Switch Statements

Introduction

A switch statement branches in multiple ways: it dispatches execution to one of several blocks of code based on the value of an expression. It is a decision-making construct that selects on an integral value (a character or an integer). Long chains of "if" statements that compare a variable against a series of constants are often replaced by a single switch statement.

When reverse-engineering a malicious binary, being able to recognize a compiled switch statement is useful across most malware classes. For instance, malware with keylogger functionality very likely uses a switch statement to handle special keys such as SHIFT, since each key code is a distinct integral value to branch on.

In this article, we will discuss how switch statements can be spotted when reversing a binary.

Switch statements

Figure 1 shows a code snippet of how switch statements are used in the C programming language. 


#include <stdio.h>

int main(void)
{
    int i = 3;                               /* the value being switched on */

    switch (i)
    {
    case 1: printf("Value is 1\n");
            break;
    case 2: printf("Value is 2\n");
            break;
    case 3: printf("Value is 3\n");
            break;
    default: printf("Value out of range\n"); /* taken when no case matches */
    }

    return 0;
}

Figure 1


To keep the example simple, the integer variable "i" is declared and initialized with the value 3. This value is passed to the switch statement, and the statements inside the matching case are executed. When the code is compiled and run, it prints "Value is 3".

When the Figure 1 code is compiled and the resulting binary is opened in a debugger (OllyDbg in this case), the following disassembly is shown.


PUSH EBP
MOV EBP,ESP
AND ESP,FFFFFFF0
SUB ESP,20
CALL switch.00401610
MOV DWORD PTR SS:[ESP+1C],3          ; |
CMP DWORD PTR SS:[ESP+1C],2          ; |
JE SHORT switch.00401549             ; |
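The listing above shows the first of the compiler's compare-and-branch steps: the value stored at [ESP+1C] is compared against the constant 2 and a JE jumps to that case body. The following program is an added example, not code from the original post or from Infosec Resources. It writes the Figure 1 switch in three equivalent forms so the reader can see what the compiler has to produce: the switch itself, the compare-and-branch chain that the disassembly above reflects, and a jump table, which is the other common lowering compilers use when case values are dense. The function names (describe_switch, describe_cmp_chain, describe_jump_table, lowerings_agree) are chosen for this example; the claim that dense cases are lowered to a bounds check followed by an indirect jump is a general statement about compiler behaviour, not something the listing above shows.

```c
#include <stdio.h>
#include <string.h>

/* The switch as the programmer writes it. It mirrors Figure 1 but returns
 * the string instead of printing it, so the result can be checked. */
const char *describe_switch(int i)
{
    switch (i) {
    case 1:  return "Value is 1";
    case 2:  return "Value is 2";
    case 3:  return "Value is 3";
    default: return "Value out of range";
    }
}

/* Lowering 1: a compare-and-branch chain, written by hand in C.
 * This is the shape the OllyDbg listing shows for the three-case example:
 * a CMP against each constant followed by a conditional jump (JE) to the
 * matching case body. The compiler is free to test the constants in any
 * order; the listing happens to test 2 first. */
const char *describe_cmp_chain(int i)
{
    if (i == 2) return "Value is 2";     /* CMP DWORD PTR SS:[ESP+1C],2 ; JE */
    if (i == 3) return "Value is 3";
    if (i == 1) return "Value is 1";
    return "Value out of range";
}

/* Lowering 2: a jump table, emulated with a table of handler functions.
 * For dense case values a compiler typically emits one bounds check and an
 * indirect jump through a table of addresses. Subtracting the smallest case
 * value as an unsigned number folds "below minimum" and "above maximum"
 * into a single comparison, which is the CMP / JA pattern worth
 * recognizing in a disassembly. */
static const char *case_1(void)       { return "Value is 1"; }
static const char *case_2(void)       { return "Value is 2"; }
static const char *case_3(void)       { return "Value is 3"; }
static const char *case_default(void) { return "Value out of range"; }

const char *describe_jump_table(int i)
{
    static const char *(*const table[])(void) = { case_1, case_2, case_3 };
    const unsigned idx = (unsigned)i - 1u;  /* SUB idx,1 ; CMP idx,2 ; JA default */
    if (idx > 2u)                           /* also catches i <= 0 via wraparound */
        return case_default();
    return table[idx]();                    /* JMP DWORD PTR [table + idx*4] */
}

/* All three forms must agree for every input, including the out-of-range
 * values that the bounds check exists to handle. Returns 1 if they agree. */
int lowerings_agree(int i)
{
    const char *a = describe_switch(i);
    return strcmp(a, describe_cmp_chain(i)) == 0 &&
           strcmp(a, describe_jump_table(i)) == 0;
}

int main(void)
{
    /* constructed probe values: in range, just outside, negative, extreme */
    int probes[] = { -1, 0, 1, 2, 3, 4, 0x7fffffff };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("%11d -> %-18s agree=%d\n",
               probes[k], describe_switch(probes[k]), lowerings_agree(probes[k]));
    return 0;
}
```

When reading a disassembly, the two shapes are the tell: a run of CMP/JE pairs against constants, as in the listing above, or a single CMP followed by JA and an indirect JMP through a table. Either one, on an integral value, is a strong sign that the source contained a switch.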


*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/b0Nl7_nQfs8/