Part 3: Advanced Dynamic Analysis
Chapter 8: Debugging
Debugger
• Hardware or software used to examine the execution of another program
• Disassembler: static snapshot of what code looks like before execution
• Debugger: dynamic snapshot of what code does during execution
Types of debuggers
• Source-level
– Debug while coding
– Map machine execution to corresponding source code lines
– Allow setting of breakpoints at source-code lines
• Assembly-level
– Strictly operate at machine instruction level
– Main debugger used for malware
Kernel mode v. user mode
• User mode
– Debug one program via another program, all in user space
– Examples: OllyDbg
• Kernel mode
– Debugging a kernel requires a second machine
– Must configure target OS to allow kernel debugging
– Examples: WinDbg
Debugging functions
• Single stepping
– One machine instruction or source line at a time
– Stepping over: called functions are executed all at once before control is returned to the debugger
– Stepping into: called functions are followed and the callee is executed one machine instruction at a time
– Stepping out: some debuggers allow you to return to the calling function
• Replay
– Some VMs allow record/replay to “undo” execution
Debugging functions
• Software execution breakpoints
– Set on a virtual address or source line
– Examine the state of the machine at critical execution points
» File creation (Listing 8-4, Figure 8-1)
» Encryption (Listing 8-5, Figure 8-2)
– Implemented by overwriting the instruction's opcode byte with INT 3 (0xCC) (Table 8-1)
– Debugger restores the overwritten byte upon continue
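The INT 3 mechanism above, as an added example that is not from the slides: the "process memory" is a constructed byte array mapped at an assumed base of 0x401000, and the class models the save/overwrite/restore bookkeeping a debugger does, including the EIP rewind that the CPU's one-byte INT 3 makes necessary.

```python
# Added example (not from the slides): models how a debugger implements an
# x86 software execution breakpoint with INT 3 (0xCC). The "process memory"
# is a constructed bytearray, not a real debuggee.
INT3 = 0xCC

# Constructed x86 code image, assumed to be mapped at 0x401000:
#   0x401000: 55          push ebp
#   0x401001: 8B EC       mov  ebp, esp
#   0x401003: 6A 00       push 0
#   0x401005: E8 rel32    call <rel32>
BASE = 0x401000
CODE = bytearray(b"\x55\x8B\xEC\x6A\x00\xE8\x00\x00\x00\x00")


class SoftwareBreakpoints:
    """The bookkeeping a debugger does for INT 3 breakpoints."""

    def __init__(self, memory: bytearray, base: int):
        self.mem, self.base = memory, base
        self.saved = {}  # breakpoint address -> original opcode byte

    def insert(self, addr: int) -> None:
        """Overwrite the first opcode byte of the instruction with INT 3."""
        off = addr - self.base
        if addr not in self.saved:
            self.saved[addr] = self.mem[off]
        self.mem[off] = INT3

    def on_trap(self, eip: int) -> int:
        """Handle the breakpoint exception the debuggee just raised.

        The CPU has already executed the one-byte INT 3, so the reported EIP
        is one past the breakpoint. Restore the original byte and return the
        address the debugger must rewind EIP to before resuming."""
        bp = eip - 1
        if bp not in self.saved:
            raise RuntimeError(f"trap at {eip:#x} is not one of our breakpoints")
        self.mem[bp - self.base] = self.saved[bp]
        return bp

    def rearm(self, addr: int) -> None:
        """After single-stepping the restored instruction, put INT 3 back so
        the breakpoint fires again on the next visit."""
        self.mem[addr - self.base] = INT3

    def remove(self, addr: int) -> None:
        """Permanently restore the original byte (breakpoint deleted)."""
        self.mem[addr - self.base] = self.saved.pop(addr)
```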
Debugging functions
• Hardware execution breakpoints
– Dedicated registers that store virtual addresses
– Can be set to break on access, rather than on execution
» Memory watchpoints on data (reads or writes)
– 4 hardware registers (DR0-DR3)
– Can be modified by the running program!
» Malware can disable them
» Counter-measure is the “General Detect” flag in DR7 that triggers a breakpoint on any mov involving the debug registers
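The DR0-DR3 slots and the General Detect flag live in the DR7 control register; the following added example (not from the slides) encodes and decodes that register's bit layout, which the slide does not show, and reads the DR6 status bits that tell a debugger which slot fired.

```python
# Added example (not from the slides): encodes and decodes the x86 DR7 debug
# control register that arms the four hardware breakpoint slots (DR0-DR3),
# including the General Detect (GD) flag the slide mentions.
# Bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0 .. L3,G3  (local/global enable for slot i at 2i, 2i+1)
#   bit 13     : GD, raise #DB on any mov to/from a debug register
#   bits 16-31 : per slot i, R/W field at 16+4i (2 bits), LEN at 18+4i (2 bits)
RW = {"exec": 0b00, "write": 0b01, "io": 0b10, "readwrite": 0b11}
LEN = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}  # LEN=10 (8 bytes) is x86-64 only
GD_BIT = 1 << 13


def encode_dr7(slots: dict, general_detect: bool = False) -> int:
    """slots maps slot index (0-3) -> (kind, length in bytes)."""
    dr7 = GD_BIT if general_detect else 0
    for i, (kind, length) in slots.items():
        if not 0 <= i <= 3:
            raise ValueError("only DR0-DR3 exist")
        if kind == "exec" and length != 1:
            raise ValueError("execution breakpoints must use LEN=00 (1 byte)")
        dr7 |= 1 << (2 * i)                 # Li: local enable for this slot
        dr7 |= RW[kind] << (16 + 4 * i)
        dr7 |= LEN[length] << (18 + 4 * i)
    return dr7


def decode_dr7(dr7: int) -> tuple:
    """Inverse of encode_dr7: (armed slots, general_detect)."""
    rw_names = {v: k for k, v in RW.items()}
    len_sizes = {v: k for k, v in LEN.items()}
    slots = {}
    for i in range(4):
        if dr7 & (0b11 << (2 * i)):         # Li or Gi set
            rw = (dr7 >> (16 + 4 * i)) & 0b11
            ln = (dr7 >> (18 + 4 * i)) & 0b11
            slots[i] = (rw_names[rw], len_sizes[ln])
    return slots, bool(dr7 & GD_BIT)


def debug_status(dr6: int) -> tuple:
    """DR6 after a #DB: bits B0-B3 name the slot that fired; bit 13 (BD) is
    set when the GD check fired instead of a breakpoint."""
    fired = [i for i in range(4) if dr6 & (1 << i)]
    return fired, bool(dr6 & (1 << 13))


# The slide's counter-measure: a 4-byte write watchpoint in DR0 with GD set,
# so a mov to or from the debug registers raises #DB instead of silently
# disarming the watchpoint.
WATCH_WRITE_4_WITH_GD = encode_dr7({0: ("write", 4)}, general_detect=True)
```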
Debugging functions
• Conditional software execution breakpoints
– Break only if a certain condition is met
– Example
» Break on the GetProcAddress function only if the parameter passed is RegSetValue
» Implemented as a normal software breakpoint, but the debugger checks the condition and automatically continues if it is not met
Exceptions
• Used by the debugger to gain control of the program
– INT 3, trap flag in the FLAGS register, division by 0, invalid memory access
• First-chance and second-chance exceptions
– Debugger (if attached) gets first-chance control over exceptions
– If the debugger does not want it, the program is allowed to handle the exception
– If the program does not handle the exception and would crash, the debugger gets a second chance to handle it
– Malware may intentionally trigger first-chance exceptions to determine the environment
Modifying execution
• Via debugger
– Skip functions by changing EIP directly
– Invoke functions directly on arguments you choose
• Use in metamorphic malware
– Malware programmed to behave differently under different circumstances
– Debugger can be set to trace branches of metamorphic code (Listing 8-6)
Advanced Dynamic Analysis
Chapter 9: OllyDbg
OllyDbg
• Developed by Oleh Yuschuk
• Debugger of choice for malware analysts *and* exploit developers
• Bought by Immunity and rebranded as ImmDbg
– Python API support added
• Many still use OllyDbg 1.1 (OllyDbg 2.0 not widely used yet in 2012)
Loading code in OllyDbg
• Open executable from within OllyDbg
• Launch executable and attach
• In-class exercise
– Recreate Figure 9-2 for notepad.exe
– 4 main windows of OllyDbg: Disassembler, Registers, Stack, Memory dump
– Launch notepad.exe from OllyDbg
– Attach OllyDbg to running notepad
– Recreate Figures 9-3, 9-4 for notepad.exe
Rebasing
• Memory locations of Figure 9-4 are dynamic
• Relocatable code allows libraries to be rebased
– Enables libraries to be written independently of each other
– Absolute address references modified at load time via .reloc information in the PE header
– Supports ASLR to thwart malware
• In-class exercise
– Note the location of notepad's .text section
– Relaunch OllyDbg on notepad again
– What is the location now?
Threads
• Most programs and malware are multi-threaded
• In-class exercise
– Launch Internet Explorer
– Attach OllyDbg
– View threads via View>Threads
– How many threads are there?
Executing code
• Debug menu
• Run
– Restarts the process and runs until the next breakpoint is reached
• Breakpoint=>Run to selection
– Continue execution until the specified instruction
• Debug=>Execute till Return
– Runs until the next return is hit
• Debug=>Execute till User Code
– Run until user program code is reached
– Pulls out of library calls
– In-class: MyExample.exe strncmp
• Step into, step over
Executing code
• Malware making a mess out of step-over (p. 187)
– Stepping over a “call” instruction sets a breakpoint at the next instruction after the call
– Malware might never return
– Could be a “get EIP” trick as well: a call followed by a pop
Breakpoints
• View=>Breakpoints to list
• Right-click an instruction to find the sub-menu to set
– Software breakpoint (Toggle)
» Sets an execution breakpoint at the instruction
» See string decoder in Listing 9-2
– Hardware breakpoint (on execution)
– Memory (on access)
– Memory (on write)
Breakpoints
• Right-click an instruction to find the sub-menu to set
• Conditional breakpoint
– Checks a condition to see if the debugger should break
– Poison Ivy example
» Backdoor that reads shellcode commands from a socket and executes them
» Uses a call to VirtualAlloc to store the command
» Typical call to VirtualAlloc (Figure 9-7)
» Want to break only on large allocations indicative of a batch of commands (> 100 bytes); the size parameter is at [ESP+8]
» Set a breakpoint at the VirtualAlloc entry point with the condition [ESP+8] > 100 (Breakpoint=>Conditional, Figure 9-8)
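The conditional breakpoint of this slide and of the earlier "Debugging functions" slide, as an added example that is not from the slides: the stdcall argument layout at the VirtualAlloc entry point is real, but the stack images, the ESP value and the hits helper are constructed for illustration.

```python
# Added example (not from the slides): how the conditional breakpoint at the
# VirtualAlloc entry point evaluates "[ESP+8] > 100". The stack images are
# constructed here; they are not captures from Poison Ivy.
import struct

# stdcall at the first instruction of VirtualAlloc: ESP points at the return
# address and the four 32-bit arguments follow it in order.
FRAME = [("return_address", 0x0), ("lpAddress", 0x4), ("dwSize", 0x8),
         ("flAllocationType", 0xC), ("flProtect", 0x10)]
MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE = 0x1000, 0x2000, 0x40


def read_dword(memory: bytes, base: int, addr: int) -> int:
    """Little-endian 32-bit read of [addr]; memory[0] is mapped at base."""
    return struct.unpack_from("<I", memory, addr - base)[0]


def decode_frame(memory: bytes, base: int, esp: int) -> dict:
    """Name every argument slot as the debugger's stack window would."""
    return {name: read_dword(memory, base, esp + off) for name, off in FRAME}


def should_break(memory: bytes, base: int, esp: int, threshold: int) -> bool:
    """The check a conditional software breakpoint runs on every hit: stop only
    when dwSize ([ESP+8]) exceeds the threshold, otherwise auto-continue.
    Note: OllyDbg parses bare constants as hexadecimal, so typing "> 100" in
    its condition box means > 0x100; pass the value you really mean here."""
    return read_dword(memory, base, esp + 0x8) > threshold


def build_frame(ret, lp, size, alloc_type, protect) -> bytes:
    """Constructed stack image for VirtualAlloc(lp, size, alloc_type, protect)."""
    return struct.pack("<5I", ret, lp, size, alloc_type, protect)


def hits(frames: list, threshold: int = 100) -> list:
    """Indices of the calls the debugger would actually stop on."""
    return [i for i, (mem, base, esp) in enumerate(frames)
            if should_break(mem, base, esp, threshold)]


# Constructed calls, each placed at a constructed ESP of 0x0012FF20:
ESP = 0x0012FF20
SMALL = build_frame(0x00401234, 0, 8, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
LARGE = build_frame(0x00401234, 0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
CALLS = [(SMALL, ESP, ESP), (LARGE, ESP, ESP)]
```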
Loading DLLs
• Malware often delivered as DLLs to be injected into other processes
• OllyDbg uses loaddll.exe as a dummy program that calls into the DllMain function of the target DLL
– Hit play to initialize the DLL
– Debug=>Call DLL export to call a particular exported function with custom parameters
– Follow in disassembler to see code
– Figure 9-10
• In-class exercise
– Open Lab03-02.dll (only on 32-bit Win7; restart Olly)
Tracing
• Recording execution
• Standard Back Trace
– Execution is recorded when single stepping
– + and – take you forward and backward in execution
• Call Stack Trace
– View the function call path that has led to your current execution point
– In-class: MyExample.exe strncmp
Tracing
• Recording execution
• Run Trace
– OllyDbg saves every executed instruction and all changes to registers and flags
– Highlight code to trace
» Run Trace=>Add Selection
» Execute
» View=>Run Trace
» - and + to navigate the trace and see changes
» In-class: MyExample.exe and strncmp
– Or use the “Trace Into” and “Trace Over” options to run the trace until the next breakpoint
» Take care to limit the size of the trace
Tracing
• Poison Ivy backdoor example
– VirtualAlloc to store commands from the C&C server
– Stored in heap memory
– EIP executes from heap locations
• Goal: find out the mechanism for execution
– Step #1: Set a condition to pause on EIP outside of the program segment (Figure 9-11)
– Step #2: Trace Into to execute until the condition is met
– Step #3: Use the – key to back up execution and see where entry into the shellcode occurred
Exceptions
• Exceptions that occur while the debugger is attached transfer control to the debugger
• User options
– Step into exception
– Step over exception
– Run exception handler
• Can also set in Debugging Options to ignore all exceptions (immediately transfer control back to the program)
Patching
• Modifying program instructions to change behavior
• Binary=>Edit
• In class
– In OllyDbg, modify the conditional branch within MyExample.exe to *always* hit the OK branch
– Copy modifications to a new executable
Dumping
• Create a new binary upon unpacking a program
• OllyDump plug-in
– Find the entry point after the unpacking and decryption operations of the malware have been performed
– Creates a new executable that can be analyzed within IDA Pro
– Figure 9-16
In-class exercise
• Lab 9-2
– In OllyDbg, perform the Follow in Dump step to display 1qaz2wsx and ocl.exe
– Generate Listing 9-6L in IDA Pro
– In OllyDbg, set a breakpoint at the strcmp and identify the strings being compared
– In IDA Pro, show where the network calls are located
– Change the name of the file to enable the malware to execute
– Step through and show the DNS name as it is being decoded
– Within Wireshark, show the connect and its result