What does EIP stand for?

Information Security Asked by Ares on July 27, 2020

There are a ton of questions on here that make reference to the eip:

What is the EIP? How is it used, both as an exploit target and in benign code?

3 Answers

EIP is a register in x86 architectures (32bit). It holds the "Extended Instruction Pointer" for the stack. In other words, it tells the computer where to go next to execute the next command and controls the flow of a program.

Research Assembly language to get a better understanding of how registers work. Skull Security has a good primer.

Correct answer by HashHazard on July 27, 2020

EIP is a Basic Program Execution register.

-As an exploit target, I think pg. 81 of the Intel manual says it all

The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack. The EIP register can be loaded indirectly by modifying the value of a return instruction pointer on the procedure stack and executing a return instruction

Understanding the role EIP plays in program execution seems simple yet complex when you consider the combination of the Code Segment register (CS) with EIP creates this "logical address" and because all x86 CPUs use prefetching, an instruction read from the bus won't be what's in the EIP register. The simple part is that value in EIP is used to determine the location of the next instruction whether this sends you back to a previous instruction or forward in straight-line code. The results of what your previous instruction came up with is stored in EAX.

-and in benign code?

Well anytime your code executes an algorithm or calls a function you'll definitely make use of this register.

Answered by Robert Houghton on July 27, 2020

One of the basic things that a computer needs to keep track of is where in memory the instructions that are being executed are located.

This is normally done by the CPU using what is often known as the instruction pointer or program counter register. The exact name depends on the architecture, but the concept generalizes across all architectures. It's called the instruction pointer on Intel CPUs, and that's the term I'll be using in this answer. The instruction pointer is continually incremented while instructions are executed from memory, and also updated whenever a jump instruction of some kind is executed. Modern CPU architectures with multiple parallel execution pipelines and multiple cores makes what is actually going on inside the CPU more complex, but to an external observer, the simple explanation is sufficient to understand what is going on and the purpose of the relevant registers.

By virtue of the old Intel 8086/8088, 80186 and 80286 being 16-bit processors, the instruction pointer was normally expressed as a pair of 16-bit values known as the code segment (code selector in the 80286, but except in protected mode selectors function very similarly to segments) and instruction pointer. In assembler parlace, CS:IP where the colon indicates the pairing of a segment and an offset as a pair to form a memory address. CS and IP here are CPU registers, tiny memory locations within the CPU chip itself, in this particular case each 16 bits in size. (You also had things like DS:DX which was conventionally the location to where to read or write data in memory; DS was data segment and DX is a general-purpose register that in this case held the data segment offset. There were originally four registers intended for general use, referred to as AX, BX, CX and DX respectively, each of which could be addressed in terms of the high half -- AH, for example -- or the low half -- AL, plus a small number of general-purpose registers that had specific intended uses. Modern CPUs have many, many more registers, with dozens of registers being common and over a hundred not unheard of.)

In making the 80386 CPU in the late 1980s, Intel made a lot of changes, including extending the address space to 32 bits while keeping selectors as a concept. For this reason, the old 16-bit values were no longer sufficient, and the instruction pointer was extended to 32 bits. In order to maintain full backward compatibility (at this point, Intel had probably learned the lesson of the 80286 which was more one-way compatible; it was easy to go from the 8086/8088's real mode into the 80286's protected mode, but going back was a lot more difficult, and this turned out to be a problem in practice), this required a new register for the CPU to keep the instruction pointer when operating in 32-bit mode.

In the 80386, the extended (32-bit) registers were named Exx whereas the corresponding 16-bit registers were as previously referred to as xx. So you'd get for example the old 16-bit accumulator register AX plus the extended 32-bit accumulator register EAX (with AX as the low 16-bit half). In keeping with this naming convention, the Extended Instruction Pointer register was referred to as EIP.

As an aside, most often, the correct value isn't merely EIP, but CS:EIP, because the value of EIP remains an offset from some starting location which is defined by the code selector.

Answered by a CVn on July 27, 2020

Add your own answers!

Related Questions

What’s a “safe” URL shortening algorithm?

3  Asked on December 31, 2020 by bensower


Securing internet connection with hostile ISP

1  Asked on December 29, 2020 by user242761


Is Chrome Browser/ Computer compromised by KMSPico?

0  Asked on December 27, 2020 by waterbyte


Web Cache Deception – exploitable without a cache server?

1  Asked on December 26, 2020 by citylight


Determine if private key belongs to certificate?

3  Asked on December 25, 2020 by thanatos


Filtering http responses for subdomain takeover

0  Asked on December 21, 2020 by kirill-z


Sql map Manual Vulnerability Assessment

1  Asked on December 20, 2020 by badddy


Unknown folders in OneDrive

1  Asked on December 19, 2020 by user851


Ask a Question

Get help from others!

© 2022 All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir