03 Fundamental Software Engineering Concepts
ENGINEERING AND MALWARE ANALYSIS
● The idea is that someone designs and implements a black box, tests it
and confirms that it works, and then integrates it with other
components in the system.
● A program can therefore be seen as a large collection of black boxes
that interact with one another.
High-Level Perspective – Program Structure
● Static libraries are added to a program while it is being built, and they
become an integral part of the program’s binaries.
● They are difficult to make out and isolate when we look at the program
from a low-level perspective while reversing.
High-Level Perspective – Program Structure : Modules
● Dynamic libraries are very easy to detect while reversing, and the
interfaces between them often simplify the reversing process because
they provide helpful hints regarding the program’s architecture.
High-Level Perspective – Program Structure : Code Constructs
● There are two basic code-level constructs that are considered the
most fundamental building blocks for a program.
● These are:
– procedures and
– objects.
High-Level Perspective – Program Structure : Code Constructs
● A program deals with data. Any operation requires input data, room for
intermediate data, and a way to send back results, and all of this is
managed within the program.
● To view a program and understand what is happening, we must
understand how data is managed in the program.
● This requires two perspectives:
– the high-level perspective as viewed by software developers, and
– the low-level perspective as seen by reversers.
High-Level Perspective – Data Management
● You can easily see that much of the added complexity is the result of
low-level data management considerations.
● Some common low-level data management constructs include:
– registers,
– stacks, and
– heaps.
Low-Level Perspective
● Registers
● Registers are small chunks of internal memory that reside within the
processor and can be accessed very easily.
● While reversing, it is important to try to detect the nature of the
values loaded into each register.
● Detecting the case where a register is used simply to allow
instructions access to specific values is very easy, because the
register is used only for transferring a value from memory to the
instruction or the other way around.
Low-Level Perspective
● Stack
● A stack is an area in program memory that is used for short-term
storage of information by the CPU and the program.
● It can be thought of as a secondary storage area for short-term
information.
● Registers are used for storing the most immediate data, and the stack
is used for storing slightly longer-term data.
● Physically, the stack is just an area in RAM that has been allocated for
this purpose.
Low-Level Perspective
● Heaps
● A heap is a managed memory region that allows for the dynamic
allocation of variable-sized blocks of memory at runtime.
● A program simply requests a block of a certain size and receives a
pointer to the newly allocated block (assuming that enough memory is
available).
● Heaps are managed either by software libraries that are shipped
alongside programs or by the operating system.
Low-Level Perspective
● Heaps
● For reversers, locating heaps in memory and properly identifying heap
allocation and freeing routines can be helpful, because it contributes
to the overall understanding of the program’s data layout.
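As an added illustration (not code from the original slides), here is a toy heap in C: a fixed arena, a bookkeeping header stored before each block, an allocation routine that hands back a pointer or NULL when no memory is available, and a freeing routine that marks the block reusable. The arena size, header layout and the names toy_alloc, toy_free and toy_live_blocks are constructed for this example; the per-block header is the kind of bookkeeping a reverser looks for when identifying allocation and freeing routines.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example: a tiny heap carved from a fixed arena. Illustrative
   only; it is not the algorithm of any real allocator. */
#define ARENA_SIZE 4096

/* Bookkeeping header stored immediately before each block. */
typedef struct {
    size_t size;   /* usable bytes following the header */
    size_t free;   /* 1 if the block can be handed out again */
} block_t;

#define ALIGN sizeof(block_t)   /* header size doubles as the alignment unit */

static _Alignas(16) uint8_t arena[ARENA_SIZE];
static size_t arena_used = 0;   /* bytes of the arena carved into blocks so far */

static size_t round_up(size_t n) { return (n + ALIGN - 1) / ALIGN * ALIGN; }

/* Request n bytes: reuse the first free block that fits, otherwise carve a new
   block from the arena. Returns NULL when the arena is exhausted. */
void *toy_alloc(size_t n) {
    size_t need = n ? round_up(n) : ALIGN;
    size_t off = 0;
    while (off < arena_used) {               /* first-fit scan of existing blocks */
        block_t *b = (block_t *)(arena + off);
        if (b->free && b->size >= need) { b->free = 0; return (uint8_t *)b + ALIGN; }
        off += ALIGN + b->size;
    }
    if (ARENA_SIZE - arena_used < ALIGN + need) return NULL;   /* out of memory */
    block_t *b = (block_t *)(arena + arena_used);
    b->size = need;
    b->free = 0;
    arena_used += ALIGN + need;
    return (uint8_t *)b + ALIGN;
}

/* Release a block obtained from toy_alloc by marking its header free. */
void toy_free(void *p) {
    if (p == NULL) return;
    block_t *b = (block_t *)((uint8_t *)p - ALIGN);
    b->free = 1;
}

/* Count blocks currently allocated, by walking the headers in arena order. */
size_t toy_live_blocks(void) {
    size_t count = 0;
    for (size_t off = 0; off < arena_used; ) {
        block_t *b = (block_t *)(arena + off);
        if (!b->free) count++;
        off += ALIGN + b->size;
    }
    return count;
}
```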