A switch statement branches in several directions at once: it dispatches execution to one of several blocks of code based on the value of an expression, which must be of an integral type (an integer, a character or an enumeration constant). Long chains of "if" statements that compare one variable against a series of integral constants are commonly replaced by a single switch statement.
When reverse-engineering a malicious binary, being able to recognize switch statements is useful across most malware classes, because a switch is where a program's dispatch logic lives. For instance, malware with keylogger functionality most likely uses a switch statement to branch on the key code it has captured, handling special keys such as SHIFT separately from printable characters.
In this article, we will discuss how switch statements can be spotted when reversing a binary.
Figure 1 shows a code snippet illustrating how a switch statement is written in the C programming language.
#include <stdio.h>
int main(void) {
    int i = 3;
    switch (i) {
    case 1: printf("Value is 1\n"); break;
    case 2: printf("Value is 2\n"); break;
    case 3: printf("Value is 3\n"); break;
    default: printf("Value out of range\n");
    }
}
The integer variable "i" is declared and initialized to 3 to keep the example simple. The switch statement tests that value and executes only the statements inside the matching case (each case ends with a break, so execution does not fall through into the next case). When this code is compiled and run, it prints "Value is 3".
When the Figure 1 code is compiled and the resulting binary is opened in a debugger (OllyDbg in this case), the switch appears in the disassembly as the following sequence. Note that the first comparison is against 2, not 1: the compiler is free to test the case values in whatever order it likes, so the CMP/JE sequence will not necessarily mirror the order of the cases in the source.
MOV DWORD PTR SS:[ESP+1C],3 ; store i = 3 in its stack slot
CMP DWORD PTR SS:[ESP+1C],2 ; compare i against the constant 2
JE SHORT switch.00401549 ; if equal, jump to the block handling that case
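As an added example (not code from the original article), the following Python script scans an OllyDbg-style listing for the two shapes a C switch usually compiles to on 32-bit x86: the CMP/Jcc chain on one operand shown above and, going beyond the article's excerpt, the bounds check followed by an indirect JMP through a jump table that compilers emit for dense case ranges. The listing, its addresses and the module label "demo" are constructed for the example.

```python
"""Spot switch-statement idioms in an OllyDbg-style disassembly listing.

Added example for this article, not code from the original post. It looks for
  1. a chain of  CMP <same operand>,imm / Jcc  pairs (few or sparse cases), and
  2. a bounds check  CMP <reg>,max / JA default  followed by an indirect
     JMP DWORD PTR [reg*4+table]  (dense cases, i.e. a jump table).
"""
import re

# Constructed sample in OllyDbg's address / mnemonic / operands layout; immediates
# are hex, as OllyDbg prints them. The first block mirrors the article's CMP/JE
# sequence on the stack slot holding i; the second is a jump-table dispatch.
SAMPLE_LISTING = """\
00401000  MOV DWORD PTR SS:[ESP+1C],3          ; i = 3
00401008  CMP DWORD PTR SS:[ESP+1C],2          ; |
0040100D  JE SHORT demo.0040102D
0040100F  CMP DWORD PTR SS:[ESP+1C],3
00401014  JE SHORT demo.0040103B
00401016  CMP DWORD PTR SS:[ESP+1C],1
0040101B  JE SHORT demo.0040101F
0040101D  JMP SHORT demo.00401049              ; nothing matched -> default
00401060  MOV EAX,DWORD PTR SS:[ESP+20]
00401064  CMP EAX,5                            ; case values 0..5
00401067  JA SHORT demo.00401090               ; index > 5 -> default
00401069  JMP NEAR DWORD PTR DS:[EAX*4+401100] ; indirect jump through the table
"""

LINE_RE = re.compile(r"^\s*([0-9A-F]{8})\s+([A-Z]+)\s*(.*)$", re.I)
# operand side of a CMP against a hex constant: "<operand>,<imm>"
CMP_IMM_RE = re.compile(r"^(.+?),\s*([0-9A-F]+)$", re.I)
# conditional jump (JE/JNE/JZ/JNZ/JA/JAE/JB/JBE/JG/JGE/JL/JLE) -> target label
JCC_RE = re.compile(r"^J(?:N?[EZ]|[AB]E?|[GL]E?)\s+(?:SHORT\s+)?(\S+)$", re.I)
# indirect jump through a 4-byte-entry table indexed by a register
JMPTAB_RE = re.compile(r"^(?:NEAR\s+)?DWORD PTR (?:\w+:)?\[(\w+)\*4\+([0-9A-F]+)\]$", re.I)


def parse_listing(text):
    """Return [(address, MNEMONIC, operands)] with OllyDbg's comment column dropped."""
    insns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split(";", 1)[0].rstrip())
        if m:
            insns.append((m.group(1).upper(), m.group(2).upper(), m.group(3).strip()))
    return insns


def find_compare_chains(insns, min_cases=2):
    """Candidate switches compiled as consecutive CMP <operand>,imm / Jcc pairs.

    Each result records where the chain starts, the operand being tested and the
    (case value, target) pairs in the order the compiler tests them.
    """
    chains, operand, cases, start = [], None, [], None

    def flush():
        nonlocal operand, cases, start
        if operand is not None and len(cases) >= min_cases:
            chains.append({"start": start, "operand": operand, "cases": cases})
        operand, cases, start = None, [], None

    i = 0
    while i < len(insns):
        addr, mnem, ops = insns[i]
        cm = CMP_IMM_RE.match(ops) if mnem == "CMP" else None
        jm = None
        if cm and i + 1 < len(insns):
            jm = JCC_RE.match(insns[i + 1][1] + " " + insns[i + 1][2])
        if cm and jm:
            op = cm.group(1).strip().upper()
            if op != operand:          # a compare on a different operand starts a new chain
                flush()
                operand, start = op, addr
            cases.append((int(cm.group(2), 16), jm.group(1)))
            i += 2
            continue
        flush()                        # anything else breaks the chain
        i += 1
    flush()
    return chains


def find_jump_tables(insns):
    """Candidate switches compiled as a bounds check plus an indirect JMP through a table."""
    tables = []
    for i, (addr, mnem, ops) in enumerate(insns):
        tm = JMPTAB_RE.match(ops) if mnem == "JMP" else None
        if not tm:
            continue
        index_reg, table = tm.group(1).upper(), tm.group(2).upper()
        case_count = None
        # The compiler guards the table with CMP <index>,max shortly before the
        # jump; max+1 is the number of table entries (the case count).
        for j in range(i - 1, max(i - 6, -1), -1):
            pm = CMP_IMM_RE.match(insns[j][2]) if insns[j][1] == "CMP" else None
            if pm and pm.group(1).strip().upper() == index_reg:
                case_count = int(pm.group(2), 16) + 1
                break
        tables.append({"at": addr, "index": index_reg, "table": table, "case_count": case_count})
    return tables


def describe(insns):
    """One summary line per candidate switch found in the listing."""
    out = []
    for c in find_compare_chains(insns):
        vals = ", ".join(f"{v:#x}->{t}" for v, t in c["cases"])
        out.append(f"compare chain at {c['start']} on {c['operand']}: {vals}")
    for t in find_jump_tables(insns):
        n = t["case_count"] if t["case_count"] is not None else "unknown"
        out.append(f"jump table at {t['at']}: index {t['index']}, table {t['table']}, {n} cases")
    return out


if __name__ == "__main__":
    for line in describe(parse_listing(SAMPLE_LISTING)):
        print(line)
```

Run it as a script to get one summary line per candidate; for a real target, paste the text of the function's disassembly into SAMPLE_LISTING. The chain detector accepts any conditional jump, not only JE, because optimizing compilers also dispatch sparse case sets with JG/JL binary searches, and it requires at least two compares on the same operand so that a lone bounds check (CMP EAX,5 / JA) is not reported as a switch by itself.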
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/b0Nl7_nQfs8/