OllyDBG - Old Dominion University (c1wang/course/cs495/lecture/6_1_OllyDBG.pdf)


Chapter 9: OllyDBG

Loading a Program in OllyDbg
- Open an executable from within OllyDbg
- In-class exercise: open notepad.exe (malware used in the book)
- The 4 main windows of OllyDbg: Disassembler, Registers, Stack, Memory Dump
- Attach to a running process: File -> Attach
- The currently executing thread will be paused and displayed

OllyDbg Interface
- Disassembler Window
- Register Window
- Memory Dump Window
- Stack Window

OllyDbg Interface
- Disassembler window: press the spacebar to modify an instruction
- Register window: modify the data in a register by right-clicking any register value (or select it and press Enter)
- Stack window: current state of the stack in memory; right-click -> Modify
- Memory Dump window: dump of live memory for the debugged process

Memory Map (notepad.exe)
- PE header, code, imports, data
- All imported DLLs are also viewable

Rebasing
- PE files have a preferred base address (image base); most executables are loaded at 0x00400000
- Relocatable code allows libraries to be rebased, which lets libraries be written independently of each other
- Example: two libraries have the same preferred load address, so one is relocated elsewhere
- Address space layout randomization reduces the chances of collision
- Absolute address references are modified at load time using the .reloc information in the PE header
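As an added illustration of what the loader does with .reloc data when an image cannot get its preferred base (example code written for these notes, not part of OllyDbg or the book; the image bytes and the relocation block are constructed):

```python
import struct

# Relocation entry types used by 32-bit PE files (from the PE/COFF spec)
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the full delta
PREFERRED_BASE = 0x00400000    # typical image base of a 32-bit executable

def apply_relocations(image, preferred_base, actual_base, reloc):
    """Patch absolute references in `image` (bytearray indexed by RVA) the way the
    loader does when rebasing; `reloc` is the raw .reloc section. Returns count."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    patched, pos = 0, 0
    while pos + 8 <= len(reloc):                       # one IMAGE_BASE_RELOCATION block
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block")
        for off in range(pos + 8, pos + block_size, 2):   # 16-bit type:offset entries
            entry, = struct.unpack_from("<H", reloc, off)
            rtype, offset = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue                                   # alignment padding
            if rtype != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % rtype)
            rva = page_rva + offset
            old, = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (old + delta) & 0xFFFFFFFF)
            patched += 1
        pos += block_size
    return patched

def build_sample():
    """Constructed page at RVA 0x1000: two instructions with absolute operands."""
    image = bytearray(0x1010)
    # 0x1001: mov eax, [0x00403000]  -> A1 <imm32>, operand at RVA 0x1002
    struct.pack_into("<BI", image, 0x1001, 0xA1, PREFERRED_BASE + 0x3000)
    # 0x1007: push 0x00402010        -> 68 <imm32>, operand at RVA 0x1008
    struct.pack_into("<BI", image, 0x1007, 0x68, PREFERRED_BASE + 0x2010)
    entries = [(3 << 12) | 0x002, (3 << 12) | 0x008, 0, 0]   # two HIGHLOW + padding
    reloc = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    reloc += b"".join(struct.pack("<H", e) for e in entries)
    return image, reloc

def rebase_sample(actual_base):
    """Load the sample at `actual_base`; return (patched count, operand values)."""
    image, reloc = build_sample()
    n = apply_relocations(image, PREFERRED_BASE, actual_base, reloc)
    ops = [struct.unpack_from("<I", image, rva)[0] for rva in (0x1002, 0x1008)]
    return n, ops
```

Rebasing to 0x00410000 (the collision case above) shifts both operands by 0x10000; loading at the preferred base leaves them untouched, which is why an image dumped at an unexpected base shows "wrong" absolute addresses in the disassembler.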

In-Class Exercise: Threads
- Most programs and malware are multi-threaded
- View the current threads by selecting View -> Threads; each thread has its own stack
- Exercise: launch Internet Explorer, attach OllyDbg, and view the threads via View -> Threads. How many threads are there?

Executing Code (Debug menu)
- Run
- Breakpoint -> Run to Selection: continue execution until the specified instruction
- Debug -> Execute till Return: run until the next return is hit (like "Finish"); useful when you want to pause after a function finishes
- Debug -> Execute till User Code: run until user program code (the malware's code) is reached
- Step Into (single instruction); Step Over (bypass the call)

Executing Code: malware making a mess of Step Over
- Step Over on a "call" instruction sets a breakpoint on the instruction after the call
- The call may never execute a ret, which causes the program to resume executing without pausing

Breakpoints
- Software breakpoints
- Unconditional breakpoint (Toggle): right-click the instruction to find the sub-menu to set it; list breakpoints via View -> Breakpoints
- Conditional breakpoints: break only if a certain condition is true (checking the condition has a performance impact)
- Use conditional breakpoints to detect memory allocations above a certain size

Book example: Poison Ivy backdoor that reads shellcode commands from a socket and executes them; the command-and-control server sends a large quantity of shellcode

Conditional Breakpoints
- The backdoor uses a call to VirtualAlloc to dynamically allocate memory
- Want to break only on large allocations indicative of a batch of commands (> 100 bytes)
- The size parameter is at [ESP+8] (ESP is the top of the stack)
- Set a breakpoint at the VirtualAlloc entry point with the condition [ESP+8] > 100: Breakpoint -> Conditional (Figure 9-8, p. 190)
- Click Play and wait for the code to break
- OllyDbg can also set memory breakpoints on access to a chunk of memory (p. 190)

Loading DLLs
- Malware is often delivered as DLLs to be injected into other processes
- A DLL cannot be executed directly; OllyDbg uses loaddll.exe as a dummy program
- OllyDbg breaks at the DllMain entry point once the DLL is loaded

In-class exercise: generate Figure 9-10, p. 191
- Open C:\WINDOWS\system32\ws2_32.dll in OllyDbg (32-bit only)
- Hit Play to initialize the DLL
- Debug -> Call DLL export to call a particular exported function with custom parameters

In-class practice (ws2_32.dll)
- Network byte order: 127.0.0.1
- Convert to host byte order

Exceptions
- Exception handling with OllyDbg, user options: Step into exception, Step over exception, Run debugger exception handler
- Can also set Debugging Options to ignore all exceptions (immediately transfer control back to the program)

Patching
- Modify live data (registers and flags); assemble and patch code directly into a program
- Example from the book: JNZ will jump if the password is not a match; NOP it so the jump is not taken
- Changes are made in live memory; save them to a file via Copy to Executable -> All Modifications, then Save File
- Patching can be used to permanently modify a piece of malware to facilitate analysis

OllyDump (the most common plug-in)
- Dumps a debugged process to a PE file using the current state (code, data, etc.) in memory
- Can be used on an unpacked program: find the entry point after the malware's unpacking and decryption operations have been performed
- Creates a new PE file for IDA Pro
- See other plug-ins on pp. 198-200

In Class Homework

Recommended