Chapter 4 Notes

to accompany Sikorski and Honig, Practical Malware Analysis, no starch press

A Crash Course in X86 Disassembly

Additional material drawn from X86 Disassembly, available at Wikibooks.

The malware analyst rarely has access to source code, and even commented assembly is easier to understand than the raw binary such analysts typically get.

Fortunately, some good disassemblers (such as IDA Pro) are available, and will be discussed very soon.

x86 Architecture

• ordinary Von Neumann architecture, CPU, registers, ALU, etc.
• memory is organized as follows, from low addresses to high:
  • Stack, for local variables and parameter passing
  • Heap, for dynamic storage during program execution, e.g. malloc and free in C
  • Code, for machine instructions
  • Data, for static data (that is, data that is allocated at load time)
• registers, as follows:
  • four sets of general registers, EAX, EBX, ECX and EDX, with their half-word and byte counterparts
    • so AL refers to the lower eight bits, AH refers to the next lower eight bits, and AX refers to the lower 16 bits of the 32-bit EAX register
  • segment registers
  • the status register EFLAGS, including
    • ZF, set when an operation returns zero, and
    • TF, used to restrict CPU to execute one instruction at a time
  • the instruction pointer EIP, which points to the next instruction to be executed

Simple Instructions: mov

• mov eax, ebx
• mov eax, 0x42
• mov eax, [0x4037C4]
• mov eax, [ebx]
• mov eax, [ebx+esi*4]

Other materials on the notes page