Forum Discussion

Fastlime
2 months ago

Foundational Static Analysis: Analyzing Structures

The question is asking me "In the disassembly at address 00401567, what is the structure EDX is pointing to? Look at Microsoft Docs for help!"

At the very end of the briefing they go over the explanation of how to identify which offset is determining which call. I am 90% positive that the offset we are supposed to be identifying in this case is 0x17c.

However, within this SAME blurb, while they are explaining the way the stack lines up, they simply identify which API the offset in their example is pointing to. THEY NEVER MENTION HOW THEY GOT THERE!

I am sure that it requires some research, and I have been trying to find anything within the MSDN database, but I can't find a single clue how to identify what API 0x17c is pointing to.

I have even tried looking up references for the offset they had 0x138 which they identified as STARTUPINFO. (I googled both terms together.)

Now I am most definitely missing something here. Maybe I missed a step within the assembly analysis, but I am at a loss. If anyone could help me out I would appreciate it.

  • ChrisKershaw

    Hey Fastlime 👋🏻

    Thank you for posting, I'm sorry for the late reply back to your question.

    We had a member of our Content Team share this with us, if this is of any help to your attempt:

    "Just had a look over this, the task points users at looking at the Microsoft Docs in https://developer.microsoft.com/en-gb/windows/ to help them with identifying APIs. The user can look up the CreateProcess API here to help them identify the structure. Thanks!"

    Will you try this final task again, and see if this helps you to solve the question successfully?

    Kindest regards

    • tacobacocrunchwrap3

      Hello, I don't understand how this can help if we are supposed to be identifying what EDX points to. I have also been on this lab for a long time. I spent a long time using the examples and explanations given on the assembly code to understand what is happening, but I still don't understand how I can identify what EDX is pointing to.
      0040155e     MOV      EDX, dword ptr [EBP+local_8]
      00401561     ADD      EDX, 0x17c
      00401567     PUSH     EDX

      So EDX at 00401567 should be pointing to the address [EBP+local_8] + 0x17c.
      Please correct me if I'm wrong on that.
      If I'm right, how do I identify what EDX is pointing to?

      • autom8on

        So, initially, I thought that they were asking you to look up something in Microsoft documentation, like one of the questions in an earlier lab, where a specific hex value related to a specific crypto algorithm ID. But that's not it, I don't think (low-level assembly stuff and Windows internals are not my forte!). I think 0x17c is just the value that's being passed as the final argument in the CreateProcessA function call, and they're effectively asking you what that value is. So you need to look at the docs for that function call: CreateProcessA function (processthreadsapi.h) - Win32 apps | Microsoft Learn
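The method the thread is circling around, written out as an added example (this is not code from the lab, the briefing, or any poster): take the structure layouts from the Microsoft Learn pages for STARTUPINFOA, PROCESS_INFORMATION and CreateProcessA, compute their 32-bit sizes and member offsets, and map a frame offset seen in the disassembly (here `local_8 + 0x17c`) onto them. Two inputs are assumptions, not facts established by the page: that `local_8 + 0x138` is the STARTUPINFO (the briefing's example, as Fastlime quotes it), and that `PUSH EDX` at 00401567 is the first of CreateProcessA's ten pushes (autom8on's reading). The 32-bit field sizes are a further assumption justified only by the 32-bit registers in the listing. The helper names and the placeholder push list are made up for the example.

```python
"""Map a stack-frame offset seen in x86 disassembly (e.g. ADD EDX, 0x17c) onto a
documented Win32 structure, using field lists transcribed from Microsoft Learn."""
import struct

# Field lists transcribed from the Microsoft Learn pages for STARTUPINFOA and
# PROCESS_INFORMATION. Sizes assume a 32-bit build (the listing uses EBP/EDX):
# DWORD, LPSTR, LPBYTE and HANDLE are 4 bytes ("I"), WORD is 2 bytes ("H").
# Neither structure needs alignment padding on x86, so "<" (packed) is the
# real layout here.
STARTUPINFOA = [
    ("cb", "I"), ("lpReserved", "I"), ("lpDesktop", "I"), ("lpTitle", "I"),
    ("dwX", "I"), ("dwY", "I"), ("dwXSize", "I"), ("dwYSize", "I"),
    ("dwXCountChars", "I"), ("dwYCountChars", "I"), ("dwFillAttribute", "I"),
    ("dwFlags", "I"), ("wShowWindow", "H"), ("cbReserved2", "H"),
    ("lpReserved2", "I"), ("hStdInput", "I"), ("hStdOutput", "I"),
    ("hStdError", "I"),
]
PROCESS_INFORMATION = [
    ("hProcess", "I"), ("hThread", "I"), ("dwProcessId", "I"), ("dwThreadId", "I"),
]

# CreateProcessA parameters in declaration order, from Microsoft Learn.
CREATEPROCESSA_PARAMS = [
    "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
    "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
    "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo",
    "lpProcessInformation",
]

# ASSUMPTION (from the briefing as quoted in the thread): local_8 + 0x138 is
# the STARTUPINFO. Keyed by offset from the buffer that local_8 points to.
KNOWN_STRUCTS = {0x138: ("STARTUPINFOA", STARTUPINFOA)}

# ASSUMPTION: PUSH EDX at 00401567 is the first PUSH of CreateProcessA's ten.
# The other nine operands are not shown in the thread, so they are placeholders.
PUSHES_IN_PROGRAM_ORDER = ["EDX ; local_8 + 0x17c"] + ["? (not shown)"] * 9


def struct_size(layout):
    """Byte size of a layout, e.g. 0x44 for STARTUPINFOA on 32-bit Windows."""
    return struct.calcsize("<" + "".join(fmt for _, fmt in layout))


def member_offsets(layout):
    """{member name: byte offset from the start of the structure}."""
    offsets, pos = {}, 0
    for name, fmt in layout:
        offsets[name] = pos
        pos += struct.calcsize("<" + fmt)
    return offsets


def resolve_offset(frame_offset, known_structs):
    """Describe what lies at frame_offset given {base: (name, layout)} for
    structures already identified in the frame.

    Returns (struct_name, member_name) if the offset is inside a known
    structure, ("after " + struct_name, bytes_past_end) if it is at or past
    the end of one, or None if no known structure starts at or before it."""
    for base, (name, layout) in known_structs.items():
        delta = frame_offset - base
        if delta < 0:
            continue
        size = struct_size(layout)
        if delta < size:
            # The member containing delta is the last one starting at or before it.
            member = max(
                ((m, off) for m, off in member_offsets(layout).items() if off <= delta),
                key=lambda item: item[1],
            )[0]
            return (name, member)
        return ("after " + name, delta - size)
    return None


def bind_stdcall_args(pushes_in_program_order, params):
    """Pair PUSH operands (in listing order, before the CALL) with parameter
    names. Win32 APIs are stdcall: arguments are pushed right to left, so the
    first PUSH in the listing carries the last parameter and the PUSH just
    before the CALL carries the first."""
    if len(pushes_in_program_order) != len(params):
        raise ValueError("push count does not match the parameter count")
    return dict(zip(params, reversed(pushes_in_program_order)))


if __name__ == "__main__":
    print("sizeof(STARTUPINFOA)        = 0x%x" % struct_size(STARTUPINFOA))
    print("sizeof(PROCESS_INFORMATION) = 0x%x" % struct_size(PROCESS_INFORMATION))
    for off in (0x138, 0x168, 0x17c):
        print("local_8 + 0x%x -> %r" % (off, resolve_offset(off, KNOWN_STRUCTS)))
    bound = bind_stdcall_args(PUSHES_IN_PROGRAM_ORDER, CREATEPROCESSA_PARAMS)
    print("first PUSH binds to:", bound["lpProcessInformation"])
```

The script only does the arithmetic and the argument binding; the identification is still yours to make against the docs. What it shows is that, under the stated assumptions, 0x17c sits exactly `sizeof(STARTUPINFOA)` bytes past 0x138 (so it is the first byte after that structure, not a member of it) and that the first PUSH before a CreateProcessA call carries its tenth parameter. Any other offset inside the STARTUPINFO range resolves to a named member, which is the same technique the briefing used for 0x138.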