CNIT 126 6: Recognizing C Code Constructs in Assembly
1 like1,244 views
Chapter 6 of the practical malware analysis document focuses on recognizing C constructs in assembly, highlighting methods for finding function calls and understanding variable scope. It explains the handling of function arguments, local vs. global variables, and typical programming constructs such as loops and arithmetic operations in assembly code. Key techniques include using strings for identification and cross-referencing disassembly in tools like IDA Pro.
CNIT 126 6: Recognizing C Code Constructs in Assembly
- 1. Practical Malware Analysis Ch 6: Recognizing C Constructs in Assembly Updated 2-27-17
- 3. Finding the Code in IDA Pro • IDA shows only the entry point • Link Ch 6a
- 4. Trick: Use Strings, then XREF
- 5. Disassembly in IDA Pro • 4 arguments for printf() function • Pushed onto stack • Reverse order • call launches function
- 6. Global vs. Local Variables • Global variables – Available to any function in the program • Local variables – Defined in a function and only available to that function
- 7. Global vs. Local Variables
- 8. Global vs. Local Variables Local – on stack Local – on stack Global – in memory
- 12. Branching (if)
- 13. Branching (if)
- 14. Finding for Loops • Four components • Initialization: i starts at 0 • Comparison: is i<100 ? • Execution: printf • Increment/decrement: i++
- 16. Arrays
- 18. Summary • Finding the Code – Strings, then XREF • Function Call – Arguments pushed onto stack – Reverse order – call • Variables – Global: in memory, available to all functions – Local: on stack, only available to one function
- 19. Summary • Arithmetic – Move variables into registers – Perform arithmetic (add, sub, idiv, etc.) – Move results back into variables • Branching – Compare (cmp, test, etc.) – Conditional jump (jz, jnz, etc.) – Red arrow if false, green arrow if true