1 / 15

Practical Malware Analysis

Practical Malware Analysis. Ch 6: Recognizing C Constructs in Assembly. Function Call. Finding the Code in IDA Pro. IDA shows only the entry point Link Ch 6a. Trick: Use Strings, then XREF. Disassembly in IDA Pro. 4 arguments for printf() function Pushed onto stack Reverse order

knox-abbott
Download Presentation

Practical Malware Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical Malware Analysis Ch 6: Recognizing C Constructs in Assembly

  2. Function Call

  3. Finding the Code in IDA Pro • IDA shows only the entry point • Link Ch 6a

  4. Trick: Use Strings, then XREF

  5. Disassemblyin IDA Pro • 4 arguments for printf() function • Pushed onto stack • Reverse order • call launches function

  6. Global vs. Local Variables • Global variables • Available to any function in the program • Local variables • Defined in a function and only available to that function

  7. Global vs. Local Variables

  8. Global vs. Local Variables Local – on stack Local – on stack Global – in memory

  9. Arithmetic Operations

  10. Arithmetic Operations

  11. Arithmetic Operations

  12. Branching (if)

  13. Branching (if)

  14. Summary • Finding the Code • Strings, then XREF • Function Call • Arguments pushed onto stack • Reverse order • call • Variables • Global: in memory, available to all functions • Local: on stack, only available to one function

  15. Summary • Arithmetic • Move variables into registers • Perform arithmetic (add, sub, idiv, etc.) • Move results back into variables • Branching • Compare (cmp, test, etc.) • Conditional jump (jz, jnz, etc.) • Red arrow if false, green arrow if true

More Related