Recognizing Code in Assembly Language

Recognizing Code in Assembly Language

Notice that x is changed in memory when eax is moved into dword_40CF60

Disassembling Arithmetic Operations

int a = 0; 
int b = 1;
a = a + 11;
a = a - b; 
a--;
b++;
b = a % 3;

This can be broken down and translated back to C

Recognizing if Statements

Recognizing nested if statements

Recognizing Loops

  • The for loop can be recognized by locating the four components

    • Initialization

    • Comparison

    • Execution instructions

    • Increment/decrement

Finding while loops

Understanding Function Call Conventions

  • The calling convention used depends on the compiler

  • Three most common calling conventions

    • cdecl

      • parameters are pushed onto the stack from right to left

      • caller cleans up the stack when the function is complete

      • return value is stored in EAX

  • stdcall

    • requires the callee to clean up the stack when the function is complete

    • function called would be responsible for cleaning up the stack

    • standard calling convention for the Windows API

    • Any code calling these functions will not need to clean up the stack, that responsibility falls to the DLLs that implement the code for the API function

  • fastcall

    • first few arguments are passed in registers with the most commonly used registers being EDX and ECX

    • the calling function is usually responsible for cleaning up the stack

    • more efficient because the code doesn't need to involve the stack as much

  • Push vs. Move

    • adder function adds two arguments and returns the result

    • main function calls adder and prints the result using printf

Analyzing switch statements

  • Compiled in two common ways

    • using the if style

    • using jump tables

  • A compiled switch statement looks like a group of if statements

  • There may be multiple ways to represent the same code constructs in assembly

Using a jump table

  • defines offsets to additional memory locations

  • switch variable is used as an index into the jump table

Disassembling Arrays

  • Used by programmer to define an ordered set of similar data items

  • Malware sometimes uses array of pointers to strings that contain multiple hostname that are used as options for connections

  • In assembly, arrays are accessed using a base address as a starting point

  • ecx is used as the index, which is multiplied by 4 to account for the size of the elements

  • The resulting value is added to the base address of the array to access the proper array element

Identifying Structs

  • Similar to arrays

  • Comprise elements of different types

  • Commonly used by malware authors to group information

  • Accessed with a base address used as a starting pointer

Analyzing Linked List Traversal

  • Linked list

    • A data structure that consists of a sequence of data records

    • Each record includes a field that contains a reference (link) to the next record in the sequence

    • Benefits over arrays - order of linked items can be different from the order in which data items are stored in memory or disk

    • To recognize a linked list, you have to recognize that some object contains a pointer that points to another of the same type

  • To recognize a linked list - you have to first recognize that some object contains a pointer that points to another object of the same type

PreviousCrash Course in x86 DisassemblyNextDynamic Analysis

Last updated