Week 4 Lecture PART 2
Malware Forensics
Lecture Topics
➢ Functions
➢ Stacks
– Stack Push and Pop operations
– ESP and EBP x86 registers
– PUSH and POP x86 instructions
– Stack Frames
➢ How functions use the stack
➢ Understanding functions for malware analysis
Functions Defined
➢ A block of code or set of instructions that performs a particular task.
➢ Functions are separate from the main or other code.
➢ Functions can be called multiple times from any part of a
program.
➢ The code of the function is reusable, which may save memory and minimise the executable size.
Function Structure
Parameters (inputs)
#include <stdio.h>
/* calc adds its two parameters. Its body is assumed here: only the call
   site survives in the slide text, and "Sum = %d" implies addition. */
int calc(int a, int b)
{
    return a + b;
}
int main()
{
    int sum = 0;
    sum = calc(2, 3);           /* 2 and 3 are the parameters (inputs) */
    printf("Sum = %d\n", sum);
    return 0;
}
Compile Commands
gcc -m32 main.c
retn Example
(Same main.c and compile command as the Function Structure slide: gcc -m32 main.c)
Local and Global Variables (Functions)
➢ Global variables
– Are permanent variables and can be accessed from any function.
– They are stored in the .data section of the executable.
➢ Local variables
– Are temporary variables which can be accessed only within a function.
– They are stored on the stack instead.
Global Variable Example
#include <stdio.h>
int a = 2;                      /* global: lives in .data, not on the stack */
/* calc adds its two parameters; the body is assumed, as only the
   call site appears in the slide text. */
int calc(int x, int y)
{
    return x + y;
}
int main()
{
    int sum = 0;                /* local: lives in main's stack frame */
    sum = calc(a, 3);
    printf("Sum = %d\n", sum);
    return 0;
}
– pop ebx
– pop eax
[Diagram: the two values at the top of the stack are popped into EBX and then EAX]
ESP Register (x86 Stack)
➢ ESP points to the top of the stack (last thing to go onto the stack)
➢ It decreases by four bytes when we push an item
[Diagram, BEFORE and AFTER a push: lower addresses at the top, higher addresses at the bottom; ESP moves down one slot (ESP -4); the value 0x0040156c is shown on the stack]
Calling Functions
push ebp - Push the current EBP value (memory address) onto the stack
[Diagram, BEFORE and AFTER push ebp: lower addresses at the top, higher addresses at the bottom]
Calling Functions
mov ebp, esp - Set EBP to the value of ESP
[Diagram, AFTER mov ebp, esp: EBP and ESP point to the same slot]
Calling Functions
sub esp, X - Subtract some value from ESP to create the stack frame
10h = 0x10 = 16 bytes = 4 memory locations (four 4-byte slots)
[Diagram: ESP moves down four slots from EBP (-4, -4, -4, -4); EBP points to EBP ADDRESS (OLD); the return address 0x0040156c is in the next slot towards higher addresses]
Calling Functions
[Diagram: stack layout once the frame is set up; ESP at the low end of the frame, the return address 0x0040156c towards higher addresses]
Calling Functions
3) Restore EBP to its old value, which ESP now points to
● pop ebp
[Diagram, BEFORE and AFTER pop ebp: ESP moves up one slot towards higher addresses]
Calling Functions
Restore EBP to its old value
● pop ebp
[Diagram, BEFORE and AFTER pop ebp: EBP = EBP ADDRESS (OLD); ESP now points to the return address, i.e. the next instruction after the call to the function]
Calling Functions
Return to the calling function with a retn instruction. It pops the return address off the stack into the EIP register (instruction pointer register), i.e. ESP increments by 4 bytes.
● retn
[Diagram, BEFORE and AFTER retn: before, ESP points to the return address 0x0040156c; after, EIP = 0x0040156c and ESP has moved up by 4 (ESP +4). EIP now holds the next instruction after the call to the function]
Calling Functions (With Parameters)
● Parameters are added to the stack before the stack frame is set up and the function is called
● Pushed from right to left of the parameter list in Windows EXEs
● Added below the current ESP in the diagram (higher addresses)
[Diagram, caller with int res = 0; after pushing three parameters: 2 at ESP, 3 at ESP +4, 9 at ESP +8 (4+4)]
Calling Functions (With Parameters)
● Then proceeds to call the function and set up the stack frame (previous slides)
[Diagram, BEFORE and AFTER: before, ESP points to the parameters 2, 3, 9; after, the return address 0x0040156c and the saved EBP sit above the parameters (towards lower addresses), with ESP at the new frame's low end and EBP at the saved EBP slot]
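The push/pop and call-sequence slides above (ESP Register, push ebp / mov ebp, esp / sub esp, X, pop ebp, retn, and the parameter pushes) can be checked against a small model of the 32-bit stack. The Python below is an added example written for these notes, not code from the lecture: the starting ESP 0x0012FF80 and the function address 0x00401000 are constructed, the return address 0x0040156c and the parameters 2, 3, 9 are the values used in the diagrams, and the caller's cleanup of the parameters after retn (add esp, 0Ch under cdecl) is a step the slides do not draw. It also labels each EBP-relative slot the way IDA does, which is what the var_XXX names in the IDA Notes come from.

```python
# Added example: a toy model of the 32-bit x86 stack as drawn in the lecture
# slides. Addresses below are constructed for illustration.
WORD = 4  # every PUSH/POP moves ESP by 4 bytes on 32-bit x86


class X86Stack:
    """Tracks ESP, EBP, EIP and a word-addressed memory.

    The stack grows towards lower addresses: PUSH decrements ESP by 4 and
    stores the value; POP reads the value and increments ESP by 4.
    """

    def __init__(self, esp=0x0012FF80):  # constructed starting ESP
        self.esp = esp   # top of stack (last thing pushed)
        self.ebp = 0     # base of the current stack frame
        self.eip = 0     # next instruction to execute
        self.mem = {}    # address -> 32-bit value

    def push(self, value):
        self.esp -= WORD            # ESP decreases by four bytes ...
        self.mem[self.esp] = value  # ... and the value goes to the new top

    def pop(self):
        value = self.mem[self.esp]  # read the word ESP points to ...
        self.esp += WORD            # ... and ESP increases by four bytes
        return value

    def call(self, target, return_address):
        self.push(return_address)   # CALL pushes the return address
        self.eip = target           # and jumps to the function

    def prologue(self, frame_size):
        self.push(self.ebp)         # push ebp   (save caller's frame base)
        self.ebp = self.esp         # mov ebp, esp
        self.esp -= frame_size      # sub esp, X (room for local variables)

    def epilogue(self):
        self.esp = self.ebp         # mov esp, ebp (discard the locals)
        self.ebp = self.pop()       # pop ebp      (restore caller's EBP)

    def retn(self):
        self.eip = self.pop()       # retn pops the return address into EIP


def ida_name(offset):
    """Label an EBP-relative offset the way IDA does for an EBP-based frame:
    [ebp-N] is var_N and [ebp+8+N] is arg_N (N in hex)."""
    if offset < 0:
        return f"var_{-offset:X}"
    if offset == 0:
        return "saved EBP"
    if offset == WORD:
        return "return address"
    return f"arg_{offset - 8:X}"


def simulate_calc_call(args=(2, 3, 9), return_address=0x0040156C):
    """Run the full call sequence for calc(2, 3, 9) and report the frame."""
    st = X86Stack()
    esp_at_start = st.esp

    for value in reversed(args):    # parameters are pushed right to left
        st.push(value)
    esp_after_pushes = st.esp       # first parameter at ESP, next at ESP+4 ...

    st.call(target=0x00401000, return_address=return_address)  # constructed target
    st.prologue(frame_size=0x10)    # sub esp, 10h -> four 4-byte slots

    # Inside calc: read the arguments through EBP and keep the sum in a local.
    total = sum(st.mem[st.ebp + 8 + WORD * i] for i in range(len(args)))
    st.mem[st.ebp - 4] = total      # the local lives at [ebp-4], IDA's var_4

    layout = {ida_name(off): st.mem.get(st.ebp + off)
              for off in (-4, 0, 4, 8, 0xC, 0x10)}

    st.epilogue()
    st.retn()
    eip_after_retn = st.eip
    # Caller removes the parameters (cdecl: add esp, 0Ch). Not drawn in the
    # slides, but needed for ESP to return to where it started.
    st.esp += WORD * len(args)

    return {
        "push_delta": esp_after_pushes - esp_at_start,  # -4 per parameter
        "layout": layout,
        "eip_after_retn": eip_after_retn,
        "esp_restored": st.esp == esp_at_start,
    }


if __name__ == "__main__":
    for name, value in simulate_calc_call()["layout"].items():
        print(f"{name:>15}: {value:#010x}")
```

Running it prints the frame from var_4 up to arg_8, which is exactly the order of slots you see when IDA labels a function: locals at negative offsets from EBP, then the saved EBP, the return address, and the arguments starting at [ebp+8].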
IDA Notes
• IDA will try to recognise function variables and label them var_XXX.
Before After
IDA Notes
• User-defined functions are displayed in the Functions window in IDA.
• Library functions (DLL) are listed in the Imports view.
• Double-click on a function to navigate to its code.
IDA Notes
• Xrefs to functions: double-click on the function and then the third icon. A dialogue box shows the list of functions calling the function. Double-click on a reference to navigate to the code (the call instruction).