in an operating-system-specific container format
▪ e.g. ELF for Linux, PE for Windows
• Assembly = human-readable mnemonics for the CPU's binary instructions (machine code); an assembler maps mnemonics to bytes, a disassembler maps the bytes back
◦ Generated for a particular CPU architecture (x86, x86-64, ARM, ...); the same source compiles to different machine code on each
◦ Common mnemonics
▪ MOV (MV), ADD, MUL, LD (load), ST/STO (store); spelling is per-architecture, e.g. x86 uses MOV for both loads and stores while ARM has separate LDR/STR
• Storage locations
◦ Random access memory = large but slow
▪ Addressed using pointers
◦ CPU registers = small but fast
▪ 32-bit processors use 8 general purpose
.dll - Dynamic Link Library
.sys - System driver
.ocx - ActiveX control
.scr - Screensaver
▪ The extension is only a naming convention: the Windows loader trusts the header, not the name, so a dropper can ship as .scr or .ocx and still be a plain PE executable
• All begin with the PE header
◦ Denotes target architecture (Machine field), linker version, entry point, subsystem and the section table
◦ Instructions and data needed to run the program
◦ Viewable with tools like PEiD (also objdump -h, dumpbin /headers, or the Python pefile module)
• Common sections (names are a convention set by the linker, not enforced by the loader; packers rename or merge them)
.text = executable code, mapped read+execute
.data = initialized writable data (global variables)
.rdata = read-only data (string constants, import and export tables)
.bss = uninitialized static data, zero-filled when the image is loaded and taking no space in the file
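The header walk described above (MZ stub, e_lfanew, "PE\0\0", COFF header, optional header, section table) as an added worked example; this is not code from the slides or from any tool they mention. It parses a PE image from bytes, derives read/write/execute permissions from each section's Characteristics flags, and flags sections that are both writable and executable, a common packer tell. The sample image (`build_sample_pe`) is constructed here and carries only headers, no real code; the ".packed" section name is a made-up stand-in for a packer stub.

```python
import struct

# Section Characteristics flags and a file-header flag from the PE/COFF specification
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000
IMAGE_FILE_DLL                   = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}

def parse_pe(data: bytes) -> dict:
    """Follow MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]           # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]                # 0x10B = PE32, 0x20B = PE32+ (64-bit)
    sections, sec_tab = [], opt + opt_size                        # section table follows the optional header
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _relptr, _lnptr, _nrel, _nln, flags) = \
            struct.unpack_from("<8sIIIIIIHHI", data, sec_tab + i * 40)   # IMAGE_SECTION_HEADER is 40 bytes
        perm = "".join(c if flags & f else "-" for c, f in
                       (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE), ("x", IMAGE_SCN_MEM_EXECUTE)))
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": va, "vsize": vsize, "raw_off": rawptr, "raw_size": rawsize,
                         "flags": flags, "perm": perm})
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}

def rwx_sections(info: dict) -> list:
    """Sections that are writable AND executable: a common packer / self-modifying-code tell."""
    return [s["name"] for s in info["sections"] if s["perm"] == "rwx"]

def build_sample_pe(extra_sections=()) -> bytes:
    """Constructed sample: a minimal PE32 header set with the four classic sections and no real code."""
    def sec(name, va, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0x400, 0, 0, 0, 0, flags)
    secs = [
        sec(b".text",  0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
        sec(b".rdata", 0x2000, 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        sec(b".data",  0x3000, 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        sec(b".bss",   0x4000, 0x100, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ] + [sec(*s) for s in extra_sections]
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                   # PE32 optional header is 96 bytes; only the magic matters here
    coff = struct.pack("<HHIIIHH", 0x014C, len(secs), 0, 0, 0, len(opt), 0x0102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew = 0x40, right after the DOS header
    return dos + b"PE\0\0" + coff + opt + b"".join(secs)

if __name__ == "__main__":
    # Hypothetical packed build: one extra section that is rwx
    packed_flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    info = parse_pe(build_sample_pe([(b".packed", 0x5000, 0x800, packed_flags)]))
    for s in info["sections"]:
        print(f"{s['name']:8} VA=0x{s['vaddr']:05X} size=0x{s['vsize']:X} {s['perm']}")
    print("rwx sections:", rwx_sections(info))
```

The permissions come from the Characteristics bits, not from the section name: a section called ".text" that is also writable, or one called ".data" that is executable, is exactly what the name-based mental model on the slide would miss.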
and save the result"
Pseudocode:  total = add(5, 8)
C-style:     int total = 5 + 8;
Assembly (32-bit x86, Intel syntax):
    MOV EAX, 0x5                ; load 5 into EAX
    ADD EAX, 0x8                ; EAX = EAX + 8, result stays in EAX
    MOV dword ptr [total], EAX  ; store all four bytes of EAX at the address of total
                                ; (a byte ptr store would write only the low byte of EAX)
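To connect the three layers on this slide (mnemonics, machine-code bytes, registers and memory), here is an added example that is not part of the original material: a decoder for a handful of 32-bit x86 encodings plus a tiny executor with a register file and flat little-endian memory. The machine code is constructed by hand for the slide's snippet, and the address of `total` (0x100) is an assumption. The second sample uses a byte store (opcode A2, MOV [moffs32], AL) to show why the store size matters.

```python
import struct

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]   # register numbering used in opcodes and ModRM

def u32(code: bytes, off: int) -> int:
    return struct.unpack_from("<I", code, off)[0]

def decode(code: bytes, base: int = 0) -> list:
    """Decode a small x86-32 subset into (addr, text, op, args) records.
    Covered: MOV r32,imm32 (B8+rd) / ADD EAX,imm32 (05) / ADD r32,imm8 (83 /0, register form)
    / MOV [moffs32],EAX (A3) / MOV [moffs32],AL (A2) / MOV [disp32],r32 (89 /r) / NOP / RET."""
    out, pc = [], 0
    while pc < len(code):
        op, at = code[pc], base + pc
        if 0xB8 <= op <= 0xBF:                                   # register number is encoded in the opcode byte
            r, imm = REG32[op - 0xB8], u32(code, pc + 1)
            out.append((at, f"MOV {r}, 0x{imm:X}", "mov_imm", (r, imm))); pc += 5
        elif op == 0x05:
            imm = u32(code, pc + 1)
            out.append((at, f"ADD EAX, 0x{imm:X}", "add_imm", ("EAX", imm))); pc += 5
        elif op == 0x83 and (code[pc + 1] >> 6) == 3 and ((code[pc + 1] >> 3) & 7) == 0:
            r, imm = REG32[code[pc + 1] & 7], code[pc + 2]       # ModRM: mod=11 (register), reg=/0 (ADD)
            imm = (imm - 0x100) & 0xFFFFFFFF if imm & 0x80 else imm   # imm8 is sign-extended to 32 bits
            out.append((at, f"ADD {r}, 0x{imm:X}", "add_imm", (r, imm))); pc += 3
        elif op == 0xA3:
            addr = u32(code, pc + 1)
            out.append((at, f"MOV dword ptr [0x{addr:X}], EAX", "store", (addr, "EAX", 4))); pc += 5
        elif op == 0xA2:
            addr = u32(code, pc + 1)
            out.append((at, f"MOV byte ptr [0x{addr:X}], AL", "store", (addr, "EAX", 1))); pc += 5
        elif op == 0x89 and (code[pc + 1] & 0xC7) == 0x05:     # ModRM mod=00 rm=101: absolute disp32
            r, addr = REG32[(code[pc + 1] >> 3) & 7], u32(code, pc + 2)
            out.append((at, f"MOV dword ptr [0x{addr:X}], {r}", "store", (addr, r, 4))); pc += 6
        elif op == 0x90:
            out.append((at, "NOP", "nop", ())); pc += 1
        elif op == 0xC3:
            out.append((at, "RET", "ret", ())); pc += 1
        else:
            raise ValueError(f"unsupported opcode 0x{op:02X} at 0x{at:X}")
    return out

def run(instrs: list, mem_size: int = 0x200) -> tuple:
    """Execute decoded records on a register file plus a flat little-endian memory."""
    regs = {r: 0 for r in REG32}
    mem = bytearray(mem_size)
    for _at, _text, op, args in instrs:
        if op == "mov_imm":
            regs[args[0]] = args[1] & 0xFFFFFFFF
        elif op == "add_imm":
            regs[args[0]] = (regs[args[0]] + args[1]) & 0xFFFFFFFF
        elif op == "store":
            addr, r, size = args
            mem[addr:addr + size] = regs[r].to_bytes(4, "little")[:size]   # a byte store keeps only the low byte
        elif op == "ret":
            break
    return regs, mem

# Constructed machine code for the slide's snippet; `total` is assumed to live at 0x100.
#   B8 05 00 00 00   MOV EAX, 5
#   83 C0 08         ADD EAX, 8
#   A3 00 01 00 00   MOV dword ptr [0x100], EAX
#   C3               RET
TOTAL_ADDR = 0x100
SAMPLE = bytes.fromhex("B805000000 83C008 A300010000 C3")
# Same destination, but written with a byte store: only the low byte of EAX reaches memory.
SAMPLE_BYTE_STORE = bytes.fromhex("B834120000 A200010000 C3")

def listing(code: bytes) -> list:
    return [text for _at, text, _op, _args in decode(code)]

def total_in_memory(code: bytes) -> int:
    _regs, mem = run(decode(code))
    return int.from_bytes(mem[TOTAL_ADDR:TOTAL_ADDR + 4], "little")

if __name__ == "__main__":
    for text in listing(SAMPLE):
        print(text)
    print("total =", total_in_memory(SAMPLE))
    print("byte-store total =", hex(total_in_memory(SAMPLE_BYTE_STORE)))
```

Note that `83 C0 08` and `05 08 00 00 00` are two valid encodings of the same ADD; compilers pick the short imm8 form when the constant fits, which is one reason the same source line can disassemble differently between builds.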
◦ Result is built for the target processor architecture
◦ Output can be optimized for various performance needs (speed vs. size); optimization also inlines, reorders and eliminates code, which is why optimized binaries read less like their source
[Figure: simplified representation of the build pipeline: Source Code → Compiler → Machine Code → Linker → Executable]
return c;}" > prog.c
$ gcc prog.c -o myprogram
$ file myprogram
myprogram: ELF 64-bit LSB executable, x86-64, dynamically linked, for GNU/Linux 2.6.24, not stripped
• Break it down
◦ ELF = Executable and Linkable Format, the binary format used by Linux and most other Unix-like systems
◦ 64-bit LSB = 64-bit (EI_CLASS) and least-significant-byte first, i.e. little-endian (EI_DATA)
◦ x86-64 = built for a 64-bit CPU of the Intel/AMD x86 family (e_machine)
◦ dynamically linked = shared libraries (libc etc.) are loaded and resolved at run time by the dynamic loader named in the PT_INTERP segment; a statically linked binary carries its own copies
◦ for GNU/Linux 2.6.24 = the minimum kernel version the toolchain recorded in the .note.ABI-tag section, not the kernel the binary was built on
◦ not stripped = the symbol table (.symtab) is still present, so function names survive in a disassembler; strip removes it. Full debug info (DWARF) is only there if the build used -g
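The `file` line above is assembled from a few header fields, and reading them directly shows where each word comes from. The following is an added example, not code from the slides or from `file` itself: it parses e_ident, the ELF header and the program headers (ELF32 and ELF64, either byte order), uses PT_INTERP to decide "dynamically linked" and the GNU ABI-tag note for "for GNU/Linux x.y.z", then renders a `file`-style line. The sample binary is constructed in `build_sample_elf` and contains headers only; "not stripped" is not reproduced because it needs the section table, which the sample omits.

```python
import struct

PT_INTERP, PT_NOTE = 3, 4
NT_GNU_ABI_TAG = 1
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "i386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

def parse_abi_tag(seg: bytes, e: str):
    """Walk the notes in a PT_NOTE segment; the GNU ABI tag (name 'GNU', type 1) carries the
    minimum kernel version that `file` prints as 'for GNU/Linux x.y.z'."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from(e + "III", seg, off)
        name = seg[off + 12: off + 12 + namesz].rstrip(b"\0")
        desc_off = off + 12 + ((namesz + 3) & ~3)                 # name and desc are padded to 4 bytes
        if name == b"GNU" and ntype == NT_GNU_ABI_TAG and descsz >= 16:
            os_id, major, minor, patch = struct.unpack_from(e + "IIII", seg, desc_off)
            return f"{'GNU/Linux' if os_id == 0 else 'OS#' + str(os_id)} {major}.{minor}.{patch}"
        off = desc_off + ((descsz + 3) & ~3)
    return None

def parse_elf(data: bytes) -> dict:
    """Read e_ident, the ELF header and the program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, enc = data[4], data[5]                 # EI_CLASS: 1=32-bit, 2=64-bit; EI_DATA: 1=LSB, 2=MSB
    if cls not in (1, 2) or enc not in (1, 2):
        raise ValueError("unknown EI_CLASS / EI_DATA")
    e = "<" if enc == 1 else ">"                 # byte order for every multi-byte field that follows
    if cls == 2:
        hdr_fmt, ph_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ"
        ph_fields = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        hdr_fmt, ph_fmt = "HHIIIIIHHHHHH", "IIIIIIII"
        ph_fields = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")  # p_flags sits later in ELF32
    e_type, e_machine, _ver, entry, phoff, _shoff, _flags, _ehsize, phentsize, phnum, *_ = \
        struct.unpack_from(e + hdr_fmt, data, 16)
    info = {"class": "ELF64" if cls == 2 else "ELF32", "endian": "LSB" if enc == 1 else "MSB",
            "type": ELF_TYPES.get(e_type, hex(e_type)), "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
            "entry": entry, "interp": None, "abi_tag": None}
    for i in range(phnum):
        ph = dict(zip(ph_fields, struct.unpack_from(e + ph_fmt, data, phoff + i * phentsize)))
        seg = data[ph["offset"]: ph["offset"] + ph["filesz"]]
        if ph["type"] == PT_INTERP:              # path of the dynamic loader => dynamically linked
            info["interp"] = seg.split(b"\0", 1)[0].decode()
        elif ph["type"] == PT_NOTE and info["abi_tag"] is None:
            info["abi_tag"] = parse_abi_tag(seg, e)
    info["linking"] = "dynamically linked" if info["interp"] else "statically linked"
    return info

def describe(info: dict) -> str:
    """Render the fields the way the `file` line on the slide does."""
    kind = {"EXEC": "executable", "DYN": "shared object (or PIE executable)",
            "REL": "relocatable", "CORE": "core file"}.get(info["type"], info["type"])
    parts = [f"ELF {64 if info['class'] == 'ELF64' else 32}-bit {info['endian']} {kind}",
             info["machine"], info["linking"]]
    if info["abi_tag"]:
        parts.append("for " + info["abi_tag"])
    return ", ".join(parts)

def build_sample_elf() -> bytes:
    """Constructed sample: ELF64 LSB x86-64 header, one PT_INTERP and one PT_NOTE segment, no code."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    note = struct.pack("<III", 4, 16, NT_GNU_ABI_TAG) + b"GNU\0" + struct.pack("<IIII", 0, 2, 6, 24)
    ehsize, phentsize, phnum = 64, 56, 2
    interp_off = ehsize + phentsize * phnum
    note_off = interp_off + len(interp)          # 204, already 4-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # ELF64, little-endian, EV_CURRENT, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 64, 0, 0)
    def phdr(ptype, off, size, align):
        return struct.pack("<IIQQQQQQ", ptype, 4, off, 0x400000 + off, 0x400000 + off, size, size, align)
    return ehdr + phdr(PT_INTERP, interp_off, len(interp), 1) + phdr(PT_NOTE, note_off, len(note), 4) + interp + note

if __name__ == "__main__":
    print(describe(parse_elf(build_sample_elf())))
```

On a current distro `gcc` defaults to a position-independent executable, so e_type is DYN rather than EXEC and `file` reports "pie executable"; a DYN with a PT_INTERP is a PIE, a DYN without one is a shared library.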
◦ Part of GNU binutils, so present on most *nix systems; by default it reports only single-byte (ASCII) runs, use strings -e l to also see the UTF-16LE strings that Windows binaries are full of
◦ SysInternals program on Windows (scans ASCII and Unicode by default)
▪ http://technet.microsoft.com/en-us/sysinternals/bb897439
• Results from Aurora malware (HydraQ)
◦ Imports: SetKeyboardFilter (keylog)
◦ Project Path: 'AuroraVNC\..\VedioDriver.pdb'
◦ Source: contagiodump.blogspot.com
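The slide shows the two kinds of find that make strings worth running first: an imported API name and a leftover PDB path. The following added example (not code from the slides, binutils or SysInternals) implements the scan itself, covering both ASCII and UTF-16LE runs, and then applies a few cheap triage heuristics. The input buffer is constructed for the example and is not real malware; the URL, PDB path and registry key in it are made up.

```python
import re

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return sorted (offset, encoding, text) for printable-ASCII runs and UTF-16LE runs.
    GNU strings only does the first by default (the second needs -e l); Windows binaries
    keep many of their interesting strings in UTF-16LE, so always scan both."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):   # char, NUL, char, NUL, ...
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)

def triage(found: list) -> dict:
    """Cheap heuristics for the string classes an analyst looks at first."""
    hits = {"pdb_path": [], "dll": [], "url": [], "registry": [], "api_name": []}
    for _off, _enc, s in found:
        low = s.lower()
        if low.endswith(".pdb"):                                   # build-machine path left by the linker
            hits["pdb_path"].append(s)
        elif low.endswith(".dll"):
            hits["dll"].append(s)
        elif low.startswith(("http://", "https://")):
            hits["url"].append(s)
        elif low.startswith(("software\\", "hkey_", "system\\currentcontrolset")):
            hits["registry"].append(s)
        elif len(s) >= 6 and re.fullmatch(r"[A-Z][A-Za-z0-9]+", s):   # CamelCase token: likely an API name
            hits["api_name"].append(s)
    return hits

# Constructed sample buffer (not real malware): header-like noise, a DLL and import name, a UTF-16LE
# URL, a leftover PDB path, a persistence registry key, and a run too short to be reported.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 20
    + b"kernel32.dll\x00SetKeyboardFilter\x00"
    + b"\x7f\x01\x02"
    + "http://update.example.invalid/cfg".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x03" + b"C:\\build\\dropper\\Release\\dropper.pdb\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for off, enc, text in found:
        print(f"{off:#06x} {enc:8} {text}")
    print(triage(found))
```

Strings from a packed or encrypted sample will mostly be garbage until the payload is unpacked; a near-empty result, or only the packer's own API names (LoadLibrary, GetProcAddress, VirtualAlloc), is itself a useful signal.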