practical malware analysis: ch 6: recognizing c code constructs in assembly
![Page 1: Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly](https://reader036.vdocuments.mx/reader036/viewer/2022081503/588370451a28ab536b8b6fdd/html5/thumbnails/1.jpg)
Practical Malware Analysis
Ch 6: Recognizing C Constructs in Assembly
Function Call
Finding the Code in IDA Pro
• IDA shows only the entry point
• Link Ch 6a
Trick: Use Strings, then XREF
Disassembly in IDA Pro
• 4 arguments for printf() function
• Pushed onto stack
• Reverse order
• call launches function
Global vs. Local Variables
• Global variables
  – Available to any function in the program
• Local variables
  – Defined in a function and only available to that function
Global vs. Local Variables
Global vs. Local Variables
(Figure: annotated disassembly showing two local variables on the stack and one global variable in memory)
Arithmetic Operations
Arithmetic Operations
Arithmetic Operations
Branching (if)
Branching (if)
Summary
• Finding the Code
  – Strings, then XREF
• Function Call
  – Arguments pushed onto stack
  – Reverse order
  – call
• Variables
  – Global: in memory, available to all functions
  – Local: on stack, only available to one function
Summary
• Arithmetic
  – Move variables into registers
  – Perform arithmetic (add, sub, idiv, etc.)
  – Move results back into variables
• Branching
  – Compare (cmp, test, etc.)
  – Conditional jump (jz, jnz, etc.)
  – Red arrow if false, green arrow if true
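The four constructs summarized above (function call, global vs. local variables, arithmetic, branching), shown together in one added C example that is not from the book or these slides. The comments beside each construct give the typical unoptimized 32-bit cdecl assembly a compiler emits for it; the stack offsets and label names (arg_0, var_4, loc_else, dword_40A000, aFormat) are assumed IDA-style names used for illustration only.

```c
#include <stdio.h>

/* Global variable: stored in the data section, so the assembly
   references it by address, e.g.  mov eax, dword_40A000
   (IDA-style name assumed for illustration). */
int g_calls = 0;

/* Arithmetic: variables are moved into registers, the operation is
   performed, and the result is moved back into a variable. Typical
   unoptimized 32-bit cdecl output (assumed) for result = (a + b) / c:
       mov  eax, [ebp+arg_0]    ; a
       add  eax, [ebp+arg_4]    ; a + b
       cdq                      ; sign-extend eax into edx:eax for idiv
       idiv [ebp+arg_8]         ; eax = quotient, edx = remainder
       mov  [ebp+var_4], eax    ; store into the local 'result' */
int arith(int a, int b, int c)
{
    int result;                 /* local: lives on the stack at [ebp+var_4] */
    if (c == 0)                 /* extra cmp/jnz guard: idiv by zero would fault */
        return 0;
    result = (a + b) / c;
    g_calls++;                  /* global: inc dword_40A000 (or mov/add/mov) */
    return result;              /* return value travels back in eax */
}

/* Branching: each if becomes a compare followed by a conditional jump.
   For x > 0, IDA shows roughly:
       cmp  [ebp+arg_0], 0
       jle  short loc_else      ; green arrow: jump taken (x <= 0)
       mov  eax, 1              ; red arrow: fall-through (x > 0)
       jmp  short loc_ret
   loc_else:
       cmp  [ebp+arg_0], 0      ; second compare for x < 0
       jge  short loc_zero
       ...                                                          */
int sign(int x)
{
    if (x > 0)
        return 1;
    if (x < 0)
        return -1;
    return 0;
}

/* Function call: the four printf() arguments are pushed in reverse
   order (last argument first), 'call' transfers control, and the
   caller removes the arguments afterwards:
       mov  eax, dword_40A000   ; 4th argument: g_calls (pushed first)
       push eax
       push [ebp+var_8]         ; 3rd argument: s
       push [ebp+var_4]         ; 2nd argument: r
       push offset aFormat      ; 1st argument: the format string
       call printf
       add  esp, 10h            ; cdecl: caller pops 4 * 4 bytes      */
int report(int a, int b, int c)
{
    int r = arith(a, b, c);     /* local r at [ebp+var_4] */
    int s = sign(r);            /* local s at [ebp+var_8] */
    printf("quotient=%d sign=%d calls=%d\n", r, s, g_calls);
    return r;
}

int main(void)
{
    report(7, 5, 3);    /* prints quotient=4 sign=1 calls=1 */
    report(-9, 1, 2);   /* prints quotient=-4 sign=-1 calls=2 */
    report(1, 1, 0);    /* prints quotient=0 sign=0 calls=2 (guard hit) */
    return 0;
}
```

Compiling this without optimization for 32-bit x86 and opening it in IDA gives a disassembly that matches the slide summary closely: the Strings window lists the format string, its XREF leads to report(), and each block of the source maps onto the push/call, mov/add/idiv/mov, and cmp/jcc patterns commented above. Optimized builds or 64-bit targets pass arguments in registers instead, so the push sequence will not appear there.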