Recognizing C Code Constructs in Assembly
Assembly Language Fundamentals Part II
Windows Memory Forensics
Address Space Layout Details
Dynamic DLLs. This area represents shared libraries (DLLs). These libraries are loaded into the address space. This can be intentional by the process or forcefully through injection.
Environment Variables. Stores the process' environment variables here. This is where the executable path, temporary directories, home folders, etc. are stored.
Process Environment Block. An extremely useful structure: the data it displays tells us where to find several of the other items on the memory stack, such as DLLs, heaps and environment variables.
Process Heap. The place where the majority of the process input received is found. Examples: variable-length text (email, Word doc, etc.) and data travelling over the network (SSL, TLS). In other words, the data seen in tools like Wireshark, Office, Outlook email, IM, Snapchat, ICQ, and all the web browsers (FF, Chrome, IE, Opera).
Thread Stacks. Each thread has a dedicated range of memory within the parent process' runtime stack. The call history is found here, for example: function parameters, local variables, return addresses.
Mapped Files and Application Data: The content in this address space depends on the process. Mapped files are files on disk: configuration files, resource files, registry.
Executable: The process executable contains the body of code and read/write variables for the application. Note: this data may be compressed or encrypted. Once loaded into memory, it unpacks itself, and allows for plain text code to be dumped back to disk.
Global versus Local Variables
Global variable X: X is changed in memory when EAX is moved into dword_40CF60.
Local variable X: EBP-4 is the offset for the local variable X in memory, and EBP-4 is used throughout this function to reference X. This pattern matches what we expect for a stack-based local variable, which is only referenced inside the function.
Conditionals – If Statements
Example 1: C if statement
Notice the jump command JNZ at 2. The decision to jump is made based on the compare command at 1. The C code makes the two variables unequal. No jump to loc_40102B. Instead, it completes the instructions until the JMP command at 3, bypassing the remaining commands.
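As an added example (not from the original slides), the C source below produces the patterns described in both the "Global versus Local Variables" and the "Conditionals – If Statements" sections when built unoptimised for 32-bit x86 (for example MSVC /Od or gcc -O0): a global stored to a fixed address, a local addressed through EBP-4, and an if/else compiled to a CMP, a conditional jump and a JMP. The assembly in the comments is the general shape a compiler emits; dword_40CF60 and loc_40102B are the slides' labels, the remaining label and register choices are assumptions, and real output varies by compiler.

```c
#include <stdio.h>

/* A global lives at a fixed address in the image's data section.  Every
 * access is an absolute-address operand, e.g.  mov dword_40CF60, eax
 * (the address dword_40CF60 is the one from the slides; assumed here). */
int global_x = 0;

/* Writes the global.  Expected unoptimised disassembly pattern:
 *     mov eax, [ebp+8]          ; load the parameter
 *     add eax, 1
 *     mov dword_40CF60, eax     ; store to the fixed address of global_x
 * Any function in the program can reference the same address. */
int set_global(int value)
{
    global_x = value + 1;
    return global_x;
}

/* A local lives in this function's stack frame.  Expected pattern:
 *     mov eax, [ebp+8]
 *     mov [ebp-4], eax          ; local_x is the slot at EBP-4
 *     mov eax, [ebp-4]          ; every later use goes through EBP-4 again
 *     shl eax, 1
 *     mov [ebp-4], eax
 * The slot only means something while this frame is live; no other
 * function references EBP-4 of this frame. */
int set_local(int value)
{
    int local_x = value;
    local_x = local_x * 2;
    return local_x;
}

/* if/else.  Expected pattern (numbers follow the slides' Example 1):
 *     mov eax, [ebp+8]
 *     cmp eax, [ebp+0Ch]        ; (1) compare the two variables
 *     jnz loc_40102B            ; (2) not equal -> skip the if-body
 *     mov dword ptr [ebp-4], 1  ;     if-body, reached by fall-through
 *     jmp loc_end               ; (3) bypass the else-body (label assumed)
 * loc_40102B:
 *     mov dword ptr [ebp-4], 2  ;     else-body
 * loc_end:
 *     mov eax, [ebp-4]          ; load result for return
 */
int compare_values(int a, int b)
{
    int result;
    if (a == b) {
        result = 1;
    } else {
        result = 2;
    }
    return result;
}

int main(void)
{
    /* Constructed inputs exercising each construct. */
    printf("set_global(5)        = %d\n", set_global(5));
    printf("set_local(5)         = %d\n", set_local(5));
    printf("compare_values(3, 3) = %d\n", compare_values(3, 3));
    printf("compare_values(3, 4) = %d\n", compare_values(3, 4));
    return 0;
}
```

Compile with optimisation off and open the result in a disassembler; with optimisation on, the local is usually kept in a register and the EBP-4 slot disappears, which is why the slides' pattern is only reliable for unoptimised builds.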
Questions?