Chapter 9: OllyDbg
Loading a Program in OllyDbg
• Open an executable from within OllyDbg
• In-class exercise: open notepad.exe (the "malware" used in the book)
• The 4 main windows of OllyDbg: Disassembler, Registers, Stack, Memory dump
• Attach to a running process: File->Attach
• The currently executing thread will be paused and displayed
OllyDbg Interface (screenshot: Disassembler Window, Register Window, Memory Dump Window, Stack Window)
• Disassembler window: press the spacebar to modify an instruction
• Register window: modify data in a register by right-clicking the selected register value (or pressing Enter)
• Stack window: current state of the stack in memory; right-click->Modify
• Memory dump window: dump of live memory for the debugged process
Memory Map (notepad.exe)
• PE header, code, imports, data
• All imported DLLs are also viewable
Rebasing
• PE files have a preferred base address (image base)
• Most executables are loaded at 0x00400000
• Relocatable code allows libraries to be rebased
• Enables libraries to be written independently of each other
• Example: two libraries have the same preferred load address, so one is relocated elsewhere
• Address space layout randomization: reduces the chances of collision
• Absolute address references are modified at load time via the .reloc information in the PE header
Threads
• Most programs and malware are multi-threaded
• View current threads by selecting View->Threads
• Each thread has its own stack
In-class exercise: launch Internet Explorer, attach OllyDbg, view threads via View->Threads. How many threads are there?
Executing Code
• Debug menu: Run
• Breakpoint=>Run to selection: continue execution until the specified instruction is reached
• Debug=>Execute till Return: runs until the next return is hit (like "Finish"); useful when you want to pause after the current function finishes
• Debug=>Execute till User Code: run until user program code (the malware's own code) is reached
• Step into (execute a single instruction); Step over (execute a call without entering it)
Executing Code: malware making a mess out of step-over
• Stepping over a "call" instruction sets a breakpoint on the next instruction after the call
• The call may never execute a ret, so that breakpoint is never reached
• This causes the program to resume executing without pausing
Breakpoints
• Software breakpoints
• Unconditional breakpoint (Toggle): right-click the instruction to find the sub-menu to set it
• View->Breakpoints lists them
• Conditional breakpoints: break only if a certain condition is true (performance impact, since the condition is checked on every hit)
• Use conditional breakpoints to detect memory allocations above a certain size

Conditional Breakpoints
• Book example: Poison Ivy backdoor that reads shellcode commands from a socket and executes them
• The command-and-control server sends a large quantity of shellcode
• It uses a call to VirtualAlloc to dynamically allocate memory
• We want to break only on large allocations indicative of a batch of commands (> 100 bytes)
• The size parameter is at [ESP+8] (ESP is the top of the stack)
• Set a breakpoint at the VirtualAlloc entry point with the condition [ESP+8] > 100: Breakpoint=>Conditional (Figure 9-8, p. 190)
• Click Play and wait for the code to break
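Added example, not from the slides or the book: a model of the stack as OllyDbg sees it at the VirtualAlloc entry point, showing why the size argument is at [ESP+8] and how the condition "[ESP+8] > 100" selects only the large allocations. The call sequence at the bottom is constructed for illustration.

```python
import struct

# VirtualAlloc is stdcall: arguments are pushed right to left, so when the
# debugger stops on the first instruction of VirtualAlloc, [ESP] holds the
# return address and the arguments follow at ESP+4, ESP+8, ESP+0xC, ESP+0x10.
#   LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize,
#                       DWORD flAllocationType, DWORD flProtect)
ARG_OFFSETS = {"lpAddress": 4, "dwSize": 8, "flAllocationType": 0xC, "flProtect": 0x10}

MEM_COMMIT = 0x1000              # documented Windows constants
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

def stack_at_entry(return_addr, lp_address, dw_size, fl_type, fl_protect):
    """Byte image of the stack at VirtualAlloc's first instruction, lowest
    address first (offset 0 is where ESP points). All dwords little-endian."""
    return struct.pack("<5I", return_addr, lp_address, dw_size, fl_type, fl_protect)

def read_dword(stack, esp_offset):
    """Equivalent of OllyDbg's [ESP+n] operand evaluated on the snapshot."""
    return struct.unpack_from("<I", stack, esp_offset)[0]

def condition_hit(stack, threshold=100):
    """The breakpoint condition from the slide: [ESP+8] > 100."""
    return read_dword(stack, ARG_OFFSETS["dwSize"]) > threshold

def describe_hit(stack):
    """What the analyst reads off the stack window when the breakpoint fires."""
    return {
        "return_to": read_dword(stack, 0),
        "size": read_dword(stack, ARG_OFFSETS["dwSize"]),
        "executable": read_dword(stack, ARG_OFFSETS["flProtect"]) == PAGE_EXECUTE_READWRITE,
    }

# Constructed call sequence (hypothetical return addresses): two small
# bookkeeping allocations and one shellcode-sized RWX buffer.
CALLS = [
    (0x00401234, 0, 0x20, MEM_COMMIT, PAGE_READWRITE),             # 32 bytes
    (0x00401234, 0, 0x40, MEM_COMMIT, PAGE_READWRITE),             # 64 bytes
    (0x00401300, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),   # 4096 bytes, RWX
]

def breaking_calls(calls=CALLS, threshold=100):
    """Indexes of the calls on which OllyDbg would actually stop."""
    return [i for i, c in enumerate(calls) if condition_hit(stack_at_entry(*c), threshold)]
```

Only the third call breaks; the 100-byte threshold is checked against the size dword, not the number of dwords on the stack.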
• OllyDbg can also set memory breakpoints that trigger on access to a chunk of memory (p. 190)
Loading DLLs
• Malware is often delivered as a DLL to be injected into other processes
• A DLL cannot be executed directly
• OllyDbg uses loaddll.exe as a dummy host program
• OllyDbg breaks at the DllMain entry point once the DLL is loaded
In-class exercise: generate Figure 9-10, p. 191
• Open C:\WINDOWS\system32\ws2_32.dll in OllyDbg (32-bit only)
• Hit Play to initialize the DLL
• Debug->Call DLL export to call a particular exported function with custom parameters

In-class practice (ws2_32.dll)
• Network byte order: 127.0.0.1
• Convert it to host byte order
Exceptions
• Exception handling with OllyDbg, user options: step into exception; step over exception; run the debuggee's exception handler
• Can also set Debugging Options to ignore all exceptions (immediately transfer control back to the program)
Patching
• Modify live data (registers and flags), and assemble and patch code directly into a program
• Example from the book: JNZ will jump if the password does not match, so NOP it out and the jump will not be taken
• Changes are made in live memory; save them to a file with Copy to Executable->All Modifications, then Save File
• Patching can be used to permanently modify a piece of malware to facilitate analysis
OllyDump: the most common plug-in
• Dumps a debugged process to a PE file, using the current state (code, data, etc.) in memory
• Can be used on an unpacked program: find the entry point after the malware's unpacking and decryption operations have run
• Creates a new PE file for IDA Pro
• See other plug-ins on p. 198-200
In Class Homework
Recommended