.kiev.ua/x86docs/AMD64/24592_APM_v1-r3.15.pdf · AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 1: Application

Linux Standard Base Core Specification for AMD64 3 · AMD64 Architecture Programmer's Manual, Volume 5 AMD64 Architecture Programmer's Manual, Volume 5: 64-bit Media and …

AMD64 Architecture Programmer’s Manual, Volume 2: System ... · Advanced Micro Devices Publication No. Revision Date 24593 3.30 September 2018 AMD64 Technology AMD64 Architecture

AMD64 Architecture Programmer’s Manual, Volume … Technology AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System Instructions Publication No. Revision

AMD64 Architecture Programmer’s Manual, Volume 3: General ... · Advanced Micro Devices Publication No. Revision Date 24594 3.26 May 2018 AMD64 Technology AMD64 Architecture Programmer’s

AMD64 Architecture Programmer’s Manual, Volume ... - … · Advanced Micro Devices AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System

AMD64 Architecture Programmer’s Manual, Volume 5, … · AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 5: 64-Bit Media and x87 Floating-Point Instructions Publication

IA-32 & AMD64 - D3S – Department of Distributed and …d3s.mff.cuni.cz/.../slides/02-ia32-amd64.pdf · 2016-03-02 · Crash Dump Analysis 2015/2016 IA-32 & AMD64 7 Intel Manuals

AMD x86-64 Architecture Programmer’s Manual, Volume …yasm/reference/arch/amd64/AMD64-Vol-3-3.03.pdf · AMD64 Technology AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose

AMD64 Architecture Programmer’s Manual, Volume 4: 128-Bit ... · Advanced Micro Devices Publication No. Revision Date 26568 3.23 February 2019 AMD64 Technology AMD64 Architecture

AMD64 Architecture Programmer’s Manual, Volume 2: System ...csong/cs153/refs/amd64-vol2-sys.pdf · AMD64 Technology 24593—Rev. 3.17—June 2010 Trademarks AMD, the AMD arrow logo,