SlideShare a Scribd company logo

CNIT 126: 8: Debugging

Sam Bowne
Sam Bowne
Sam BowneInstructor at CCSF

Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901. Instructor: Sam Bowne Class website: https://samsclass.info/126/126_F18.shtml

CNIT 126: 8: Debugging

1 of 48
Download to read offline
Practical Malware Analysis
Ch 8: Debugging
Rev. 9-11-18
Disassemblers v. Debuggers
• A disassembler like IDA Pro shows the state
of the program just before execution
begins
• Debuggers show
– Every memory location
– Register
– Argument to every function
• At any point during processing
– And let you change them
Two Debuggers
• Ollydbg
– Most popular for malware analysis
– User-mode debugging only
– IDA Pro has a built-in debugger, but it's not as
easy to use or powerful as Ollydbg
• Windbg
– Supports kernel-mode debugging
Source-Level v. Assembly-Level
Debuggers
• Source-level debugger
– Usually built into development platform
– Can set breakpoints (which stop at lines of code)
– Can step through program one line at a time
• Assembly-level debuggers (low-level)
– Operate on assembly code rather than source code
– Malware analysts are usually forced to use them,
because they don't have source code
Windows Crashes
• When an app
crashes,
Windows may
offer to open it
in a debugger
• Usually it uses
Windbg
• Links Ch 8c, 8d
Kernel v. User-Mode
Debugging

Recommended

CNIT 126 8: Debugging
CNIT 126 8: DebuggingCNIT 126 8: Debugging
CNIT 126 8: DebuggingSam Bowne
 
Practical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbgSam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
CNIT 127 Ch 16: Fault Injection and 17: The Art of FuzzingCNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
CNIT 127 Ch 16: Fault Injection and 17: The Art of FuzzingSam Bowne
 

More Related Content

What's hot

CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgSam Bowne
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingSam Bowne
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?Sam Bowne
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)Sam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)Sam Bowne
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)Sam Bowne
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingSam Bowne
 
CNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorCNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorSam Bowne
 

What's hot (20)

CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbg
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware Launching
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware Behavior
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows Programs
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbg
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data Collection
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Is Your Mobile App Secure?
Is Your Mobile App Secure?Is Your Mobile App Secure?
Is Your Mobile App Secure?
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
 
CNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorCNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware Behavior
 

Similar to CNIT 126: 8: Debugging

Cloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsCloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsVMware Tanzu
 
CNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgCNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgSam Bowne
 
Ch 16 & 17 Fault Injection & Fuzzing
Ch 16 & 17 Fault Injection & FuzzingCh 16 & 17 Fault Injection & Fuzzing
Ch 16 & 17 Fault Injection & FuzzingSam Bowne
 
Software coding & testing, software engineering
Software coding & testing, software engineeringSoftware coding & testing, software engineering
Software coding & testing, software engineeringRupesh Vaishnav
 
Java: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPages
Java: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPagesJava: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPages
Java: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPagespanagenda
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsAnju ML
 
Test driven development - Zombie proof your code
Test driven development - Zombie proof your codeTest driven development - Zombie proof your code
Test driven development - Zombie proof your codePascal Larocque
 
TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012Ashish Bhasin
 
Chelberg ptcuser 2010
Chelberg ptcuser 2010Chelberg ptcuser 2010
Chelberg ptcuser 2010Clay Helberg
 
19-reliabilitytesting.ppt
19-reliabilitytesting.ppt19-reliabilitytesting.ppt
19-reliabilitytesting.pptAnilteaser
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPriyanka Aash
 
Algorithmic problem sloving
Algorithmic problem slovingAlgorithmic problem sloving
Algorithmic problem slovingMani Kandan
 
Gearman - Northeast PHP 2012
Gearman - Northeast PHP 2012Gearman - Northeast PHP 2012
Gearman - Northeast PHP 2012Mike Willbanks
 
Compilers and interpreters
Compilers and interpretersCompilers and interpreters
Compilers and interpretersRAJU KATHI
 
Simplifying debugging for multi-core Linux devices and low-power Linux clusters
Simplifying debugging for multi-core Linux devices and low-power Linux clusters Simplifying debugging for multi-core Linux devices and low-power Linux clusters
Simplifying debugging for multi-core Linux devices and low-power Linux clusters Rogue Wave Software
 

Similar to CNIT 126: 8: Debugging (20)

Cloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For OperationsCloud Foundry Summit 2015: 12 Factor Apps For Operations
Cloud Foundry Summit 2015: 12 Factor Apps For Operations
 
CNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgCNIT 126 9: OllyDbg
CNIT 126 9: OllyDbg
 
Exception handling
Exception handlingException handling
Exception handling
 
PHP - Introduction to PHP Bugs - Debugging
PHP -  Introduction to  PHP Bugs - DebuggingPHP -  Introduction to  PHP Bugs - Debugging
PHP - Introduction to PHP Bugs - Debugging
 
Ch 16 & 17 Fault Injection & Fuzzing
Ch 16 & 17 Fault Injection & FuzzingCh 16 & 17 Fault Injection & Fuzzing
Ch 16 & 17 Fault Injection & Fuzzing
 
Software coding & testing, software engineering
Software coding & testing, software engineeringSoftware coding & testing, software engineering
Software coding & testing, software engineering
 
Java: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPages
Java: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPagesJava: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPages
Java: Finding Bugs, Fixing Bugs in IBM Domino Designer and XPages
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
 
Test driven development - Zombie proof your code
Test driven development - Zombie proof your codeTest driven development - Zombie proof your code
Test driven development - Zombie proof your code
 
TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012TechGIG_Memory leaks in_java_webnair_26th_july_2012
TechGIG_Memory leaks in_java_webnair_26th_july_2012
 
Anti Debugging
Anti DebuggingAnti Debugging
Anti Debugging
 
Chelberg ptcuser 2010
Chelberg ptcuser 2010Chelberg ptcuser 2010
Chelberg ptcuser 2010
 
19-reliabilitytesting.ppt
19-reliabilitytesting.ppt19-reliabilitytesting.ppt
19-reliabilitytesting.ppt
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Plc by Mohamed Al-Emam, Session3
Plc by Mohamed Al-Emam, Session3Plc by Mohamed Al-Emam, Session3
Plc by Mohamed Al-Emam, Session3
 
Algorithmic problem sloving
Algorithmic problem slovingAlgorithmic problem sloving
Algorithmic problem sloving
 
Gearman - Northeast PHP 2012
Gearman - Northeast PHP 2012Gearman - Northeast PHP 2012
Gearman - Northeast PHP 2012
 
Compilers and interpreters
Compilers and interpretersCompilers and interpreters
Compilers and interpreters
 
Simplifying debugging for multi-core Linux devices and low-power Linux clusters
Simplifying debugging for multi-core Linux devices and low-power Linux clusters Simplifying debugging for multi-core Linux devices and low-power Linux clusters
Simplifying debugging for multi-core Linux devices and low-power Linux clusters
 

More from Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Different types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptxDifferent types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptxPunamSahoo3
 
Sudden Death of Beliefs
Sudden Death of BeliefsSudden Death of Beliefs
Sudden Death of BeliefsRay Poynter
 
mean stack mean stack mean stack mean stack
mean stack mean stack  mean stack  mean stackmean stack mean stack  mean stack  mean stack
mean stack mean stack mean stack mean stackNuttavutThongjor1
 
CapTechTalks Webinar Feb 2024 Darrell Burrell.pptx
CapTechTalks Webinar Feb 2024 Darrell Burrell.pptxCapTechTalks Webinar Feb 2024 Darrell Burrell.pptx
CapTechTalks Webinar Feb 2024 Darrell Burrell.pptxCapitolTechU
 
BTKi in Treatment Of Chronic Lymphocytic Leukemia
BTKi in Treatment Of Chronic Lymphocytic LeukemiaBTKi in Treatment Of Chronic Lymphocytic Leukemia
BTKi in Treatment Of Chronic Lymphocytic LeukemiaFaheema Hasan
 
50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...
50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...
50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...Nguyen Thanh Tu Collection
 
Appendicular SkeletonSystem PPT.....pptx
Appendicular SkeletonSystem PPT.....pptxAppendicular SkeletonSystem PPT.....pptx
Appendicular SkeletonSystem PPT.....pptxRenuka N Sunagad
 
John See - Narrative Story
John See - Narrative StoryJohn See - Narrative Story
John See - Narrative StoryAlan See
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxJisc
 
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdfWriting Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdfMr Bounab Samir
 
English 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptx
English 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptxEnglish 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptx
English 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptxRusselMartinezPagana
 
FILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptx
FILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptxFILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptx
FILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptxmarielouisemiranda1
 
D.pharmacy Pharmacology 4th unit notes.pdf
D.pharmacy Pharmacology 4th unit notes.pdfD.pharmacy Pharmacology 4th unit notes.pdf
D.pharmacy Pharmacology 4th unit notes.pdfSUMIT TIWARI
 
2.15.24 The Birmingham Campaign and MLK.pptx
2.15.24 The Birmingham Campaign and MLK.pptx2.15.24 The Birmingham Campaign and MLK.pptx
2.15.24 The Birmingham Campaign and MLK.pptxMaryPotorti1
 
The Ministry of Utmost Happiness by Arundhati Roy
The Ministry of Utmost Happiness by Arundhati RoyThe Ministry of Utmost Happiness by Arundhati Roy
The Ministry of Utmost Happiness by Arundhati RoyTrushali Dodiya
 
Uncovering Consumers’ Hidden Narratives
Uncovering Consumers’ Hidden NarrativesUncovering Consumers’ Hidden Narratives
Uncovering Consumers’ Hidden NarrativesRay Poynter
 
CONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptx
CONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptxCONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptx
CONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptxAnupkumar Sharma
 
Media Relations for Public Relations Class
Media Relations for Public Relations ClassMedia Relations for Public Relations Class
Media Relations for Public Relations ClassCorinne Weisgerber
 

Recently uploaded (20)

Different types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptxDifferent types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptx
 
Sudden Death of Beliefs
Sudden Death of BeliefsSudden Death of Beliefs
Sudden Death of Beliefs
 
mean stack mean stack mean stack mean stack
mean stack mean stack  mean stack  mean stackmean stack mean stack  mean stack  mean stack
mean stack mean stack mean stack mean stack
 
CapTechTalks Webinar Feb 2024 Darrell Burrell.pptx
CapTechTalks Webinar Feb 2024 Darrell Burrell.pptxCapTechTalks Webinar Feb 2024 Darrell Burrell.pptx
CapTechTalks Webinar Feb 2024 Darrell Burrell.pptx
 
BTKi in Treatment Of Chronic Lymphocytic Leukemia
BTKi in Treatment Of Chronic Lymphocytic LeukemiaBTKi in Treatment Of Chronic Lymphocytic Leukemia
BTKi in Treatment Of Chronic Lymphocytic Leukemia
 
50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...
50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...
50 ĐỀ THI THỬ TỐT NGHIỆP THPT TIẾNG ANH 2024 CÓ GIẢI CHI TIẾT - GIỚI HẠN KHO...
 
Appendicular SkeletonSystem PPT.....pptx
Appendicular SkeletonSystem PPT.....pptxAppendicular SkeletonSystem PPT.....pptx
Appendicular SkeletonSystem PPT.....pptx
 
John See - Narrative Story
John See - Narrative StoryJohn See - Narrative Story
John See - Narrative Story
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Caldecott Medal Book Winners and Media Used
Caldecott Medal Book Winners and Media UsedCaldecott Medal Book Winners and Media Used
Caldecott Medal Book Winners and Media Used
 
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdfWriting Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
 
Time-Honored Wisdom: African Teachings for VUCA Leaders
Time-Honored Wisdom: African Teachings for VUCA LeadersTime-Honored Wisdom: African Teachings for VUCA Leaders
Time-Honored Wisdom: African Teachings for VUCA Leaders
 
English 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptx
English 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptxEnglish 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptx
English 7-Quarter 3-Module 3-FACTORS THAT MAY INFLUENCE LITERATURE.pptx
 
FILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptx
FILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptxFILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptx
FILIPINO 7 IKATLO AT IKAAPAT NA LINGGO 3RD QUARTER.pptx
 
D.pharmacy Pharmacology 4th unit notes.pdf
D.pharmacy Pharmacology 4th unit notes.pdfD.pharmacy Pharmacology 4th unit notes.pdf
D.pharmacy Pharmacology 4th unit notes.pdf
 
2.15.24 The Birmingham Campaign and MLK.pptx
2.15.24 The Birmingham Campaign and MLK.pptx2.15.24 The Birmingham Campaign and MLK.pptx
2.15.24 The Birmingham Campaign and MLK.pptx
 
The Ministry of Utmost Happiness by Arundhati Roy
The Ministry of Utmost Happiness by Arundhati RoyThe Ministry of Utmost Happiness by Arundhati Roy
The Ministry of Utmost Happiness by Arundhati Roy
 
Uncovering Consumers’ Hidden Narratives
Uncovering Consumers’ Hidden NarrativesUncovering Consumers’ Hidden Narratives
Uncovering Consumers’ Hidden Narratives
 
CONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptx
CONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptxCONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptx
CONCEPTS OF ENVIRONMENT & ECOSYSTEM.pptx
 
Media Relations for Public Relations Class
Media Relations for Public Relations ClassMedia Relations for Public Relations Class
Media Relations for Public Relations Class
 

CNIT 126: 8: Debugging

  • 1. Practical Malware Analysis Ch 8: Debugging Rev. 9-11-18
  • 2. Disassemblers v. Debuggers • A disassembler like IDA Pro shows the state of the program just before execution begins • Debuggers show – Every memory location – Register – Argument to every function • At any point during processing – And let you change them
  • 3. Two Debuggers • Ollydbg – Most popular for malware analysis – User-mode debugging only – IDA Pro has a built-in debugger, but it's not as easy to use or powerful as Ollydbg • Windbg – Supports kernel-mode debugging
  • 4. Source-Level v. Assembly-Level Debuggers • Source-level debugger – Usually built into development platform – Can set breakpoints (which stop at lines of code) – Can step through program one line at a time • Assembly-level debuggers (low-level) – Operate on assembly code rather than source code – Malware analysts are usually forced to use them, because they don't have source code
  • 5. Windows Crashes • When an app crashes, Windows may offer to open it in a debugger • Usually it uses Windbg • Links Ch 8c, 8d
  • 7. User Mode Debugging • Debugger runs on the same system as the code being analyzed • Debugging a single executable • Separated from other executables by the OS
  • 8. Kernel Mode Debugging The Old Way • Requires two computers, because there is only one kernel per computer • If the kernel is at a breakpoint, the system stops • One computer runs the code being debugged • Other computer runs the debugger • OS must be configured to allow kernel debugging • Two machines must be connected
  • 9. Windows 7 Advanced Boot Options • Press F8 during startup • "Debugging Mode"
  • 10. Side-Effect of Debug Mode • PrntScn key causes BSOD • Created great suffering in S214 in previous semesters • Use Shift+PrntScn instead
  • 11. Kernel Mode Debugging The New Way • Mark Russinovich's Livekd tool allows you to debug the kernel with only one computer! • MUCH easier :) • Tool has some limitations (Link Ch 8e)
  • 13. Good Intro to OllyDbg • Link Ch 8a
  • 16. Two Ways • Start the program with the debugger – It stops running immediately prior to the execution of its entry point • Attach a debugger to a program that is already running – All its threads are paused – Useful to debug a process that is affected by malware
  • 17. Single-Stepping • Simple, but slow • Don't get bogged down in details
  • 18. Example • This code decodes the string with XOR
  • 19. Stepping-over v. Stepping-Into • Single step executes one instruction • Step-over call instructions – Completes the call and returns without pausing – Decreases the amount of code you need to analyze – Might miss important functionality, especially if the function never returns • Step-into a call – Moves into the function and stops at its first command
  • 20. Pausing Execution with Breakpoints • A program that is paused at a breakpoint is called broken • Example – You can't tell where this call is going – Set a breakpoint at the call and see what's in eax
  • 21. • This code calculates a filename and then creates the file • Set a breakpoint at CreateFileW and look at the stack to see the filename
  • 23. Encrypted Data • Suppose malware sends encrypted network data • Set a breakpoint before the data is encrypted and view it
  • 26. Types of Breakpoints • Software execution • Hardware execution • Conditional
  • 27. Software Execution Breakpoints • The default option for most debuggers • Debugger overwrites the first byte of the instruction with 0xCC – The instruction for INT 3 – An interrupt designed for use with debuggers – When the breakpoint is executed, the OS generates an exception and transfers control to the debugger
  • 28. Memory Contents at a Breakpoint • There's a breakpoint at the push instruction • Debugger says it's 0x55, but it's really 0xCC
  • 29. When Software Execution Breakpoints Fail • If the 0xCC byte is changed during code execution, the breakpoint won't occur • If other code reads the memory containing the breakpoint, it will read 0xCC instead of the original byte • Code that verifies integrity will notice the discrepancy
  • 30. Hardware Execution Breakpoints • Uses four hardware Debug Registers – DR0 through DR3 – addresses of breakpoints – DR7 stores control information • The address to stop at is in a register • Can break on access or execution – Can set to break on read, write, or both • No change in code bytes
  • 31. Hardware Execution Breakpoints • Running code can change the DR registers, to interfere with debuggers • General Detect flag in DR7 – Causes a breakpoint prior to any mov instruction that would change the contents of a Debug Register – Does not detect other instructions, however
  • 32. Conditional Breakpoints • Breaks only if a condition is true – Ex: Set a breakpoint on the GetProcAddress function – Only if parameter being passed in is RegSetValue • Implemented as software breakpoints – The debugger always receives the break – If the condition is not met, it resumes execution without alerting the user
  • 33. Conditional Breakpoints • Conditional breakpoints take much longer than ordinary instructions • A conditional breakpoint on a frequently- accessed instruction can slow a program down • Sometimes so much that it never finishes
  • 36. Exceptions • Used by debuggers to gain control of a running program • Breakpoints generate exceptions • Exceptions are also caused by – Invalid memory access – Division by zero – Other conditions
  • 37. First- and Second-Chance Exceptions • When a exception occurs while a debugger is attached – The program stops executing – The debugger is given first chance at control – Debugger can either handle the exception, or pass it on to the program – If it's passed on, the program's exception handler takes it
  • 38. Second Chance • If the application doesn't handle the exception • The debugger is given a second chance to handle it – This means the program would have crashed if the debugger were not attached • In malware analysis, first-chance exceptions can usually be ignored • Second-chance exceptions cannot be ignored – They usually mean that the malware doesn't like the environment in which it is running
  • 39. Common Exceptions • INT 3 (Software breakpoint) • Single-stepping in a debugger is implemented as an exception – If the trap flag in the flags register is set, – The processor executes one instruction and then generates an exception • Memory-access violation exception – Code tries to access a location that it cannot access, either because the address is invalid or because of access-control protections
  • 40. Common Exceptions • Violating Privilege Rules – Attempt to execute privileged instruction with outside privileged mode – In other words, attempt to execute a kernel mode instruction in user mode – Or, attempt to execute Ring 0 instruction from Ring 3
  • 43. Skipping a Function • You can change control flags, the instruction pointer, or the code itself • You could avoid a function call by setting a breakpoint where at the call, and then changing the instruction pointer to the instruction after it – This may cause the program to crash or malfunction, or course
  • 44. Testing a Function • You could run a function directly, without waiting for the main code to use it – You will have to set the parameters – This destroys a program's stack – The program won't run properly when the function completes
  • 46. Example (A Real Virus) • Operation depends on language setting of a computer – Simplified Chinese • Uninstalls itself & does no harm – English • Display pop-up "Your luck's no good" – Japanese or Indonesian • Overwrite the hard drive with random data
  • 47. Break at 1; Change Return Value