
Practical Malware Analysis: CH 6: Recognizing C Constructs in Assembly

This document discusses techniques for recognizing C constructs in assembly code. It covers finding code using strings and XREF, function calls with arguments pushed onto the stack in reverse order, and the differences between global and local variables. It also examines how arithmetic operations move variables into registers to perform operations before storing results back in variables, and how branching uses compare instructions and conditional jumps marked with red and green arrows to indicate false and true paths.

Uploaded by Hungvv10

Practical Malware Analysis

Ch 6: Recognizing C Constructs in Assembly
Function Call

Finding the Code in IDA Pro
• IDA shows only the entry point
• Link Ch 6a

Trick: Use Strings, then XREF

Disassembly in IDA Pro
• 4 arguments for printf() function
• Pushed onto stack
• Reverse order
• call launches function
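To make the slide's call sequence concrete, the following is an added example (not code from the book or from IDA): a small model of the 32-bit cdecl stack in C. It pushes the four printf() arguments in reverse order, emulates call and the callee prologue, and then reads the arguments back the way the callee does, at [ebp+8], [ebp+0Ch] and so on. The addresses 0x00406030 and 0x00401055 and the IDA-style names in the comments are placeholders, not values from the slides.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit cdecl call sequence described on the slide. This is a
   constructed example, not code from the book or from IDA: the stack is an
   array of 4-byte slots, and esp/ebp are slot indices that move toward lower
   indices on push, the way the real registers move toward lower addresses. */
#define STACK_SLOTS 64

typedef struct {
    uint32_t mem[STACK_SLOTS];
    int esp;  /* index of the slot currently on top of the stack */
    int ebp;  /* frame pointer of the function currently executing */
} Frame;

void frame_init(Frame *f) { f->esp = STACK_SLOTS; f->ebp = STACK_SLOTS; }

/* push v   ->  esp -= 4 ; [esp] = v */
void push(Frame *f, uint32_t v) { f->mem[--f->esp] = v; }

/* pop      ->  v = [esp] ; esp += 4 */
uint32_t pop(Frame *f) { return f->mem[f->esp++]; }

/* Caller side of printf(fmt, a, b, c): the four arguments are pushed in
   reverse order, so the first argument ends up nearest the return address. */
void push_args_reverse(Frame *f, uint32_t fmt, uint32_t a, uint32_t b, uint32_t c) {
    push(f, c);    /* push [ebp+var_C]     ; 4th argument first */
    push(f, b);    /* push [ebp+var_8] */
    push(f, a);    /* push [ebp+var_4] */
    push(f, fmt);  /* push offset aFormat  ; 1st argument last */
}

/* 'call target' pushes the return address; the callee's prologue then runs
   'push ebp ; mov ebp, esp', so ebp marks the base of the new frame. */
void call_and_prologue(Frame *f, uint32_t return_address) {
    push(f, return_address);
    push(f, (uint32_t)f->ebp);
    f->ebp = f->esp;
}

/* Inside the callee: [ebp] holds the saved ebp, [ebp+4] the return address,
   [ebp+8] the first argument, [ebp+0Ch] the second, and so on. */
uint32_t callee_arg(const Frame *f, int n) {
    return f->mem[f->ebp + 1 + n];   /* one slot = 4 bytes */
}

/* Callee epilogue 'mov esp, ebp ; pop ebp ; ret', then the caller's
   'add esp, 10h': under cdecl the caller removes the arguments it pushed.
   Returns the popped return address. */
uint32_t epilogue_and_cleanup(Frame *f, int nargs) {
    f->esp = f->ebp;          /* mov esp, ebp */
    f->ebp = (int)pop(f);     /* pop ebp */
    uint32_t ret = pop(f);    /* ret */
    f->esp += nargs;          /* add esp, nargs*4 */
    return ret;
}

/* Run the whole sequence for the slide's four-argument call and report what
   the callee reads as argument n (1-based). All values are constructed. */
uint32_t demo_arg(int n) {
    Frame f;
    frame_init(&f);
    push_args_reverse(&f, 0x00406030u, 1, 2, 3);  /* placeholder format-string address, then 1, 2, 3 */
    call_and_prologue(&f, 0x00401055u);           /* placeholder return address */
    return callee_arg(&f, n);
}

/* 1 if esp and ebp are back where they started after return and cleanup. */
int demo_cleanup_restores_stack(void) {
    Frame f;
    frame_init(&f);
    push_args_reverse(&f, 0x00406030u, 1, 2, 3);
    call_and_prologue(&f, 0x00401055u);
    uint32_t ret = epilogue_and_cleanup(&f, 4);
    return ret == 0x00401055u && f.esp == STACK_SLOTS && f.ebp == STACK_SLOTS;
}

int main(void) {
    for (int n = 1; n <= 4; n++)
        printf("[ebp+%Xh] = argument %d = %#x\n", 4 + 4 * n, n, (unsigned)demo_arg(n));
    printf("stack restored after cleanup: %s\n",
           demo_cleanup_restores_stack() ? "yes" : "no");
    return 0;
}
```

The point to carry into IDA: because the caller pushes right to left, the last push before call is always the first argument, and in the callee the argument order matches increasing offsets from ebp. Counting the pushes before a call (and the size of the add esp after it) tells you how many arguments a function takes even when it has no symbols.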
Global vs. Local Variables
• Global variables
– Available to any function in the program
• Local variables
– Defined in a function and only available to that function
Global vs. Local Variables (figure annotations)
• Local – on stack
• Global – in memory
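The following is an added example (not code from the book) contrasting the two storage classes the slides describe, plus one caveat an analyst runs into: a static local. Each function carries, as a comment, the 32-bit x86 access pattern it produces, so the difference between a fixed memory address and an ebp-relative stack slot is visible side by side. The address 0x40CF60 and the IDA-style names dword_40CF60, var_4 and arg_0 are placeholders, not values from the slides.

```c
#include <stdio.h>

/* Constructed example, not code from the book: the same "add n to a total"
   written with a global, a local, and a static local, with the 32-bit x86
   access pattern each one produces written as comments. The address 0x40CF60
   and the IDA-style name dword_40CF60 are placeholders, not values from the
   slides. */

int g_total = 0;   /* global: stored in the .data section, visible to every function */

/* Global: IDA references a fixed address, the same one from any function:
     mov eax, dword_40CF60      ; load g_total
     add eax, [ebp+arg_0]       ; + n
     mov dword_40CF60, eax      ; store back into g_total */
int add_to_global(int n) {
    g_total += n;
    return g_total;
}

/* Any other function can read the same memory cell. */
int read_global(void) {
    return g_total;
}

/* Local: a slot in this function's stack frame, addressed relative to ebp:
     mov [ebp+var_4], 0         ; total = 0
     mov eax, [ebp+var_4]
     add eax, [ebp+arg_0]
     mov [ebp+var_4], eax       ; total += n
   The slot is released when the function returns, so nothing persists. */
int add_to_local(int n) {
    int total = 0;
    total += n;
    return total;
}

/* Caveat for the analyst: a static local has local scope in C but global
   storage, so the disassembly references a fixed address exactly as
   add_to_global does. Scope in the source does not tell you where a
   variable lives; the addressing mode in the disassembly does. */
int add_to_static_local(int n) {
    static int total = 0;      /* placeholder IDA name: dword_40CF64 */
    total += n;
    return total;
}

int main(void) {
    int g1 = add_to_global(5);
    int g2 = add_to_global(7);
    printf("global:       %d then %d, read from another function: %d\n", g1, g2, read_global());
    int l1 = add_to_local(5);
    int l2 = add_to_local(7);
    printf("local:        %d then %d (no carry-over between calls)\n", l1, l2);
    int s1 = add_to_static_local(5);
    int s2 = add_to_static_local(7);
    printf("static local: %d then %d (persists like a global)\n", s1, s2);
    return 0;
}
```

When reversing, treat any dword_XXXXXX reference as shared state that other functions may read or write, whether the original source called it global or static; a [ebp+var_N] reference is private to the current frame.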
Arithmetic Operations

Branching (if)
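The arithmetic and branching slides survive here only as titles, and the summary below describes the patterns (load into registers, operate, store back; cmp or test followed by a conditional jump). The following is an added example (not code from the book) that implements both in C with the corresponding 32-bit x86 written as comments, including the inverted-condition detail that decides which of the red and green arrows leads into the if body. IDA-style names such as arg_0, var_sum and loc_else are placeholders.

```c
#include <stdio.h>

/* Constructed example, not code from the book: arithmetic on two arguments
   followed by an if, with the 32-bit x86 pattern from the slides as comments
   (IDA-style names such as arg_0 and var_sum are placeholders). */

typedef struct { int sum, diff, quot, rem; } Arith;

/* Arithmetic: operands are moved into registers, the instruction runs on the
   registers, and the result is moved back into a variable:
     mov eax, [ebp+arg_0]      ; a
     add eax, [ebp+arg_4]      ; eax = a + b
     mov [ebp+var_sum], eax
     mov eax, [ebp+arg_0]
     sub eax, [ebp+arg_4]      ; eax = a - b
     mov [ebp+var_diff], eax
     mov eax, [ebp+arg_0]
     cdq                       ; sign-extend eax into edx:eax for idiv
     idiv [ebp+arg_4]          ; eax = a / b, edx = a % b
     mov [ebp+var_quot], eax
     mov [ebp+var_rem], edx
   idiv with a zero divisor raises a divide error, so the C guards b == 0
   and leaves quot and rem at 0 in that case. */
Arith arithmetic(int a, int b) {
    Arith r = {0, 0, 0, 0};
    r.sum = a + b;
    r.diff = a - b;
    if (b != 0) {
        r.quot = a / b;   /* truncates toward zero, like idiv */
        r.rem = a % b;
    }
    return r;
}

/* Branching: cmp (or test) sets the flags, then a conditional jump chooses
   the path. The compiler usually jumps when the C condition is FALSE, so the
   jump's mnemonic is the inverse of the source condition:
     mov eax, [ebp+var_rem]
     test eax, eax             ; ZF = 1 when rem == 0
     jnz short loc_else        ; the jump's condition is rem != 0
                               ;   green arrow (jump condition true)  -> loc_else
                               ;   red arrow (jump condition false)   -> falls into the if body
     mov eax, [ebp+var_quot]   ; if (rem == 0) return quot
     jmp short loc_end
   loc_else:
     mov eax, [ebp+var_diff]   ; else return diff
   loc_end:
*/
int quotient_or_difference(int a, int b) {
    Arith r = arithmetic(a, b);
    if (r.rem == 0) {
        return r.quot;
    } else {
        return r.diff;
    }
}

int main(void) {
    Arith r = arithmetic(17, 5);
    printf("17,5: sum=%d diff=%d quot=%d rem=%d\n", r.sum, r.diff, r.quot, r.rem);
    printf("quotient_or_difference(20, 5) = %d\n", quotient_or_difference(20, 5));
    printf("quotient_or_difference(17, 5) = %d\n", quotient_or_difference(17, 5));
    return 0;
}
```

Two habits follow from this: read idiv together with the cdq (or xor edx, edx) that precedes it to know whether the division is signed, and when you see cmp or test followed by jnz or jz, write down the jump's own condition before mapping it back to the C if, because the green (true) arrow usually leads to the else path, not into the body.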
Summary
• Finding the Code
– Strings, then XREF
• Function Call
– Arguments pushed onto stack
– Reverse order
– call
• Variables
– Global: in memory, available to all functions
– Local: on stack, only available to one function
Summary
• Arithmetic
– Move variables into registers
– Perform arithmetic (add, sub, idiv, etc.)
– Move results back into variables
• Branching
– Compare (cmp, test, etc.)
– Conditional jump (jz, jnz, etc.)
– Red arrow if false, green arrow if true
