
Lab 9: Functions

Overview

The purpose of this lab is to become familiar with identifying the various components of functions.

Getting Started

You will need to load the malware into IDA Pro. To go to an address, press G.

Exercise Part 1: Dexter

For this exercise examine the dexter malware (found at c:\malware\dexter\dexter.exe). There is a function that starts at 0x401700.

Question 1.1

In the function prologue identify:

  • The number of parameters, local variables on the stack, and registers used
  • The addresses and instructions used to save the old frame pointer, and allocate a new frame pointer
  • The address and instructions used to allocate space on the stack for local variables
  • The addresses and instructions used to save registers used in the function

Answer

  • There are two parameters, two local variables on the stack, and one variable stored in a register (EBX)
  • The push ebp at address 0x401700 is used to save the old frame pointer, and the mov ebp, esp at address 0x401701 is used to allocate a new one.
  • The sub esp, 8 at address 0x401703
  • The push ebx at address 0x401706

Question 1.2

Identify the addresses of the body of the function

Answer

0x401707 through 0x4017BC

Question 1.3

In the function epilogue identify:

  • The addresses of the instructions used to restore registers
  • The addresses and instructions used to deallocate any stack variables
  • The addresses and instructions used to restore the frame pointer

Answer

  • The pop ebx at address 0x4017C7
  • The mov esp, ebp at address 0x4017C8
  • The pop ebp at address 0x4017CA

Exercise Part 2: NetWiredRC

For this exercise examine the netwiredrc malware (found at c:\malware\netwiredrc\netwiredrc.exe). There is a function that starts at address 0x004036A6.

Question 2.1

In the function prologue identify:

  • The number of parameters, local variables on the stack, and registers used
  • The addresses and instructions used to save the old frame pointer, and allocate a new frame pointer
  • The address and instructions used to allocate space on the stack for local variables
  • The addresses and instructions used to save registers used in the function

Answer

  • There are three parameters, 17 local variables on the stack, and three variables stored in registers.
  • The push ebp at address 0x4036A6 is used to save the old frame pointer, and the mov ebp, esp at address 0x4036AA is used to allocate a new one.
  • The sub esp, 34Ch at address 0x401703.
  • The push edi, push esi, and push ebx instructions at addresses 0x4036AE, 0x4036AF, and 0x4036B0 respectively.

Question 2.2

Identify the addresses of the body of the function

Answer

0x4036A7 through 0x40386C. Note that the function prologue code is interspersed with some of the body of the function.

Question 2.3

In the function epilogue identify:

  • The addresses of the instructions used to restore registers
  • The addresses and instructions used to deallocate any stack variables
  • The addresses and instructions used to restore the frame pointer

Answer

  • The pop ebx, pop esi, and pop edi instructions at addresses 0x403872, 0x403873, and 0x403874 respectively.
  • The lea esp, [ebp-0Ch] at address 0x40386F.
  • The pop ebp at address 0x403875.

Exercise Part 3: Wannacry

For this exercise examine the wannacry malware (found at c:\malware\wannacry\wannacry.exe). There is a function that starts at address 0x401225.

Hint

Not all of the items to identify will be separate instructions. Some instructions will have multiple purposes.

Question 3.1

In the function prologue identify:

  • The number of parameters, local variables on the stack, and registers used
  • The addresses and instructions used to save the old frame pointer, and allocate a new frame pointer
  • The address and instructions used to allocate space on the stack for local variables
  • The addresses and instructions used to save registers used in the function

Answer

  • There is one parameter, four local variables on the stack, and three variables in registers.
  • The push ebp at address 0x401225 is used to save the old frame pointer, and the mov ebp, esp at address 0x401226 is used to allocate a new one.
  • The sub esp, 198h at address 0x401228.
  • The push ebx, push esi, and push edi instructions at addresses 0x401234, 0x401235, and 0x401236 respectively.

Question 3.2

Identify the addresses of the body of the function

Answer

0x40122E through 0x4012EF. Note that the function prologue code is interspersed with some of the body of the function.

Question 3.3

In the function epilogue identify:

  • The addresses of the instructions used to restore registers
  • The addresses and instructions used to deallocate any stack variables
  • The addresses and instructions used to restore the frame pointer

Answer

  • The pop edi, pop esi, and pop ebx instructions at addresses 0x4012F8, 0x4012F9, and 0x4012FA respectively.
  • The leave at address 0x4012FB
  • The leave at address 0x4012FB

Note: the leave instruction is essentially a mov esp, ebp followed by a pop ebp, and as such fulfills both the deallocation and frame-pointer restoration purposes.
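The script below is an added example, not part of the lab or its course materials. It takes an IDA-style listing of one function and classifies each instruction into the roles asked for in Parts 1 to 3: saving the old frame pointer, setting up the new one, allocating locals, saving and restoring callee-saved registers, deallocating the frame, and the body in between. It handles the three epilogue shapes seen above: pops followed by mov esp, ebp (Part 1), lea esp, [ebp-X] followed by pops (Part 2), and a single leave that does both jobs (Part 3). The two listings at the bottom are constructed from the addresses in the answers above; their body instructions and stack offsets are invented placeholders, not the real dexter or wannacry code, and the function and variable names are the author's own.

```python
import re

# Added example (not from the lab): classify a function's instructions by prologue/epilogue role.

def parse_imm(text):
    """IDA-style immediate: decimal without suffix ('8'), hex with trailing h ('34Ch')."""
    return int(text[:-1], 16) if text.lower().endswith("h") else int(text, 10)

MOV_EBP_ESP = re.compile(r"^mov ebp, esp$")
SUB_ESP = re.compile(r"^sub esp, ([0-9A-Fa-f]+h?)$")
MOV_ESP_EBP = re.compile(r"^mov esp, ebp$")
LEA_ESP = re.compile(r"^lea esp, \[ebp-[0-9A-Fa-f]+h?\]$")
PUSH_REG = re.compile(r"^push (ebx|esi|edi)$")  # callee-saved registers only
POP_REG = re.compile(r"^pop (ebx|esi|edi)$")
EBP_REF = re.compile(r"\[ebp([+-])([0-9A-Fa-f]+h?)\]")

def analyze_function(listing):
    """listing: [(address, text), ...] from 'push ebp' through 'retn'. Returns (address, text)
    for each prologue/epilogue role, the body address range, and the variable counts."""
    ins = [(a, " ".join(t.replace(",", ", ").split())) for a, t in listing]
    r = {"save_frame_ptr": None, "new_frame_ptr": None, "alloc_locals": None,
         "frame_size": 0, "saved_regs": [], "body": None, "restored_regs": [],
         "dealloc_locals": None, "restore_frame_ptr": None}

    # Epilogue: walk backwards from ret, because the teardown order varies
    # (pops before 'mov esp, ebp', pops after 'lea esp, [ebp-X]', or 'leave').
    j = len(ins) - 1
    if not ins[j][1].startswith("ret"):
        raise ValueError("listing must end with ret/retn")
    j -= 1
    if ins[j][1] == "leave":
        # leave == mov esp, ebp ; pop ebp, so one instruction fills both roles
        r["dealloc_locals"] = r["restore_frame_ptr"] = ins[j]
    elif ins[j][1] == "pop ebp":
        r["restore_frame_ptr"] = ins[j]
    else:
        raise ValueError("no frame pointer restore before ret")
    j -= 1
    while j >= 0:
        addr, text = ins[j]
        m = POP_REG.match(text)
        if m:
            r["restored_regs"].insert(0, (addr, m.group(1)))  # keep forward order
        elif r["dealloc_locals"] is None and (
                MOV_ESP_EBP.match(text) or LEA_ESP.match(text)):
            r["dealloc_locals"] = (addr, text)
        else:
            break
        j -= 1
    epilogue_start = j + 1

    # Prologue: frame setup first, then the register saves wherever they occur,
    # since compilers interleave the saves with the first body instructions.
    if ins[0][1] != "push ebp":
        raise ValueError("function does not start with push ebp")
    r["save_frame_ptr"] = ins[0]
    to_save = {reg for _, reg in r["restored_regs"]}
    body_addrs, params, locals_ = [], set(), set()
    for addr, text in ins[1:epilogue_start]:
        sub_m, push_m = SUB_ESP.match(text), PUSH_REG.match(text)
        if r["new_frame_ptr"] is None and MOV_EBP_ESP.match(text):
            r["new_frame_ptr"] = (addr, text)
        elif r["alloc_locals"] is None and sub_m:
            r["alloc_locals"], r["frame_size"] = (addr, text), parse_imm(sub_m.group(1))
        elif push_m and push_m.group(1) in to_save:
            r["saved_regs"].append((addr, push_m.group(1)))
            to_save.remove(push_m.group(1))  # only a register's first push is its save
        else:
            body_addrs.append(addr)
            for sign, off in EBP_REF.findall(text):
                # [ebp+4] is the return address; [ebp+8] and up are parameters,
                # negative offsets are locals (IDA names each distinct one)
                if sign == "+" and parse_imm(off) >= 8:
                    params.add(parse_imm(off))
                elif sign == "-":
                    locals_.add(parse_imm(off))
    r["body"] = (body_addrs[0], body_addrs[-1]) if body_addrs else None
    r["param_count"], r["local_count"] = len(params), len(locals_)
    r["register_var_count"] = len(r["saved_regs"])
    return r

# Constructed, abridged listing in the Part 1 (dexter) shape; body lines are placeholders.
DEXTER_STYLE = [
    (0x401700, "push ebp"), (0x401701, "mov ebp, esp"), (0x401703, "sub esp, 8"),
    (0x401706, "push ebx"), (0x401707, "mov eax, [ebp+8]"), (0x40170A, "mov ebx, [ebp+0Ch]"),
    (0x40170D, "mov [ebp-4], eax"), (0x401710, "mov [ebp-8], ebx"),
    (0x4017C7, "pop ebx"), (0x4017C8, "mov esp, ebp"), (0x4017CA, "pop ebp"), (0x4017CB, "retn"),
]

# Constructed listing in the Part 3 (wannacry) shape: saves interleaved with
# the body, and a single 'leave' doing both deallocation and restoration.
WANNACRY_STYLE = [
    (0x401225, "push ebp"), (0x401226, "mov ebp, esp"), (0x401228, "sub esp, 198h"),
    (0x40122E, "mov eax, [ebp+8]"), (0x401231, "lea ecx, [ebp-4]"),
    (0x401234, "push ebx"), (0x401235, "push esi"), (0x401236, "push edi"),
    (0x401237, "mov [ebp-198h], eax"), (0x4012F8, "pop edi"), (0x4012F9, "pop esi"),
    (0x4012FA, "pop ebx"), (0x4012FB, "leave"), (0x4012FC, "retn"),
]

if __name__ == "__main__":
    for name, listing in (("dexter-style", DEXTER_STYLE), ("wannacry-style", WANNACRY_STYLE)):
        print(name, analyze_function(listing))
```

Two design points are worth noting. Register saves are matched against the registers the epilogue restores, walking forward from the first push of each, which is what lets the script cope with the interleaving seen in Parts 2 and 3 without mistaking an argument push in the body for a save. Parameter and local counts come from the distinct [ebp+X] and [ebp-X] offsets the body references, which is what IDA names in its stack view, rather than from the frame size divided by four: the 34Ch frame in Part 2 is 844 bytes but holds only 17 named locals, and the 198h frame in Part 3 holds four.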