Currently I'm looking at the object dump of a trojan (supposedly a TDSS variant). I'm doing this on a Linux virtual machine using objdump. I want to find what API functions the trojan calls. I think I've already tracked down most of the native API ones that use interrupts, and those are interesting as it is; but I don't know what other stuff it does. I also did a dump of the headers, but the addresses being used for 'call' instructions and those in the headers are obviously different. I figure there must be some formula for deriving the former from the latter. Can anyone tell me what the formula is? I've been Googling on this for a while; nothing so far. And yes, I'm a newbie at malware analysis. I'm doing this strictly for educational purposes. First native API calls, then Win32 API calls, then figuring out the flow of execution and what arguments and data are being used; until I (hopefully) have a picture of how it works.
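
The relationship asked about above, as an added example that is not part of the original post: PE headers store relative virtual addresses (RVAs), the disassembly shows virtual addresses, and VA = ImageBase + RVA. The Python code below walks a PE32 import table and maps each import-address-table slot VA to its DLL and function, so an indirect `call` through one of those addresses can be named; `iat_map` and `sample_pe` are hypothetical helper names, and the sample image is constructed for illustration.

```python
import struct

def iat_map(pe: bytes) -> dict:
    """Map each import-address-table slot VA to 'dll!function' (PE32 only)."""
    u16 = lambda o: struct.unpack_from("<H", pe, o)[0]
    u32 = lambda o: struct.unpack_from("<I", pe, o)[0]
    nt = u32(0x3C)                                   # e_lfanew: offset of "PE\0\0"
    opt = nt + 24                                    # optional header follows file header
    if pe[nt:nt + 4] != b"PE\0\0" or u16(opt) != 0x10B:
        raise ValueError("not a PE32 image")
    image_base, import_rva = u32(opt + 28), u32(opt + 104)
    sec0 = opt + u16(nt + 20)                        # section table starts here
    secs = [struct.unpack_from("<4I", pe, sec0 + 40 * i + 8) for i in range(u16(nt + 6))]

    def off(rva):                                    # RVA -> file offset
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva):                                   # NUL-terminated string at an RVA
        o = off(rva)
        return pe[o:pe.index(b"\0", o)].decode("ascii", "replace")

    slots, desc = {}, off(import_rva)
    while True:
        lookup, _, _, name, first_thunk = struct.unpack_from("<5I", pe, desc)
        if not name:                                 # all-zero descriptor ends the list
            return slots
        table, i = off(lookup or first_thunk), 0
        while (thunk := u32(table + 4 * i)):
            func = f"#{thunk & 0xFFFF}" if thunk & 0x80000000 else cstr(thunk + 2)
            slots[image_base + first_thunk + 4 * i] = f"{cstr(name)}!{func}"  # VA = base + RVA
            i += 1
        desc += 20

def sample_pe() -> bytes:
    """Constructed minimal PE32 image: one section, two imports from one DLL."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)             # i386, one section
    struct.pack_into("<HHH", pe, 0x54, 0xE0, 0x102, 0x10B)  # opt size, flags, magic
    struct.pack_into("<I", pe, 0x58 + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", pe, 0x58 + 104, 0x2000, 40)     # import directory RVA, size
    struct.pack_into("<4I", pe, 0x140, 0x100, 0x2000, 0x200, 0x200)   # vsize, va, raw size, raw ptr
    struct.pack_into("<5I", pe, 0x200, 0x2028, 0, 0, 0x2050, 0x2038)  # import descriptor
    for o in (0x228, 0x238):                                # lookup table and IAT
        struct.pack_into("<3I", pe, o, 0x2060, 0x80000010, 0)
    pe[0x250:0x25A], pe[0x262:0x26A] = b"ntdll.dll\0", b"NtClose\0"
    return bytes(pe)
```

This covers only imports listed in the headers of a PE32 file as it sits on disk; APIs that a program resolves at run time do not appear in the import table.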