HACK TO LEARN,NOT LEARN TO HACK”
What Is Port Scanner?
A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to compromise it. To port scan a host is to scan for multiple listening ports on a single target host. To port sweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service.
How A Scanner Works ?Each time you send or receive data through the Internet, your mail (or web, chat, or whatever) program must connect to a remote port of a remote host. Some of the services are ftp21-file transfer protocol,telnet23_Telnet,smtp25-simple mail transfer etc.
In fact, the list of services/ports is greater than the above and includes three different ports ranges:port range utilization0 - 1023 well known ports, which includes the most common services, like smtp, pop3, ftp, etc. 1024 - 49151 registered ports, which are assigned by the IANA organization49152 - 65535 dynamic and/or private ports, which can be freely used
The TCP/IP protocol is based on the OSI (Open Systems Interconnection) model, developed between 1977 and 1984. That model uses a proposal of the ISO (International Organization for Standardization), so it is well known as the ISO/OSI model also. The ISO/OSI architecture divides the network into various layers (application, presentation, session, transport, network, data-link and phisical).
The IP and TCP protocols are the ground of data transfer. The IP protocol, which works at network layer, handles the transfer of raw data between computers. At this level, each packet contains the data which must be transferred and the ip address of the sender and the receiver. The TCP protocol works at the transport layer, but the principle is the same. TCP replaces the ip address concept with the port concept. Each transferred packet contains the data and the port number, where the port number is associated with a service instead of a computer.In other words, the IP protocol moves the raw data from one computer to other, using the ip address to identify each computer of the network. Well, but when the data arrives to the destination computer, where must be leaved ? Are you browsing the WEB ? If so, the TCP protocol redirects the incoming data through the port used by the HTTP service (80). Are you using an FTP client ? The TCP protocol redirects the incoming data through the port used by the service (21), and so on.As you can see, the port and service concepts are the basic principles used during data transfer through the Internet. Now you can understand which is the main purpose of a TCP/IP scanner. If you want to know what are the services currently running on a remote host, you must scan its ports.
Monday, June 30, 2008
How Port Scanner Work
Port Scanning Basic TechniquesThe simplest port scan tries (i.e., sends a carefully constructed packet with a chosen destination port number) each of the ports from 0 to 65535 on the victim to see which ones are open.TCP connect():- The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn’t reachable.Strobe -A strobe does a narrower scan, only looking for those services the attacker knows how to exploit. The name comes from one of the original TCP scanning programs, though now virtually all scanning tools include this feature.The ident protocol allows for the disclosure of the username of the owner of any process connected via TCP, even if that process didn’t initiate the connection. So, e.g., one can connect to port 80 and then use identd to find out whether the HTTP server is running as root.Port Scanning Advanced TechniquesOne problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan techniques to avoid this. A stealth scan is a kind of scan that is designed to go undetected by auditing tools. Obviously, this is a race between the hacker and firewall vendors - what are considered stealth scans now may not be so in a few months once the firewall vendor becomes aware of such techniques.Port scanners scan a host rapidly by firing off packets at different ports. So, scanning very slowly (taking a day or more) becomes a stealth technique. Another stealth scanning technique is “inverse mapping”, where you try to find out all hosts on a network by generating “host unreachable” ICMP-messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet one may send meaningless packets (e.g. RST packets sent without any previous packet).Fragmented packet Port ScanThe scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments, but many networks cannot afford the performance loss caused by the queuing.SYN scanThis technique is also called half-open scanning, because a TCP connection is not completed. A SYN packet is sent (as if we are going to open a connection), and the target host responds with a SYN+ACK, this indicates the port is listening, and an RST indicates a non- listener. The server process is never informed by the TCP layer because the connection did not complete.FIN scanThe typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. This is required TCP behavior.If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port. However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn’t a very effective scan.Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.Bounce ScanThe ability to hide their tracks is important to attackers. Therefore, attackers scour the Internet looking for systems they can bounce their attacks through.FTP bounce scanning takes advantage of a vulnerability of the FTP protocol itself. It requires support for proxy ftp connections. This bouncing through an FTP server hides where the attacker comes from. This technique is similar to IP spoofing in that it hides where the attacker comes from. For example, badwebsitexyz.com establishes a control connection to the FTP server-PI (protocol interpreter) of say, badspiderbites.com, then requests that the server-PI initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet.A port scanner can exploit this to scan TCP ports from a proxy ftp server. Thus you could connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked (e.g., port 139). If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open.The advantages to this approach are obvious (harder to trace, potential to bypass firewalls). The main disadvantages are that it is slow, and that many FTP server implementations have finally disabled the proxy “feature”.FingerMost finger servers allow commands to be forwarded through them. Finger supports recursive queries. A query such as “rob@foo@bar” will ask “bar” to resolve “rob@foo”, causing “bar” to query “foo”. This technique can be used to hide the original source of the request.E-mail: Spammers try to relay their spam through SMTP servers. As a result, probes for SMTP are commonly seen by machines on the Internet.SOCKS Allows almost any protocol to be tunneled through the intermediate machine. As a result, attackers probing for SOCKS is common scan seen on the Internet.HTTP proxy: Most web servers support proxying so that all web traffic can be directed to a single server for filtering as well as caching to improve performance. A lot of these servers are misconfigured to allow proxying of any request from the Internet, allowing attackers to relay attacks against web sites through a third party. Probes for HTTP proxies are one of the more common scans seen today.IRC BNC: Attackers love to hide their IRC identities by bouncing their connections through other machines. A particular program called “BNC” is used for this purpose on compromised machines.UDP ScanningPort scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an “ICMP Port Unreachable” message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, a kernal may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.Some people think UDP scanning is pointless - not so. Sometimes for example, Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn’t matter that port 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can.ICMP ScanThis isn’t really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all. ICMP scanning can be done in parallel, so it can be quite fast.Fingerprinting an OS:The last scanning method is called Fingerprinting. Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. Unusual combinations of data are sent to the system in order to trigger these responses. Systems respond the same with correct data, but they rarely respond the same way for wrong data.
Machine Level Program On Windows
Learn How To Do Simple Machine Level Program On Computer
Machine Level Program are those program,which are directly understandable by the Machine.The Machine read those program and directly acts according to that.For Example,if we have to switch off a machine when its temprature is more then 100 degree celsius and keep the Machine working if temprature is below 100 degree celsius,for this we need the Machine Level programming.So,Machine Level programming is as important as other languages programms are like java programming,c++,c,perl,asp & jsp and all other.
In Machine Level programming,all the data are stored in register memory.Accumulator and Base register are most frequently used in this operations.here,they are represented by AX,and Bx.
How to move a data in register:
mov AX,0032
This,above syntax will move the Hexadecimal number 0032 in accumulator AX.
sub AX,0032
This,above syntax will subtract the Hexadecimal number 0032 from accumulator AX.
Program for converting the Farenheit temp into celsius:
formula for conversion:
c=[(c-32)*5]/9
/* open run and type cmd in it.command prompt will open.type “debug”type “a” /this will take us in assembler mode/*/
Program code:
mov AX,0098sub AX,0032mov BX,05mul BX /multiply content of BX with AX/mov BX,0009div BX /divide content of AX by BX/p /compile the program/t /show the result in AX/
*NOTE:All the value will be in Hexadecimal.
Machine Level Program are those program,which are directly understandable by the Machine.The Machine read those program and directly acts according to that.For Example,if we have to switch off a machine when its temprature is more then 100 degree celsius and keep the Machine working if temprature is below 100 degree celsius,for this we need the Machine Level programming.So,Machine Level programming is as important as other languages programms are like java programming,c++,c,perl,asp & jsp and all other.
In Machine Level programming,all the data are stored in register memory.Accumulator and Base register are most frequently used in this operations.here,they are represented by AX,and Bx.
How to move a data in register:
mov AX,0032
This,above syntax will move the Hexadecimal number 0032 in accumulator AX.
sub AX,0032
This,above syntax will subtract the Hexadecimal number 0032 from accumulator AX.
Program for converting the Farenheit temp into celsius:
formula for conversion:
c=[(c-32)*5]/9
/* open run and type cmd in it.command prompt will open.type “debug”type “a” /this will take us in assembler mode/*/
Program code:
mov AX,0098sub AX,0032mov BX,05mul BX /multiply content of BX with AX/mov BX,0009div BX /divide content of AX by BX/p /compile the program/t /show the result in AX/
*NOTE:All the value will be in Hexadecimal.
What Is VIRUS?
In Computers world,a virus is defined as a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document and infect the computer without permission or knowledge of the user.
Transmission of Virus
Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded file, or diskette you’ve received is usually unaware that it contains a virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect (”Happy Birthday, Ludwig!”) and some can be quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm.
Classes Of Viruses:
1)File infectors:-Some file infector viruses attach themselves to program files, usually selected ‘.COM’ or ‘.EXE’ files. Some can infect any program for which execution is requested, including .SYS, .OVL, .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly-contained programs or scripts sent as an attachment to an e-mail note.
2)System or boot-record infectors:– These viruses infect executable code found in certain system areas on a disk. They attach to the DOS boot sector on diskettes or the Master Boot Record on hard disks. A typical scenario (familiar to the author) is to receive a diskette from an innocent source that contains a boot disk virus. When your operating system is running, files on the diskette can be read without triggering the boot disk virus. However, if you leave the diskette in the drive, and then turn the computer off or reload the operating system, the computer will look first in your A drive, find the diskette with its boot disk virus, load it, and make it temporarily impossible to use your hard disk.
3)Macro viruses:– These are among the most common viruses, and they tend to do the least damage. Macro viruses infect your Microsoft Word application and typically insert unwanted words or phrases.
First Ever Virus:
The program code called “Elk Cloner”,created in “in the wild”, that is, outside the single computer or lab,is credited with being the first computer virus to appear. Written by Richard Skrenta, in 1982,it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. This virus was originally a joke, created by the high school student and put onto a game. The game was set to play, but release the virus on the 50th time of starting the game. Only this time, instead of playing the game, it would change to a blank screen that read a poem about the virus named Elk Cloner. The computer would then be infected.The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005[citation needed]. This virus utilises cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, most notable sites affected have been MySpace and Yahoo.
digg story
read more
Transmission of Virus
Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded file, or diskette you’ve received is usually unaware that it contains a virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect (”Happy Birthday, Ludwig!”) and some can be quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm.
Classes Of Viruses:
1)File infectors:-Some file infector viruses attach themselves to program files, usually selected ‘.COM’ or ‘.EXE’ files. Some can infect any program for which execution is requested, including .SYS, .OVL, .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly-contained programs or scripts sent as an attachment to an e-mail note.
2)System or boot-record infectors:– These viruses infect executable code found in certain system areas on a disk. They attach to the DOS boot sector on diskettes or the Master Boot Record on hard disks. A typical scenario (familiar to the author) is to receive a diskette from an innocent source that contains a boot disk virus. When your operating system is running, files on the diskette can be read without triggering the boot disk virus. However, if you leave the diskette in the drive, and then turn the computer off or reload the operating system, the computer will look first in your A drive, find the diskette with its boot disk virus, load it, and make it temporarily impossible to use your hard disk.
3)Macro viruses:– These are among the most common viruses, and they tend to do the least damage. Macro viruses infect your Microsoft Word application and typically insert unwanted words or phrases.
First Ever Virus:
The program code called “Elk Cloner”,created in “in the wild”, that is, outside the single computer or lab,is credited with being the first computer virus to appear. Written by Richard Skrenta, in 1982,it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. This virus was originally a joke, created by the high school student and put onto a game. The game was set to play, but release the virus on the 50th time of starting the game. Only this time, instead of playing the game, it would change to a blank screen that read a poem about the virus named Elk Cloner. The computer would then be infected.The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005[citation needed]. This virus utilises cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, most notable sites affected have been MySpace and Yahoo.
digg story
read more
CRYPTOGRAPHY-II
MODERN CRYPTOGRAPHY
Hi Friends,in the last post we have discussed about the Traditional Cryptography.Now we’ll discuss about the Modern Cryptography.
Before Discussing this let’s know about “One-Time Pads”.
One-Time Pads
In this One-Time Pads technique,first we choose random bit string as key.Then convert the plaintext into a bit string.Finally,compute the EXCLUSIVE OR of these two strings,bit by bit.The resulting ciphertext can’t be broken,because every possible plaintext is an equally probable candidate.The ciphertext gives the cryptanalyst no information at all.
Modern Cryptography uses the same basic ideas as Traditional Cryptography,transposition and substitution,but its emphasis is different.Traditionally,cryptographers have used simple algorithms and relied on very long keys for their security.Nowadays,reverse is true:the object is to make the encryption algorithm so complex and involuted that even if the cryptanalyst acquires the encrypted data,he we’ll not be able to make any sense of it.
Secret-Key Algorithms:
With secret key cryptography, a single key is used for both encryption and decryption. As shown in Figure, the sender uses the key (or some set of rules) to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key (or ruleset) to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key.Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers. Stream ciphers operate on a single bit (byte or computer word) at a time and implement some form of feedback mechanism so that the key is constantly changing. A block cipher is so-called because the scheme encrypts one block of data at a time using the same key on each block. In general, the same plaintext block will always encrypt to the same ciphertext when using the same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a stream cipher.
Secret key cryptography algorithms that are in use today include:
Data Encryption Standard (DES): The most common SKC scheme used today, DES was designed by IBM in the 1970s and adopted by the National Bureau of Standards (NBS) [now the National Institute for Standards and Technology (NIST)] in 1977 for commercial and unclassified government applications. DES is a block-cipher employing a 56-bit key that operates on 64-bit blocks. DES has a complex set of rules and transformations that were designed specifically to yield fast hardware implementations and slow software implementations, although this latter point is becoming less significant today since the speed of computer processors is several orders of magnitude faster today than twenty years ago.
Advanced Encryption Standard (AES): In 1997, NIST initiated a very public, 4-1/2 year process to develop a new secure cryptosystem for U.S. government applications. The result, the Advanced Encryption Standard, became the official successor to DES in December 2001. AES uses an SKC scheme called Rijndael, a block cipher designed by Belgian cryptographers Joan Daemen and Vincent Rijmen. The algorithm can use a variable block length and key length; the latest specification allowed any combination of keys lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 bits.
International Data Encryption Algorithm (IDEA): Secret-key cryptosystem written by Xuejia Lai and James Massey, in 1992 and patented by Ascom; a 64-bit SKC block cipher using a 128-bit key. Also available internationally.The basic structure resembles of DES in that 64-bit plaintext input blocks are mangled in a sequence of parametarized iterations to produce 64-bit ciphertext output blocks.
Secure and Fast Encryption Routine (SAFER): Secret-key crypto scheme designed for implementation in software. Versions have been defined for 40-, 64-, and 128-bit keys.
Blowfish: A symmetric 64-bit block cipher invented by Bruce Schneier; optimized for 32-bit processors with large data caches, it is significantly faster than DES on a Pentium/PowerPC-class machine. Key lengths can vary from 32 to 448 bits in length. Blowfish, available freely and intended as a substitute for DES or IDEA, is in use in over 80 products.
Public-Key Cryptography
Public-key cryptography has been said to be the most significant new development in cryptography in the last 300-400 years. Modern PKC was first described publicly by Stanford University professor Martin Hellman and graduate student Whitfield Diffie in 1976. Their paper described a two-key crypto system in which two parties could engage in a secure communication over a non-secure communications channel without having to share a secret key.PKC depends upon the existence of so-called one-way functions, or mathematical functions that are easy to computer whereas their inverse function is relatively difficult to compute.Generic PKC employs two keys that are mathematically related although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. The important point here is that it does not matter which key is applied first, but that both keys are required for the process to work (Figure 1B). Because a pair of keys are required, this approach is also called asymmetric cryptography.In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party. It is straight forward to send messages under this scheme.
Public-key cryptography algorithms that are in use today for key exchange or digital signatures include:
RSA: The first, and still most common, PKC implementation, named for the three MIT mathematicians who developed it — Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA today is used in hundreds of software products and can be used for key exchange, digital signatures, or encryption of small blocks of data. RSA uses a variable size encryption block and a variable size key. The key-pair is derived from a very large number, n, that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone and that is what makes the RSA algorithm so secure. (Some descriptions of PKC erroneously state that RSA’s safety is due to the difficulty in factoring large prime numbers. In fact, large prime numbers, like small prime numbers, only have two factors!) The ability for computers to factor large numbers, and therefore attack schemes such as RSA, is rapidly improving and systems today can find the prime factors of numbers with more than 200 digits. Nevertheless, if a large number is created from two prime factors that are roughly the same size, there is no known factorization algorithm that will solve the problem in a reasonable amount of time; a 2005 test to factor a 200-digit number took 1.5 years and over 50 years of compute time (see the Wikipedia article on integer factorization.) Regardless, one presumed protection of RSA is that users can easily increase the key size to always stay ahead of the computer processing curve. As an aside, the patent for RSA expired in September 2000 which does not appear to have affected RSA’s popularity one way or the other.
Hash Functions
Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key (Figure 1C). Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file’s contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.
google_ad_client = "pub-9306317050997018";
google_ad_width = 468;
google_ad_height = 15;
google_ad_format = "468x15_0ads_al";
google_ad_channel = "9008475602+7081782465";
google_color_border = "FFFFCC";
google_color_bg = "FFFFCC";
google_color_link = "000033";
google_color_text = "000000";
google_color_url = "008000";
AVG Internet Security Home Edition Released
Newark, Notts – May 1, 2007-The official business partner of GRISOFT, AVG UK & Ireland, makers of AVG Internet Security software, announced the immediate availability of AVG Internet Security Home Edition. This special promotion version of the flagship AVG Internet Security product is available to home users and provides complete protection against viruses, spyware, spam and unauthorised access to home computers for up to three PCs.
Users of other products in the AVG family can cross-upgrade to the new AVG IS Home Edition.
AVG Internet Security Home Edition is available online at http://www.avguk.com/ and to resellers, retailers and computer shops in the form of shrink-wrap retail box or as space saving DVD case.AVG Internet Security Home Edition has a recommended retail price (RRP) of £59.99 for a two-year licence.
About AVG UK & Irelandwww.avguk.com
GRISOFT is a leading provider of antivirus, firewall protection and security solutions for consumers and SMEs. It is one of the fastest growing companies in the industry with more than 50 million protected computers around the world.Established in 1991, GRISOFT employs some of the world’s leading experts in antivirus software, specifically in the areas of virus analysis and detection, software development, and antivirus support. GRISOFT award-winning products are distributed globally through resellers and the Internet as well as via AVG Anti-Virus Software Developer’s Kit (SDK) to interested partners.http://www.grisoft.com/
Users of other products in the AVG family can cross-upgrade to the new AVG IS Home Edition.
AVG Internet Security Home Edition is available online at http://www.avguk.com/ and to resellers, retailers and computer shops in the form of shrink-wrap retail box or as space saving DVD case.AVG Internet Security Home Edition has a recommended retail price (RRP) of £59.99 for a two-year licence.
About AVG UK & Irelandwww.avguk.com
GRISOFT is a leading provider of antivirus, firewall protection and security solutions for consumers and SMEs. It is one of the fastest growing companies in the industry with more than 50 million protected computers around the world.Established in 1991, GRISOFT employs some of the world’s leading experts in antivirus software, specifically in the areas of virus analysis and detection, software development, and antivirus support. GRISOFT award-winning products are distributed globally through resellers and the Internet as well as via AVG Anti-Virus Software Developer’s Kit (SDK) to interested partners.http://www.grisoft.com/
8086 MICROPROCESSOR
The 8086 is a 16-bit,N-channel,HMOS microprocessor chip designed by Intel in 1978, which gave rise to the x86 architecture.The 8086 draws 360mA on 5V.Its frequency range is 4 - 10 MHz.
The 8086 was intended as a temporary substitute for the ambitious iAPX 432 project in an attempt to draw attention from other manufacturers (such as Motorola, Zilog, and National Semiconductor) less delayed 16 and 32-bit processors. Both the architecture and the physical chip were therefore developed very quickly, and were based on the earlier 8080 and 8085 designs with a similar register set. The chip had around 29,000 transistors (many for microcode) and would also function as a continuation of the 8085; although not directly source code compatible, it was designed so that assembly language for the 8085 could be automatically converted into (sub-optimal) 8086 assembly source, usually with little or no hand-editing. However, the 8086 design was expanded to support full 16-bit processing instead of the fairly basic 16-bit capabilities of the Intel 8080/8085.
8086 MEMORY
Its Memory is divided into two parts:a)even bank and,b)odd bank.Program, data and stack memories occupy the same memory space. The total addressable memory size is 1MB KB. As the most of the processor instructions use 16-bit pointers the processor can effectively address only 64 KB of memory. To access memory outside of 64 KB the CPU uses special segment registers to specify where the code, stack and data 64 KB segments are positioned within 1 MB of memory.
Physical memory address pointed by segment:offset pair is calculated as:
address = ( * 16) +
Program memory - program can be located anywhere in memory. Jump and call instructions can be used for short jumps within currently selected 64 KB code segment, as well as for far jumps anywhere within 1 MB of memory. All conditional jump instructions can be used to jump within approximately +127 - -127 bytes from current instruction.
Data memory - the processor can access data in any one out of 4 available segments, which limits the size of accessible memory to 256 KB (if all four segments point to different 64 KB blocks). Accessing data from the Data, Code, Stack or Extra segments can be usually done by prefixing instructions with the DS:, CS:, SS: or ES: (some registers and instructions by default may use the ES or SS segments instead of DS segment).
Stack memory can be placed anywhere in memory. The stack can be located at odd memory addresses, but it is not recommended for performance reasons (see “Data Memory” above).
Reserved locations:
0000h - 03FFh are reserved for interrupt vectors. Each interrupt vector is a 32-bit pointer in format segment:offset.
FFFF0h - FFFFFh - after RESET the processor always starts program execution at the FFFF0h address.
General Purpose Registers
Accumulator register consists of 2 8-bit registers AL and AH, which can be combined together and used as a 16-bit register AX. AL in this case contains the low-order byte of the word, and AH contains the high-order byte. Accumulator can be used for I/O operations and string manipulation.
Base register consists of 2 8-bit registers BL and BH, which can be combined together and used as a 16-bit register BX. BL in this case contains the low-order byte of the word, and BH contains the high-order byte. BX register usually contains a data pointer used for based, based indexed or register indirect addressing.
Count register consists of 2 8-bit registers CL and CH, which can be combined together and used as a 16-bit register CX. When combined, CL register contains the low-order byte of the word, and CH contains the high-order byte. Count register can be used as a counter in string manipulation and shift/rotate instructions.
Data register consists of 2 8-bit registers DL and DH, which can be combined together and used as a 16-bit register DX. When combined, DL register contains the low-order byte of the word, and DH contains the high-order byte. Data register can be used as a port number in I/O operations. In integer 32-bit multiply and divide instruction the DX register contains high-order word of the initial or resulting number.
The following registers are both general and index registers:
Stack Pointer (SP) is a 16-bit register pointing to program stack.
Base Pointer (BP) is a 16-bit register pointing to data in stack segment. BP register is usually used for based, based indexed or register indirect addressing.
Source Index (SI) is a 16-bit register. SI is used for indexed, based indexed and register indirect addressing, as well as a source data address in string manipulation instructions.
Destination Index (DI) is a 16-bit register. DI is used for indexed, based indexed and register indirect addressing, as well as a destination data address in string manipulation instructions.
Other registers:
Instruction Pointer (IP) is a 16-bit register.
Flags is a 16-bit register containing 9 1-bit flags:
Overflow Flag (OF) - set if the result is too large positive number, or is too small negative number to fit into destination operand.
Direction Flag (DF) - if set then string manipulation instructions will auto-decrement index registers. If cleared then the index registers will be auto-incremented.
Interrupt-enable Flag (IF) - setting this bit enables maskable interrupts.
Single-step Flag (TF) - if set then single-step interrupt will occur after the next instruction.
Sign Flag (SF) - set if the most significant bit of the result is set.
Zero Flag (ZF) - set if the result is zero.
Auxiliary carry Flag (AF) - set if there was a carry from or borrow to bits 0-3 in the AL register.
Parity Flag (PF) - set if parity (the number of “1″ bits) in the low-order byte of the result is even.
Carry Flag (CF) - set if there was a carry from or borrow to the most significant bit during last result calculation.
SEGMENTS:
Code segment (CS) is a 16-bit register containing address of 64 KB segment with processor instructions. The processor uses CS segment for all accesses to instructions referenced by instruction pointer (IP) register. CS register cannot be changed directly. The CS register is automatically updated during far jump, far call and far return instructions.
Stack segment (SS) is a 16-bit register containing address of 64KB segment with program stack. By default, the processor assumes that all data referenced by the stack pointer (SP) and base pointer (BP) registers is located in the stack segment. SS register can be changed directly using POP instruction.
Data segment (DS) is a 16-bit register containing address of 64KB segment with program data. By default, the processor assumes that all data referenced by general registers (AX, BX, CX, DX) and index register (SI, DI) is located in the data segment. DS register can be changed directly using POP and LDS instructions.
Extra segment (ES) is a 16-bit register containing address of 64KB segment, usually with program data. By default, the processor assumes that the DI register references the ES segment in string manipulation instructions. ES register can be changed directly using POP and LES instructions.
It is possible to change default segments used by general and index registers by prefixing instructions with a CS, SS, DS or ES prefix.
Addressing Modes Of 8086:
Implied - the data value/data address is implicitly associated with the instruction.
Register - references the data in a register or in a register pair.
mov d,s
add bx,ax
Immediate - the data is provided in the instruction.
mov bh,32
Direct - the instruction operand specifies the memory address where data is located.
mov al,[0005]
Register indirect - instruction specifies a register containing an address, where data is located. This addressing mode works with SI, DI, BX and BP registers.
mov si,[0005]
mov al,[si]
Based - 8-bit or 16-bit instruction operand is added to the contents of a base register (BX or BP), the resulting value is a pointer to location where data resides.
mov al,[si][bx]
Indexed - 8-bit or 16-bit instruction operand is added to the contents of an index register (SI or DI), the resulting value is a pointer to location where data resides.
Based Indexed - the contents of a base register (BX or BP) is added to the contents of an index register (SI or DI), the resulting value is a pointer to location where data resides.
Based Indexed with displacement - 8-bit or 16-bit instruction operand is added to the contents of a base register (BX or BP) and index register (SI or DI), the resulting value is a pointer to location where data resides.
Instruction Set:
8086 instruction set consists of the following instructions:
Data moving instructions.
Arithmetic - add, subtract, increment, decrement, convert byte/word and compare.
Logic - AND, OR, exclusive OR, shift/rotate and test.
String manipulation - load, store, move, compare and scan for byte/word.
Control transfer - conditional, unconditional, call subroutine and return from subroutine.
Input/Output instructions.
Other - setting/clearing flag bits, stack operations, software interrupts, etc.
Interrupts:
The processor has the following interrupts:
INTR is a maskable hardware interrupt. The interrupt can be enabled/disabled using STI/CLI instructions or using more complicated method of updating the FLAGS register with the help of the POPF instruction. When an interrupt occurs, the processor stores FLAGS register into stack, disables further interrupts, fetches from the bus one byte representing interrupt type, and jumps to interrupt processing routine address of which is stored in location 4 * . Interrupt processing routine should return with the IRET instruction.
NMI is a non-maskable interrupt. Interrupt is processed in the same way as the INTR interrupt. Interrupt type of the NMI is 2, i.e. the address of the NMI processing routine is stored in location 0008h. This interrupt has higher priority then the maskable interrupt.
Software interrupts can be caused by:
INT instruction - breakpoint interrupt. This is a type 3 interrupt.
INT instruction - any one interrupt from available 256 interrupts.
INTO instruction - interrupt on overflow
Single-step interrupt - generated if the TF flag is set. This is a type 1 interrupt. When the CPU processes this interrupt it clears TF flag before calling the interrupt processing routine.
Processor exceptions: divide error (type 0), unused opcode (type 6) and escape opcode (type 7).
Software interrupt processing is the same as for the hardware interrupts.
The 8086 was intended as a temporary substitute for the ambitious iAPX 432 project in an attempt to draw attention from other manufacturers (such as Motorola, Zilog, and National Semiconductor) less delayed 16 and 32-bit processors. Both the architecture and the physical chip were therefore developed very quickly, and were based on the earlier 8080 and 8085 designs with a similar register set. The chip had around 29,000 transistors (many for microcode) and would also function as a continuation of the 8085; although not directly source code compatible, it was designed so that assembly language for the 8085 could be automatically converted into (sub-optimal) 8086 assembly source, usually with little or no hand-editing. However, the 8086 design was expanded to support full 16-bit processing instead of the fairly basic 16-bit capabilities of the Intel 8080/8085.
8086 MEMORY
Its Memory is divided into two parts:a)even bank and,b)odd bank.Program, data and stack memories occupy the same memory space. The total addressable memory size is 1MB KB. As the most of the processor instructions use 16-bit pointers the processor can effectively address only 64 KB of memory. To access memory outside of 64 KB the CPU uses special segment registers to specify where the code, stack and data 64 KB segments are positioned within 1 MB of memory.
Physical memory address pointed by segment:offset pair is calculated as:
address = ( * 16) +
Program memory - program can be located anywhere in memory. Jump and call instructions can be used for short jumps within currently selected 64 KB code segment, as well as for far jumps anywhere within 1 MB of memory. All conditional jump instructions can be used to jump within approximately +127 - -127 bytes from current instruction.
Data memory - the processor can access data in any one out of 4 available segments, which limits the size of accessible memory to 256 KB (if all four segments point to different 64 KB blocks). Accessing data from the Data, Code, Stack or Extra segments can be usually done by prefixing instructions with the DS:, CS:, SS: or ES: (some registers and instructions by default may use the ES or SS segments instead of DS segment).
Stack memory can be placed anywhere in memory. The stack can be located at odd memory addresses, but it is not recommended for performance reasons (see “Data Memory” above).
Reserved locations:
0000h - 03FFh are reserved for interrupt vectors. Each interrupt vector is a 32-bit pointer in format segment:offset.
FFFF0h - FFFFFh - after RESET the processor always starts program execution at the FFFF0h address.
General Purpose Registers
Accumulator register consists of 2 8-bit registers AL and AH, which can be combined together and used as a 16-bit register AX. AL in this case contains the low-order byte of the word, and AH contains the high-order byte. Accumulator can be used for I/O operations and string manipulation.
Base register consists of 2 8-bit registers BL and BH, which can be combined together and used as a 16-bit register BX. BL in this case contains the low-order byte of the word, and BH contains the high-order byte. BX register usually contains a data pointer used for based, based indexed or register indirect addressing.
Count register consists of 2 8-bit registers CL and CH, which can be combined together and used as a 16-bit register CX. When combined, CL register contains the low-order byte of the word, and CH contains the high-order byte. Count register can be used as a counter in string manipulation and shift/rotate instructions.
Data register consists of 2 8-bit registers DL and DH, which can be combined together and used as a 16-bit register DX. When combined, DL register contains the low-order byte of the word, and DH contains the high-order byte. Data register can be used as a port number in I/O operations. In integer 32-bit multiply and divide instruction the DX register contains high-order word of the initial or resulting number.
The following registers are both general and index registers:
Stack Pointer (SP) is a 16-bit register pointing to program stack.
Base Pointer (BP) is a 16-bit register pointing to data in stack segment. BP register is usually used for based, based indexed or register indirect addressing.
Source Index (SI) is a 16-bit register. SI is used for indexed, based indexed and register indirect addressing, as well as a source data address in string manipulation instructions.
Destination Index (DI) is a 16-bit register. DI is used for indexed, based indexed and register indirect addressing, as well as a destination data address in string manipulation instructions.
Other registers:
Instruction Pointer (IP) is a 16-bit register.
Flags is a 16-bit register containing 9 1-bit flags:
Overflow Flag (OF) - set if the result is too large positive number, or is too small negative number to fit into destination operand.
Direction Flag (DF) - if set then string manipulation instructions will auto-decrement index registers. If cleared then the index registers will be auto-incremented.
Interrupt-enable Flag (IF) - setting this bit enables maskable interrupts.
Single-step Flag (TF) - if set then single-step interrupt will occur after the next instruction.
Sign Flag (SF) - set if the most significant bit of the result is set.
Zero Flag (ZF) - set if the result is zero.
Auxiliary carry Flag (AF) - set if there was a carry from or borrow to bits 0-3 in the AL register.
Parity Flag (PF) - set if parity (the number of “1″ bits) in the low-order byte of the result is even.
Carry Flag (CF) - set if there was a carry from or borrow to the most significant bit during last result calculation.
SEGMENTS:
Code segment (CS) is a 16-bit register containing address of 64 KB segment with processor instructions. The processor uses CS segment for all accesses to instructions referenced by instruction pointer (IP) register. CS register cannot be changed directly. The CS register is automatically updated during far jump, far call and far return instructions.
Stack segment (SS) is a 16-bit register containing address of 64KB segment with program stack. By default, the processor assumes that all data referenced by the stack pointer (SP) and base pointer (BP) registers is located in the stack segment. SS register can be changed directly using POP instruction.
Data segment (DS) is a 16-bit register containing address of 64KB segment with program data. By default, the processor assumes that all data referenced by general registers (AX, BX, CX, DX) and index register (SI, DI) is located in the data segment. DS register can be changed directly using POP and LDS instructions.
Extra segment (ES) is a 16-bit register containing address of 64KB segment, usually with program data. By default, the processor assumes that the DI register references the ES segment in string manipulation instructions. ES register can be changed directly using POP and LES instructions.
It is possible to change default segments used by general and index registers by prefixing instructions with a CS, SS, DS or ES prefix.
Addressing Modes Of 8086:
Implied - the data value/data address is implicitly associated with the instruction.
Register - references the data in a register or in a register pair.
mov d,s
add bx,ax
Immediate - the data is provided in the instruction.
mov bh,32
Direct - the instruction operand specifies the memory address where data is located.
mov al,[0005]
Register indirect - instruction specifies a register containing an address, where data is located. This addressing mode works with SI, DI, BX and BP registers.
mov si,[0005]
mov al,[si]
Based - 8-bit or 16-bit instruction operand is added to the contents of a base register (BX or BP), the resulting value is a pointer to location where data resides.
mov al,[si][bx]
Indexed - 8-bit or 16-bit instruction operand is added to the contents of an index register (SI or DI), the resulting value is a pointer to location where data resides.
Based Indexed - the contents of a base register (BX or BP) is added to the contents of an index register (SI or DI), the resulting value is a pointer to location where data resides.
Based Indexed with displacement - 8-bit or 16-bit instruction operand is added to the contents of a base register (BX or BP) and index register (SI or DI), the resulting value is a pointer to location where data resides.
Instruction Set:
8086 instruction set consists of the following instructions:
Data moving instructions.
Arithmetic - add, subtract, increment, decrement, convert byte/word and compare.
Logic - AND, OR, exclusive OR, shift/rotate and test.
String manipulation - load, store, move, compare and scan for byte/word.
Control transfer - conditional, unconditional, call subroutine and return from subroutine.
Input/Output instructions.
Other - setting/clearing flag bits, stack operations, software interrupts, etc.
Interrupts:
The processor has the following interrupts:
INTR is a maskable hardware interrupt. The interrupt can be enabled/disabled using STI/CLI instructions or using more complicated method of updating the FLAGS register with the help of the POPF instruction. When an interrupt occurs, the processor stores FLAGS register into stack, disables further interrupts, fetches from the bus one byte representing interrupt type, and jumps to interrupt processing routine address of which is stored in location 4 * . Interrupt processing routine should return with the IRET instruction.
NMI is a non-maskable interrupt. Interrupt is processed in the same way as the INTR interrupt. Interrupt type of the NMI is 2, i.e. the address of the NMI processing routine is stored in location 0008h. This interrupt has higher priority then the maskable interrupt.
Software interrupts can be caused by:
INT instruction - breakpoint interrupt. This is a type 3 interrupt.
INT instruction - any one interrupt from available 256 interrupts.
INTO instruction - interrupt on overflow
Single-step interrupt - generated if the TF flag is set. This is a type 1 interrupt. When the CPU processes this interrupt it clears TF flag before calling the interrupt processing routine.
Processor exceptions: divide error (type 0), unused opcode (type 6) and escape opcode (type 7).
Software interrupt processing is the same as for the hardware interrupts.
Subscribe to:
Posts (Atom)
