The Art of Mac Malware by Patrick Wardle


Author: Patrick Wardle
Language: eng
Format: epub, pdf
Publisher: No Starch Press
Published: 2022-06-13T16:00:00+00:00


Control Flow Disassembly

So far, our analysis has focused on the logic contained solely within functions, not on the interactions of the functions and the code that invokes them. Understanding such interactions is important when analyzing malware, as malicious code will often take decisive actions based on the return value of a single function. Komplex’s payload provides an illustrative example.

Komplex’s persistent payload contains logic in a function named __Z19connectedToInternetv (which demangles to connectedToInternet). This aptly named function checks if an infected host is connected to the internet. If the host is offline, the malware will understandably wait until network connectivity is restored before attempting to connect to its command and control server for tasking. (This check also doubles as a basic anti-analysis mechanism, based on the assumption that most analysis systems are not connected to the internet.)

Let’s examine the disassembly of malware code that invokes the connectedToInternet function and then acts upon its response (Listing 6-13).

0x0000000100005b15:
    0x0000000100005b15 call connectedToInternet()
    0x0000000100005b1a and al, 0x1
    0x0000000100005b1c mov byte [rbp+var_19], al
    0x0000000100005b1f test byte [rbp+var_19], 0x1
(1) 0x0000000100005b23 jz loc_100005b2e
(2) 0x0000000100005b29 jmp loc_100005b40


