Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Date post: 12-Jan-2016

Part 3: Advanced Dynamic Analysis

Chapter 8: Debugging

Debugger

Hardware or software used to examine the execution of another program
• Disassembler: static snapshot of what the code looks like before execution
• Debugger: dynamic snapshot of what the code does during execution

Types of debuggers

Source-level
• Debug while coding
• Map machine execution to the corresponding source-code lines
• Allow setting breakpoints at source-code lines

Assembly-level
• Operate strictly at the machine-instruction level
• Main type of debugger used for malware analysis (no source is available)

Kernel mode v. user mode

User mode
• Debug one program via another program, all in user space
• Examples: OllyDbg

Kernel mode
• Debugging a kernel requires a second machine (in practice usually a VM) connected to the debugger
• Must configure the target OS to allow kernel debugging
• Examples: WinDbg

Debugging functions

Single stepping
• One machine instruction or source line at a time
• Step-over: a called function is executed all at once before control returns to the debugger
• Step-into: the call is followed and the callee is executed one machine instruction at a time
• Step-out: some debuggers allow you to run until the current function returns to its caller

Replay
• Some VMs allow record/replay to "undo" execution

Debugging functions

Software execution breakpoints
• Set on a virtual address or source line
• Examine the state of the machine at critical execution points
  – File creation (Listing 8-4, Figure 8-1)
  – Encryption (Listing 8-5, Figure 8-2)
• Implemented by overwriting the first byte of the instruction's opcode with INT 3 (0xCC) (Table 8-1)
• When the INT 3 fires, the debugger restores the overwritten byte and rewinds EIP by one (INT 3 is a one-byte instruction, so EIP already points past it) before continuing, so the original instruction executes normally
• Because the byte really changes in the debuggee's memory, a program that checksums its own code can detect this kind of breakpoint
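To make the INT 3 mechanics concrete, here is an added example (mine, not code from the slides or from Practical Malware Analysis) that models a debugger's software-breakpoint table over a constructed byte buffer: it saves the original opcode byte, writes 0xCC, hides the patch in the debugger's own memory view, and on the trap restores the byte and rewinds EIP by one. The `int3_scan` function shows the flip side that matters for malware analysis: the 0xCC is really present in the debuggee's memory, so the program can find it. All addresses and code bytes are constructed for the demo.

```python
INT3 = 0xCC


class SoftwareBreakpoints:
    """Toy model of a debugger's software-breakpoint table over one code region.

    `code` stands in for the debuggee's code pages (a real debugger reaches them
    with ReadProcessMemory/WriteProcessMemory); `base` is the virtual address of
    code[0]. Constructed for illustration, not OllyDbg's implementation.
    """

    def __init__(self, code: bytearray, base: int):
        self.code = code
        self.base = base
        self.saved = {}  # breakpoint address -> original first opcode byte

    def set(self, addr: int) -> None:
        if addr not in self.saved:
            self.saved[addr] = self.code[addr - self.base]
            self.code[addr - self.base] = INT3  # overwrite the instruction's first byte

    def remove(self, addr: int) -> None:
        self.code[addr - self.base] = self.saved.pop(addr)  # put the real byte back

    def read(self, addr: int, n: int) -> bytes:
        """The debugger's memory view: show the original bytes, not our own 0xCCs."""
        out = bytearray(self.code[addr - self.base:addr - self.base + n])
        for bp, orig in self.saved.items():
            if addr <= bp < addr + n:
                out[bp - addr] = orig
        return bytes(out)

    def on_breakpoint_exception(self, eip: int):
        """Called when the CPU reports #BP. INT 3 is a one-byte instruction, so the
        reported EIP already points past it; our breakpoint is at EIP-1.
        Returns (ours, eip_to_resume)."""
        bp = eip - 1
        if bp not in self.saved:
            return False, eip  # an INT 3 the debuggee itself executed: hand it back
        self.remove(bp)  # restore the opcode byte and rewind EIP so it executes for real
        return True, bp


def int3_scan(code: bytes, base: int) -> list:
    """What the debuggee can do from its own side: the 0xCC really is in memory.
    A plain byte scan also matches 0xCC inside immediates, which is why real
    anti-debug code usually checksums a known region instead."""
    return [base + i for i, b in enumerate(code) if b == INT3]


def demo():
    # Constructed code at 0x401000: mov eax,1 ; ret ; nop ; nop
    base = 0x401000
    code = bytearray(b"\xB8\x01\x00\x00\x00\xC3\x90\x90")
    dbg = SoftwareBreakpoints(code, base)
    dbg.set(0x401000)
    view = dbg.read(0x401000, 6)        # debugger still shows B8 01 00 00 00 C3
    raw = bytes(code)                    # debuggee sees CC 01 00 00 00 C3
    found = int3_scan(raw, base)         # [0x401000]
    ours, resume = dbg.on_breakpoint_exception(0x401001)
    return {"view": view, "raw_first": raw[0], "found": found,
            "ours": ours, "resume": resume, "restored": bytes(code)[0]}


if __name__ == "__main__":
    print(demo())
```

Running it shows the debugger's view (B8 01 ...) differing from the raw bytes (CC 01 ...). This difference is the reason hardware breakpoints, which leave the code untouched, are preferred on code that checksums itself.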

Debugging functions

Hardware execution breakpoints
• Dedicated debug registers that store virtual addresses
• Can be set to break on access rather than on execution
  – Memory watchpoints on data (reads or writes)
• Four address registers (DR0-DR3); DR7 holds the enable bits and the access-type/length fields for each
• Can be modified by the running program!
  – Malware can disable them (MOV to a debug register is privileged, so user-mode code does it by writing the CONTEXT handed to an exception handler)
  – Counter-measure is the "General Detect" flag (bit 13 of DR7), which raises a debug exception on any mov to or from the debug registers
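As an added example (mine, not from the slides or the book), the encoder below lays out the DR7 bits the slide refers to, using the field positions from the Intel SDM: Ln/Gn enable bits at bits 0-7, General Detect at bit 13, and a 4-bit R/W+LEN field per slot starting at bit 16. `would_fire` is a simplified model of which armed slot triggers for a given access; it ignores the hardware's requirement that a DRn address be aligned to its length, so treat it as illustration rather than a CPU model.

```python
# x86 DR7 bit positions (Intel SDM vol. 3, "Debug Registers")
RW_EXEC, RW_WRITE, RW_IO, RW_RW = 0b00, 0b01, 0b10, 0b11   # R/Wn field
LEN1, LEN2, LEN8, LEN4 = 0b00, 0b01, 0b10, 0b11          # LENn field (LEN8 is 64-bit mode only)
GD = 1 << 13                                              # General Detect enable


def arm_slot(dr7: int, slot: int, rw: int, length: int, local: bool = True) -> int:
    """Return DR7 with breakpoint slot 0..3 (address held in DR0..DR3) enabled."""
    if not 0 <= slot <= 3:
        raise ValueError("only DR0-DR3 exist")
    if rw == RW_EXEC and length != LEN1:
        raise ValueError("execution breakpoints must use LEN=00")
    field_shift = 16 + 4 * slot                     # R/Wn at bits 16+4n, LENn at 18+4n
    dr7 &= ~(0b1111 << field_shift)
    dr7 |= (rw | (length << 2)) << field_shift
    dr7 |= 1 << (2 * slot + (0 if local else 1))    # Ln / Gn enable bit
    return dr7


def disarm_slot(dr7: int, slot: int) -> int:
    """What anti-debug code does to a watchpoint: clear the enable and type bits."""
    dr7 &= ~(0b11 << (2 * slot))
    dr7 &= ~(0b1111 << (16 + 4 * slot))
    return dr7


def decode(dr7: int) -> dict:
    slots = []
    for n in range(4):
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({
            "enabled": bool((dr7 >> (2 * n)) & 0b11),
            "rw": rw,
            "len": {LEN1: 1, LEN2: 2, LEN4: 4, LEN8: 8}[ln],
        })
    return {"general_detect": bool(dr7 & GD), "slots": slots}


def would_fire(dr7: int, dr_addrs: list, addr: int, size: int, kind: str) -> list:
    """Simplified match: which armed slots fire for an access of `kind`
    ('exec', 'read' or 'write') touching [addr, addr+size)? Alignment rules ignored."""
    want = {"exec": {RW_EXEC}, "write": {RW_WRITE, RW_RW}, "read": {RW_RW}}[kind]
    hits = []
    for n, s in enumerate(decode(dr7)["slots"]):
        if not s["enabled"] or s["rw"] not in want:
            continue
        lo = dr_addrs[n]
        if lo < addr + size and addr < lo + s["len"]:
            hits.append(n)
    return hits


if __name__ == "__main__":
    # A 4-byte write watchpoint in DR0, then General Detect on top of it
    dr7 = arm_slot(0, 0, RW_WRITE, LEN4)
    print(hex(dr7), decode(dr7 | GD))
```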

Debugging functions

Conditional software execution breakpoints
• Break only if a certain condition is met
• Example: break on GetProcAddress only if the function-name parameter (lpProcName) is RegSetValue
• Implemented as a normal software breakpoint; on every hit the debugger evaluates the condition and automatically continues if it is not met (so a hot breakpoint with a rarely true condition still costs a trap per hit)

Exceptions

Used by the debugger to gain control of the program
• INT 3, the Trap flag (TF) in the FLAGS register (single-step), division by zero, invalid memory access

First-chance and second-chance exceptions
• The debugger (if attached) gets first-chance control over every exception
• If the debugger does not want it, the program is allowed to handle the exception
• If the program does not handle the exception and would crash, the debugger gets a second chance to handle it
• Malware may intentionally trigger exceptions to detect the debugger: if the debugger swallows the first-chance exception, the malware's own handler never runs, and the malware can tell

Modifying execution

Via the debugger
• Skip functions by changing EIP directly
• Invoke functions directly on arguments you choose

Use in metamorphic malware
• Malware programmed to behave differently under different circumstances
• The debugger can be used to force execution down branches of metamorphic code that would not otherwise run (Listing 8-6)

Advanced Dynamic Analysis

Chapter 9: OllyDbg

OllyDbg

Developed by Oleh Yuschuk
• Debugger of choice for malware analysts *and* exploit developers
• Bought by Immunity and rebranded as ImmDbg
  – Python API support added
• Many still use OllyDbg 1.1 (OllyDbg 2.0 not widely used yet in 2012)

Loading code in OllyDbg

• Open the executable from within OllyDbg (File > Open)
• Launch the executable and attach to the running process (File > Attach)

In-class exercise
• Recreate Figure 9-2 for notepad.exe
• Four main windows of OllyDbg: Disassembler, Registers, Stack, Memory dump
• Launch notepad.exe from OllyDbg
• Attach OllyDbg to a running notepad
• Recreate Figures 9-3, 9-4 for notepad.exe

Rebasing

• Memory locations in Figure 9-4 are dynamic
• Relocatable code allows libraries to be rebased
• Enables libraries to be written independently of each other: each is linked for a preferred base, and the loader moves one when two claim the same range
• Absolute address references are modified at load time via the .reloc section, located through the base relocation entry in the PE data directory
• The same mechanism supports ASLR (Windows Vista and later), which thwarts exploits that rely on fixed addresses

In-class exercise
• Note the location of notepad's .text section
• Relaunch OllyDbg on notepad again
• What is the location now?
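The .reloc mechanism above can be exercised offline. The following added example (mine, not code from the slides or the book) parses IMAGE_BASE_RELOCATION blocks and applies HIGHLOW/DIR64 fix-ups to a constructed 32-bit image fragment loaded at a base other than its preferred one; the two instructions, their RVAs and both base addresses are made up for the demo. This is the arithmetic the Windows loader performs when notepad.exe or a DLL lands somewhere other than its ImageBase, which is why the .text address in the exercise changes between runs.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute VA (32-bit images)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute VA (64-bit images)
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF


def parse_reloc(reloc: bytes):
    """Yield (rva, type) from IMAGE_BASE_RELOCATION blocks:
    DWORD VirtualAddress (page RVA), DWORD SizeOfBlock, then WORD entries whose
    high 4 bits are the type and low 12 bits the offset within that page."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size < 8:
            break  # zero-filled tail / end of table
        for i in range((block_size - 8) // 2):
            entry, = struct.unpack_from("<H", reloc, off + 8 + 2 * i)
            typ, offset = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + offset, typ
        off += block_size


def apply_relocs(image: bytearray, reloc: bytes, preferred_base: int, actual_base: int) -> int:
    """Patch every absolute address in `image` (a flat, RVA-indexed copy of the mapped
    module) by delta = actual_base - preferred_base. Returns the number of fix-ups."""
    delta = actual_base - preferred_base
    count = 0
    for rva, typ in parse_reloc(reloc):
        if typ == IMAGE_REL_BASED_HIGHLOW:
            v, = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (v + delta) & MASK32)
        elif typ == IMAGE_REL_BASED_DIR64:
            v, = struct.unpack_from("<Q", image, rva)
            struct.pack_into("<Q", image, rva, (v + delta) & MASK64)
        else:
            raise ValueError(f"unsupported relocation type {typ} at RVA {rva:#x}")
        count += 1
    return count


def build_reloc_block(page_rva: int, offsets: list, typ: int) -> bytes:
    """Build one relocation block (used here only to construct the sample)."""
    entries = [(typ << 12) | o for o in offsets]
    if len(entries) % 2:
        entries.append(0)  # keep SizeOfBlock a multiple of 4 with an ABSOLUTE pad entry
    return struct.pack("<II", page_rva, 8 + 2 * len(entries)) + struct.pack(f"<{len(entries)}H", *entries)


def demo():
    # Constructed 32-bit image fragment, preferred base 0x400000:
    #   RVA 0x1000: A1 00 30 40 00   mov eax, [0x403000]   (absolute VA at RVA 0x1001)
    #   RVA 0x1010: 68 10 20 40 00   push 0x402010         (absolute VA at RVA 0x1011)
    preferred, actual = 0x400000, 0x10000000
    image = bytearray(0x2000)
    image[0x1000:0x1005] = b"\xA1\x00\x30\x40\x00"
    image[0x1010:0x1015] = b"\x68\x10\x20\x40\x00"
    reloc = build_reloc_block(0x1000, [0x001, 0x011], IMAGE_REL_BASED_HIGHLOW)
    n = apply_relocs(image, reloc, preferred, actual)
    a, = struct.unpack_from("<I", image, 0x1001)
    b, = struct.unpack_from("<I", image, 0x1011)
    return n, a, b, len(reloc)


if __name__ == "__main__":
    n, a, b, _ = demo()
    print(f"{n} fix-ups: {a:#010x} {b:#010x}")
```

A module with no .reloc section cannot be moved at all; an ASLR-enabled executable therefore keeps its relocations, and a packed sample that strips them will load only at its preferred base.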

Threads

Most programs and malware are multi-threaded

In-class exercise
• Launch Internet Explorer
• Attach OllyDbg
• View threads via View > Threads
• How many threads are there?

Executing code

Debug menu
• Run (F9): runs the process until the next breakpoint is reached
• Breakpoint > Run to selection: continues execution until the selected instruction is reached
• Debug > Execute till Return: runs until the next return instruction is hit
• Debug > Execute till User Code: runs until user program code is reached
  – Pulls out of library calls
  – In-class: MyExample.exe strncmp
• Step into (F7), step over (F8)

Executing code

Malware making a mess out of step-over (p. 187)
• Stepping over a "call" instruction sets a breakpoint at the next instruction after the call and runs
• Malware might never return to that address, so the program runs free
• Could be a "get EIP" trick as well: the call pushes the return address, the callee pops it and uses it as a pointer, and control never comes back to the instruction after the call, so the step-over breakpoint is never hit

Breakpoints

View > Breakpoints lists all breakpoints

Right-click an instruction to find the Breakpoint sub-menu, then set
• Software breakpoint (Toggle, F2)
  – Sets an execution breakpoint at the instruction
  – See the string decoder in Listing 9-2
• Hardware breakpoint (on execution)
• Memory (on access)
• Memory (on write)

Breakpoints

Right-click an instruction to find the Breakpoint sub-menu, then set
• Conditional breakpoint
  – Checks a condition to see if the debugger should break
  – Poison Ivy example
    » Backdoor that reads shellcode commands from a socket and executes them
    » Uses a call to VirtualAlloc to store each command
    » Typical call to VirtualAlloc (Figure 9-7)
    » Want to break only on large allocations indicative of a batch of commands (> 100 bytes)
    » Size parameter (dwSize, the second argument) is at [ESP+8] on entry to VirtualAlloc, since [ESP] is the return address and [ESP+4] is lpAddress
    » Set a breakpoint at the VirtualAlloc entry point with condition [ESP+8] > 100
    » Breakpoint > Conditional (Shift+F2)
    » Figure 9-8
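The two conditional breakpoints on this page (GetProcAddress only when the name parameter is RegSetValue in Chapter 8, and VirtualAlloc only when [ESP+8] > 100 here) reduce to the same mechanism: a normal breakpoint whose hit handler reads the arguments off the stack and decides whether to stop. The added example below (mine, not OllyDbg's code) models that with constructed stack snapshots; the breakpoint addresses, return address and stack contents are placeholders. It also handles an edge case the simple condition misses: GetProcAddress may receive an ordinal rather than a string pointer. One caveat for the real tool: OllyDbg interprets bare constants in expressions as hexadecimal, so [ESP+8] > 100 actually tests for more than 0x100 = 256 bytes; write 100. for decimal.

```python
import struct


class Snapshot:
    """The debuggee state a condition can read when the breakpoint fires: registers
    plus a few memory segments given as (base, bytes). Constructed for illustration."""

    def __init__(self, regs: dict, segments: list):
        self.regs = regs
        self.segments = segments

    def read(self, addr: int, n: int) -> bytes:
        for base, data in self.segments:
            if base <= addr and addr + n <= base + len(data):
                return bytes(data[addr - base:addr - base + n])
        raise MemoryError(f"unmapped read at {addr:#010x}")

    def u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]

    def arg(self, n: int) -> int:
        """n-th stack argument (1-based) on entry to a stdcall/cdecl function:
        [ESP] is the return address, so argument n lives at [ESP + 4*n]."""
        return self.u32(self.regs["ESP"] + 4 * n)

    def cstring(self, addr: int, limit: int = 256) -> bytes:
        out = bytearray()
        while len(out) < limit:
            b = self.read(addr + len(out), 1)
            if b == b"\x00":
                break
            out += b
        return bytes(out)


class ConditionalBreakpoint:
    """A software breakpoint whose hit handler evaluates a predicate and tells the
    debugger whether to stop (True) or silently resume (False)."""

    def __init__(self, addr: int, condition, label: str):
        self.addr, self.condition, self.label = addr, condition, label
        self.hits = self.stops = 0

    def on_hit(self, snap: Snapshot) -> bool:
        self.hits += 1
        try:
            stop = bool(self.condition(snap))
        except MemoryError:
            stop = True  # design choice here: an unevaluable condition stops rather than hiding the hit
        self.stops += stop
        return stop


def virtualalloc_size_above(min_size: int):
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): dwSize is arg 2 = [ESP+8].
    # OllyDbg reads the bare 100 in "[ESP+8] > 100" as hex, i.e. 0x100 = 256 bytes.
    return lambda s: s.arg(2) > min_size


def getprocaddress_name_is(name: bytes):
    # GetProcAddress(hModule, lpProcName): arg 2 is a pointer to an ANSI name or, when its
    # high word is zero, an export ordinal, which must not be dereferenced as a string.
    def cond(s: Snapshot) -> bool:
        p = s.arg(2)
        return p >= 0x10000 and s.cstring(p) == name
    return cond


def sample_snapshots() -> dict:
    """Constructed call-entry snapshots (all addresses are placeholders)."""
    esp, ret = 0x0012FF00, 0x00401234
    data_base = 0x00403000
    data = bytearray(0x40)
    data[0x10:0x1C] = b"RegSetValue\x00"

    def stack(*args):  # return address, then the arguments in left-to-right order
        return struct.pack("<%dI" % (len(args) + 1), ret, *args)

    return {
        "valloc_big":   Snapshot({"ESP": esp}, [(esp, stack(0, 0x200, 0x3000, 0x40))]),
        "valloc_small": Snapshot({"ESP": esp}, [(esp, stack(0, 0x40, 0x3000, 0x40))]),
        "gpa_name":     Snapshot({"ESP": esp}, [(esp, stack(0x77E60000, data_base + 0x10)),
                                                (data_base, data)]),
        "gpa_ordinal":  Snapshot({"ESP": esp}, [(esp, stack(0x77E60000, 0x15))]),
    }


if __name__ == "__main__":
    s = sample_snapshots()
    va = ConditionalBreakpoint(0x7C80A000, virtualalloc_size_above(0x100), "VirtualAlloc")
    print([va.on_hit(s[k]) for k in ("valloc_big", "valloc_small")], va.hits, va.stops)
```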

Loading DLLs

Malware is often delivered as a DLL to be injected into other processes
• OllyDbg uses loaddll.exe as a dummy host program that calls into the DllMain function of the target DLL
• Hit play (F9) to run DllMain and initialize the DLL
• Debug > Call DLL export to call a particular exported function with custom parameters
• Follow in disassembler to see the code
• Figure 9-10

In-class exercise
• Open Lab03-02.dll (only on 32-bit Windows 7; restart OllyDbg first)

Tracing

Recording execution: Standard Back Trace
• Execution is recorded when single stepping
• + and - take you forward and backward in the recorded execution

Call Stack Trace
• View the function call path that led to your current execution point
• In-class: MyExample.exe strncmp

Tracing

Recording execution: Run Trace
• OllyDbg saves every executed instruction and all changes to registers and flags
• Highlight code to trace
  – Run Trace > Add Selection
  – Execute
  – View > Run Trace
  – - and + to navigate the trace and see the changes
  – In-class: MyExample.exe and strncmp
• Or use "Trace Into" and "Trace Over" to run trace until the next breakpoint
  – Take care to limit the size of the trace: every instruction is logged, so it grows quickly

Tracing

Poison Ivy backdoor example
• VirtualAlloc stores commands from the C&C server
  – Stored in heap memory
  – EIP executes from heap locations

Goal: find out the mechanism for execution
• Step #1: Set a trace condition (Debug > Set condition) to pause when EIP is outside the program's image (Figure 9-11)
• Step #2: Trace Into to execute until the condition is met
• Step #3: Use the - key to back up through the trace and see where entry into the shellcode occurred

Exceptions

Exceptions that occur while the debugger is attached transfer control to the debugger

User options
• Step into exception (Shift+F7)
• Step over exception (Shift+F8)
• Run exception handler (Shift+F9, which passes the exception to the program)

Can also set Debugging Options to ignore all exceptions (immediately transfer control back to the program)

Patching

Modifying program instructions to change behavior: Binary > Edit

In class
• In OllyDbg, modify the conditional branch within MyExample.exe to *always* take the OK branch
• Copy the modifications to a new executable (right-click > Copy to executable > All modifications, then Save file)
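The exercise's patch (forcing the conditional branch to always reach the OK path) is a one-byte opcode change for a short Jcc but needs a displacement fix for the six-byte near form. The added example below (mine, not from the slides) applies both forms to constructed x86 code bytes and verifies that the branch target is unchanged; it is the same edit Binary > Edit performs by hand, with the file-offset-to-RVA mapping left to OllyDbg's Copy to executable.

```python
import struct


def branch_target(code: bytes, off: int, base: int) -> int:
    """Resolve the target of a short/near JMP or Jcc at `off` (x86 displacements are
    relative to the end of the instruction)."""
    op = code[off]
    if op == 0xEB or 0x70 <= op <= 0x7F:          # JMP rel8 / Jcc rel8, 2 bytes
        rel8, = struct.unpack_from("<b", code, off + 1)
        return base + off + 2 + rel8
    if op == 0xE9:                                # JMP rel32, 5 bytes
        rel32, = struct.unpack_from("<i", code, off + 1)
        return base + off + 5 + rel32
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:   # Jcc rel32, 6 bytes
        rel32, = struct.unpack_from("<i", code, off + 2)
        return base + off + 6 + rel32
    raise ValueError(f"no jump at {off:#x}")


def force_branch(code: bytearray, off: int, always_take: bool) -> str:
    """Rewrite the Jcc at `off` in place so it is always taken (JMP) or never taken
    (NOPs). Refuses to touch anything that is not a conditional jump."""
    op = code[off]
    if 0x70 <= op <= 0x7F:                        # short Jcc rel8
        code[off:off + 2] = bytes([0xEB, code[off + 1]]) if always_take else b"\x90\x90"
        return "short"
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:   # near Jcc rel32
        if always_take:
            rel32, = struct.unpack_from("<i", code, off + 2)
            # JMP rel32 is one byte shorter than Jcc rel32, so the displacement must grow
            # by one to keep the same target; the freed sixth byte becomes a NOP.
            struct.pack_into("<Bi", code, off, 0xE9, rel32 + 1)
            code[off + 5] = 0x90
        else:
            code[off:off + 6] = b"\x90" * 6
        return "near"
    raise ValueError(f"no conditional jump at {off:#x} (opcode {op:#04x})")


if __name__ == "__main__":
    # Constructed snippet at 0x401000: test eax,eax ; jnz +5 ; mov eax,1 ; ret
    base = 0x401000
    code = bytearray(b"\x85\xC0\x75\x05\xB8\x01\x00\x00\x00\xC3")
    before = branch_target(code, 2, base)
    force_branch(code, 2, True)
    print(code.hex(), hex(before), hex(branch_target(code, 2, base)))
```

When reversing the edit in the saved file, remember that the new executable keeps the patched bytes but nothing else: OllyDbg writes the modified image back, so a checksum or signature on the original binary will no longer match.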

Dumping

Create a new binary once the program has unpacked itself
• OllyDump plug-in
• Find the entry point (OEP) after the unpacking and decryption operations of the malware have been performed
• Creates a new executable that can be analyzed within IDA Pro
• Figure 9-16

In-class exercise

Lab 9-2
• In OllyDbg, perform the Follow in Dump step to display 1qaz2wsx and ocl.exe
• Generate Listing 9-6L in IDA Pro
• In OllyDbg, set a breakpoint at the strcmp and identify the strings being compared
• In IDA Pro, show where the network calls are located
• Change the name of the file to enable the malware to execute
• Step through and show the DNS name as it is being decoded
• Within Wireshark, show the connect and its result

