- Efficiently master a Ring3 debugger such as Immunity Debugger
- Can control program execution (step in, over, breakpoints)
- Can monitor/change program state (registers, memory)
- Comments annotation in Immunity Debugger
- Computer architecture
- Operating systems
- Discrete Maths (number system)
To reverse engineer a malware, a quality debugger is essential. There are two types of debuggers: user level debuggers (such as OllyDbg, Immunity Debugger, and IDA Pro), and kernel debugger (such as WinDbg, SoftIce, and Syser). The difference between user/kernel level debuggers is that kernel debuggers run with higher privilege and hence can debug kernel device drivers and devices, while user level debuggers cannot. It is well known that modern OS such as Windows relies on the processor (e.g., Intel CPU) to provide a layered collection of protection domains. For example, on a typical Intel CPU, programs can run in four modes, from ring0 (kernel mode) to ring3 (user level). In this case, we also call user level debuggers "ring3 debuggers".
A natural question you might have is: Since ring0 debuggers are more powerful than ring3 debuggers, why not use ring0 debuggers directly? Well, there is no free lunch as always. Ring3 debuggers usually come with a nice GUI which can greatly improve the productivity of a reverse engineer. Only when necessary, we'll use the command-line ring0 debuggers (such as WinDbg). There is one exception though - recently, IDA Pro has introduced a GUI module which can drive WinDbg for kernel debugging. This is a nice feature and you'll have to pay for it.
In this tutorial, we assume that you would like to use open-source/free software tools. The following is a combination of debuggers we'll use throughout the tutorial: Immunity Debugger (IMM for short) and WinDbg.
2. Brief Tour of IMM
Now we will have a brief introduction of IMM. If you have not installed your Virtual Machine test bed, check out the first tutorial Malware Analysis Tutorial - A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) for setting up the experimental platform.
 |
| Figure 1. Screenshot of IMM |
As shown in Figure 1, from left-top anti-clockwise, we have the CPU pane (which shows the sequence of machine instructions and user comments), the Register pane (which you can watch and modify the values of registers), the Stack pane and the Memory dump. Before we try to reverse engineer the first section of Max++, it is beneficial to learn how to use the short-cut keys in the debugger efficiently.
In general, to use a debugger efficiently, you need to know the following :
- How to control the execution flow? (F8 - step over, F7 - step in, F9 - continue, Shift+F9 - continue and intercept exceptions)
- How to examine data? (In Memroy pane: right click -> binary -> edit, in Register pane: right click -> edit)
- How to set breakpoints? (F2 for toggle soft-breakpoint, F4 - run to the cursor, right click on instruction -> Breakpoint -> for hardware and memory access point)
- Annotation (; for placing a comment)
2.1 Execution Flow Control
The difference between step over/step in is similar to all other debuggers. Step in (F7) gets into the function body of a Call instruction. Step over (F8) executes the whole function and then stops at the next immediate instruction. Notice that F8 may not always get you the result you desire -- many malware employ anti-debugging techniques and use return-oriented programming technique to redirect program control flow (and the execution will never hit the next instruction). We will later see an example in Max++.
F9 (continue) is often used to continue from a breakpoint. Notice that the debugger automatically handles a lot of exceptions for you. If you want to intercept all exceptions, you should use SHIFT+F9. Later, we will see an example that Max++ re-writes the SEH (structured exception handler) to detect the existence of debuggers. To circumvent that anti-debug trick, you will use SHIFT+F9 to manually inspect SEH code.
2.2 Data Manipulation
In general, you have three types of data to manage: (1) registers, (2) stack, and (3) all other segments (code, data, and heap).
To change the value of a register, you can right click on the register and select Edit to change its value. Notice that when a register contains a memory pointer (the address of a memory slot), it is very convenient to right click on it and select "Follow in Dump" or "Follow in Stack" to watch its value.
The design of IMM does not allow you to directly change the value of EIP register in the Register pane. However, it is possible to change EIP using the Python shell window. We leave it as a homework question for you to figure out how to change EIP.
In the Memory Dump pane, select and right click on any data, and then select Binary->Edit. You can enter data conveniently (either as a string or binary number).
You are able to reset the code (as data). In CPU pane, right click and select "Assemble", you can directly modify the code segment by typing assembly instructions! You can even modify a program using this nice feature. For example, after modifying the code segment, you can save the modified program using the following approach:
(1) Right click in CPU pane
(2) Copy to Executable
(3) Copy All
(4) Close the dialog window (list of instructions that are modified)
(5) Then a dialog asking for "save the file" pops. Select "yes" and save it as a new executable file.
2.3 Breakpoints
Software breakpoints (F2) are the post popular breakpoints. It is similar to the breakpoints available in your high-level language debuggers. You can have an unlimited soft breakpoints (BPs) and you can set conditions on a soft BP (e.g., to specify that the BP should stop the program only when the value of a register is equal to a certain number).
Soft BPs are implemented using the INT 3 instruction. Basically, whenever you set a breakpoint at a location, the debugger replaces the FIRST byte of that instruction with INT 3 (a one-byte instruction), and saves the old byte. Whenever the program executes to that location, an interrupt is generated and the debugger is called to handle that exception. So the debugger can then perform the condition check on the breakpoint and stop the program.
Hareware breakpoints can be set by right click in the CPU pane and then select Breakpoints -> Hardware, on execution. Notice that there are two other types hard BPs availalbe (memory read, memory access). As its name suggests, hard BPs are accomplished by taking advantage of hardware. On a Intel CPU, there are four hardware BP registers which records the location of hard BPs. This means that at any time, you can have up to 4 hard BPs.
Hardware BPs are very useful if you need to find out which part of the code modifies a variable. Just set a memory access BP on it and you don't have to look over the entire source code to find it out.
2.4 User Annotation
Although seemingly trivial, user comments and annotation is a very important function during a reverse engineering effort. In the CPU pane, pressing ";" allows you to add a comment to a machine instruction and pressing ":" allows you to label a location. Later when the location is referred to as a variable or a function, its label will be displayed. This will greatly ease the process of analysis.
3. Challenges of the Day
It's time to roll-up your sleeves and put all we have learned into practice! The objective today is to analyze the code snippet from 0x413BC8 to 0x413BD8. Answer the following questions. We will post the solution to these questions in the comments area.
Q1. What is the value of EAX at 0x413BD5 (right before int 2d is executed)?
Q2. Is the instruction "RET" at 0x413BD7 ever executed?
Q3. If you change the value of EAX to 0 (at 0x413BD5), does it make any difference for Q2?
Q4. Can you change the value of EIP at 0x413BD5 so that the int 2d instruction is skipped?
Q5. Modify the int 2d instruction at (0x413BD7) to "NOP" (no operations) and save the file as "max2.exe". Execute max2.exe. Do you observe any difference of the malware behavior? (check tutorial 1 Malware Analysis Tutorial - A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) for monitoring the network traffic)
This comment has been removed by the author.
ReplyDeleteQ1. The value of the EAX register is 1.
ReplyDeleteQ2. The ret is never executed, it is skipped.
Q3. Yes, the ret will be executed.
Q4. Yes, with a the python shell window you can change the EIP.
Q5. Yes, the malware does not run. Without the int 2d instruction, the ret is executed and the program does not call the MAX++ function.
at Q5 you have put wrong address.
ReplyDeleteThe address in Q5 is correct. Check Figure 1 again.
ReplyDeleteOutstanding stuff here Dr Fu. Great work and great contribution to the malware analysis community.
ReplyDeleteThank you,
David aka IndiGenus
It would be great if you could post how to change the EIP here in comments.
ReplyDeleteFrom a Python Shell
ReplyDelete>>> imm = immlib.Debugger()
>>> imm.setReg('EIP',int("hex value",16))
Thank you Dr.Fu !
ReplyDeleteI am eager to learn moar!
I think I've downloaded another sample, I mean, the entry point is totally different from yours in Figure 1. Could someone please upload the sample again?...
ReplyDeleteHello Dr. Fu, first thanks for this great tutorial.
ReplyDeleteAs you said "However, it is possible to change EIP using the Python shell window".
However, I found another simple solution for this, similar like on Ollydbg, by right click the new EIP destination address on CPU window and select "New origin here". Is this a different?
Hi,
ReplyDeleteI am having a bit of trouble with the Q3.
If I change the value of EAx to zero, still the RETN is NOT executed.
However, if I put a soft-breakpoint and also change the value of EAX then RETN is executed.
Please let me know if this is the right thing to do or am I missing something? As stated in the question there is no breakpoint mentioned.
Thank you in advance
http://cryptogranarchy.blogspot.com/
ReplyDeletehttp://cryptogranarchy.my1.ru/
Thank you Dr. Fu, I really enjoyed this tutorial. I've been learning Malware Analysis for the past 3 or so months, and I learned a few things about the debugger! :)
ReplyDeleteQ1. The value of the EAX register 1.
ReplyDeleteQ2. The ret is never executed, it is skipped.
Q3. No, stil is not executed.
Q4. Yes, execution goes to retn and program is terminated.
Q5. Yes, the malware does not run. Without the int 2d instruction, the retn is executed and program is terminated.
Quantum Binary Signals
ReplyDeleteProfessional trading signals sent to your mobile phone every day.
Start following our signals today and gain up to 270% per day.
Amazing Content ..Reverse Engineering in India
ReplyDeleteReverse engineering design
Thanks for sharing, very informative blog.
ReplyDeleteReverseEngineering
Nice blog!!!!!!!.
ReplyDeleteReverseEngineering
Nice information, valuable and excellent design, as share good stuff with good ideas and concepts, lots of great information and inspiration, both of which I need, thanks to offer such a helpful information here.
ReplyDeleteData Science Online Training | Data Science Online Certification
In the quest for quality grades, students have realized the need for working with Nursing Paper Writing Service agencies that specialize in various types of essay writing. They are the best company that handles Best Proofreading Service and Affordable Editing Services.
ReplyDeletehttps://greencracks.com/virtual-dj-8-crack-serial-number/
ReplyDeleteVirtual DJ Pro Crack is the audio-video mixing software with its breakthrough and beat lock engine. It is one of the famous software programs in the entire market and becomes the number one software. While the automatic loops of it are the seamless and also synchronized sampler which lets you the Virtual DJ Pro Keygen perform and astounding the remix which is life. Furthermore, the representation that is visual that can cue which is allowed to DJ too see the song and structure clearly.
nfs most wanted download pc
ReplyDeleteNFS Most Wanted Pc Download: an openworld action Car Racing Video Game. Criterion Games developed NFS Most Wanted Torrent. Electronics Arts published Need For Speed Most Wanted Pc Download Free Full Version. It is the 19th installment in the Need For Speed Games. Need For Speed Most Wanted Free Download Pc Game features both single player as well as the multiplayer gameplay modes.
https://crackedhome.com/revo-uninstaller-torrent-full/
ReplyDeleteRevo Uninstaller Crack is a useful place where you can easily find Activators, Patch, Full version software Free Download, License key, serial key, keygen, Activation Key and Torrents. Get all of these by easily just on a single click.
https://thinkcrack.com/smadav-key/
ReplyDeleteSmadav Pro Crack pro is the small and lightweight entity of the tool. It is really secure and efficient software. It makes your system secure and safe. It is most widely too used all over the world. It is used on mobile and laptops. It provides you security checks and threats of data. It is a type of antivirus. It means it protects your pc and mobile phone at all. You can take advantage of installing it in your system. It removes the virus and makes your system virus free. It cannot allow any threat which may damage your pc data.
https://approvedcrack.com/lightworks-pro-2020-crack/
ReplyDeleteLightworks Pro Crack is software. That gives good help. This service is used to change the videos. This software is a master changing component. It is used in film making to edit in the movies. It allows us to produce and change video clips. The software also pays the draw images. It also pays the audio data short clips to choose the video.
https://autocracked.org/cinema-4d-crack-with-keygen/
ReplyDeleteCINEMA 4D Crack is a 3D modelling software. That is most widely used for animation, rendering, graphics, and motions, etc. it is one of the top 50 graphics design products. It modified your requirements.
https://rootcracks.org/device-doctor-pro-keys-download-here/
ReplyDeleteDevice Doctor Pro Crack is very simple software, which function is to scan the device for new updates. If you have any kind of device it checks it very smoothly, using the internet is there any kind of update or not. Amazing thing is that it supports up to 3 terabytes of drivers. You have no need to use any updated operating system for its use. It supports a minimum 32 bit of operating system also. The software is very beneficial of the laptop users. And, this software is very easy to use no need for any science to operate it.
https://latestcracked.com/revo-uninstaller-pro-patch-serial-number-here/
ReplyDeleteRevo Uninstaller Pro Crack a potent utility to get rid of and disable apps without any remnants, tails, and traces on your computer. As everyone probably knows, lots of software throughout setup to create diverse files. Folders and registry entries in distinct regions of the technique. This app tracks real-time exactly what effects have been made into this machine from new applications and also carries those changes under consideration in its work. Even if you have not tracked the installment of an app, it’s still feasible to disable it manually via a setup log. This may occur employing the logs out of your Logs Database.
https://activatorpros.com/mirc-crack-plus-keygen/
ReplyDeletemIRC Crack can be a social network that employs the Internet Relay Chat protocol. Its principal goal is always to make a digital connection involving users all around over the Earth, who is able to convey using its own conversation capacities. Additionally, in addition, it has scripting terminology, making it symmetrical and thoroughly user-friendly. If you require staff talks or one-on-one private requirements, this program is best for you personally.
https://autocracking.com/deezer-premium-apk-crack-full-activation-code/
ReplyDeleteDeezer Crack is a useful place where you can easily find Activators, Patch, Full version software Free Download, License key, serial key, keygen, Activation Key and Torrents. Get all of these by easily just on a single click.
https://fixedcrack.com/fl-studio-2020-crack-here/
ReplyDeleteFL Studio Final Crack is the most powerful production tool. While, it is developed by the Fruity Edition, and Also the Signature Bundle. The features are available in line with the sound editing and also the audio. While the most recent variant contains all that you require for. Fl-studio can be an audio platform. All you’re looking for in one package to write. While you need to organize, document, edit, combine, and also genius proficient excellent new music.
download halo 2
ReplyDeleteHalo 2 Pc Game: is a famous action war fighting and shooting and Fighting Pc Game. Bungie Games developed it and Microsoft Games Studio Entertainments published Halo 2 Torrent worldwide for all platforms.
Good article! I found some useful educational information in your blog about Data Science, it was awesome to read, thanks for sharing this great content to my vision.
ReplyDeleteJava training in chennai | Java training in annanagar | Java training in omr | Java training in porur | Java training in tambaram | Java training in velachery