Switch Statements
Introduction
A switch statement branches in several directions at once: it dispatches execution to one of several blocks of code according to the value of an expression. It is the construct a program uses to make a decision based on a character or integer value. Long chains of "if" statements that compare a variable against integral constants are often replaced by a single switch statement.
When reverse-engineering a malicious binary, being able to identify switch statements is useful across most malware classes. For instance, malware with keylogger functionality most likely uses a switch statement to handle special keys such as SHIFT.
In this article, we will discuss how switch statements can be spotted when reversing a binary.
Switch statements
Figure 1 shows a code snippet of how switch statements are used in the C programming language.
```c
#include <stdio.h>

int main(void) {
    int i = 3;                  /* value the switch dispatches on */
    switch (i) {
    case 1:
        printf("Value is 1\n");
        break;
    case 2:
        printf("Value is 2\n");
        break;
    case 3:
        printf("Value is 3\n");
        break;
    default:
        printf("Value out of range\n");
    }
    return 0;
}
```
Figure 1
The integer variable "i" is declared and initialized with the value 3 to keep the example simple. This value is passed to the switch statement, and the statements inside the matching case are executed. When this code is compiled and run, the text "Value is 3" is printed.
When the code in Figure 1 is compiled and the resulting binary is opened in a debugger (OllyDbg in this case), the following disassembly results.
```
PUSH EBP
MOV EBP,ESP
AND ESP,FFFFFFF0
SUB ESP,20
CALL switch.00401610
MOV DWORD PTR SS:[ESP+1C],3
CMP DWORD PTR SS:[ESP+1C],2
JE SHORT switch.00401549
```
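As an added example (not code from the original article), the Figure 1 switch is rewritten below to return its text, beside two hand-lowered forms that mirror what a compiler actually emits: the compare-and-branch chain visible in the listing above (the same stack slot compared against one immediate per case), and, going one step beyond the listing, the bounds-checked jump table a compiler produces when the case values are dense. The function names and the case order in the chain are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* The switch from Figure 1, returning its text instead of printing it. */
const char *describe_switch(int i) {
    switch (i) {
    case 1:  return "Value is 1";
    case 2:  return "Value is 2";
    case 3:  return "Value is 3";
    default: return "Value out of range";
    }
}

/* Shape 1: compare-and-branch chain. This is the pattern in the OllyDbg
 * listing: CMP DWORD PTR SS:[ESP+1C],<imm> followed by a JE for each case.
 * The compiler may reorder the cases, so do not expect source order. */
const char *describe_compare_chain(int i) {
    if (i == 2) return "Value is 2";      /* CMP [ESP+1C],2 / JE case_2 */
    if (i == 3) return "Value is 3";      /* CMP [ESP+1C],3 / JE case_3 */
    if (i == 1) return "Value is 1";      /* CMP [ESP+1C],1 / JE case_1 */
    return "Value out of range";          /* fall through to default  */
}

/* Shape 2: jump table, used for dense case values. One subtraction brings the
 * smallest case to index 0, one unsigned compare rejects everything outside
 * the table (negative values wrap to huge unsigned numbers, so they fail the
 * same check), and an indirect jump through the table selects the handler. */
static const char *case_1(void)       { return "Value is 1"; }
static const char *case_2(void)       { return "Value is 2"; }
static const char *case_3(void)       { return "Value is 3"; }
static const char *case_default(void) { return "Value out of range"; }

const char *describe_jump_table(int i) {
    static const char *(*const table[])(void) = { case_1, case_2, case_3 };
    unsigned idx = (unsigned)i - 1u;           /* SUB EAX,1               */
    if (idx > 2u) return case_default();       /* CMP EAX,2 / JA default  */
    return table[idx]();                       /* JMP DWORD PTR [tbl+EAX*4] */
}

int main(void) {
    /* All three forms must agree for every input, in range or not. */
    for (int i = -1; i <= 4; i++)
        printf("%2d: %s | %s | %s\n", i, describe_switch(i),
               describe_compare_chain(i), describe_jump_table(i));
    return 0;
}
```

When reading a listing, the chain shows up as repeated CMP/Jcc pairs on one operand, while the table form shows up as a subtraction, a single unsigned compare with JA/JBE, and an indirect JMP through a memory operand scaled by the pointer size.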
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/b0Nl7_nQfs8/