Kaspersky Academy

Function Calls

CPU supports function calls in the following ways:
* CALL and RET instructions
* ENTER and LEAVE instructions, in conjunction with the CALL and RET instructions

The stack is typically virtually divided into "frames". Each stack frame can contain:
* Return address to the calling procedure
* Local variables
* Parameters to be passed to another procedure

Function Calls - Stack Frame

[Figure: layout of a stack frame - ESP at the top, local variable 1, local variable 2, local variable 3, EBP at the base of the frame]

Function Calls - Continued

* Each procedure typically starts with a prologue. The following steps may be accomplished during this stage:

    push ebp        ; save the stack frame base pointer of the calling procedure
    mov  ebp, esp   ; store the base address of the current stack frame into EBP
    sub  esp, N     ; reserve space for local variables, total size N

* Epilogue reverses the actions of the prologue and returns control to the calling procedure:

    mov  esp, ebp   ; release the space reserved for local variables
    pop  ebp        ; restore the base stack frame pointer of the calling procedure
    ret             ; return execution to the calling procedure

* Actual instructions performed during prologue and epilogue may vary.

Function Calls - Calling Conventions

Calling convention is a scheme which indicates:
* Where arguments are passed: on stack / in registers
* In which order arguments are passed: right-to-left / left-to-right
* Who cleans up the stack: caller cleans up stack / callee cleans up stack

Common Calling Conventions in x86

* cdecl:
  + Arguments are passed on the stack, right-to-left
  + The caller cleans the stack
* fastcall:
  + 2..3 arguments are passed in registers (usually EDX, EAX, and ECX)
  + Additional arguments are passed on the stack, left-to-right
  + The caller cleans the stack
* stdcall:
  + Arguments are passed on the stack in right-to-left order
  + The callee cleans the stack
* thiscall (used with class objects in C++):
  + The pointer to the class object (this) is passed in ECX
  + Arguments are passed on the stack, right-to-left
  + The callee cleans the stack

Common Calling Conventions in x64

* Only two are most commonly used: the Microsoft x64 calling convention and the System V AMD64 ABI.
* Because of the increased register size and the additional available registers (R8-R15), more arguments (than in x86) are passed through registers, but the order varies.

Microsoft x64 calling convention (used in 64-bit Windows):
* First four integer or pointer arguments are passed using RCX, RDX, R8, R9 (in the same order).
* Additional arguments are pushed onto the stack, right to left.

System V AMD64 ABI (used in 64-bit Solaris, Linux, BSD and macOS):
* Standard for Unix / *nix operating systems.
* For a usermode call, the first six integer or pointer arguments are passed in registers RDI, RSI, RDX, RCX, R8, R9 (in the same order).
* Callee clears the stack.

Function Calls - Stack Frame

Consider a function foo() that calls another function bar():

    int __cdecl bar(int a1, int a2, int a3);

The call would translate to:

    push a3
    push a2
    push a1
    call bar
    add  esp, 0Ch

[Figure: stack frame of bar() - from lower addresses (ESP) to higher addresses: saved EBP register (EBP points here), saved EIP register, a1, a2, a3; the stack grows towards lower addresses]

Kaspersky Lab HQ: 39A/3 Leningradskoe Shosse, Moscow, 125212, Russian Federation. Tel: +7 (495) 797-8700, www.kaspersky.com
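The sequence on the slides above (arguments pushed right-to-left, CALL, the prologue and epilogue, RET, and the cleanup that differs between cdecl and stdcall) can be traced with a small model of the 32-bit stack. This is an added example, not code from the Kaspersky Academy slides; it uses a dict as memory, and the initial ESP value, the return address and foo()'s saved EBP are constructed values. The "mismatch" case goes one step beyond the slides: it shows how far ESP drifts when the callee is built for stdcall but the caller assumes cdecl and removes the arguments a second time, which is the kind of inconsistency a reverser looks for when a binary mixes conventions.

```python
"""Toy model of an x86 (32-bit) stack around a call to bar(a1, a2, a3).

Added example, not code from the Kaspersky Academy slides. Memory is a dict
of 4-byte slots; all addresses below are constructed for illustration.
"""

STACK_TOP = 0x0019FF00       # constructed: ESP in foo() before the call
RETURN_ADDRESS = 0x00401234  # constructed: address of the instruction after CALL
FOO_EBP = 0x0019FF40         # constructed: foo()'s frame pointer
ARGS_SIZE = 12               # three dword arguments = 0Ch bytes


class Stack:
    """Models ESP/EBP and the dwords they point at; every slot is 4 bytes."""

    def __init__(self, esp=STACK_TOP, ebp=FOO_EBP):
        self.esp = esp
        self.ebp = ebp
        self.mem = {}

    def push(self, value):
        self.esp -= 4                 # the stack grows towards lower addresses
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def call(self, return_address):
        self.push(return_address)     # CALL pushes the return address (saved EIP)

    def ret(self, imm=0):
        eip = self.pop()              # RET pops the return address...
        self.esp += imm               # ...and 'ret imm16' also discards imm bytes of arguments
        return eip

    def prologue(self, local_size):
        self.push(self.ebp)           # push ebp
        self.ebp = self.esp           # mov ebp, esp
        self.esp -= local_size        # sub esp, N

    def epilogue(self):
        self.esp = self.ebp           # mov esp, ebp
        self.ebp = self.pop()         # pop ebp


def call_bar(a1, a2, a3, convention="cdecl", local_size=12):
    """Run foo() -> bar(a1, a2, a3) -> return, under the given convention.

    Returns bar()'s view of its frame (EBP-relative, as a disassembler shows
    it), the popped return address, and how far ESP and EBP drifted from
    their values before the call (both must be 0 for a correct call).
    """
    s = Stack()
    esp_before, ebp_before = s.esp, s.ebp

    # foo(): push the arguments right-to-left, then transfer control
    s.push(a3)
    s.push(a2)
    s.push(a1)
    s.call(RETURN_ADDRESS)

    # bar(): prologue, then the frame as it looks while the body runs
    s.prologue(local_size)
    frame = {
        "[ebp]": s.mem[s.ebp],            # saved EBP of foo()
        "[ebp+4]": s.mem[s.ebp + 4],      # saved EIP (return address)
        "[ebp+8]": s.mem[s.ebp + 8],      # a1
        "[ebp+0Ch]": s.mem[s.ebp + 12],   # a2
        "[ebp+10h]": s.mem[s.ebp + 16],   # a3
        "local_bytes": s.ebp - s.esp,     # space reserved by 'sub esp, N'
    }

    # bar(): epilogue and return; who removes the arguments depends on the convention
    s.epilogue()
    if convention == "cdecl":
        eip = s.ret()                     # ret
        s.esp += ARGS_SIZE                # add esp, 0Ch back in foo(): the caller cleans up
    elif convention == "stdcall":
        eip = s.ret(ARGS_SIZE)            # ret 0Ch: the callee cleans up
    elif convention == "mismatch":
        eip = s.ret(ARGS_SIZE)            # callee compiled as stdcall...
        s.esp += ARGS_SIZE                # ...but the caller assumes cdecl and cleans up again
    else:
        raise ValueError(f"unknown convention {convention!r}")

    return {
        "frame": frame,
        "return_address": eip,
        "esp_drift": s.esp - esp_before,
        "ebp_drift": s.ebp - ebp_before,
    }


if __name__ == "__main__":
    for conv in ("cdecl", "stdcall", "mismatch"):
        r = call_bar(1, 2, 3, conv)
        print(f"{conv:9s} frame={r['frame']} esp_drift={r['esp_drift']:+d}")
```

The frame dict reproduces the offsets a disassembler labels when it analyses bar(): [ebp+8] is the first argument because the return address and the saved EBP sit between EBP and the arguments, and the arguments appear in left-to-right order in memory precisely because they were pushed right-to-left.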
Basic Static Analysis - Why Is It Necessary?

* Quick file analysis (you are a shift analyst who is pressed for time; you are an experienced analyst and would like to save time by recognizing a familiar pattern; you are working with a gun trained at your head).
* Preliminary analysis: you want to understand what to do with the file - choose tools for detailed analysis, prepare an action plan.
* An analysis in "field" conditions (nothing better than HIEW is available on hand).

Basic Static Analysis - Features

* In many cases, it helps to determine whether or not a sample is malicious in a short time (in a matter of seconds or minutes), if you are experienced enough to do so, of course.
* It helps to estimate the amount of time it would take to perform a full analysis of the sample.
* In a number of cases, it makes it possible to determine sample functionality accurately without resorting to "heavy artillery".
* In the majority of cases it helps to determine crude changes to the structure of the PE file, be that corruption, infection, crack or patch.

Always! When a sample is accessed for the first time.

Static Analysis

Static program analysis is the analysis of computer software that is performed without actually executing programs.
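As a worked illustration of the last point on the Features list (spotting crude changes to the structure of a PE file), here is a first-look header check. It is an added example and not part of the Kaspersky Academy material. It reads only the DOS header, the PE signature, the COFF file header and the section table, roughly what you would eyeball in a hex viewer such as HIEW, and reports findings rather than verdicts. The sample bytes are constructed inline: a header-only, non-loadable shape with a single .text section and an optional header of size zero for brevity; the corruption modes selected by the `corrupt` parameter are constructed as well.

```python
"""Crude structural sanity check of PE headers, as a basic static analysis
first step.

Added example, not code from the Kaspersky Academy slides. Only the DOS
header, PE signature, COFF file header and section table are parsed; the
demo bytes are constructed by hand and are not a real executable.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)           # 40 bytes


def check_pe(data: bytes) -> list:
    """Return human-readable findings; an empty list means the headers are
    internally consistent (not that the file is benign)."""
    findings = []
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return ["no MZ signature / DOS header truncated: not a PE file or badly corrupted"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        return [f"e_lfanew 0x{e_lfanew:X} points outside the file (size 0x{len(data):X})"]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        findings.append(f"PE signature missing at e_lfanew 0x{e_lfanew:X}")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        findings.append(f"unexpected Machine value 0x{machine:X}")
    if nsections == 0 or nsections > 96:
        findings.append(f"implausible NumberOfSections {nsections}")
    table = e_lfanew + 4 + FILE_HEADER_SIZE + opt_size   # section table follows the optional header
    headers_end = table + nsections * SECTION_SIZE
    for i in range(nsections):
        off = table + i * SECTION_SIZE
        if off + SECTION_SIZE > len(data):
            findings.append(f"section table entry {i} lies outside the file")
            break
        raw_name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, off)[:5]
        name = raw_name.rstrip(b"\x00").decode("ascii", "replace")
        if raw_size and raw_ptr + raw_size > len(data):
            findings.append(f"section {name!r}: raw data 0x{raw_ptr:X}-0x{raw_ptr + raw_size:X} "
                            f"extends past end of file (0x{len(data):X})")
        if raw_size and raw_ptr < headers_end:
            findings.append(f"section {name!r}: raw data overlaps the headers")
    return findings


def build_sample(corrupt=None) -> bytes:
    """Constructed demo bytes shaped like a tiny single-section PE (not a
    real, loadable executable). 'corrupt' selects a deliberate defect."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    raw_ptr, raw_size = 0x80, 0x200
    # SizeOfOptionalHeader is 0 here for brevity, so the section table follows the file header directly
    file_header = struct.pack(FILE_HEADER_FMT, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, 0x0102)
    section = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, 0x60000020)    # code | execute | read
    image = bytearray(dos + IMAGE_NT_SIGNATURE + file_header + section)
    assert len(image) == raw_ptr                     # headers occupy exactly 0x80 bytes
    image += b"\xCC" * raw_size                      # constructed section body (INT3 filler)
    if corrupt == "pe_signature":
        image[0x40:0x44] = b"XX\x00\x00"             # signature overwritten
    elif corrupt == "truncated":
        image = image[:raw_ptr + raw_size // 2]      # file cut in the middle of .text
    elif corrupt == "bad_e_lfanew":
        struct.pack_into("<I", image, 0x3C, 0x7FFF0000)   # e_lfanew far beyond EOF
    return bytes(image)


if __name__ == "__main__":
    for mode in (None, "pe_signature", "truncated", "bad_e_lfanew"):
        print(mode or "intact", "->", check_pe(build_sample(mode)) or "headers consistent")
```

To use it on a real file, pass its bytes to check_pe(). An empty result only says the headers agree with the file size and with each other, which is the crude structural check the slide refers to; whether the sample is malicious is a separate question that this step does not answer.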
