daawide.blogg.se - Test eax eax

Additional 64-bit registers are R8-R15.EAX→RAX, ECX→RCX, EBX→RBX, ESP→RSP, EIP→RIP.Shift ESP by 0x54 to make room on the stack for local variable(s).Ĭheck whether EAX contains zero, set the appropriate EFLAGS bits.Ĭompare EAX to 0xB8, set the appropriate EFLAGS bits. Increase ESP by 8 to shrink the stack by two 4-byte arguments. Put the address of variable EBP-4 in EAX.Ĭall the function whose address resides in the EAX register. Remove contents from top of the stack and put them in EAX. Instruction pointer points to the next instruction shellcode gets it via call/popĬontains flags that store outcomes of computations (e.g., Zero and Carry flags)į segment register FS: points to SEH chain, FS: points to the PEB.Ĭommon x86 Assembly Instructions mov EAX,0xB8

Points to the current “top” of the stack changes via PUSH, POP, and others

Repeat steps 5-9 above as necessary (the order may vary) until analysis objectives are met.Īddition, multiplication, function resultsīaseline/frame pointer for referencing function arguments (EBP+offset) and local variables (EBP-offset).

Progress to examine the code that references or depends upon the code you’ve already analyzed.

As your understanding of the code increases, add comments, labels rename functions, variables.

If appropriate, unpack the code and its artifacts.

Use a debugger for dynamic analysis to examine how risky strings and API calls are used.

Use a disassembler and decompiler to statically examine code related to risky strings and APIs calls.

Emulate code execution to identify characteristics and areas for further analysis.

Perform automated and manual behavioral analysis to gather additional details.

Identify strings and API calls that highlight the program’s suspicious or malicious capabilities.

Examine static properties of the Windows executable for initial assessment and triage.

This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. To print it, use the one-page PDF version you can also edit the Word version to customize it for you own needs.