Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Incident Response  Dynamic Analysis - 2

Published byDoris Carpenter Modified over 6 years ago

Similar presentations

Presentation on theme: "Malware Incident Response  Dynamic Analysis - 2"— Presentation transcript:

1 Malware Incident Response  Dynamic Analysis - 2
CIS 6395, Incident Response Technologies Fall 2016, Dr. Cliff Zou

2 Acknowledgement Javier Nieto Hacking Blog: Slides from book:
capturing-flag-v10.html Slides from book:

3 Windows Malware Dynamic Analysis using OllyDbg

4 Debugger: OllyDbg http://ollydbg.de/ Purpose Licensing
OllyDbg is a general purpose win32 user-mode debugger. The great thing about it is the intuitive UI and powerful disassembler Licensing OllyDbg is free (shareware), however it is not open source and the source code is not available We will use OllyDbg 1.10 version

5 Disassemblers v. Debuggers
A disassembler like IDA Pro shows the state of the program just before execution begins Debuggers show Every memory location Register Argument to every function At any point during processing And let you change them

6 Two Debuggers Ollydbg Windbg Most popular for malware analysis
User-mode debugging only IDA Pro has a built-in debugger, but it's not as easy to use or powerful as Ollydbg Windbg Supports kernel-mode debugging

7 Case Study: Hack.lu - Capturing the flag V.1.0
Using Ollydbg to solve half of the puzzle: v10.html The competitors need to get two hard-coded passwords of a program called RoboAuth.exe which can be downloaded here: 150/RoboAuth.exe In the above posting by Javier Nieto, he provided how to find the first password using Ollydbg

8 Highlight: next instruction to be executed
Ollydbg Interface Disassembler Highlight: next instruction to be executed Registers Memory dump Stack

9 Run A Program Under OllyDbg
Load the .exe file, and click “Debug” “Run” The first “run” will start the program to the first instruction, but not actually run the program On second click of “Run”, the RoboAuth.exe executes and asks us to input the first password. Wrong input will cause the program to terminate.

10 Analyze A Binary Code Under OllyDbg
A program may have many text outputs, they will give us hint Check ASCII strings in the assembly code look at "All referenced test strings" in order to find something which draws attention. Right-click assembly code window… After you run the code

11 Find ASCII Output Interested
we can see the string "You passed level1!". We can suppose that just before that, the assemble code will compare our password with the real one.

12 Find Code for Password Testing
To go to this string in the assemble code, we right-click on this line and select "Follow in Disassembler". Two lines before that, we can see the function "TEST EAX, EAX" Test EAX, EAX  set ZF flag (zero flag) to 1 if EAX == 0 JNZ addr  if ZF ==0, then jump to address of addr One line above, “CALL…” must be the call to the subroutine “strcmp()” to set EAX by comparing our password with the hard- code password!

13 Check Memory in Runtime for Real Password
Set a breaking point at this point in order to stop the program just when the program is comparing the passwords in order to see the good one in the Stack. Right click on the line which contains “CALL…", select Breakpoint and select "Memory, on access“ Then click “Run” again

14 Check Memory in Runtime for Real Password
Write a password (distinct) and wait until the program stops in the breakpoint. See the Stack window (bottom right) in OllyDbg Shows the state of the stack in memory for the thread being debugged. Below our password “######" followed by other string "r0b0RUlez!". It seems to be the password.

15 Test the Password Obtained
Run the RoboAuth.exe, test the first password of "r0b0RUlez!”, It works!

Download ppt "Malware Incident Response  Dynamic Analysis - 2"

Similar presentations

Introduction to Eclipse. Start Eclipse Click and then click Eclipse from the menu: Or open a shell and type eclipse after the prompt.

Introduction to Eclipse. Start Eclipse Click and then click Eclipse from the menu: Or open a shell and type eclipse after the prompt.
Slide 1CPU Emulator Tutorial This program is part of the software suite that accompanies the book The Digital Core, by Noam Nisan and Shimon Schocken 2003,

Slide 1CPU Emulator Tutorial This program is part of the software suite that accompanies the book The Digital Core, by Noam Nisan and Shimon Schocken 2003,
COMPUTER PROGRAMMING I Essential Standard 5.02 Understand Breakpoint, Watch Window, and Try And Catch to Find Errors.

COMPUTER PROGRAMMING I Essential Standard 5.02 Understand Breakpoint, Watch Window, and Try And Catch to Find Errors.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Lab6 – Debug Assembly Language Lab

Lab6 – Debug Assembly Language Lab
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Designing a Virtual Machine. Basic Approach Object-oriented design Try to model the hardware. Seek a level of detail that is appropriate for interpretation.

Designing a Virtual Machine. Basic Approach Object-oriented design Try to model the hardware. Seek a level of detail that is appropriate for interpretation.
Chapter 4 H1 Assembly Language: Part 2. Direct instruction Contains the absolute address of the memory location it accesses. ld instruction: 0000 000000000100.

Chapter 4 H1 Assembly Language: Part 2. Direct instruction Contains the absolute address of the memory location it accesses. ld instruction:
Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.

Memory & Storage Architecture Seoul National University Computer Architecture “ Bomb Lab Hints” 2nd semester, 2014 Modified version : The original.
OllyDbg Debuger.

OllyDbg Debuger.
SRE  Introduction 1 Software Reverse Engineering (SRE)

SRE  Introduction 1 Software Reverse Engineering (SRE)
Embedded Systems Principle of Debugger. Reference Materials kl.de/avr_projects/arm_projects/#winarmhttp://www.siwawi.arubi.uni-

Embedded Systems Principle of Debugger. Reference Materials kl.de/avr_projects/arm_projects/#winarmhttp://
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.

1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.
Practical Malware Analysis Ch 8: Debugging Rev. 10-13-14.

Practical Malware Analysis Ch 8: Debugging Rev
P.1ECE 331, Prof. A. Mason Professor Andrew Mason Michigan State University Spring 2013 ECE 331: PC Lab 1: Using HC12 ASM Simulators.

P.1ECE 331, Prof. A. Mason Professor Andrew Mason Michigan State University Spring 2013 ECE 331: PC Lab 1: Using HC12 ASM Simulators.
Debugging a Program … Using the PC/370 Emulator Interactively !

Debugging a Program … Using the PC/370 Emulator Interactively !
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Similar presentations

Ads by Google