
I'm new to assembly and have been playing around with it. While I was analyzing malware, I realised that there are multiple functions named sub_xxxxxx. How does one determine if this sub_xxxxxx is created by a user, or if it is a function that is imported from somewhere else?

multithr3at3d
empty
    It's not clear to me what you are asking. Most functions are created "automatically" by the compiler when the software is compiled. If a function isn't explicitly compiled from your source code it is usually linked from some library, but those libraries are typically compiled from some user's source code. Are you asking how to differentiate library functions like Windows API functions from other functions? – hft May 14 '20 at 04:55
  • Yes! I would like to know about the differences between the API and other functions. Are there any indications to differentiate an API function from other functions? Thank you for your reply! – empty May 14 '20 at 05:32
  • @NightMoon I edited your question to make it more clear; roll it back if that's not what you intended. – multithr3at3d May 16 '20 at 15:34
  • You may also try asking at https://reverseengineering.stackexchange.com/ – auspicious99 May 16 '20 at 15:37
  • It may be helpful to say what processor this malware is written for, as the answer may vary from processor to processor – auspicious99 May 16 '20 at 15:38

1 Answer


If the program is dynamically linked, functions are usually pretty easy to identify since you will see imported functions with their correct name. E.g. a user created function will be shown as sub_xxxxxx, and printf will be shown as printf.

However, if the program is statically linked, it will be hard to tell the difference between user-created and imported functions. Tools like IDA's FLIRT exist to recognize known functions; there may be some free alternatives as well.

multithr3at3d
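As an added illustration of the two cases in the answer above (not code from the original post or from IDA), the toy model below names functions the way a disassembler does: an address found in the import table gets its real symbol name, a statically linked copy of a library routine is recovered by a FLIRT-style byte signature with wildcards for relocated operands, and anything else becomes sub_xxxxxx. All addresses, byte sequences, import names and signatures are constructed for the example, not taken from any real binary or signature database.

```python
from typing import Dict, List, Optional

# Constructed import table: IAT slot address -> imported symbol name.
IMPORTS: Dict[int, str] = {0x403010: "printf", 0x403018: "malloc"}

# Constructed FLIRT-style signatures. "??" marks a wildcard byte, used where
# the linker patches in an address, so the pattern still matches after relocation.
SIGNATURES: Dict[str, str] = {
    "strlen": "55 48 89 e5 48 8b 3d ?? ?? ?? ?? 31 c0",
    "memcpy": "48 89 f8 48 89 d1 f3 a4 c3",
}

# Constructed "binary": function start address -> raw bytes of the function.
FUNCTIONS: Dict[int, bytes] = {
    0x401000: bytes.fromhex("554889e5e811200000c9c3"),        # user code with a call
    0x401100: bytes.fromhex("554889e5488b3d4523000031c0"),    # strlen copy, operand relocated
    0x401200: bytes.fromhex("4889f84889d1f3a4c3"),            # memcpy copy
    0x401300: bytes.fromhex("4883ec28e8000000004883c428c3"),  # user code, no signature
}


def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn 'aa bb ?? cc' into a list of byte values, None for wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches(code: bytes, pattern: List[Optional[int]]) -> bool:
    """True when the function bytes start with the pattern (wildcards match any byte)."""
    if len(code) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, code))


def name_function(addr: int, code: bytes, imports: Dict[int, str],
                  sigs: Dict[str, List[Optional[int]]]) -> str:
    if addr in imports:                    # dynamic linking: name comes from the import table
        return imports[addr]
    for name, pat in sigs.items():         # static linking: recognize known code by signature
        if matches(code, pat):
            return name
    return f"sub_{addr:X}"                 # unknown code gets the generic disassembler name


def label_functions(functions: Dict[int, bytes], imports: Dict[int, str],
                    signatures: Dict[str, str]) -> Dict[int, str]:
    sigs = {n: parse_pattern(p) for n, p in signatures.items()}
    addrs = sorted(set(functions) | set(imports))
    return {a: name_function(a, functions.get(a, b""), imports, sigs) for a in addrs}


if __name__ == "__main__":
    for addr, name in label_functions(FUNCTIONS, IMPORTS, SIGNATURES).items():
        print(f"{addr:#x}  {name}")
```

Real signature databases also hash the bytes after the prefix and check referenced names to avoid false matches; the wildcard prefix match here shows only the core idea.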