lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

commit 671b07d80623cc62aec232f63a31962d87263930
parent 8dec4d579319f5417a2f7ced25711cf3eaf52959
Author: Alex Balgavy <alex@balgavy.eu>
Date:   Thu, 22 Apr 2021 13:45:48 +0200

BAMA notes updated

Diffstat:
Mcontent/binary-malware-analysis-notes/_index.md | 1+
Acontent/binary-malware-analysis-notes/tracking-control-flow.md | 42++++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/content/binary-malware-analysis-notes/_index.md b/content/binary-malware-analysis-notes/_index.md @@ -14,3 +14,4 @@ title = 'Binary and Malware Analysis' 9. [Dynamic taint analysis](dynamic-taint-analysis) 10. [Taint analysis in practice](taint-analysis-in-practice) 11. [Dynamic data excavation](dynamic-data-excavation) +12. [Tracking control flow](tracking-control-flow) diff --git a/content/binary-malware-analysis-notes/tracking-control-flow.md b/content/binary-malware-analysis-notes/tracking-control-flow.md 
@@ -0,0 +1,42 @@ ++++ +title = 'Tracking control flow' ++++ +# Tracking control flow +Explore execution paths in the program. + +Control flow graph (CFG) of each function: +- represent potential flow of control inside function + +Call graph +- represent potential flow of control between functions + +Basic block: maximal sequence of instructions that execute one-by-one in order + +Control flow graph: +- nodes are basic blocks with one entry point and one exit point +- directed edges indicate possible control flow + +Call graph +- nodes are functions +- directed edges show potential for one function to invoke another + +Identifying a function +- ideally: + - set a of basic blocks with single entry point + - reached using a call instruction + - ends with ret instructions +- in reality, might be reached using jump, might share blocks with other functions, might have multiple entries + +## Problems +- Pointer-based control transfer: conditionally set a function pointer, then call function pointer +- non-returning calls: some functions won't return, code following call site may not be valid +- non-contiguous code sections: could have jump tables, data, unparsed code, junk bytes... +- tail calls: `return f(x)` +- gaps in binary: might contain undiscovered functions +- shared code and multiple entry representation + +You should: +- run the program multiple times, observe targets of indirect jumps and calls +- look for function prologue sequences (`push %rbp`, `mov %rsp, %rbp`) + +
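Review bot: typo in the "Identifying a function" list of tracking-control-flow.md: "set a of basic blocks with single entry point" should read "a set of basic blocks with a single entry point". The same file defines "Control flow graph" and "Call graph" twice (a one-line definition near the top, then a bulleted one further down); merging each pair into a single entry would remove the duplication. The "tail calls" bullet under "## Problems" gives only the example `return f(x)` without saying why it is a problem; linking it to the earlier "might be reached using jump" line (a tail call transfers control without the call/ret pair the ideal definition relies on) would make the point self-contained. The file also ends with two empty lines that can be dropped.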