STRUCTS

structures (structs) are similar to arrays, but they comprise elements of different types. malware authors commonly use them to group related information.

#C CODE SNIPPET
/*
 * Example record type used throughout this page. Its compiled layout, as
 * recovered from the disassembly of test() below, is:
 *   x  at offset 0x00  (5 * 4 bytes, written at [ecx+eax*4])
 *   y  at offset 0x14  (1 byte, written at [eax+14h]; 0x15-0x17 are padding)
 *   z  at offset 0x18  (8 bytes, written as a qword at [ecx+18h])
 *   total size 0x20, which is the value main() pushes to malloc.
 */
struct my_structure { ❶
     int x[5];          /* filled with x[i] = i by test() */
     char y;            /* set to 'a' (0x61) by test() */
     double z;          /* set to 15.6 by test() */
};

/* Global pointer to the heap-allocated structure; the compiled binary keeps it at dword_40EA30. */
struct my_structure *gms; ❷

/*
 * test: populate every member of the structure that q points to.
 *   q->y = 'a', q->z = 15.6, q->x[idx] = idx for idx in 0..4.
 * q is dereferenced unconditionally, so the caller must pass a valid pointer.
 */
void test(struct my_structure *q)
{
     int idx;
     q->y = 'a';
     q->z = 15.6;
     idx = 0;
     while (idx < 5) {
           q->x[idx] = idx;
           idx++;
     }
}

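/*
 * main: allocate one my_structure on the heap, fill it via test(), return 0.
 *
 * Changes relative to the original snippet:
 *   - int main(void) instead of void main(): the compiled code already
 *     returns 0 in eax (xor eax, eax before retn in the listing below).
 *   - the malloc result is checked before it is handed to test(), which
 *     dereferences it unconditionally; a failed allocation would otherwise
 *     crash on a null pointer.
 */
int main(void)
{
     gms = (struct my_structure *) malloc(sizeof(struct my_structure));
     if (!gms) {
           return 1;            /* allocation failed; nothing to fill */
     }
     test(gms);
     return 0;
}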

 * the snippet marked (1) is where the struct type is defined
 * the snippet marked (2) declares a global pointer (gms) to that struct

#ASSEMBLY CODE SNIPPET (MAIN) FUNCTION
; main (x86-32): allocates the structure on the heap, stores the returned
; pointer in the global gms (dword_40EA30) and passes it to test (sub_401000).
00401050        push    ebp                     ; frame setup
00401051        mov     ebp, esp
00401053        push    20h                     ; sizeof(struct my_structure) = 0x20 (32 bytes)
00401055        call    malloc
0040105A        add     esp, 4                  ; caller removes the 4-byte argument (cdecl-style)
0040105D        mov     dword_40EA30, eax       ; gms = returned pointer (global at 0x40EA30)
00401062        mov     eax, dword_40EA30       ; eax = gms; NOTE: never checked for NULL before use
00401067        push    eax ❶                   ; argument q for test(): base address of the struct
00401068        call    sub_401000              ; test(gms)
0040106D        add     esp, 4                  ; discard the argument
00401070        xor     eax, eax                ; return value 0
00401072        pop     ebp
00401073        retn

 * similar to arrays, a struct is accessed through a base address used as a starting pointer, with each member reached at a fixed offset from it
    - it is difficult to determine whether nearby data types are part of the same struct or whether they just happen to be next to each other
    - depending on the structure's context, an analyst's ability to identify a structure can have a significant impact on their ability to analyze malware.
    
 * this example shows the disassembly of the main function. since gms is a global pointer variable,
   it lives at the fixed memory location dword_40EA30. the structure's base address (the pointer malloc returned) is loaded from there into eax and passed to the sub_401000 (test) function via the push eax at (1)

#ASSEMBLY CODE SNIPPET (TEST) FUNCTION
; test (sub_401000): fills the structure whose base address is arg_0.
;   arg_0 = q (struct my_structure *), var_4 = loop counter i
;   member offsets: x[] at +0 (stride 4), y at +14h, z at +18h
00401000        push    ebp
00401001        mov     ebp, esp
00401003        push    ecx                     ; only reserves the 4-byte slot used as var_4 (i); ecx's value is never read back
00401004        mov     eax,[ebp+arg_0]         ; eax = q
00401007        mov     byte ptr [eax+14h], 61h ; q->y = 'a' (0x61)
0040100B        mov     ecx, [ebp+arg_0]        ; ecx = q
0040100E        fld     ds:dbl_40B120 ❶         ; push the double constant (15.6 in the C source) onto the x87 stack
00401014        fstp    qword ptr [ecx+18h]     ; q->z = that value (8-byte store at offset 0x18)
00401017        mov     [ebp+var_4], 0          ; i = 0
0040101E        jmp     short loc_401029        ; enter the loop at its condition check
00401020 loc_401020:                            ; loop increment: i++
00401020        mov     edx,[ebp+var_4]
00401023        add     edx, 1
00401026        mov     [ebp+var_4], edx
00401029 loc_401029:                            ; loop condition
00401029        cmp     [ebp+var_4], 5
0040102D        jge     short loc_40103D        ; signed compare: leave the loop when i >= 5
0040102F        mov     eax,[ebp+var_4]         ; eax = i (array index)
00401032        mov     ecx,[ebp+arg_0]         ; ecx = q
00401035        mov     edx,[ebp+var_4]         ; edx = i (value to store)
00401038        mov     [ecx+eax*4],edx ❷       ; q->x[i] = i; scale 4 = sizeof(int), x[] starts at offset 0
0040103B        jmp     short loc_401020
0040103D loc_40103D:
0040103D        mov     esp, ebp                ; release var_4
0040103F        pop     ebp
00401040        retn
   
 * arg_0 is the base address of the structure. offset 0x14 stores the character within the struct, and 0x61 is the ASCII code for the letter a. the fld/fstp pair at (1) loads a double constant and stores it at offset 0x18 (z); the mov at (2) writes x[i] starting at offset 0 with a scale of 4, the size of an int
