When we x-ref “\cmd.exe /c” we come to this part of the code. When it shows us, double click on the first section. We wait a few seconds for it to show us the matches.
Start by going to the search for text section > enter the name of the match you want to find > check all the boxes > click ok.
Now we will deduce what is going on in a specific code area by looking at its components. Open the string windows, and to make it more entertaining I will not show you the image of that direction is \cmd.exe/.Ĭan you tell me where it is located? What is happening in the code that references \cmd.exe /c? Where is it located?įor this we will use the windows string located where the image shows.
How many parameters has IDA Pro recognized for the subroutine at 0x10001656? Use the Strings window to locate the string \cmd.exe /c in the disassembly. How many local variables does this address have? We will see a result like the following, where we will see more clearly what we commented before. In most common conventions, local variables and parameters are related to ebp.Īrguments have positive offsets and local variables have negative offsets.Īs we did in part 1, we will use the search for text, to search for the subroutine that we are asked for. How many local variables has IDA Pro recognized for the subroutine at 0x10001656? If we look closely at the result, we will see that there are 9 functions that are called gethostbyname. When we double click we will select gethostbyname and right click on it, where we will look for the option jump to xref to operand. How many functions does gethostbyname have?Īfter using the Imports window, find gethostbyname and, double-click the function. To open this we will only have to search by name gethostbyname Use the Imports window to browse for gethostbyname: view > open subviews > Imports Where is the import gethostbyname located ? click on search for text and paste all the content that is after the x mentioned above. In the text view we will filter by the address 0x1000D02E to see its content. The first thing to keep in mind is that the code will be displayed in a graph view, so we will right click and change it to text view format. We are analyzing a malicious ddl that we have found in a company that, we are auditing, so it is up to us to see the behavior of the malware by investigating it at a low level. Learning to use IDA PRO Understanding the laboratory