If you have ever had to assist others understand malware behaviour then every trainer needs a useful tool to illustrate basic concept. Marco Schweighauser has launched a useful online webpage with such a tool ( https://schweigi.github.io/assembler-simulator/ ) or a github page ( https://github.com/Schweigi/assembler-simulator ) to download the working tool so that trainers can play with creating harmless scripts.
Marco has produced a "simulator which provides a simplified assembler syntax (based on NASM) and is simulating a x86 like cpu." The tool is demonstrated by using default code "HELLO WORLD" and presented as a visualisation for illustrative and activity purposes relating to registers, flags, Instruction Pointer (IP), Stack Pointer (SP), RAM, machine code, stack, and memory mapping when following how the harmless code is executed either in RUN or STEP mode.
Iko Knyphausen (Computer Forensic Examiner, Intrusion & Malware Analyst at /d/b/a Datasource Forensics) has played with a simple but harmless malicious code (https://www.linkedin.com/pulse/using-simple-8-bit-assembler-simulation-illustrate-iko-knyphausen) to demonstrate malware in action by overwriting HELLO WORLD. Cut and paste the example into the online or downloaded tool and watch the activity.
=============================
; Writes Hello World to the output and emulates an infection; At the beginning of the PRINT function a simulated buffer
; overwrite called "stack_smash" pushes 12 values to
; the stack. After the print function has printed Hello World !
; it RETURNs but sets the Instruction Pointer to a manipulated
; address on the stack. From there execution continues on the
; stack, in this example overwriting all output with asterisk *
; characters.
; Single step through this demo for best results ;-)
JMP start
name: DB "Hello World!" ; Variable
DB 0 ; String terminator
start:
MOV C, name ; Point to var
MOV D, 232 ; Point to output
CALL print
HLT ; Stop execution
print: ; print characters from var to output
stack_smash: ; this would typically be a buffer
; overwrite which we simulate by
; pushing 12 values onto the stack
; in reverse order
; the RET operation from the print
; function puts the instruction pointer
; to 0xDC and overwrites the output
; with * characters in reverse order
PUSH 0 ; HLT
PUSH 0xDC ; LOOP back to this address on stack
PUSH 39 ; JNZ 0xDB
PUSH 232 ; the beginning of the output memory
PUSH 3
PUSH 23 ; CMP D, 232
PUSH 42 ; character to overwrite output
PUSH 3
PUSH 8 ; MOV number to reg_address
PUSH 3
PUSH 19 ; DEC register #3 = D
PUSH 0xDC ; RET from print will pull this address
MOV B, 0
.loop:
MOV A, [C] ; Get char from var
MOV [D], A ; Write to output
INC C
INC D
CMP B, [C] ; Check if end
JNZ .loop ; jump if not
RET ; loads malicious return address from stack
=============================
To understand assembler code visit:
https://schweigi.github.io/assembler-simulator/instruction-set.html
https://en.wikipedia.org/wiki/Assembly_language
http://www.nasm.us/xdoc/2.10.09/html/nasmdoc3.html