
I have a .exe file, which I have disassembled with IDA Pro. I want to detect static array declarations (arrays stored on the stack). In the case of a dynamic array, there is a function call (such as malloc, calloc, new), which returns the allocation address, probably in EAX. So, how can I detect a static array declaration?

David
  • Is the binary stripped? If it is, then good luck. There aren't any markers or such. You can guess from which addresses are referenced, but that's about it. – fuz Nov 09 '16 at 10:34
  • If the array is put on the stack directly (not some `std::vector` which would allocate the body of the array on the heap anyway), then you may expect `sub esp,somewhat_around_array_size_or_more` around function entry (unless it's hand-written obfuscated assembly doing some other trickery), but that's as "good" advice as "read the source, understand it, and figure it out", and you need a good idea about the array's defined size first... If you are after something particular, and you also know the runtime content, it would probably be easier to run the binary with memory watchdogs and search for the content. – Ped7g Nov 09 '16 at 10:43
  • I must find a way to detect arrays statically (static analysis). If the array size is big (such as 1000, 5000 or something like that), then I can detect it. But what about arrays with small sizes (such as `char buffer[5];` or `int buffer[2]`)? Then there is a problem. – David Nov 09 '16 at 18:12
  • Look for code that indexes into something, or loads a pointer into a register and then adds something to it. – Peter Cordes Nov 09 '16 at 22:34
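
An added example, not part of the original thread: one way to combine the hints in the comments above (the `sub esp` frame size, indexed accesses, and locals whose address is loaded into a register) into a heuristic over a disassembly listing. The listing is constructed, the function names are hypothetical, and it assumes an ebp-based frame with raw offsets rather than IDA's `var_XX` names; the result is a set of candidates with an upper bound on size, not proof of an array.

```python
import re

# Constructed IDA-style listing (Intel syntax, ebp-based frame) for a function
# with locals roughly like: int i; int tbl[4]; char buf[5];
LISTING = """\
push    ebp
mov     ebp, esp
sub     esp, 20h
mov     dword ptr [ebp-4], 0
mov     eax, [ebp-4]
mov     dword ptr [ebp+eax*4-14h], 7
lea     ecx, [ebp-1Ch]
push    ecx
call    _read_input
mov     eax, [ebp-4]
leave
retn
"""

NUM = r"([0-9A-Fa-f]+)(h?)"
FRAME = re.compile(r"sub\s+esp,\s*" + NUM)
LOCAL = re.compile(r"\[ebp(\+e[a-ds][xi](?:\*([1248]))?)?-" + NUM + r"\]")

def to_int(digits, hsuffix):
    return int(digits, 16 if hsuffix else 10)

def find_stack_arrays(listing):
    """Return (frame_size, candidates); candidates maps ebp offset -> info."""
    frame, offsets, hits = None, set(), {}
    for line in listing.splitlines():
        m = FRAME.search(line)
        if m and frame is None:
            frame = to_int(*m.groups())
        for m in LOCAL.finditer(line):
            off = -to_int(m.group(3), m.group(4))
            offsets.add(off)
            if m.group(1):  # register index: base[reg*scale]
                hits[off] = {"why": "indexed", "elem": int(m.group(2) or 1)}
            elif line.lstrip().startswith("lea"):  # address of a local is taken
                hits.setdefault(off, {"why": "address-taken", "elem": None})
    for off, info in hits.items():
        # Upper bound: bytes up to the next referenced local (or saved ebp at 0).
        above = min((o for o in offsets if o > off), default=0)
        info["max_bytes"] = above - off
    return frame, hits
```

A small array that is only ever accessed with constant indices produces neither pattern and is indistinguishable from separate scalar locals, which is the limit the comments describe.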

0 Answers