ARRAYS

Arrays are used by programmers to define an ordered set of similar data items, stored contiguously in memory. Malware sometimes uses an array of pointers to strings, each holding a hostname, as a list of alternative servers to try when making connections; recognising the array access pattern in the disassembly is what lets you find that list and its length.

EXAMPLE 1:

EXAMPLE 2:

#C CODE SNIPPET
int b[5] = {123,87,487,7,978};   /* global array: placed at a fixed address (dword_40A000 below) */

int main(void)
{
   int i;
   int a[5];                     /* local array: placed on the stack (ebp+var_14 below) */

   for(i = 0; i<5; i++)
   {
      a[i] = i;                  /* stack array: [ebp+ecx*4+var_14] */
      b[i] = i;                  /* global array: dword_40A000[ecx*4] */
   }
   return 0;
}

#ASSEMBLY CODE SNIPPET
00401006        mov     [ebp+var_18], 0
0040100D        jmp     short loc_401018
0040100F loc_40100F:
0040100F        mov     eax, [ebp+var_18]
00401012        add     eax, 1
00401015        mov     [ebp+var_18], eax
00401018 loc_401018:
00401018        cmp     [ebp+var_18], 5
0040101C        jge     short loc_401037
0040101E        mov     ecx, [ebp+var_18]
00401021        mov     edx, [ebp+var_18]
00401024        mov     [ebp+ecx*4+var_14], edx ❶
00401028        mov     eax, [ebp+var_18]
0040102B        mov     ecx, [ebp+var_18]
0040102E        mov     dword_40A000[ecx*4], eax ❷
00401035        jmp     short loc_40100F

 * in assembly, arrays are accessed as a base address plus index * element size
    - the element size is the scale factor in the addressing mode: ecx*4 means 4-byte elements, i.e. int (or 32-bit pointers) here
    - the number of elements is not stored anywhere, but can usually be recovered from how the array is indexed: the counter in var_18 starts at 0 and the loop exits on cmp [ebp+var_18], 5 / jge, so there are 5 elements
    - 5 elements * 4 bytes = 0x14 bytes, which is why the local array sits at var_14 (20 bytes below ebp) with the loop counter i just below it at var_18

 * dword_40A000 corresponds to array b, marked by ❷: b is global, so its base is a fixed address in the data section and the scaled index is applied directly to that address
 * var_14 corresponds to array a, marked by ❶: a is local, so its base is ebp+var_14 and the scaled index is added on top of the frame pointer
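Added example, not from the original page or the book it summarises: the hostname-array pattern described above written as C, with the same access spelled out as base + index * element size (the arithmetic the `ecx*4` addressing mode performs), and a helper that derives the array's byte size from the loop's compare immediate and the scale factor the way you would when reading the listing. The hostnames are constructed sample data, and the function names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample data (not from any real sample): a global array of
 * pointers to hostname strings. Because it is global, the compiler places it
 * at a fixed address in the data section and the disassembly indexes it as
 *   mov eax, ptr_array[ecx*4]      (x86)   or   [rcx*8] on x64. */
static const char *const kHosts[] = {
    "alpha.example.test",
    "beta.example.test",
    "gamma.example.test",
};
#define HOST_COUNT (sizeof(kHosts) / sizeof(kHosts[0]))

/* Pick the hostname for the n-th connection attempt, wrapping around so the
 * code cycles through the list. HOST_COUNT is the same bound that shows up
 * in the disassembly as the immediate of the loop's cmp. */
const char *pick_host(unsigned attempt)
{
    return kHosts[attempt % HOST_COUNT];
}

/* The same element fetch written the way the CPU computes it:
 *   element address = base + index * element_size
 * The compiler folds element_size into the addressing-mode scale, which is
 * how an analyst recovers the element size from a listing. */
const char *host_by_arith(unsigned index)
{
    if (index >= HOST_COUNT)
        return NULL;                          /* mirrors the jge loop exit */
    uintptr_t base = (uintptr_t)kHosts;
    uintptr_t elem = base + (uintptr_t)index * sizeof(kHosts[0]);
    return *(const char *const *)elem;
}

/* Recover the array's footprint from two facts visible in the listing: the
 * loop bound (cmp [ebp+var_18], 5) and the scale (ecx*4).
 * 5 * 4 = 20 = 0x14, which is exactly the var_14 offset of the local array. */
size_t array_bytes_from_listing(unsigned cmp_immediate, unsigned scale)
{
    return (size_t)cmp_immediate * scale;
}

int main(void)
{
    unsigned i;
    for (i = 0; i < 2 * HOST_COUNT; i++)      /* walks the list twice */
        printf("attempt %u -> %s\n", i, pick_host(i));
    printf("array a in the listing occupies %zu bytes\n",
           array_bytes_from_listing(5, 4));
    return 0;
}
```

The wrap-around in pick_host is the usual shape for a fallback-server list; when you see a modulo or a counter reset before the indexed load, the cmp immediate (or the divisor) is the number of hostnames to extract.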

Last updated