Wednesday, August 31, 2011

Malware Analysis Tutorial 2 - Ring3 Debugging

Learning Objectives:
  • Use a Ring3 debugger such as Immunity Debugger efficiently
  • Control program execution (step in, step over, breakpoints)
  • Monitor and change program state (registers, memory)
  • Annotate instructions with comments and labels in Immunity Debugger
This tutorial can be used as a lab module in
  • Computer architecture
  • Operating systems
  • Discrete Maths (number system)
1. Introduction

To reverse engineer malware, a good debugger is essential. There are two types of debuggers: user-level debuggers (such as OllyDbg, Immunity Debugger, and IDA Pro) and kernel debuggers (such as WinDbg, SoftICE, and Syser). The difference is privilege: a kernel debugger runs with kernel privilege and can therefore debug device drivers and the kernel itself, which a user-level debugger cannot. Modern operating systems such as Windows rely on the processor to provide a layered set of protection domains. On an Intel x86 CPU there are four privilege levels, ring 0 (the most privileged, kernel mode) through ring 3 (user mode); Windows uses only ring 0 and ring 3. A user-level debugger is itself a ring 3 process and sees only the ring 3 side of its target, so we also call it a "ring3 debugger".

A natural question you might have is: since ring0 debuggers are more powerful than ring3 debuggers, why not use a ring0 debugger directly? As always, there is no free lunch. Ring3 debuggers usually come with a nice GUI that greatly improves the productivity of a reverse engineer, whereas kernel debugging in WinDbg is driven from a command window. We will use the ring0 debugger (WinDbg) only when necessary. There is one exception: IDA Pro has recently introduced a GUI module that drives WinDbg for kernel debugging. This is a nice feature, but you have to pay for it.

In this tutorial, we assume that you would like to use open-source/free software tools. The following is a combination of debuggers we'll use throughout the tutorial: Immunity Debugger (IMM for short) and WinDbg.

2. Brief Tour of IMM

Now we will have a brief introduction of IMM. If you have not installed your Virtual Machine test bed, check out the first tutorial Malware Analysis Tutorial - A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) for setting up the experimental platform.

Figure 1. Screenshot of IMM

As shown in Figure 1, the main window has four panes: the CPU pane (which shows the sequence of machine instructions together with your comments), the Register pane (where you can watch and modify register values), the Stack pane, and the Memory Dump pane. Before we try to reverse engineer the first section of Max++, it is worth learning the debugger's shortcut keys so that you can use it efficiently.

In general, to use a debugger efficiently, you need to know the following:
  1. How to control the execution flow (F8 - step over, F7 - step in, F9 - continue, Shift+F9 - pass the pending exception to the program's handler and continue)
  2. How to examine and edit data (in the Memory Dump pane: right click -> Binary -> Edit; in the Register pane: right click -> Edit)
  3. How to set breakpoints (F2 toggles a software breakpoint, F4 runs to the cursor, right click on an instruction -> Breakpoint -> for hardware and memory breakpoints)
  4. How to annotate (";" places a comment)
Most of the above can also be found in the Debug menu of IMM, but it is always worth memorizing the shortcut keys. We now briefly explain the functions that are most useful during analysis.

2.1 Execution Flow Control

The difference between step over and step in is the same as in any other debugger. Step in (F7) enters the function body of a CALL instruction. Step over (F8) executes the whole function and stops at the instruction immediately after the CALL. Under the hood, F8 does this by placing a temporary breakpoint on that next instruction and running until it is hit. Notice that this may not always give you the result you want: many malware samples use anti-debugging tricks that tamper with the return address on the stack (a return-oriented trick) so that the callee never returns to the next instruction, and the temporary breakpoint is never reached, so the program simply runs away. We will see an example of this in Max++.

F9 (continue) is used to resume execution from a breakpoint. Notice that, by default, the debugger silently handles many exceptions for you (see Options -> Debugging options -> Exceptions), and when it does stop on an exception, the program's own handler has not yet run. To hand the exception to the program's handler chain and continue, press Shift+F9 instead of F9. Later we will see that Max++ rewrites the SEH (structured exception handler) chain to detect the presence of a debugger. To follow that trick, you will use Shift+F9 so that the malware's own handler executes, and you can then inspect the SEH code manually.

2.2 Data Manipulation

In general, you have three types of data to manage: (1) registers, (2) stack, and (3) all other segments (code, data, and heap).

To change the value of a register, right click on it in the Register pane and select Edit. Notice that when a register contains a memory pointer (the address of a memory location), it is very convenient to right click on it and select "Follow in Dump" or "Follow in Stack" to see what it points to.

IMM does not let you edit the value of EIP directly in the Register pane. It is possible, however, to change EIP from the Python shell window. We leave it as a homework question for you to figure out how.

In the Memory Dump pane, select and right click on any data, and then select Binary->Edit. You can enter data conveniently (either as a string or binary number).

You can also patch the code itself. In the CPU pane, right click on an instruction and select "Assemble": you can type an assembly instruction and it is encoded directly over the selected bytes (keep "Fill with NOPs" checked so that a shorter replacement does not leave stray bytes behind, and note that a longer replacement will overwrite the following instruction). You can even save the patched program as a new executable:

   (1) Right click in the CPU pane
   (2) Select Copy to Executable
   (3) Select Copy All
   (4) Close the dialog window (the list of modified instructions)
   (5) A dialog then asks whether to save the file. Select "Yes" and save it as a new executable file.
2.3 Breakpoints

Software breakpoints (F2) are the most popular kind. They behave like the breakpoints in your high-level language debugger: you can set an unlimited number of soft breakpoints (BPs), and you can make a soft BP conditional (Shift+F2), e.g., stop only when a register equals a certain value.

Soft BPs are implemented with the INT 3 instruction (opcode 0xCC). Whenever you set a breakpoint at a location, the debugger replaces the FIRST byte of that instruction with INT 3 (a one-byte instruction) and saves the old byte. When the program reaches that location, the INT 3 raises a breakpoint exception and the debugger is invoked to handle it. The debugger restores the original byte, moves EIP back by one (the CPU has already executed the one-byte INT 3), evaluates the breakpoint's condition, and stops the program if it holds. Because the 0xCC byte is really present in the program's memory, any code that checksums itself or scans its own bytes for 0xCC will notice a soft BP; this is a common anti-debugging trick, and the reason hardware BPs exist.

Hardware breakpoints are set by right clicking in the CPU pane and selecting Breakpoint -> Hardware, on execution. Notice that two other kinds of hardware BP are available for data (Hardware, on access and Hardware, on write). As the name suggests, hardware BPs are implemented by the CPU: an Intel x86 CPU has four debug address registers (DR0-DR3) that hold the breakpoint addresses, and a control register (DR7) that records, for each of them, whether it is enabled, whether it fires on execution, write, or read/write, and how many bytes (1, 2, or 4) it covers. This means that at any time you can have at most 4 hardware BPs. Nothing in the code bytes is modified, so a self-checksum will not notice them (although a program that reads its own debug registers with GetThreadContext still can). IMM also offers memory breakpoints (Breakpoint -> Memory, on access/on write), which guard a whole page through page protection rather than the debug registers.

Hardware BPs are very useful if you need to find out which part of the code modifies a variable. Just set a hardware write BP on it, and you do not have to comb through the entire disassembly to find the write.
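The following is an added example, not code from the tutorial or from Immunity Debugger. It models the two mechanisms just described, the INT 3 patch of a software breakpoint and the DR0-DR3/DR7 registers of a hardware breakpoint, over a constructed byte buffer instead of a live process, so it runs offline. The code bytes and the base address are assumptions (they are not the Max++ sample's bytes; the base is chosen so the INT 2Dh lands at 0x413BD5, the address the challenge below asks about), and the DR7 bit layout is the 32-bit x86 one.

```python
"""Added example (not from the tutorial or from Immunity Debugger): a model of
software (INT 3) and hardware (DR0-DR3 / DR7) breakpoints over a byte buffer."""
from dataclasses import dataclass, field

INT3 = 0xCC  # one-byte INT 3 opcode written over the first byte of an instruction

# Constructed x86 bytes standing in for a code section (assumption, not the
# Max++ sample). With BASE = 0x413BD0 the INT 2Dh sits at 0x413BD5.
#   mov eax, 1      B8 01 00 00 00
#   int 2Dh         CD 2D
#   ret             C3
CODE = bytes.fromhex("B801000000" "CD2D" "C3")
BASE = 0x00413BD0


def checksum(code):
    """Stand-in for a malware self-integrity check over its own code bytes."""
    return sum(code) & 0xFFFFFFFF


@dataclass
class SoftBreakpoints:
    """Debugger-side bookkeeping for INT 3 breakpoints."""
    code: bytearray
    base: int
    saved: dict = field(default_factory=dict)  # address -> original first byte

    def set(self, addr):
        if addr not in self.saved:
            off = addr - self.base
            self.saved[addr] = self.code[off]
            self.code[off] = INT3

    def on_breakpoint_exception(self, eip):
        """Handle the breakpoint exception. The CPU has already executed the
        one-byte INT 3, so EIP points one past it. Restore the original byte
        and return the address to resume at (the breakpoint itself), or None
        if this INT 3 belongs to the program and was not planted by us."""
        addr = eip - 1
        if addr not in self.saved:
            return None
        self.code[addr - self.base] = self.saved.pop(addr)
        return addr


RW_BITS = {"execute": 0b00, "write": 0b01, "access": 0b11}  # DR7 R/Wn field
LEN_BITS = {1: 0b00, 2: 0b01, 4: 0b11}                       # DR7 LENn field


class HardwareBreakpoints:
    """Models DR0-DR3 plus the enable/type/length fields of DR7 (32-bit x86)."""

    def __init__(self):
        self.dr = [None] * 4  # slot n -> (addr, kind, length), i.e. DRn

    def set(self, addr, kind, length=1):
        if kind == "execute" and length != 1:
            raise ValueError("execution breakpoints must have length 1")
        if addr % length:
            raise ValueError("data breakpoint address must be aligned to its length")
        if None not in self.dr:
            raise RuntimeError("all four debug address registers are in use")
        slot = self.dr.index(None)
        self.dr[slot] = (addr, kind, length)
        return slot

    def dr7(self):
        v = 0
        for slot, bp in enumerate(self.dr):
            if bp is None:
                continue
            _, kind, length = bp
            v |= 1 << (2 * slot)                      # Ln: local enable for slot n
            v |= RW_BITS[kind] << (16 + 4 * slot)     # R/Wn: execute / write / read-write
            v |= LEN_BITS[length] << (18 + 4 * slot)  # LENn: 1, 2 or 4 bytes
        return v


def compare_visibility():
    """Plant one breakpoint of each kind on the INT 2Dh and report whether the
    program's own checksum would notice it. Returns (soft_visible, hw_visible, dr7)."""
    clean = checksum(CODE)
    code = bytearray(CODE)
    SoftBreakpoints(code, BASE).set(BASE + 5)
    soft_visible = checksum(code) != clean  # 0xCC is now in the code bytes
    code = bytearray(CODE)
    hw = HardwareBreakpoints()
    hw.set(BASE + 5, "execute")
    hw_visible = checksum(code) != clean    # code untouched: only DR0/DR7 changed
    return soft_visible, hw_visible, hw.dr7()


if __name__ == "__main__":
    print(compare_visibility())
```

Running the script reports that the soft breakpoint changes the checksum while the hardware one does not, and that a single execution breakpoint in slot 0 encodes as DR7 = 0x1 (only the L0 enable bit, since execute uses R/W = 00 and LEN = 00).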

2.4 User Annotation

Although seemingly trivial, user comments and annotations are very important in a reverse engineering effort. In the CPU pane, pressing ";" adds a comment to a machine instruction and pressing ":" attaches a label to a location. Later, wherever that location is referenced as a variable or a function, its label is displayed instead of the raw address. This greatly eases the analysis.

3. Challenges of the Day

It's time to roll up your sleeves and put what we have learned into practice! The objective today is to analyze the code snippet from 0x413BC8 to 0x413BD8. Answer the following questions. We will post the solutions in the comments area.

Q1. What is the value of EAX at 0x413BD5 (right before int 2d is executed)?
Q2. Is the instruction "RET" at 0x413BD7 ever executed?
Q3. If you change the value of EAX to 0 (at 0x413BD5), does it make any difference for Q2?
Q4. Can you change the value of EIP at 0x413BD5 so that the int 2d instruction is skipped?
Q5. Modify the int 2d instruction at (0x413BD7) to "NOP" (no operation) and save the file as "max2.exe". Execute max2.exe. Do you observe any difference in the malware's behavior? (Check tutorial 1, Malware Analysis Tutorial - A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform), for monitoring the network traffic.)



  2. Q1. The value of the EAX register is 1.

    Q2. The ret is never executed, it is skipped.

    Q3. Yes, the ret will be executed.

    Q4. Yes, with the Python shell window you can change the EIP.

    Q5. Yes, the malware does not run. Without the int 2d instruction, the ret is executed and the program does not call the MAX++ function.

  3. at Q5 you have put wrong address.

  4. The address in Q5 is correct. Check Figure 1 again.

  5. Outstanding stuff here Dr Fu. Great work and great contribution to the malware analysis community.
    Thank you,
    David aka IndiGenus

  6. It would be great if you could post how to change the EIP here in comments.

  7. From a Python Shell

    >>> imm = immlib.Debugger()                  # immlib is Immunity's Python API, available in the shell
    >>> imm.setReg('EIP', int("hex value", 16))  # "hex value": the target address as a hex string

  8. Thank you Dr.Fu !
    I am eager to learn moar!

  9. I think I've downloaded another sample, I mean, the entry point is totally different from yours in Figure 1. Could someone please upload the sample again?...

  10. Hello Dr. Fu, first thanks for this great tutorial.

    As you said "However, it is possible to change EIP using the Python shell window".

    However, I found another simple solution for this, similar to OllyDbg: right click the new EIP destination address in the CPU window and select "New origin here". Is this different?

  11. Hi,
    I am having a bit of trouble with the Q3.
    If I change the value of EAX to zero, the RETN is still NOT executed.
    However, if I put a soft-breakpoint and also change the value of EAX then RETN is executed.

    Please let me know if this is the right thing to do or am I missing something? As stated in the question there is no breakpoint mentioned.

    Thank you in advance


  13. Thank you Dr. Fu, I really enjoyed this tutorial. I've been learning Malware Analysis for the past 3 or so months, and I learned a few things about the debugger! :)

  14. Q1. The value of the EAX register 1.

    Q2. The ret is never executed, it is skipped.

    Q3. No, it is still not executed.

    Q4. Yes, execution goes to retn and program is terminated.

    Q5. Yes, the malware does not run. Without the int 2d instruction, the retn is executed and program is terminated.
