Live Phishing Attack Authentication Activity from a Foreign Address.

Live phishing attack shown in class: http://syvn.org/includes//adfs.odu.edu.html
Note how to read the URL: the host is syvn.org; the ODU-looking name (adfs.odu.edu) appears only in the path, so nothing about this page is served by ODU.

Debugging (Chapter 8 of Practical Malware Analysis)

Debuggers
Hardware or software used to examine the execution of another program.
Disassembler: a static snapshot of what the code looks like before execution.
Debugger: a dynamic view of what the code does during execution.
Source-level debugger (built into most IDEs): debug while coding; maps machine execution to the corresponding source lines; breakpoints are set on source-code lines.
Assembly-level debugger: operates strictly at the machine-instruction level. This is the main kind used for malware, since no source code is available.

Types of Debuggers
User mode: one program debugs another, both running in user space (the debugger is a separate process). Examples: OllyDbg, gdb.
Kernel mode: debugging the kernel itself normally needs a second machine (or a VM) to host the debugger, and the target OS must be configured to allow kernel debugging. Example: WinDbg.

Using a Debugger
Single stepping: one machine instruction (or one source line) at a time; slow.
Step over: execute a call instruction as a unit, without entering the called function (F8 in OllyDbg).
Step into: follow the call into the called function, starting at its first instruction (F7 in OllyDbg).
Step out: run until the current function returns to its caller (gdb's finish).

Breakpoints
Software breakpoints are needed because registers and memory contents change as the program runs; a breakpoint lets you examine the state of the machine at a critical point of execution.
File creation: set a breakpoint on CreateFileW and read the filename argument off the stack.
Encryption: set a breakpoint at the encryption routine to see the data before it is encrypted.
Implementation: the debugger overwrites the first byte of the target instruction with INT 3 (0xCC), saving the original byte.
When the 0xCC executes, the CPU raises a breakpoint exception, the OS delivers it to the debugger, and the debugger takes control.
On continue the debugger restores the original byte, single-steps the real instruction, and writes 0xCC back so the breakpoint stays armed.
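The set / hit / restore / re-arm cycle above, as an added example that is not from the slides or from any real debugger's source. It models the debuggee's code page as a byte array (a real debugger writes the page with WriteProcessMemory or ptrace); the instruction bytes and addresses are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added example, not from the slides: a minimal model of how a user-mode
 * debugger keeps software breakpoints. "mem" stands in for the debuggee's
 * code pages; the bytes are constructed, not taken from a real program. */

#define INT3   0xCC
#define MAX_BP 4

struct bp  { uint32_t addr; uint8_t saved; int active; };
struct dbg {
    uint8_t  *mem;            /* debuggee code image */
    uint32_t  base;           /* virtual address of mem[0] */
    struct bp bps[MAX_BP];
    int       nbp;
};

/* Plant INT 3 over the first byte of the instruction at addr, saving the
 * original byte so it can be put back. Returns 0 on success. */
int set_breakpoint(struct dbg *d, uint32_t addr)
{
    if (d->nbp == MAX_BP) return -1;
    struct bp *b = &d->bps[d->nbp++];
    b->addr   = addr;
    b->saved  = d->mem[addr - d->base];
    b->active = 1;
    d->mem[addr - d->base] = INT3;
    return 0;
}

static struct bp *find_bp(struct dbg *d, uint32_t addr)
{
    for (int i = 0; i < d->nbp; i++)
        if (d->bps[i].active && d->bps[i].addr == addr) return &d->bps[i];
    return NULL;
}

/* Called when the OS reports a breakpoint exception. The CPU has already
 * executed the one-byte INT 3, so the reported EIP is one past it. If that
 * address is one of ours, restore the original byte and return the address
 * the debuggee must resume at (EIP rewound by one). Returns 0 if the INT 3
 * was not ours (e.g. one the program contains itself), so the caller can
 * pass the exception on to the program. */
uint32_t on_breakpoint_exception(struct dbg *d, uint32_t eip)
{
    struct bp *b = find_bp(d, eip - 1);
    if (!b) return 0;
    d->mem[b->addr - d->base] = b->saved;
    return b->addr;
}

/* After single-stepping the restored instruction, re-plant INT 3 so the
 * breakpoint fires again next time. */
void rearm_breakpoint(struct dbg *d, uint32_t addr)
{
    struct bp *b = find_bp(d, addr);
    if (b) d->mem[b->addr - d->base] = INT3;
}

/* One set / hit / restore / re-arm cycle on a constructed code image.
 * Returns how many of the five expected observations held. */
int demo_breakpoint_cycle(void)
{
    /* constructed bytes: push ebp; mov ebp,esp; sub esp,10h; ret */
    uint8_t img[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3 };
    struct dbg d = { img, 0x00401000u, {{0}}, 0 };
    int ok = 0;

    ok += set_breakpoint(&d, 0x00401003u) == 0;                     /* on "sub esp,10h" */
    ok += img[3] == INT3;                                           /* byte replaced */
    ok += on_breakpoint_exception(&d, 0x00401004u) == 0x00401003u;  /* hit reported at EIP=addr+1 */
    ok += img[3] == 0x83;                                           /* original byte restored */
    rearm_breakpoint(&d, 0x00401003u);
    ok += img[3] == INT3 && on_breakpoint_exception(&d, 0x00401002u) == 0;  /* re-armed; foreign INT 3 ignored */
    return ok;
}

int main(void)
{
    printf("breakpoint cycle checks passed: %d/5\n", demo_breakpoint_cycle());
    return 0;
}
```

Because the 0xCC really is written into the process's code, malware that checksums its own .text section (or scans it for 0xCC) can detect software breakpoints; hardware breakpoints leave the code bytes untouched.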

Hardware Breakpoints
Hardware execution breakpoints are faster and more flexible: dedicated CPU registers hold the virtual addresses to watch, so no instruction bytes are modified.
Can also be set to break on access: halt when a (non-executed) memory location is read or written.
x86 has only four address registers (DR0-DR3), so at most four hardware breakpoints are active at once; DR7 (debug control) holds the enable bits and the type and length of each.
They can be modified by the running program (malware), which can simply clear them, for example through the CONTEXT handed to its own exception handler.
Counter-measure: the General Detect (GD) flag in DR7 raises a debug exception before any mov to or from a debug register, so the debugger sees the attempt to change them.
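The DR7 layout that the "four registers, GD flag" points above refer to, as an added example not taken from the slides. The bit positions follow the Intel SDM (vol. 3, "Debug Registers"); the code only computes a 32-bit value and never touches real debug registers, and the "malware clears DR7" scenario is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: the DR7 bit layout a debugger writes
 * to arm DR0-DR3. A real debugger would place the result in the thread
 * CONTEXT (Windows, SetThreadContext) or write it with ptrace (Linux). */

enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_READWRITE = 3 }; /* R/Wn field */
enum bp_len  { LEN_1 = 0, LEN_2 = 1, LEN_8 = 2, LEN_4 = 3 };             /* LENn field */

#define DR7_GD  (1u << 13)   /* General Detect: #DB before any access to DR0-DR7 */

/* Arm slot n (0..3) with a local enable (Ln) for the given kind and length.
 * Execution breakpoints must use LEN_1. Returns 0xFFFFFFFF on bad input. */
uint32_t dr7_arm(uint32_t dr7, int n, enum bp_kind kind, enum bp_len len)
{
    if (n < 0 || n > 3) return 0xFFFFFFFFu;
    if (kind == BP_EXEC && len != LEN_1) return 0xFFFFFFFFu;
    dr7 |=  1u << (n * 2);                        /* Ln: bit 2n */
    dr7 &= ~(0xFu << (16 + n * 4));               /* clear R/Wn and LENn */
    dr7 |=  (uint32_t)kind << (16 + n * 4);       /* R/Wn: bits 16+4n, 17+4n */
    dr7 |=  (uint32_t)len  << (18 + n * 4);       /* LENn: bits 18+4n, 19+4n */
    return dr7;
}

/* Clear slot n: Ln, Gn and its type/length. This is all a debuggee needs to
 * do to kill a hardware breakpoint if it can write its own DR7. */
uint32_t dr7_disarm(uint32_t dr7, int n)
{
    if (n < 0 || n > 3) return dr7;
    dr7 &= ~(3u << (n * 2));
    dr7 &= ~(0xFu << (16 + n * 4));
    return dr7;
}

int dr7_slot_enabled(uint32_t dr7, int n) { return ((dr7 >> (n * 2)) & 3) ? 1 : 0; }

int dr7_free_slots(uint32_t dr7)
{
    int free_slots = 0;
    for (int n = 0; n < 4; n++) if (!dr7_slot_enabled(dr7, n)) free_slots++;
    return free_slots;
}

/* The counter-measure on the slide: with GD set, the debuggee's attempt to
 * execute "mov dr7, eax" raises #DB before the move happens and DR6.BD is
 * set, so the debugger sees the attempt instead of silently losing its
 * breakpoints. */
uint32_t dr7_enable_general_detect(uint32_t dr7) { return dr7 | DR7_GD; }
int      dr7_general_detect(uint32_t dr7)        { return (dr7 & DR7_GD) != 0; }

int main(void)
{
    uint32_t dr7 = 0;
    dr7 = dr7_arm(dr7, 0, BP_EXEC, LEN_1);        /* execution breakpoint in DR0 */
    dr7 = dr7_arm(dr7, 1, BP_WRITE, LEN_4);       /* 4-byte write watchpoint in DR1 */
    dr7 = dr7_arm(dr7, 2, BP_READWRITE, LEN_2);   /* 2-byte access watchpoint in DR2 */
    printf("DR7 = 0x%08X, free slots = %d\n", dr7, dr7_free_slots(dr7));
    printf("after the debuggee clears all three: 0x%08X\n",
           dr7_disarm(dr7_disarm(dr7_disarm(dr7, 0), 1), 2));
    return 0;
}
```

Caveat for user-mode work: Windows sanitizes the DR7 value a user-mode debugger supplies through SetThreadContext and honours only the enable and type/length bits, so in practice GD is a facility for kernel debuggers such as WinDbg rather than for OllyDbg.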

Conditional Breakpoints
Conditional software execution breakpoints break only if a condition is met.
Example: break on GetProcAddress only if the function-name argument is RegSetValue.
Implemented as a normal software breakpoint; the debugger evaluates the condition on every hit and automatically continues if the condition is false.
Cost: the program slows down noticeably, because every hit traps into the debugger just to check the condition.

Exceptions
Exceptions pass control to the debugger: division by zero, invalid memory access, INT 3 (0xCC, the breakpoint instruction), and so on.
A debugger may interfere with exception handlers that the program legitimately needs to run.
First-chance and second-chance exceptions:
The attached debugger gets first-chance control; the program is "almost dead" at this point, and the debugger can inspect its state before any handler runs.
If the debugger does not want the exception, the program is allowed to handle it itself.
If the program does not handle it and would crash, the debugger gets a second chance; the program is now "already dead".
Malware may intentionally trigger exceptions to probe its environment: if a debugger swallows the first-chance exception, the malware's own handler never runs, which reveals the debugger.

OllyDbg (Chapter 9)

History
Developed by Oleh Yuschuk.
First used to crack software; later the primary debugger of choice for malware analysts and exploit developers.
Many still use OllyDbg 1.1; OllyDbg 2.0 is also available.
Purchased by Immunity and rebranded as Immunity Debugger (ImmDbg), with Python API support added. Free.

Loading a Program in OllyDbg
Open the executable from within OllyDbg (File->Open).
In-class exercise: open notepad.exe, the example executable used in the book (not malware).
Four main windows: Disassembler, Registers, Stack, Memory dump.

Attach to a Running Process
File->Attach.
The currently executing thread is paused and displayed.

OllyDbg Interface (screenshot): Disassembler window, Register window, Memory dump window, Stack window.

OllyDbg Interface
Disassembler window: press the spacebar to modify (reassemble) the selected instruction.
Register window: modify a register by right-clicking the selected value.
Stack window: the current state of the stack in memory; right-click -> Modify.
Memory dump window: dump of live memory for the debugged process.

Memory Map (notepad.exe)
View->Memory shows the PE header, code, imports and data sections of notepad, and every DLL loaded into the process is viewable the same way.

Rebasing
PE files have a preferred base address (ImageBase); most executables prefer 0x00400000.
Relocatable code allows libraries to be rebased, which lets libraries be written independently of each other.
Example: two DLLs have the same preferred load address; the second one to load is relocated elsewhere.
Address space layout randomization (ASLR) deliberately loads images at randomized bases as an exploit mitigation, so rebasing becomes the normal case rather than a collision fallback.
Absolute address references are fixed up at load time using the .reloc section, which the PE header's data directory points to.
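The load-time fix-up step described above, as an added example that is not from the slides: it applies .reloc entries to a constructed image fragment the way the Windows loader (or a manual mapper) does. The block format is the documented IMAGE_BASE_RELOCATION layout; the image bytes, the reloc block and the addresses are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: applying PE base relocations when an
 * image cannot be placed at its preferred ImageBase. .reloc is a sequence of
 * blocks { DWORD VirtualAddress (page RVA); DWORD SizeOfBlock; WORD entries[] },
 * each entry = type (top 4 bits) | offset within the page (low 12 bits). */

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fix-up */
#define IMAGE_REL_BASED_HIGHLOW  3   /* add delta to a 32-bit absolute address */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk every block and fix up every HIGHLOW entry. Returns the number of
 * fix-ups applied, or -1 if the reloc data is malformed or points outside
 * the image. A loader must check this: when the file is malware, .reloc is
 * attacker-controlled input. */
int apply_relocations(uint8_t *image, uint32_t image_size,
                      const uint8_t *reloc, uint32_t reloc_size,
                      uint32_t preferred_base, uint32_t actual_base)
{
    uint32_t delta = actual_base - preferred_base;
    uint32_t pos = 0;
    int applied = 0;

    if (delta == 0) return 0;                        /* got ImageBase: nothing to do */
    while (pos + 8 <= reloc_size) {
        uint32_t page_rva   = rd32(reloc + pos);
        uint32_t block_size = rd32(reloc + pos + 4);
        if (block_size < 8 || block_size > reloc_size - pos) return -1;
        for (uint32_t e = pos + 8; e + 2 <= pos + block_size; e += 2) {
            uint16_t entry = rd16(reloc + e);
            uint16_t type  = entry >> 12;
            uint32_t rva   = page_rva + (entry & 0x0FFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW)  return -1;   /* 32-bit demo only */
            if (rva > image_size - 4)             return -1;
            wr32(image + rva, rd32(image + rva) + delta);
            applied++;
        }
        pos += block_size;
    }
    return applied;
}

/* Constructed image fragment (preferred base 0x00400000):
 *   RVA 0x10: B8 00 30 40 00   mov eax, 0x00403000   (absolute ref at RVA 0x11)
 *   RVA 0x15: 68 10 30 40 00   push 0x00403010       (absolute ref at RVA 0x16)
 * and one .reloc block for page 0 with two HIGHLOW entries plus padding. */
static const uint8_t CODE[10] = { 0xB8, 0x00, 0x30, 0x40, 0x00, 0x68, 0x10, 0x30, 0x40, 0x00 };
static const uint8_t RELOC[] = {
    0x00, 0x00, 0x00, 0x00,   /* VirtualAddress = 0 (page RVA) */
    0x10, 0x00, 0x00, 0x00,   /* SizeOfBlock = 16              */
    0x11, 0x30,               /* HIGHLOW, offset 0x011          */
    0x16, 0x30,               /* HIGHLOW, offset 0x016          */
    0x00, 0x00, 0x00, 0x00    /* two ABSOLUTE padding entries   */
};

static int run_demo(uint32_t actual_base, uint8_t img[32])
{
    memset(img, 0x90, 32);
    memcpy(img + 0x10, CODE, sizeof CODE);
    return apply_relocations(img, 32, RELOC, sizeof RELOC, 0x00400000u, actual_base);
}

int      demo_fixups_applied(uint32_t actual_base) { uint8_t img[32]; return run_demo(actual_base, img); }
uint32_t demo_mov_operand(uint32_t actual_base)    { uint8_t img[32]; run_demo(actual_base, img); return rd32(img + 0x11); }
uint32_t demo_push_operand(uint32_t actual_base)   { uint8_t img[32]; run_demo(actual_base, img); return rd32(img + 0x16); }

int main(void)
{
    printf("loaded at 0x10000000: %d fix-ups, mov operand -> 0x%08X, push operand -> 0x%08X\n",
           demo_fixups_applied(0x10000000u), demo_mov_operand(0x10000000u), demo_push_operand(0x10000000u));
    return 0;
}
```

This is also why a dumped, rebased image shows different absolute operands than the file on disk: every HIGHLOW site has had the delta added.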

In-Class Exercise
Note the address OllyDbg stops at in notepad's .text section (the entry point).
Relaunch OllyDbg on notepad.
What is the address now? Different, or still the same?
Answer: the same, 0x0100739D. Notepad's preferred ImageBase is 0x01000000 and nothing forced a relocation. On Vista and later, an image linked with /DYNAMICBASE gets an ASLR-randomized base, which changes after a reboot.

In-Class Exercise
Most programs, and most malware, are multi-threaded.
View the current threads with View->Threads; each thread has its own stack.
In-class exercise: launch Internet Explorer, attach OllyDbg, open View->Threads. How many threads are there?

Executing Code
Debug menu: Run.
Breakpoint->Run to Selection: continue execution until the selected instruction is reached.
Debug->Execute till Return: run until the next return instruction is hit (like gdb's finish); useful when you want to pause after the current function finishes.
Debug->Execute till User Code: run until the user program's own code (the malware, rather than library code) is reached.
Step into: one instruction, following calls.
Step over: one instruction, executing calls as a unit.

Breakpoints
Software breakpoints: toggle an unconditional breakpoint by right-clicking the instruction (or F2); list them with View->Breakpoints.
Conditional breakpoints break only if a certain condition is true; checking the condition on every hit has a performance cost.
Use a conditional breakpoint to detect memory allocations above a certain size.
Book example: the Poison Ivy backdoor reads shellcode commands from a socket and executes them; the command-and-control server sends a large quantity of shellcode.

Conditional Breakpoints
Poison Ivy calls VirtualAlloc to allocate memory dynamically.
We want to break only on the large allocations that indicate a batch of commands (size > 100).
At the VirtualAlloc entry point the size parameter (dwSize, the second argument) is at [ESP+8]: ESP points to the return address, [ESP+4] is lpAddress, [ESP+8] is dwSize.
Set a breakpoint at the VirtualAlloc entry point with the condition [ESP+8] > 100 (Breakpoint->Conditional; Figure 9-8, p. 190). Note that OllyDbg reads a bare number in a condition as hexadecimal, so 100 here means 0x100 = 256 bytes.
Click Play and wait for the code to break.
OllyDbg can also set memory breakpoints that fire on access to a chunk of memory (p. 190).
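What the two conditions on these slides ([ESP+8] > 100 for VirtualAlloc, and the earlier GetProcAddress-only-if-RegSetValue example) actually read at the API entry point, as an added example that is not from the book or OllyDbg. The stack images, return addresses and module handle are constructed for the demo; the argument positions follow the 32-bit stdcall convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the book or OllyDbg: evaluating a conditional
 * breakpoint's expression against a modelled stack frame. At the first
 * instruction of a 32-bit stdcall/cdecl API, [ESP] is the return address and
 * the arguments follow in order: arg1 = [ESP+4], arg2 = [ESP+8], ... */

struct frame {
    uint32_t        esp;     /* ESP at the breakpoint */
    const uint32_t *stack;   /* dwords starting at address esp */
    size_t          n;
};

static uint32_t read_dword(const struct frame *f, uint32_t addr)
{
    uint32_t off = addr - f->esp;
    return (off % 4 == 0 && off / 4 < f->n) ? f->stack[off / 4] : 0;
}

/* k-th argument (1-based) of a stdcall/cdecl function at its entry point. */
uint32_t stdcall_arg(const struct frame *f, int k)
{
    return read_dword(f, f->esp + 4u * (uint32_t)k);
}

/* VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): dwSize is
 * arg 2, i.e. [ESP+8]. OllyDbg parses a bare number in a condition as hex,
 * so the book's "> 100" means > 0x100 = 256 bytes; "100." would be decimal. */
int cond_virtualalloc_large(const struct frame *f, uint32_t threshold)
{
    return stdcall_arg(f, 2) > threshold;
}

/* GetProcAddress(hModule, lpProcName): arg 2 is a *pointer* to the name, so
 * the condition must dereference it and compare a string (OllyDbg has a
 * string-compare syntax for this). The model's memory holds one string. */
struct data_region { uint32_t va; const char *bytes; };

int cond_getprocaddress_name(const struct frame *f, const struct data_region *mem, const char *want)
{
    uint32_t p = stdcall_arg(f, 2);
    if (p != mem->va) return 0;                 /* pointer outside modelled memory */
    return strcmp(mem->bytes, want) == 0;
}

/* Constructed VirtualAlloc(NULL, dwsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) frame. */
int demo_virtualalloc_breaks(uint32_t dwsize, uint32_t threshold)
{
    uint32_t stack[5] = { 0x00401234u /* return address */, 0, dwsize, 0x1000u, 0x40u };
    struct frame f = { 0x0012FF30u, stack, 5 };
    return cond_virtualalloc_large(&f, threshold);
}

/* Constructed GetProcAddress(hModule, name) frame; the name lives at 0x00403000. */
int demo_getprocaddress_breaks(const char *name, const char *want)
{
    struct data_region mem = { 0x00403000u, name };
    uint32_t stack[3] = { 0x00401500u /* return address */, 0x7C800000u /* hModule */, 0x00403000u };
    struct frame f = { 0x0012FF40u, stack, 3 };
    return cond_getprocaddress_name(&f, &mem, want);
}

int main(void)
{
    printf("dwSize=0x200 > 0x100: %d\n", demo_virtualalloc_breaks(0x200, 0x100));
    printf("dwSize=150 (decimal) > 0x100: %d  (a 150-byte allocation would not break)\n",
           demo_virtualalloc_breaks(150, 0x100));
    printf("GetProcAddress(\"RegSetValue\"): %d\n", demo_getprocaddress_breaks("RegSetValue", "RegSetValue"));
    return 0;
}
```

The [ESP+8] offset is only valid at the very first instruction of the function; once the prologue has pushed EBP, the same argument is at [EBP+0C], which is why the breakpoint goes on the entry point and not a few instructions in.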

Loading DLLs
Malware is often delivered as a DLL to be injected into another process, and a DLL cannot be executed directly.
OllyDbg uses loaddll.exe as a dummy host program and breaks at the DLL's entry point (DllMain) once it is loaded.
In-class exercise (reproduce Figure 9-10, p. 191):
Open C:\WINDOWS\system32\ws2_32.dll in OllyDbg (32-bit only).
Hit Play to let the DLL initialize.
Debug->Call DLL export calls a particular exported function with custom parameters.
Call ntohl with the argument 7F000001 and watch the disassembler window: the result is returned in EAX.
ntohl converts network (big-endian) byte order to host byte order; on x86 that is a byte swap, so 7F000001 becomes 0100007F.

In-class practice (ws2_32.dll): convert 127.0.0.1 from network byte order to host byte order.
127.0.0.1 in network byte order is the byte sequence 7F 00 00 01; a little-endian x86 reads those four bytes as the dword 0100007F, and ntohl returns 7F000001, the host-order value of 127.0.0.1.
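The byte-order conversion behind the ws2_32!ntohl exercise, as an added example that is not from the slides. The dotted-quad parser and the formatting helper are written for the demo; the ntohl call itself is the POSIX one from arpa/inet.h (on Windows it is the same function exported by ws2_32.dll).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl on POSIX; on Windows: winsock2.h / ws2_32!ntohl */

/* Added example, not from the slides. Network byte order is big-endian:
 * 127.0.0.1 is stored in memory as the bytes 7F 00 00 01. A little-endian
 * x86 loading those bytes into a register sees 0x0100007F, so ntohl/htonl on
 * x86 is a byte swap (and a no-op on a big-endian host). */

uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) | ((v << 8) & 0x00FF0000u) | (v << 24);
}

int host_is_little_endian(void)
{
    uint32_t one = 1;
    return *(const uint8_t *)&one == 1;
}

/* What EAX holds after the exercise's call on x86: ntohl(7F000001). */
uint32_t ntohl_on_x86(uint32_t arg) { return bswap32(arg); }

/* The register value you get after loading the network-order bytes of a
 * dotted quad on a little-endian host, i.e. ntohl's proper input. Minimal
 * parser for the demo; returns 0 on malformed input. */
uint32_t dotted_quad_as_le_register(const char *s)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    return (uint32_t)a | (uint32_t)b << 8 | (uint32_t)c << 16 | (uint32_t)d << 24;
}

/* Render a host-order IPv4 value (ntohl's output) as a dotted quad. */
const char *ipv4_host_order_to_string(uint32_t v)
{
    static char buf[16];   /* demo only: not re-entrant */
    snprintf(buf, sizeof buf, "%u.%u.%u.%u",
             (unsigned)(v >> 24), (unsigned)(v >> 16) & 0xFF, (unsigned)(v >> 8) & 0xFF, (unsigned)v & 0xFF);
    return buf;
}

int main(void)
{
    uint32_t reg = dotted_quad_as_le_register("127.0.0.1");     /* 0x0100007F on x86 */
    printf("127.0.0.1 in memory, read as a dword: 0x%08X\n", reg);
    printf("ntohl -> 0x%08X = %s\n", ntohl(reg), ipv4_host_order_to_string(ntohl(reg)));
    printf("the slide's input 7F000001 -> EAX = 0x%08X\n", ntohl_on_x86(0x7F000001u));
    return 0;
}
```

When you read an address out of a captured sockaddr_in in the memory dump window, it is in network order: the dword 0100007F there is 127.0.0.1, not 1.0.0.127.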

Exceptions
Exception handling in OllyDbg: when an exception occurs, the user can choose to
step into the exception (Shift+F7), passing it to the program's handler and following it,
step over the exception (Shift+F8), or
run the debugger's exception handler (Shift+F9).
Debugging Options can also be set to ignore all exceptions, immediately transferring control back to the program's own handler.

Patching
Modify live data (registers and flags), or assemble and patch code directly into the program.
Example from the book: a JNZ jumps when the password does not match; NOP it out so the jump is never taken.
The replacement must be exactly as long as the instruction it overwrites (a short JNZ is two bytes, so two NOPs); OllyDbg's Assemble dialog has a "Fill with NOPs" option for this.
Changes are made in live memory; to save them to the file use right-click -> Copy to Executable -> All Modifications, then Save File.
Patching can be used to permanently modify a piece of malware to facilitate analysis.
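The two things "Copy to executable" has to get right, mapping the patched virtual address back to a file offset and keeping the patch the same length as the instruction, as an added example that is not from the book or OllyDbg. The section table, image base and file bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the book or OllyDbg: making an in-memory patch
 * permanent. The patch is applied at a virtual address, but the file on disk
 * is laid out by raw offsets, so the section table maps VA -> file offset. */

struct section {
    const char *name;
    uint32_t virtual_address;   /* RVA of the section in memory */
    uint32_t virtual_size;
    uint32_t raw_pointer;       /* PointerToRawData: offset in the file */
    uint32_t raw_size;          /* SizeOfRawData */
};

#define NOT_IN_FILE 0xFFFFFFFFu

/* Map a VA to the file offset that backs it, or NOT_IN_FILE if the address
 * is in no section or lies in the part of a section that exists only in
 * memory (VirtualSize beyond SizeOfRawData, e.g. zero-filled data). */
uint32_t va_to_file_offset(const struct section *secs, int n, uint32_t image_base, uint32_t va)
{
    uint32_t rva = va - image_base;
    for (int i = 0; i < n; i++) {
        uint32_t start = secs[i].virtual_address;
        if (rva >= start && rva - start < secs[i].virtual_size) {
            uint32_t off = rva - start;
            return off < secs[i].raw_size ? secs[i].raw_pointer + off : NOT_IN_FILE;
        }
    }
    return NOT_IN_FILE;
}

/* NOP out a JNZ so the jump is never taken. The replacement must be exactly
 * as long as the instruction, or the bytes after it decode as garbage:
 * JNZ rel8 is 75 xx (2 bytes), JNZ rel32 is 0F 85 xx xx xx xx (6 bytes).
 * Refuses to touch anything else. Returns bytes patched, 0 if refused. */
int nop_out_jnz(uint8_t *file, uint32_t file_size, uint32_t off)
{
    int len;
    if (off + 2 <= file_size && file[off] == 0x75)                              len = 2;
    else if (off + 6 <= file_size && file[off] == 0x0F && file[off + 1] == 0x85) len = 6;
    else return 0;
    memset(file + off, 0x90, (size_t)len);
    return len;
}

/* Constructed layout: .text at RVA 0x1000 (file 0x400); .data at RVA 0x2000
 * (file 0x1400) with 0x200 bytes on disk but 0x800 bytes in memory. */
static const struct section SECS[] = {
    { ".text", 0x1000, 0x1000, 0x400,  0x1000 },
    { ".data", 0x2000, 0x0800, 0x1400, 0x0200 },
};
#define IMAGE_BASE 0x00400000u

uint32_t demo_file_offset(uint32_t va)
{
    return va_to_file_offset(SECS, 2, IMAGE_BASE, va);
}

/* Patch the JNZ at VA 0x401010 in a constructed file image and return the
 * three bytes now at its file offset packed as 0xAABBCC (two NOPs plus the
 * untouched byte that follows), or 0 if the patch was refused. */
uint32_t demo_patch_password_check(void)
{
    static uint8_t file[0x1600];
    memset(file, 0, sizeof file);
    uint32_t off = demo_file_offset(0x401010u);
    if (off == NOT_IN_FILE) return 0;
    file[off] = 0x75; file[off + 1] = 0x12; file[off + 2] = 0xB8;   /* jnz +12h ; mov eax,... */
    if (nop_out_jnz(file, sizeof file, off) != 2) return 0;
    return (uint32_t)file[off] << 16 | (uint32_t)file[off + 1] << 8 | file[off + 2];
}

int main(void)
{
    printf("VA 0x401010 -> file offset 0x%X\n", demo_file_offset(0x401010u));
    printf("bytes after patch: 0x%06X\n", demo_patch_password_check());
    return 0;
}
```

A patch at an address that maps to NOT_IN_FILE (uninitialized data, or a region the unpacker created with VirtualAlloc) cannot be saved this way at all; that is the case OllyDump, on the next slide, exists for.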

OllyDump, the most common plug-in
Dumps the debugged process to a PE file using its current in-memory state (code, data, etc.).
Useful for packed malware: run until the unpacking and decryption are done, find the original entry point, then dump.
Creates a new PE file that can be loaded into IDA Pro.
See other plug-ins on pp. 198-200.

Personal Experience with OllyDbg
Fonts are too small; they hurt my eyes.
No "go back" like in IDA Pro, so you may have to restart once you overshoot using step over.
Great interactive features: it tells you the actual flow of the program, whereas with IDA Pro you may only have a hunch and have difficulty analyzing the actual flow of the program.

In-Class Homework