[Malware Analysis Tutorial] 2 - Ring3 Debugging
# Learning Goals
- Efficiently master a Ring3 debugger such as Immunity Debugger
- Be able to control program execution (step in, step over, breakpoints)
- Be able to monitor and change program state (registers, memory)
- Annotate code with comments in Immunity Debugger
# This Lesson Can be Used as a Lab Module in :
- Computer architecture
- Operating systems
- Discrete Maths (number system)
1. Introduction : Debuggers (Kernel & User level debuggers)
1) Kernel Level Debuggers (== Ring0 debugger)
: WinDbg, SoftIce, Syser
2) User Level Debuggers (== Ring3 debugger)
: OllyDbg, Immunity Debugger, IDA
3) Difference
a. A Ring0 debugger runs with higher privilege and can debug kernel device drivers and devices (a Ring3 debugger cannot)
b. Why not always use a Ring0 debugger?
- Ring3 debuggers provide a better GUI, while Ring0 debuggers generally do not (ex. WinDbg uses a command line)
- A GUI improves the productivity of a reverse engineer
2. Brief Tour of IMM : Immunity Debugger
1) Control
- F8 : step over
- F7 : step in
- F9 : continue (often used to continue from a BP)
- Shift + F9 : continue & intercept exceptions
2) Examine data
- Memory pane : right click -> binary -> edit
- Register pane : right click -> edit
- Set Breakpoints
- F2 : toggle soft-breakpoint
- F4 : run to the cursor; right click on an instruction -> Breakpoint -> H/W & memory BP
- Annotation : ';' for a comment
3) Step In VS Step Over
- Step In (F7)
: Gets into the function body of a Call Instruction
- Step Over (F8)
: Executes the whole function & Stops at the next immediate instruction
: Does not always get you the result you desire, because of anti-debugging techniques and return-oriented programming that redirects program control flow
4) Data Manipulation : Manage Registers, Stack, All other segments (code, data, heap)
- Managing Registers
a. How?
: Right click on the register & select Edit to change its value
: When a register contains a memory pointer (address of a memory slot)?
: It is very convenient to right click on it and select "Follow in Dump" or "Follow in Stack" to watch its value
b. Managing EIP register
: IMM does not allow you to directly change the value of EIP register in the Register pane
: to change EIP - use the Python shell window
c. Memory Dump pane
: Select & Right click on any data
-> select "Binary->Edit"
- Rewriting the code (treating code as data)
: In CPU pane, right click & select "Assemble"
=> can directly modify the code segment by typing assembly instructions
: How ?
Right click in CPU pane
-> Copy to Executable
-> Copy All
-> Close the dialog window (list of instructions that are modified)
-> A dialog asking to save the file pops up
-> Select "yes" & save it as a new executable file
5) Breakpoints
- S/W BP (F2)
a. Similar to the BP available in high-level language debuggers
b. Can set an unlimited number of soft BPs
c. Can set conditions on a soft BP
d. ex) A BP that should stop the program only when the value of a register is equal to a certain number
e. Implemented using the INT 3 instruction
: When a BP is set at a location
f. The debugger
: Replaces the FIRST byte of that instruction with INT 3 (a one-byte instruction)
: Saves the old byte
g. When the program executes to that location
: An interrupt is generated
: The debugger is called to handle that exception
: The debugger can perform the condition check on the BP & stop the program
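The INT 3 mechanism described in e, f and g, as an added toy model that is not part of the original post: the "code segment" is a constructed bytearray of one-byte x86 instructions, the debugger saves the first byte and overwrites it with 0xCC, and the exception handler restores the byte and evaluates an optional register condition before deciding whether to stop.

```python
# Added toy model (not the post's code) of an F2 / INT 3 software breakpoint:
# the "code segment" is a bytearray of constructed one-byte x86 instructions
# and run() is a tiny interpreter; nothing here touches a real process.

INT3 = 0xCC                                   # one-byte INT 3 opcode
CODE_BASE = 0x401000                          # constructed load address
# nop, inc eax, nop, inc eax, dec eax, ret (all real one-byte x86 opcodes)
CODE = bytearray([0x90, 0x40, 0x90, 0x40, 0x48, 0xC3])

class SoftBreakpoints:
    """Debugger-side bookkeeping for software breakpoints (section 5)."""

    def __init__(self, code, base):
        self.code, self.base = code, base
        self.bps = {}                         # addr -> (saved byte, condition)

    def set_bp(self, addr, condition=None):
        off = addr - self.base
        self.bps[addr] = (self.code[off], condition)   # save the old byte
        self.code[off] = INT3                          # overwrite FIRST byte with INT 3

    def on_int3(self, addr, regs):
        """Exception handler: restore the byte, then evaluate the condition."""
        orig, cond = self.bps[addr]
        self.code[addr - self.base] = orig             # put the instruction back
        return cond is None or cond(regs)              # True -> stop the program

    def rearm(self, addr):
        if addr in self.bps:                           # after the original byte ran,
            self.code[addr - self.base] = INT3         # re-insert INT 3 for next hit

def run(code, base, dbg):
    """Execute the toy program; returns (address stopped at or None, regs)."""
    regs = {"EAX": 0, "EIP": base}
    while True:
        addr = regs["EIP"]
        op = code[addr - base]
        if op == INT3:                                 # breakpoint trap
            if dbg.on_int3(addr, regs):
                return addr, regs                      # stopped; EIP stays at the BP
            op = code[addr - base]                     # condition false: run original
        if op == 0x40:
            regs["EAX"] += 1
        elif op == 0x48:
            regs["EAX"] -= 1
        elif op == 0xC3:
            return None, regs                          # ret: program ran to the end
        regs["EIP"] += 1
        dbg.rearm(addr)
```

A real debugger additionally rewinds EIP by one byte after the trap, because the CPU has already consumed the 0xCC, and single-steps the restored instruction before re-arming; the toy folds both into one loop iteration.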
6) User Annotation (Ease the process of analysis)
- ;
: Add a comment to a machine instruction
- :
: Label a location
: When the location is referred to as a variable or a function, its label will be displayed
- End of this class -
※ Note
This post is based on, and translated from, http://fumalwareanalysis.blogspot.kr/p/malware-analysis-tutorials-reverse.html