recognizing c code constructs in assembly

Post on 12-Apr-2017


Recognizing C Code Constructs in Assembly

Assembly Language Fundamentals Part II

Windows Memory Forensics: Address Space Layout Details


Dynamic DLLs. This area represents shared libraries (DLLs). These libraries are loaded into the address space. This can be intentional by the process or forced through injection.


Environment Variables. Stores the process’ environment variables here. This is where the executable path, temporary directories, home folders, etc. are found.


Process Environment Block. An extremely useful structure: the data it holds tells us where to find several of the other items in the process’ memory, such as DLLs, heaps and environment variables.


Process Heap. The place where the majority of the process input received is found. Examples:

- Variable length text (email, word doc, etc.)
- Data travelling over the network (SSL, TLS)

In other words, the data seen in tools like Wireshark, Office, Outlook email, IM, Snapchat, ICQ, and all the web browsers (FF, Chrome, IE, Opera).


Thread Stacks. Each thread has a dedicated range of process memory within the parent process’ runtime stack. The call history is found here. For example:

- Function parameters
- Local variables
- Return addresses


Mapped Files and Application Data: The content in this address space depends on the process. Mapped files are files on disk:

- Configuration files
- Resource files
- Registry


Executable: The process executable contains the body of code & read/write variables for the application. Note: This data may be compressed or encrypted. Once loaded into memory, it unpacks itself, and allows for plain text code to be dumped back to disk.

Windows Memory Forensics: Global versus Local Variables

Global variable X

X is changed in memory when EAX is moved into dword_40CF60.

EBP-4 is the offset for the local variable X in memory.

EBP-4 is used throughout this function to reference X.

This pattern matches what we expect for a stack-based local variable which is only referenced inside a function.

Windows Memory Forensics: Conditionals – If Statements

Example 1: C if statement

Notice the jump command JNZ at 2.

The decision to jump is made based on the compare command at 1.

The C code makes the two variables unequal. No jump to loc_40102B.

Instead, it completes instructions until the JMP command at 3, bypassing the remaining commands.
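To make the global/local and if-statement patterns above concrete, here is an added example (not from the slides) pairing a small C function with the instruction sequences an unoptimized 32-bit x86 build typically produces for it. The assembly in the comments, the stack offsets and the labels loc_else and loc_end are illustrative assumptions; dword_40CF60 is reused from the slides as the disassembler's label for the global.

```c
#include <stdio.h>

/* Global variable: placed in the .data section, so the compiler refers to it
 * by absolute address and the disassembler names it after that address
 * (the slides' label dword_40CF60 is used below for illustration). */
int global_x = 0;

/* Assigns a global and a local, then runs an if/else. The comments show the
 * pattern an unoptimized 32-bit x86 build typically produces; label names
 * and stack offsets are illustrative, not taken from any real build. */
int demo(int a, int b)
{
    int local_x;               /* stack slot at [ebp-4]                          */
    int result;                /* stack slot at [ebp-8]                          */

    global_x = a;              /* mov  eax, [ebp+8]        ; parameter a
                                  mov  dword_40CF60, eax   ; absolute address = global  */

    local_x = b;               /* mov  eax, [ebp+0Ch]      ; parameter b
                                  mov  [ebp-4], eax        ; EBP-relative = local       */

    if (local_x == global_x) { /* mov  eax, [ebp-4]
                                  cmp  eax, dword_40CF60   ; (1) compare
                                  jnz  short loc_else      ; (2) not equal: skip then-block */
        result = 1;            /* mov  dword ptr [ebp-8], 1
                                  jmp  short loc_end       ; (3) bypass the else-block   */
    } else {                   /* loc_else:                                       */
        result = 0;            /* mov  dword ptr [ebp-8], 0                       */
    }                          /* loc_end:                                        */

    return result;             /* mov  eax, [ebp-8]        ; return value in EAX   */
}

int main(void)
{
    printf("demo(3, 3) = %d\n", demo(3, 3)); /* equal: prints 1   */
    printf("demo(3, 4) = %d\n", demo(3, 4)); /* unequal: prints 0 */
    return 0;
}
```

When reading the disassembly, the absolute operand (dword_40CF60) marks the global, the EBP-relative operand ([ebp-4]) marks the local, and the cmp/jnz/jmp triple is the if/else skeleton from Example 1.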

Questions?
