Analyzing Functions

One of the most powerful aspects of IDA Pro is its ability to recognize functions, label them, and break down the local variables and parameters. Example 5-4 shows an example of a function that has been recognized by IDA Pro.

Example 5-4. Function and stack example

00401020 ; =============== S U B R O U T I N E=============================
00401020
00401020 ; Attributes: ebp-based frame ❶
00401020
00401020 function        proc near               ;  CODE XREF: _main+1Cp
00401020
00401020 var_C           = dword ptr -0Ch ❷ 00401020 var_8 = dword ptr -8 00401020 var_4 = dword ptr -4 00401020 arg_0 = dword ptr 8 00401020 arg_4 = dword ptr 0Ch 00401020 00401020 push ebp 00401021 mov ebp, esp 00401023 sub esp, 0Ch 00401026 mov [ebp+var_8], 5 0040102D mov [ebp+var_C], ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Malware Analysis by Michael Sikorski, Andrew Honig

Analyzing Functions

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly