Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CNIT 126: 6: Recognizing C Code Constructs in Assembly

195 views

Published on

Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.

Instructor: Sam Bowne

Class website: https://samsclass.info/126/126_F18.shtml

Published in: Education
  • Be the first to comment

  • Be the first to like this

CNIT 126: 6: Recognizing C Code Constructs in Assembly

  1. 1. Practical Malware Analysis Ch 6: Recognizing C Constructs in Assembly Updated 10-2-18
  2. 2. Function Call
  3. 3. Finding the Code in IDA Pro • IDA shows only the entry point
  4. 4. Use Strings, then XREF
  5. 5. Disassembly in IDA Pro • Arguments for printf() function • Pushed onto stack • Reverse order • call launches function
  6. 6. Global vs. Local Variables • Global variables – Available to any function in the program – Stored outside all functions • Local variables – Defined in a function and only available to that function – Stored on the stack
  7. 7. Global vs. Local Variables
  8. 8. Arithmetic Operations
  9. 9. Branching (if)
  10. 10. Finding for Loops • Four components • Initialization: i starts at 0 • Comparison: is i<100 ? • Execution: printf • Increment/decrement: i++
  11. 11. Arrays
  12. 12. Summary • Finding the Code – Strings, then XREF • Function Call – Arguments pushed onto stack – Reverse order – call • Variables – Global: in memory, available to all functions – Local: on stack, only available to one function
  13. 13. Summary • Arithmetic – Move variables into registers – Perform arithmetic (add, sub, idiv, etc.) – Move results back into variables • Branching – Compare (cmp, test, etc.) – Conditional jump (jz, jnz, etc.) – Red arrow if false, green arrow if true

×