Malware Incident Response  Dynamic Analysis - 2

Slides:



Advertisements
Similar presentations
Introduction to Eclipse. Start Eclipse Click and then click Eclipse from the menu: Or open a shell and type eclipse after the prompt.
Advertisements

Slide 1CPU Emulator Tutorial This program is part of the software suite that accompanies the book The Digital Core, by Noam Nisan and Shimon Schocken 2003,
COMPUTER PROGRAMMING I Essential Standard 5.02 Understand Breakpoint, Watch Window, and Try And Catch to Find Errors.
Utilizing the GDB debugger to analyze programs Background and application.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Lab6 – Debug Assembly Language Lab
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Designing a Virtual Machine. Basic Approach Object-oriented design Try to model the hardware. Seek a level of detail that is appropriate for interpretation.
Chapter 4 H1 Assembly Language: Part 2. Direct instruction Contains the absolute address of the memory location it accesses. ld instruction:
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
OllyDbg Debuger.
SRE  Introduction 1 Software Reverse Engineering (SRE)
Embedded Systems Principle of Debugger. Reference Materials kl.de/avr_projects/arm_projects/#winarmhttp://
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Application Security Tom Chothia Computer Security, Lecture 14.
Practical Malware Analysis Ch 8: Debugging Rev
P.1ECE 331, Prof. A. Mason Professor Andrew Mason Michigan State University Spring 2013 ECE 331: PC Lab 1: Using HC12 ASM Simulators.
Debugging a Program … Using the PC/370 Emulator Interactively !
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Chapter 4 - Implementing Standard Program Structures in 8086 Assembly Language from Microprocessors and Interfacing by Douglas Hall.
Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.
1 Κατανεμημένες Διαδικτυακές Εφαρμογές Πολυμέσων Γιάννης Πετράκης.
Objective At the conclusion of this chapter you will be able to:
Module 6: Debugging a Windows CE Image.  Overview Debug Zones IDE Debug Setup IDE Debug Commands Platform Builder Integrated Kernel Debugger Other Debugging.
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.
Copyright 2006 by Timothy J. McGuire, Ph.D. 1 MIPS Assembly Language CS 333 Sam Houston State University Dr. Tim McGuire.
Bit-DSP-MicrocontrollerTMS320F2812 Texas Instruments Incorporated European Customer Training Center University of Applied Sciences Zwickau (FH)
CSE 351 GDB Introduction. Lab 1 Status? How is Lab 1 going? I’ll be available at the end of class to answer questions There are office hours later today.
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 Carnegie Mellon Assembly and Bomb Lab : Introduction to Computer Systems Recitation 4, Sept. 17, 2012.
Intro to SPIM Justin Fiore Nathan Parish. Installing SPIM on Windows Download pcspim.zip from the SPIM website:
Copyright 2006 by Timothy J. McGuire, Ph.D. 1 MIPS Assembly Language CS 333 Sam Houston State University Dr. Tim McGuire.
Software mechanism of Genesis --- a cheating software for Warcraft3 Yang Chen Wen Sun.
Lecture 11 Example Rootkit. Intel internship Intel CTG (Corporate Technology Group) –Advanced research & development –System integrity services using.
GDB Introduction And Lab 2
PV204 Security technologies Reverse engineering of binary applications Petr Švenda Faculty of Informatics, Masaryk University.
Writing an Assembly-language program MIPS assembly language using MARS: MIPS Assembler and Runtime Simulator CS-2710 Dr. Mark L. Hornick 1.
Gnu Debugger (gdb) Debuggers are used to: Find semantic errors Locate seg faults and bus errors Prepared by Dr. Spiegel.
Introduction to Operating Systems Concepts
Lecture 3 Translation.
Topic 2: Hardware and Software
Penetration Testing Social Engineering Attack and Web-based Exploitation CIS 6395, Incident Response Technologies Fall.
Lab assignments Follow each lab walkthrough in textbook
Development Environment
Gnu Debugger (gdb) Debuggers are used to: Find semantic errors
Live Phishing Attack Authentication Activity from a Foreign Address.
MIPS Instruction Set Advantages
More GDB, Intro to x86 Calling Conventions, Control Flow, & Lab 2
Dynamic Analysis ddaa.
Debugging with gdb gdb is the GNU debugger on our CS machines.
Computer Programming I
Software Development with uMPS
Introduction to Computer Systems
Computer Architecture “Bomb Lab Hints”
Computer Science I CSC 135.
Lab assignments Follow each lab walkthrough in textbook
CSc 352 Debugging Tools Saumya Debray Dept. of Computer Science
Debugging Taken from notes by Dr. Neil Moore
CPU Emulator Tutorial This program is part of the software suite
CSC235 - Visual Studio Tutorial
Our Environment We will exercise on Microsoft Visual C++ v.6
Debugging Taken from notes by Dr. Neil Moore
Homework Reading Programming Assignments Finish K&R Chapter 1
Reverse engineering through full system simulations
Module 6: Debugging a Windows CE Image
Reversing an Executable
Some Assembly (Part 2) set.html.
CSE 153 Design of Operating Systems Winter 2019
Following Malware Execution in IDA
Presentation transcript:

Malware Incident Response  Dynamic Analysis - 2 CIS 6395, Incident Response Technologies Fall 2016, Dr. Cliff Zou czou@cs.ucf.edu

Acknowledgement Javier Nieto Hacking Blog: Slides from book: http://www.behindthefirewalls.com/2013/11/hacklu- capturing-flag-v10.html Slides from book: https://samsclass.info/126/ppt/ch8.ppt

Windows Malware Dynamic Analysis using OllyDbg

Debugger: OllyDbg http://ollydbg.de/ Purpose Licensing OllyDbg is a general purpose win32 user-mode debugger. The great thing about it is the intuitive UI and powerful disassembler Licensing OllyDbg is free (shareware), however it is not open source and the source code is not available We will use OllyDbg 1.10 version

Disassemblers v. Debuggers A disassembler like IDA Pro shows the state of the program just before execution begins Debuggers show Every memory location Register Argument to every function At any point during processing And let you change them

Two Debuggers Ollydbg Windbg Most popular for malware analysis User-mode debugging only IDA Pro has a built-in debugger, but it's not as easy to use or powerful as Ollydbg Windbg Supports kernel-mode debugging

Case Study: Hack.lu - Capturing the flag V.1.0 Using Ollydbg to solve half of the puzzle: http://www.behindthefirewalls.com/2013/11/hacklu-capturing-flag- v10.html The competitors need to get two hard-coded passwords of a program called RoboAuth.exe which can be downloaded here: http://shell-storm.org/repo/CTF/Hacklu-2013/Reversing/RoboAuth- 150/RoboAuth.exe In the above posting by Javier Nieto, he provided how to find the first password using Ollydbg

Highlight: next instruction to be executed Ollydbg Interface Disassembler Highlight: next instruction to be executed Registers Memory dump Stack

Run A Program Under OllyDbg Load the .exe file, and click “Debug” “Run” The first “run” will start the program to the first instruction, but not actually run the program On second click of “Run”, the RoboAuth.exe executes and asks us to input the first password. Wrong input will cause the program to terminate.

Analyze A Binary Code Under OllyDbg A program may have many text outputs, they will give us hint Check ASCII strings in the assembly code look at "All referenced test strings" in order to find something which draws attention. Right-click assembly code window… After you run the code

Find ASCII Output Interested we can see the string "You passed level1!". We can suppose that just before that, the assemble code will compare our password with the real one.

Find Code for Password Testing To go to this string in the assemble code, we right-click on this line and select "Follow in Disassembler". Two lines before that, we can see the function "TEST EAX, EAX" Test EAX, EAX  set ZF flag (zero flag) to 1 if EAX == 0 JNZ addr  if ZF ==0, then jump to address of addr One line above, “CALL…” must be the call to the subroutine “strcmp()” to set EAX by comparing our password with the hard- code password!

Check Memory in Runtime for Real Password Set a breaking point at this point in order to stop the program just when the program is comparing the passwords in order to see the good one in the Stack. Right click on the line which contains “CALL…", select Breakpoint and select "Memory, on access“ Then click “Run” again

Check Memory in Runtime for Real Password Write a password (distinct) and wait until the program stops in the breakpoint. See the Stack window (bottom right) in OllyDbg Shows the state of the stack in memory for the thread being debugged. Below our password “######" followed by other string "r0b0RUlez!". It seems to be the password.

Test the Password Obtained Run the RoboAuth.exe, test the first password of "r0b0RUlez!”, It works!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.