Recognizing C Code Constructs in Assembly
Uploaded by eric-nicholson
Assembly Language Fundamentals Part II
Windows Memory Forensics: Address Space Layout Details
Dynamic DLLs. This area represents shared libraries (DLLs). These libraries are loaded into the address space. This can be intentional by the process or forcefully through injection.
Environment Variables. Stores the process' environment variables. This is where the executable path, temporary directories, home folders, etc. are found.
Process Environment Block. An extremely useful structure: the data it holds tells us where to find several of the other items in this memory layout, such as DLLs, heaps and environment variables.
Process Heap. The place where the majority of the process input received is found. Examples:
Variable-length text (email, Word doc, etc.)
Data travelling over the network (SSL, TLS)
In other words, the data seen in tools like Wireshark, Office, Outlook email, IM, Snapchat, ICQ, all the web browsers (FF, Chrome, IE, Opera).
Thread Stacks. Each thread has a dedicated range of process memory within the parent process' runtime stack. The call history is found here. For example:
Function parameters
Local variables
Return addresses
Mapped Files and Application Data. The content in this address space depends on the process. Mapped files are files on disk:
Configuration files
Resource files
Registry
Executable. The process executable contains the body of code and the read/write variables for the application. Note: this data may be compressed or encrypted. Once loaded into memory it unpacks itself, which allows the plain-text code to be dumped back to disk.
Windows Memory Forensics: Global versus Local Variables
Global variable X
X is changed in memory when EAX is moved into dword_40CF60.
EBP-4 is the offset for the local variable X in memory.
EBP-4 is used throughout this function to reference X.
This pattern matches what we expect for a stack-based local variable, which is only referenced inside a function.
Windows Memory Forensics: Conditionals – If Statements
Example 1: C if statement
Notice the jump command JNZ at 2.
The decision to jump is made based on the compare command at 1.
The C code makes the two variables unequal. No jump to loc_40102B.
Instead, it completes the instructions until the JMP command at 3, bypassing the remaining commands.
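As an added example (not part of the slide deck), the following Python script applies both recognition heuristics from these slides to an IDA-style listing: memory operands IDA names dword_XXXXXX are globals at absolute addresses, [ebp-N] operands are stack locals, and a CMP followed by a conditional jump whose target block is preceded by an unconditional JMP is the compiled if/else skeleton. The listing, its addresses and its loc_ labels are constructed for illustration; only the name dword_40CF60 echoes the slides.

```python
import re
# Constructed IDA-style listing used as sample input (not a slide from the deck).
LISTING = """\
00401000 push    ebp
00401001 mov     ebp, esp
00401003 push    ecx
00401004 mov     dword_40CF60, 1
0040100E mov     dword ptr [ebp-4], 2
00401015 mov     eax, [ebp-4]
00401018 cmp     eax, dword_40CF60
0040101E jnz     short loc_401029
00401020 mov     dword ptr [ebp-4], 3
00401027 jmp     short loc_401030
00401029 mov     dword ptr [ebp-4], 4
00401030 leave
00401031 retn
"""
GLOBAL_RE = re.compile(r"\b(?:dword|word|byte)_[0-9A-Fa-f]+\b")  # IDA name for an absolute address
EBP_RE = re.compile(r"\[ebp([+-])([0-9A-Fa-f]+h?)\]", re.I)     # frame-relative: -N local, +N argument

def parse(listing):
    """Return (address, mnemonic, operands) per line; addresses carry no segment prefix."""
    rows = [(line.split(None, 2) + [""])[:3] for line in listing.splitlines()]
    return [(int(addr, 16), mnem.lower(), ops) for addr, mnem, ops in rows]

def classify_variables(listing):
    """Tag each memory operand as global (absolute address), local or arg (EBP offset)."""
    kinds = {}
    for _, _, ops in parse(listing):
        for name in GLOBAL_RE.findall(ops):
            kinds[name] = "global"
        for sign, off in EBP_RE.findall(ops):
            kinds["[ebp%s%s]" % (sign, off)] = "local" if sign == "-" else "arg"
    return kinds

def find_if_else(listing):
    """Find the cmp -> jcc -> ... -> jmp skeleton of a compiled if/else, or None."""
    insns = parse(listing)
    for i, (addr, mnem, _) in enumerate(insns[:-1]):
        _, jcc, jcc_ops = insns[i + 1]
        if mnem not in ("cmp", "test") or not jcc.startswith("j") or jcc == "jmp":
            continue
        else_label = jcc_ops.split()[-1]                    # jcc target is the else block
        else_addr = int(else_label.rsplit("_", 1)[-1], 16)
        for addr2, mnem2, ops2 in insns[i + 2:]:
            if addr2 >= else_addr:
                break                                       # reached else without a jmp: plain if
            if mnem2 == "jmp":                              # skips the else block to the join point
                return {"cmp": addr, "jcc": jcc, "else": else_label, "join": ops2.split()[-1]}
    return None
```

A plain `if` without an `else` has no JMP before the jump target, so `find_if_else` returns None for it; run `classify_variables(LISTING)` and `find_if_else(LISTING)` to see the tags and the skeleton for the sample.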
Questions?