Computer Memory
In simplest terms, computer memory is an electronic mechanism that has the ability to store and retrieve data.
Segmentation of Memory
Each process needs to have access to its own areas in memory.
Memory is broken down into small segments and handed out to processes as needed.
Offset registers are used to keep track of where in the segment the critical pieces of data are kept.
Segments such as the code segment, data segment, and stack segment are intentionally allocated in different regions of the virtual address space within a process to prevent collisions and to allow for the ability to set permissions accordingly.
Programs in Memory
.text section
Also called code segment, basically corresponds to the .text portion of the binary executable file.
Contains the machine instructions
Marked as readable and executable and will cause an access violation if a write attempt is made
Size is fixed at runtime
Should only be marked as readable
.data section
Used to store global initialized variables
Size fixed at runtime
Should only be marked as readable
.bss section
below stack section (.bss) stores certain types of global uninitialized variables
Size is fixed at runtime
Needs to be readable and writable but should not be executable
Heap section
Stores dynamically allocated variables and grows from the lower addressed memory to the higher-addressed memory
Allocation of memory is controls through malloc(), realloc(), free()
Should be readable and writable but should not be executable
Attacker who gains control of a process could easily perform shellcode execution in regions such as the stack and heap
Stack section
Used to keep track of function calls (recursively) and grows from the higher-addressed memory to the lower-addressed memory on most systems
Stack grows from high memory toward low memory allows the subject of buffer overflows to exist
Local variables exist in the stack section
Environment/Arguments Section
Used to store a copy of system-level variables that may be required by the process during runtime
Command-line arguments are stored in this area
Buffers
A storage place used to receive and hold data until it can be handled by a process
Memory is allocated within the .data or .bss section of the process's memory
String in Memory
Strings are just continuous arrays of charater data in memory
Pointers
Pieces of memory that hold the address of other pieces of memory
Registers
Used to store data temporarily
Can be divided into four categories
General registers
RAX, RBX, RCX,RDX,R8-R15
EAX,EBX,ECX,EDX
Used to manipulate data.
AX, BX, CX, DX
16-bit versions of the preceding entry.
AH, BH, CH, DH, AL, BL, CL, DL
8-bit high- and low-order bytes of the previous entry.
Segment registers
CS, SS, DS, ES, FS, GS
16-bit. Used to hold the first part of a memory address, as well as pointers to code, stack, and extra data segments
Offset registers
Used to indicate an offset related to segment registers
RBP (base pointer). 64-bit use of the base pointer depends on frame pointer omission, language support, and usage of registers R8-R15
EBP
Points to the bottom of the stack frame, the beginning of the local environment on the stack for a function.
RSI (source index)
ESI
Used to hold the data source offset in an operation using a memory block.
RDI (destination index)
EDI
Used to hold the destination data offset in an operation using a memory block.
RSP (stack pointer)
ESP
Used to point to the top of the stack.
Special registers
Only used by the CPU
RFLAGS
EFLAGS
Used by the CPU to track results of logic and the state of the processor. Key flags to know are ZF=zero flag, IF=interrupt enable flag, and SF=sign flag.
RIP (instruction pointer)
32-bit: EIP
Used to point to the address of the next instruction to be executed.
Last updated