Scribd
Upload
8 views37 pages

Week 4 Lecture PART 2

Uploaded by

karish jey
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
8 views37 pages

Week 4 Lecture PART 2

Uploaded by

karish jey
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 37

Week 4 - Lecture (Part 2)

Malware Forensics
Lecture Topics
➢ Functions

➢ Stacks
– Stack Push and Pop operations
– ESP and EBP x86 registers
– PUSH and POP x86 instructions
– Stack Frames
➢ How functions use the stack
➢ Understanding functions for malware analysis
Functions Defined
➢Ablock of code of set of instructions that performs a
particular task.
➢ Functions are separate from the main or other code.
➢ Functions can be called multiple times from any part of a
program.
➢ The
code of the function is reusable which may save
memory and minimise the executable size.
Function Structure
Parameters (inputs)

int function1(int num1,int num2, int num3)


{ Local variables (temporary variables)
int result = 0;
result = num1 + num2 + num3;
return result;
}
Return Value (output)
Function Example
#include <stdio.h>

int calc(int a, int b) ;


int a = 2;
int main()
{
int sum = 0 ;
sum = calc(a, 3) ;
printf("Sum = %d\n", sum );
return 0 ;
}

int calc(int a, int b)


{
return a * b ;
}
Caller and Called Functions
int main(char* argv, int argc)
{
int n1,n2,n3,sum;
--------------------------- int function1(int num1,int num2,
--------------------------- int num3)
sum = function1(n1,n2,n3); {
--------------------------- int result = 0;
--------------------------- result = num1 + num2 + num3;
return 0; return result;
} }

Caller function Called function


- has call instruction in assembly: - has retn instruction in
call <address of the function> assembly
call Example
#include <stdio.h>

int calc(int a, int b) ;

int main()
{
int sum = 0 ;
sum = calc(2, 3) ;
printf("Sum = %d\n", sum );
return 0 ;
}

int calc(int a, int b)


{
return a * b ;
}

Compile Commands
gcc -m32 main.c
retn Example
#include <stdio.h>

int calc(int a, int b) ;

int main()
{
int sum = 0 ;
sum = calc(2, 3) ;
printf("Sum = %d\n", sum );
return 0 ;
}

int calc(int a, int b)


{
return a * b ;
}

Compile Commands
gcc -m32 main.c
Local and Global Variables (Functions)
➢ Global variables
– Are permanent variables and can be accessed from any
function.
– They are stored in the .data section of the executable
➢ Local variables
– Are temporary variables which can be accessed only within a
function.
– These are stored on the stack instead
Global Variable Example
#include <stdio.h>

int calc(int a, int b) ;

int a = 2;

int main()
{
int sum = 0 ;
sum = calc(a, 3) ;
printf("Sum = %d\n", sum );
return 0 ;
}

int calc(int a, int b)


{
return a * b ;
}
Stacks Defined
➢ A scratch pad for temporary storage.
– Just an area of memory – that’s all

➢ Often used for:


– Function variables
– Passing parameters to a function
– Return addresses (call puts return address on stack)

➢ Works in two ways (often at the same time)


– LIFO: push/pop
– Direct access: mov, etc
Stack Operations: Push and Pop
➢ Temporary memory storage, a
LIFO buffer
– Last in, first out
– Push adds to stack
– Pop takes last addition off stack
Stack Operations: Push and Pop
➢ So we could do:
– push eax
EBX
– push ebx
EAX EAX

– pop ebx
– pop eax EBX

EAX EAX
ESP Register (x86 Stack)
➢ ESP points to top of stack (last thing to go onto stack)
Lower
➢ It decreases by four bytes when we push an item Addresses

– -4 decimal or -0x04 in hex


➢ So:
– push foo
● ESP = 0x9090ABCC and[ESP]=”foo”
ESP 0xDEADBEEF -4
– push 0xDEADBEEF 0x9090ABC8
foo
● ESP = 0x9090ABC8 (-4) and [ESP]=0xDEADBEET 0x9090ABCC

Important: Stack grows towards


Higher
lower memory addresses Addresses
push and pop Instructions (x86 Stack)
➢ push instruction adds the specified register data to the
stack and decreases the ESP value (memory address)
by four bytes or by the size of pushed value.
– push EAX
● Adds the value in EAX to the stack
– adds a memory address if EAX contains one, or actual data
● ESP = ESP - 0x04
push and pop Instructions (x86 Stack)
➢ pop operation removes the data from
top of the stack (where ESP’s value) EAX=0xDEADBEEF
Lower
and assigns to the register (memory Addresses
address or data) and increases the
ESP value (memory address) by four
bytes or by the size of pushed value. 0xDEADBEEF +4
0x9090ABC8
– pop EAX ESP foo
0x9090ABCC
● Removes the value at ESP and puts it in
EAX
– Can be a memory address if [ESP] contains Higher
one, or actual data Addresses
● ESP = ESP + 0x04
Calling Functions
Stack Frames - Functions
• As well as the stack there is a concept
called a “stack frame” for functions.
• In C programs, the compiler creates Lower
Addresses
stack frames for functions.
• A stack frame is: simply part of the main ESP 2 -8
stack a function has exclusive use of 5 -4

e.g., to store local variables EBP 9
• ESP is used together with another
register EBP to form the frame
Higher
• Used when the function is called Addresses
Calling Functions
• When a function is called, a new stack frame is created at the current
ESP location.
Function entry sequence:
1) call function -Add the return address (next instruction after
call) to stack, de-increments ESP
2) push ebp -Push the current EBP value (memory address) onto
the stack

This will decrease ESP by 4 bytes
3) mov ebp, esp -Set EBP to the value of ESP

They now point to the same memory address
4) sub esp, X -Subtract some value from ESP to create the stack
frame
Calling Functions
call function -Add the return address (next instruction after
call) to stack

Lower Lower
Addresses Addresses

ESP 0x0040156c -4

ESP

Higher Higher
Addresses Addresses
BEFORE AFTER
Calling Functions
push ebp -Push the current EBP value (memory address) onto the
stack

Lower Lower
Addresses Addresses

EBP ADDRESS (OLD)


ESP -4
ESP 0x0040156c 0x0040156c

Higher Higher
Addresses Addresses

BEFORE AFTER
Calling Functions
mov ebp, esp -Set EBP to the value of ESP

Lower
Addresses

EBP ADDRESS (OLD)


EBP ESP
0x0040156c

Higher
Addresses

AFTER
Calling Functions
sub esp, X -Subtract some value from ESP to create the stack frame
Lower
Addresses

ESP -4

-4

-4
-4
10h = 0x10 = 16
4 memory locations EBP EBP ADDRESS (OLD)

0x0040156c

Higher
Addresses
Calling Functions
Lower
Addresses

ESP

Final function stack frame


Can be used for local
variables, etc EBP EBP ADDRESS (OLD)

0x0040156c

Higher
Addresses
Calling Functions

Do body of the function


using the stack
Calling Functions
Exit Sequence:
1) Return the value in EAX
2) Remove space for local variables, by reverting ESP to its old value.
● mov esp, ebp

3) Restore the old value of EBP to its old value, which ESP now points
to
● pop ebp

4) Return to the calling function with a retn instruction. It pops the


return address off stack into the EIP register (instruction pointer
register) and ESP de-increments by 4 bytes
● retn
Calling Functions
Remove space for local variables, by reverting ESP to its old value.
● mov esp, ebp
Lower
Lower Addresses
Addresses

ESP

EBP ADDRESS (OLD)


EBP ADDRESS (OLD)
ESP EBP
EBP
0x0040156c
0x0040156c

Higher
BEFORE Higher AFTER Addresses
Addresses
Calling Functions
Restore the old value of EBP to its old value
● pop ebp ESP now points
Lower Lower to return address,
Addresses Addresses next instruction
after the call
function

EBP=
EBP ADDRESS (OLD)

EBP ADDRESS (OLD)


ESP EBP
0x0040156c ESP 0x0040156c +4

Higher Higher
BEFORE Addresses AFTER Addresses
Calling Functions
Return to the calling function with a retn instruction. It pops the return
address off stack into the EIP register (instruction pointer register) i.e., ESP
de-increments by 4 bytes
● retn EIP now holds
the next
instruction after
the call
function

EIP = 0040156c

0x0040156c
ESP 0x0040156c
ESP +4

Higher
Higher AFTER Addresses
BEFORE Addresses
Calling Functions (With Parameters)

Parameters are added to the stack before the stack frame is set up and
the function is called

From right to left in Windows EXE’s from parameter list
● Added below current ESP (higher addresses)

● ESP doesn’t move! No pop instructions

int n1, n2, n3 ;


n1 = 2 ;
n2 = 3 ;
n3 = 9 ;

int res = 0 ;

res = function1( n1, n2, n3 );

n3 is added, then n2, then n1


Calling Functions (With Parameters)

Lower
Addresses

ESP 2
3 ESP +4

9 ESP +8 (4+4)
Calling Functions (With Parameters)

Then proceeds calling function and setting up stack frame (previous slides)
Lower
Addresses Lower
Addresses

ESP

EBP ADDRESS (OLD)

EBP 0x0040156c

ESP 2 2
3 3

9 9

BEFORE AFTER
IDA Notes
• IDA will try to recognise function variables and label them
var_XXX.

int function1( int num1, int num2, int num3 )


{
int result = 0 ;
result = num1 + num2 + num3 ;
return result ;
}

int result = 0 is mapped to var_4


IDA Notes
• IDA will try to recognise parameters to a function and label
them arg_XXX

int function1( int num1, int num2, int num3 )


{
int result = 0 ;
result = num1 + num2 + num3 ;
return result ;
}

num1, num2 and num3 is mapped to arg_0,


arg_4, arg_8
IDA Notes
• Possible to rename by right click and selecting Rename

Before After
IDA Notes
• User defined functions are displayed in Functions window in IDA.
• Library functions(DLL) are listed in the imports view.
• Double click on the function to navigate to its code.
IDA Notes
• Xrefs to functions: Double click on the function and third icon. A dialogue box
shows the list of functions calling the function. Double click on the reference to
navigate to the code (the call instruction).

You might also like