Presentation is loading. Please wait.

Presentation is loading. Please wait.

Live Phishing Attack Authentication Activity from a Foreign Address.

Published byAllan Short Modified over 6 years ago

Similar presentations

Presentation on theme: "Live Phishing Attack Authentication Activity from a Foreign Address."— Presentation transcript:

1 Live Phishing Attack Authentication Activity from a Foreign Address

2 Live Phishing Attack

3 Debugging Chapter 8 Debugging

4 Debuggers Hardware or software used to examine execution of another program Disassembler: static snapshot of what code looks like before execution Debugger: dynamic snapshot of what code does during execution Source-Level (built-in most IDE) Debug while coding Map machine execution to corresponding source code lines Allow setting of breakpoints at source-code lines Assembly-level Strictly operate at machine instruction level Main debugger used for malware (no need to access to source code)

5 Types of Debuggers User mode Kernel mode
Debug one program via another program all in user space Examples: OllyDbg, gdb Kernel mode Debugging a kernel requires a second machine Must configure target OS to allow kernel debugging Examples: WinDbg

6 Using a Debugger Single stepping
One machine instruction or source line at a time (slow) Stepping-over: bypass call instructions (F8) Stepping-into: in the call function (starting from the first instruction) (F7) Stepping-out: run until return back to calling function (finish)

7 Breakpoints Breakpoints (software)
Needed because registers/memory addr are changing Allows one to examine the state of the machine at critical execution points File creation – set breakpoint to CreateFileW and look at the value on stack to get filename Encryption – set breakpoint at encryption to see data before encrypted Implemented by overwriting INT 3 (0xcc) into opcode of instruction When 0xcc is executed, OS generates an exception and transfer control to debugger Debugger restores overwritten byte upon continue

8 Hardware Breakpoints Hardware execution breakpoints (faster, more flexible) Dedicated registers that store virtual addresses Can be set to break on access – break when a memory location is encountered (halt on non-execution memory address) Only 4 hardware registers (DR0-DR3) – x86 4 active hardware breakpoints at once. Can be modified by running program (malware)! Malware can disable them Counter-measure is “General Detect” flag in DR7 (debug control) that triggers a breakpoint prior to any mov involving debug registers Detect when the debug register is changed

9 Conditional Breakpoints
Conditional software execution breakpoints Break only if a certain condition is met Example Break on GetProcAddress function only if address parameter is RegSetValue Implemented as normal software breakpoint, but debugger checks condition and automatically continues if not met Program slow down -> examine whether condition is met

10 Exceptions Exceptions pass control to debugger
Division by 0, invalid memory access, INT 3 (0xcc/breakpoint), Might interfere with exception handlers that program needs to run First-chance and second-chance exceptions Debugger (if attached) gets first-chance control – see if in debugger when exception occurs –almost dead If debugger does not want it, program allowed to handle exception If program does not handle exception and would crash, debugger gets a second-chance to handle exception – already dead Malware may intentionally trigger first-chance exceptions to determine environment

11 OllyDBG Chapter 9 OllyDBG

12 History Developed by Oleh Yuschuk First used to crack software
Primary debugger of choice for malware analysis *and* exploit developers Many still use OllyDbg OllyDbg 2.0 also available. Purchased by Immunity and rebranded as Immunity Debugger (ImmDbg) Python API support added Free

13 Loading Program in OllyDbg
Open executable from within OllyDbg In class exercise: Opening executable notepad.exe (malware used in book) 4 main windows of OllyDbg Disassembler, Registers, Stack, Memory dump

14 Attach to a running process File->Attach
Current executing thread will be paused and displayed

15 OllyDbg Interface Disassembler Window Register Window
Memory Dump Window Stack Window

16 OllyDbg Interface Disassembler window: press spacebar to modify instruction Register Window: modify data in register by right-clicking any register value selected Stack Window: current state of the stack in memory; right-click->modify Memory Dump Window: Dump of live memory for the debugged process

17 Memory Map (notepad.exe)
PE header, code, imports,data All DLLs imported are also viewable

18 Rebasing PE files have preferred base address (image base)
Most executables loaded at 0x Relocatable code allows libraries to be rebased Enables libraries to be written independent of each other Example: two libs have the same preferred load address, one is relocated elsewhere Address space layout randomization – reduce the chances of collision Absolute address references modified at load time via .reloc information in PE header

19 In Class Exercise In-class exercise
Note the location of notepad's .text section Relaunch OllyDbg on notepad again What is the location now? Is it different or still the same ? Same 0x D

20 In Class Exercise Most programs and malware multi-threaded
View current threads by selecting View-> Threads Each thread has its own stack In-class exercise Launch Internet Explorer Attach OllyDbg View threads via View>Threads How many threads are there?

21

22 Executing Code Debug menu Run Breakpoint=>Run to selection
Continue execution until specified instruction Debug=>Execute till Return Runs until next return hit (e.g. Finish) (useful when the you want pause after function finishes) Debug=>Execute till User Code Run until user program code is reached (malware code) Step into (single instruction) Step over (bypass the call)

23 Breakpoints Software breakpoints
Unconditional breakpoint (Toggle) Right-click instruction to find sub-menu to set View->Breakpoints Conditional Breakpoints – break only if certain condition is true (performance impact to check the condition) Use conditional breakpoints to detect memory allocations above a certain size Book Example: Poison Ivy Backdoor that reads shellcode commands from socket and executes them Command-and-control server sends a large quantity of shellcode

24 Conditional Breakpoints
Uses a call to VirtualAlloc dynamically allocate memory Want to break only on large allocations indicative of a batch of commands (> 100bytes) Size parameter at [ESP+8] (ESP top of the stack) Set breakpoint at VirtualAlloc entry point if condition [ESP+8] > 100 Breakpoint=>Conditional (Figure 9-8, p. 190) Click Play and wait code to break OllyDbg can also set memory breakpoints to access a chunk of memory (p. 190)

25 Loading DLLs Malware often delivered as DLLs to be injected into other processes DLL cannot be executed directly OllyDbg uses loaddll.exe as dummy program OllyDbg breaks at DllMain entry point once loaded In-class exercise Generate Figure 9-10, p. 191 Open C:\WINDOWS\system32\ws2_32.dll in OllyDbg(32-bit only) Hit play to initialize DLL Debug->Call DLL export to call a particular exported function with custom parameters View disassembler window to see code (enter 7F000001) -> see it being loaded into EAX Ntohl -> convert network to host order 7F > F

26 In-class practice (ws_32.dll)

27 In-class practice (ws_32.dll)
Convert to Host Byte Order Network Byte Order

28 Exceptions Exception handling with OllyDbg User options
Step into exception Step over exception Run debugger exception handler Can also set in Debugging Options to ignore all exceptions (immediately transfer control back to program)

29 Patching Modifying live data (registers and flags), assemble and patch code directly into a program Example from the book JNZ will jump if password is not a match – NOP it so the jump will not be taken Changes made in live memory, save it to file in Copy to Executable-> All Modifications; Save File Patching can be used to permanently modify a piece of malware to facilitate analysis

30 OllyDump – most common plug-in
Dump a debugged process to a PE file; will use the current state (code,data, etc) in memory Can be used for unpacked program – find entry point after unpacking and decryption operations of malware performed Create a new PE file for IDAPro See other plug-ins from p

31 Personal Experience with OllyDbg
Fonts are too small – hurt my eyes No go back like IDAPro, may have to restart once overshoots using step over. Great interactive features – tells you the actual flow of the program whereas using IDAPro, you may only have a hunch and have difficulty to analyze the actual flow of the program.

32 In Class Homework

Download ppt "Live Phishing Attack Authentication Activity from a Foreign Address."

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
Chapter 3 Loaders and Linkers

Chapter 3 Loaders and Linkers
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Nullcon Goa 2010http://nullcon.net Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma Amandeep Bharti Rohan Thakur.

Nullcon Goa 2010http://nullcon.net Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma Amandeep Bharti Rohan Thakur.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
OllyDbg Debuger.

OllyDbg Debuger.
What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.
1 CSC 2405: Computer Systems II Spring 2012 Dr. Tom Way.

1 CSC 2405: Computer Systems II Spring 2012 Dr. Tom Way.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
System Calls 1.

System Calls 1.
Practical Malware Analysis Ch 8: Debugging Rev. 10-13-14.

Practical Malware Analysis Ch 8: Debugging Rev
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
1-1 Embedded Network Interface (ENI) API Concepts Shared RAM vs. FIFO modes ENI API’s.

1-1 Embedded Network Interface (ENI) API Concepts Shared RAM vs. FIFO modes ENI API’s.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.

Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,

Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
UBI >> Contents Chapter 2 Software Development tools Code Composer Essentials v3: Code Debugging Texas Instruments Incorporated University of Beira Interior.

UBI >> Contents Chapter 2 Software Development tools Code Composer Essentials v3: Code Debugging Texas Instruments Incorporated University of Beira Interior.

Similar presentations

Ads by Google