Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Published byClarissa Rose Modified over 9 years ago

Similar presentations

Presentation on theme: "Part 3: Advanced Dynamic Analysis Chapter 8: Debugging."— Presentation transcript:

1 Part 3: Advanced Dynamic Analysis Chapter 8: Debugging

2 Debugger Hardware or software used to examine execution of another program Disassembler: static snapshot of what code looks like before execution Debugger: dynamic snapshot of what code does during execution

3 Types of debuggers Source-level Debug while coding Map machine execution to corresponding source code lines Allow setting of breakpoints at source-code lines Assembly-level Strictly operate at machine instruction level Main debugger used for malware

4 Kernel mode v. user mode User mode Debug one program via another program all in user space Examples: OlllyDbg Kernel mode Debugging a kernel requires a second machine Must configure target OS to allow kernel debugging Examples: WinDbg

5 Debugging functions Single stepping One machine instruction or source line at a time Stepping-over: call functions executed all at once before control returned to debugger Stepping-into: call functions followed and callee executed one machine instruction at a time Stepping-out: some debuggers allow you to return to calling function Replay Some VMs allow record/replay to “undo” execution

6 Debugging functions Software execution breakpoints Virtual address or source line Examine the state of the machine at critical execution points File creation (Listing 8-4, Figure 8-1) Encryption (Listing 8-5, Figure 8-2) Implemented by overwriting INT 3 (0xcc) into opcode of instruction (Table 8-1) Debugger restores overwritten byte upon continue Replay Some VMs allow record/replay to “undo” execution

7 Debugging functions Hardware execution breakpoints Dedicated registers that store virtual addresses Can be set to break on access, rather than on execution Memory watchpoints on data (reads or writes) 4 hardware registers (DR0-DR3) Can be modified by running program! Malware can disable them Counter-measure is “General Detect” flag in DR7 that triggers a breakpoint on any mov involving debug registers

8 Debugging functions Conditional software execution breakpoints Break only if a certain condition is met Example Break on GetProcAddress function only if address parameter is RegSetValue Implemented as normal software breakpoint, but debugger checks condition and automatically continues if not met

9 Exceptions Used by debugger to gain control of program INT 3, Trap flag in FLAGS register, Division by 0, invalid memory access First-chance and second-chance exceptions Debugger (if attached) gets first-chance control over exceptions If debugger does not want it, program allowed to handle exception If program does not handle exception and would crash, debugger gets a second-chance to handle exception Malware may intentionally trigger first-chance exceptions to determine environment

10 Modifying execution Via debugger Skip functions by changing EIP directly Invoke functions directly on arguments you choose Use in metamorphic malware Malware programmed to behave differently under different circumstances Debugger can be set to trace branches of metamorphic code (Listing 8-6)

11 Advanced Dynamic Analysis Chapter 9: OllyDbg

12 OllyDbg Developed by Oleh Yuschuk Debugger of choice for malware analysis *and* exploit developers Bought by Immunity and rebranded as ImmDbg Python API support added Many still use OllyDbg 1.1 (OllyDbg 2.0 not widely used yet in 2012)

13 Loading code in OllyDbg Open executable from within OllyDbg Launch executable and attach In-class exercise Recreate Figure 9-2 for notepad.exe 4 main windows of OllyDbg Disassembler, Registers, Stack, Memory dump Launch notepad.exe from OllyDbg Attach OllyDbg to running notepad Recreate Figures 9-3, 9-4 for notepad.exe

14 Rebasing Memory locations of Figure 9-4 dynamic Relocatable code allows libraries to be rebased Enables libraries to be written independent of each other Absolute address references modified at load time via.reloc information in PE header Supports ASLR to thwart malware In-class exercise Note the location of notepad's.text section Relaunch OllyDbg on notepad again What is the location now?

15 Threads Most programs and malware multi-threaded In-class exercise Launch Internet Explorer Attach OllyDbg View threads via View>Threads How many threads are there?

16 Executing code Debug menu Run Restarts process until next breakpoint reached Breakpoint=>Run to selection Continue execution until specified instruction Debug=>Execute till Return Runs until next return hit Debug=>Execute till User Code Run until user program code is reached Pulls out of library calls In-class: MyExample.exe strncmp Step into, step over

17 Executing code Malware making a mess out of step-over P. 187 Step over a “call” instruction sets breakpoint to next instruction after call Malware might never return Could be a “get EIP” trick as well – call followed by a pop

18 Breakpoints View=>Breakpoints to list Right-click instruction to find sub-menu to set Software breakpoint (Toggle) Sets execution breakpoint at instruction See string decoder in Listing 9-2 Hardware breakpoint (on execution) Memory (on access) Memory (on write)

19 Breakpoints Right-click instruction to find sub-menu to set Conditional breakpoint Checks condition to see if debugger should break Poison Ivy example – Backdoor that reads shellcode commands from socket and executes them – Uses a call to VirtualAlloc to store command – Typical call to VirtualAlloc (Figure 9-7) – Want to break only on large allocations indicative of a batch of commands (> 100bytes) » Size parameter at [ESP+8] » Set breakpoint at VirtualAlloc entry point if condition [ESP+8] > 100 » Breakpoint=>Conditional » Figure 9-8

20 Loading DLLs Malware often delivered as DLLs to be injected into other processes OllyDbg uses loaddll.exe as dummy program Calls into DllMain function of target DLL Hit play to initialize DLL Debug=>Call DLL export to call a particular exported function with custom parameters Follow in disassembler to see code Figure 9-10 In-class exercise Open Lab03-02.dll (only on 32-bit win7, restart olly)

21 Tracing Recording execution Standard Back Trace Execution recorded when single stepping + and – take you forward and backward in execution Call Stack Trace View the function call path that has led to your current execution point In-class: MyExample.exe strncmp

22 Tracing Recording execution Run Trace OllyDbg saves every executed instruction and all changes to registers and flags Highlight code to trace – Run Trace=>Add Selection – Execute – View=>Run Trace – - and + to navigate trace and see changes – In-class: MyExample.exe and strncmp Or use “Trace Into” and “Trace Over” options to run trace until next breakpoint – Take care to limit size of trace

23 Tracing Poison Ivy backdoor example VirtualAlloc to store commands from C&C server Stored in heap memory EIP executes from heap locations Goal: Find out mechanism for execution Step #1: Set condition to pause on EIP outside of program segment (Figure 9-11) Step #2: Trace Into to execute until condition met Step #3: Use – key to backup execution to see where entry into shellcode occurred

24 Exceptions Exceptions that occur while debugger attached transfer control to debugger User options Step into exception Step over exception Run exception handler Can also set in Debugging Options to ignore all exceptions (immediately transfer control back to program)

25 Patching Modifying program instructions to change behavior Binary=>Edit In class In OllyDbg, modify conditional branch within MyExample.exe to *always* hit OK branch Copy modifications to new executable

26 Dumping Create new binary upon unpacking program OllyDump plug-in Find entry point after unpacking and decryption operations of malware performed Creates a new executable that can be analyzed within IDA Pro Figure 9-16

27 In-class exercise Lab 9-2 In OllyDbg, perform the Follow in Dump step to display 1qaz2wsx and ocl.exe Generate Listing 9-6L in IDA Pro. In OllyDbg, set a breakpoint at the strcmp and identify the strings being compared In IDA Pro, show where the network calls are located Change the name of the file to enable the malware to execute Step through and show the DNS name as it is being decoded Within Wireshark, show the connect and its result

Download ppt "Part 3: Advanced Dynamic Analysis Chapter 8: Debugging."

Similar presentations

Computer-System Structures Er.Harsimran Singh www.ProgrammingPlaza.com.

Computer-System Structures Er.Harsimran Singh
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Nullcon Goa 2010http://nullcon.net Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma Amandeep Bharti Rohan Thakur.

Nullcon Goa 2010http://nullcon.net Intelligent Debugging and in-memory Fuzzers By Vishwas Sharma Amandeep Bharti Rohan Thakur.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Chapter 4 H1 Assembly Language: Part 2. Direct instruction Contains the absolute address of the memory location it accesses. ld instruction: 0000 000000000100.

Chapter 4 H1 Assembly Language: Part 2. Direct instruction Contains the absolute address of the memory location it accesses. ld instruction:
Introduction to Interrupts

Introduction to Interrupts
OllyDbg Debuger.

OllyDbg Debuger.
What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
System Calls 1.

System Calls 1.
Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.

Trying to like a boss… REVERSE ENGINEERING. WHAT EVEN IS… REVERSE ENGINEERING?? Reverse engineering is the process of disassembling and analyzing a particular.
Practical Malware Analysis Ch 8: Debugging Rev. 10-13-14.

Practical Malware Analysis Ch 8: Debugging Rev
Interrupts. What Are Interrupts? Interrupts alter a program’s flow of control  Behavior is similar to a procedure call »Some significant differences.

Interrupts. What Are Interrupts? Interrupts alter a program’s flow of control  Behavior is similar to a procedure call »Some significant differences.
Protection and the Kernel: Mode, Space, and Context.

Protection and the Kernel: Mode, Space, and Context.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 4: Threads.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 4: Threads.

Similar presentations

Ads by Google