Week 4 Lecture PART 1

Uploaded by

karish jey

Week 4 - Lecture (Part 1)

Malware Forensics
C Language
Basic C Program Structure
// Library imports
#include <stdio.h>

// Global variables and function defs.

// main function, where the program starts and runs from
int main() {
    // Add functionality, e.g., printf
    printf("Hello World\n");
    return 0;
}

// Function definitions go below main()

// is used for one line comments in C


C Setup and Compiling (Linux)
● sudo apt-get install gcc-multilib gdb
● vim main.c (enter program)
● gcc -m32 -g main.c
● gdb -q ./a.out
● disassemble /m main
● q (to quit gdb)

Can also disassemble in IDA


C Setup and Compiling (Windows MingW32)

● Install MingW32
● vim main.c (enter program)
● gcc -m32 -g main.c (compile w/ debug)
● gdb -q .\a.exe (debug)
● disassemble /m main (disassemble)
● q (to quit gdb)

Can also disassemble in IDA


GDB and IDA Both Display Assembly

The annotation of the disassembly is slightly different in IDA, though


Basic C Types
● char – holds characters, 1 byte
● int – holds integers, 4 bytes
● float – holds floating point (decimal), 4 bytes

● Various other types depending on C specification and type specifiers (short, long, etc.) - these are not needed here (see recommended book, if you’re interested).
Basic C Variables
● Variables have two pieces to them
− A value
− Their memory address

● We can access the address with the “address-of” operator, also called the reference operator
− &
− Goes in front of the variable
Basic C Variables
#include <stdio.h>

int main() {
    int mark = 52;
    printf("Value: %d\n", mark);
    printf("Address: %p\n", &mark);

    return 0;
}
Basic C Output
● printf(...) - print formatted string
● Simple template language, which allows variables to be copied into the output stream
Basic C Input
● scanf(...) - scan formatted string
● Simple template language, which allows variables to be filled from the input stream
● Use & in front of variables
#include <stdio.h>
int main()
{
    int n;
    scanf("%d", &n);
    printf("%d\n", n);
    return 0;
}
Basic C Input
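#include <stdio.h>
int main()
{
    int n;
    scanf("%d", &n);
    printf("%d\n", n);
    char str[50];
    // An array name already refers to its first element, so no & here;
    // the width 49 leaves room for the terminating '\0' in str[50]
    scanf("%49s", str);
    printf("%s\n", str);
    return 0;
}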
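Added example (not part of the original slides): the program above reads a word into a 50-byte array, so the read has to be bounded and its result checked. It uses sscanf on constructed input lines so it runs without typing anything; parse_int_and_word and WORD_CAP are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WORD_CAP 50  /* same size as str[50] in the slide (name is hypothetical) */

/* Hypothetical helper: parse "<int> <word>" from one input line.
 * Returns 0 on success, -1 if the integer is missing or malformed,
 * -2 if the word is missing, -3 if the word did not fit and was cut. */
int parse_int_and_word(const char *line, int *n, char word[WORD_CAP])
{
    int used = 0;
    word[0] = '\0';
    /* %49s stores at most 49 characters plus the terminating '\0';
     * %n records how many input characters were consumed so far. */
    int got = sscanf(line, "%d %49s%n", n, word, &used);
    if (got < 1)
        return -1;
    if (got < 2)
        return -2;
    /* A non-blank character right after the stored word means the
     * input word was longer than the buffer allows. */
    if (line[used] != '\0' && !isspace((unsigned char)line[used]))
        return -3;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: normal, oversized word, bad integer, no word. */
    char oversized[100] = "7 ";
    memset(oversized + 2, 'A', 80);   /* 80-character word; rest of array is '\0' */
    const char *samples[] = { "52 hello\n", oversized, "abc def\n", "9\n" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = 0;
        char word[WORD_CAP];
        int rc = parse_int_and_word(samples[i], &n, word);
        printf("rc=%d n=%d word_len=%zu\n", rc, n, strlen(word));
    }
    return 0;
}
```

Compile it the same way as the other programs (gcc -m32 -g) and compare the disassembly of the bounded call with the unbounded "%s" form.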
Conditionals in C
> greater than: 5 > 4 is TRUE

< less than: 4 < 5 is TRUE

>= greater than or equal: 4 >= 4 is TRUE

<= less than or equal: 3 <= 4 is TRUE

== equal to: 5 == 5 is TRUE (one = symbol is assignment)

!= not equal to: 5 != 4 is TRUE
if-elseif-else in C
if ( TRUE ) {
    /* Execute these statements if TRUE */
}
else {
    /* Execute these statements if FALSE */
}

if ( TRUE ) {
    /* Execute these statements if TRUE */
}
else if ( TRUE ) {
    /* Execute these statements if TRUE and the "if" above is not TRUE */
}
else {
    /* Executed if no other statement is TRUE */
}
if-elseif-else in C
#include <stdio.h>
int main()
{
    int i = 0;
    scanf("%d", &i);
    if (i == 10) {
        printf("i equals 10\n");
    }
    else if (i == 20) {
        printf("i equals 20\n");
    }
    else {
        printf("Something else\n");
    }
    return 0;
}
for in C
for (initializationStatement; testExpression; updateStatement)
{
    // statements inside the body of loop
}

- The initialization statement is executed only once.
- Then the test expression is evaluated. If it evaluates to false, the for loop is terminated.
- If it evaluates to true, the statements inside the body of the for loop are executed, and then the update statement is executed.
- The test expression is then evaluated again.

int sum = 1;
for (int i = 0; i < 5; i = i + 1) {
    sum = 1 + sum * i;
}
printf("sum = %d", sum);
for in C
#include <stdio.h>
int main()
{
    int sum = 1;
    for (int i = 0; i < 5; i = i + 1) {
        sum = 1 + sum * i;
    }
    printf("sum = %d", sum);

    return 0;
}
Arrays in C

dataType arrayName[arraySize];
int mark[5];
int mark[5] = {19, 10, 8, 17, 9};
int mark[] = {19, 10, 8, 17, 9};
Arrays I/O in C
#include <stdio.h>
int main() {
    int values[5];
    // taking input and storing it in an array
    for (int i = 0; i < 5; i++) {
        scanf("%d", &values[i]);
    }
    printf("\n");
    // printing elements of an array
    for (int i = 0; i < 5; i++) {
        printf("%d\n", values[i]);
    }

    return 0;
}
