This document provides an overview of using OllyDbg, an x86 debugger, to analyze malware. It discusses loading and debugging malware with OllyDbg, setting breakpoints, stepping through code, tracing execution, patching binaries, and analyzing shellcode. Recommended plugins include OllyDump for dumping processes and Hide Debugger to avoid debugger detection. Scriptable debugging can be done with the Immunity Debugger which supports Python scripts.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
2. History
• OllyDbg was developed more than a decade ago
• First used to crack software and to develop exploits
• The OllyDbg 1.1 source code was purchased by Immunity and rebranded as Immunity Debugger
• The two products are very similar
5. Ways to Debug Malware
• You can load EXEs or DLLs directly into OllyDbg
• If the malware is already running, you can attach OllyDbg to the running process
6. Opening an EXE
• File, Open
• Add command-line arguments if needed
• OllyDbg will stop at the entry point, WinMain, if it can be determined
• Otherwise it will break at the entry point defined in the PE header
– Configurable in Options, Debugging Options
7. Attaching to a Running Process
• File, Attach
• OllyDbg breaks in and pauses the program and all threads
– If you catch it in a DLL, set a breakpoint on access to the entire code section to get to the interesting code
8. Reloading a File
• Ctrl+F2 reloads the current executable
• F2 sets a breakpoint
11. Modifying Data
• Disassembler window
– Press spacebar
• Registers or Stack
– Right-click, Modify
• Memory dump
– Right-click, Binary, Edit
– Ctrl+G to go to a memory location
– Right-click a memory address in another pane and click "Follow in Dump"
13.
• EXE and DLLs are identified
• Double-click any row to show a memory dump
• Right-click, View in Disassembler
14. Rebasing
• Rebasing occurs when a module is not loaded at its preferred base address
• PE files have a preferred base address
– The image base in the PE header
– Usually the file is loaded at that address
– Most EXEs are designed to be loaded at 0x00400000
• EXEs that support Address Space Layout Randomization (ASLR) will often be relocated
15. DLL Rebasing
• DLLs are more commonly relocated
– Because a single application may import many DLLs
– Windows DLLs have different base addresses to avoid this
– Third-party DLLs often have the same preferred base address
16. Absolute v. Relative Addresses
• The first 3 instructions will work fine if relocated because they use relative addresses
• The last one has an absolute address that will be wrong if the code is relocated
17. Fix-up Locations
• Most DLLs have a list of fix-up locations in the .reloc section of the PE header
– These are instructions that must be changed when code is relocated
• DLLs are loaded after the EXE and in any order
• You cannot predict where DLLs will be located in memory if they are rebased
• Example .reloc section on next slide
18. (Slide image: example .reloc section)
19. DLL Rebasing
• DLLs can have their .reloc removed
– Such a DLL cannot be relocated
– Must load at its preferred base address
• Relocating DLLs is bad for performance
– Adds to load time
– So good programmers specify non-default base addresses when compiling DLLs
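The relocation slides above (absolute versus relative operands, the .reloc fix-up list, and a DLL with no .reloc) can be seen end to end in a small loader simulation. The following Python is an added example, not code from the slides or from the Practical Malware Analysis book: it constructs one 4 KiB code page containing two relative instructions and two absolute ones, builds a single IMAGE_BASE_RELOCATION block for it, and applies the base delta the way the Windows loader does. The preferred base 0x10000000, the page RVA 0x1000 and the instruction bytes are all assumed values chosen for the illustration.

```python
import struct

# PE base-relocation entry types used here (values from the PE specification)
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry; the loader skips it
IMAGE_REL_BASED_HIGHLOW = 3    # patch a full 32-bit absolute address

PREFERRED_BASE = 0x10000000    # assumed ImageBase from the PE header
PAGE_RVA = 0x1000              # assumed RVA of the constructed code page

# Constructed code page. Offsets inside the page:
#   0x00  E8 rel32   call +0x20            relative: no fix-up needed
#   0x05  EB 10      jmp short +0x10       relative: no fix-up needed
#   0x07  A1 imm32   mov eax,[0x10003000]  absolute: fix-up at 0x08
#   0x0C  B8 imm32   mov eax,0x10004000    absolute: fix-up at 0x0D
def build_page():
    page = bytearray(0x1000)
    page[0x00:0x05] = b"\xE8" + struct.pack("<i", 0x20)
    page[0x05:0x07] = b"\xEB\x10"
    page[0x07:0x0C] = b"\xA1" + struct.pack("<I", 0x10003000)
    page[0x0C:0x11] = b"\xB8" + struct.pack("<I", 0x10004000)
    return bytes(page)

def build_reloc_section():
    """One IMAGE_BASE_RELOCATION block: VirtualAddress, SizeOfBlock, WORD entries."""
    entries = [(IMAGE_REL_BASED_HIGHLOW, 0x08),
               (IMAGE_REL_BASED_HIGHLOW, 0x0D),
               (IMAGE_REL_BASED_ABSOLUTE, 0x00)]   # pad block to a 4-byte size
    body = b"".join(struct.pack("<H", (t << 12) | off) for t, off in entries)
    return struct.pack("<II", PAGE_RVA, 8 + len(body)) + body

def parse_reloc_section(reloc):
    """Yield (rva, type) for every fix-up entry in a .reloc section."""
    pos = 0
    while pos + 8 <= len(reloc):
        block_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8:
            break                      # malformed block: stop rather than loop forever
        for off in range(pos + 8, pos + size - 1, 2):
            entry, = struct.unpack_from("<H", reloc, off)
            yield block_rva + (entry & 0xFFF), entry >> 12
        pos += size

def apply_relocations(page, page_rva, reloc, new_base):
    """Return (patched page, list of (rva, old, new)) as the loader would produce."""
    delta = (new_base - PREFERRED_BASE) & 0xFFFFFFFF
    if delta == 0:
        return bytes(page), []         # loaded at the preferred base: nothing to do
    if not reloc:
        # Slide 19: a DLL whose .reloc was stripped cannot be relocated
        raise RuntimeError("no .reloc section: image can only load at its preferred base")
    patched = bytearray(page)
    fixed = []
    for rva, typ in parse_reloc_section(reloc):
        if typ == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if typ != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d" % typ)
        off = rva - page_rva
        if not 0 <= off <= len(patched) - 4:
            continue                   # entry belongs to another page
        old, = struct.unpack_from("<I", patched, off)
        new = (old + delta) & 0xFFFFFFFF
        struct.pack_into("<I", patched, off, new)
        fixed.append((rva, old, new))
    return bytes(patched), fixed

def operands_after_rebase(new_base):
    """Operands of the four instructions after loading the page at new_base."""
    page, fixed = apply_relocations(build_page(), PAGE_RVA, build_reloc_section(), new_base)
    return {
        "call_rel32": struct.unpack_from("<i", page, 0x01)[0],   # untouched
        "mov_eax_mem": struct.unpack_from("<I", page, 0x08)[0],  # patched
        "mov_eax_imm": struct.unpack_from("<I", page, 0x0D)[0],  # patched
        "fixups": len(fixed),
    }

if __name__ == "__main__":
    for base in (PREFERRED_BASE, 0x00500000):
        r = operands_after_rebase(base)
        print(hex(base), {k: (hex(v) if k != "fixups" else v) for k, v in r.items()})
```

Loading at 0x00500000 rewrites only the two absolute operands (0x10003000 becomes 0x00503000, 0x10004000 becomes 0x00504000) while the call's rel32 stays 0x20, which is exactly the distinction slide 16 draws; the same function refuses to move an image that has no .reloc data.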
20. Example of DLL Rebasing
(Slide image: Olly Memory Map)
• DLL-A and DLL-B prefer location 0x100000000
21. IDA Pro
• IDA Pro is not attached to a real running process
• It doesn't know about rebasing
• If you use OllyDbg and IDA Pro at the same time, you may get different results
– To avoid this, use the "Manual Load" option in IDA Pro
– Specify the virtual base address manually
22. Viewing Threads and Stacks
• View, Threads
• Right-click a thread to "Open in CPU", kill it, etc.
26. Run and Pause
• You could Run a program and click Pause when it's where you want it to be
• But that's sloppy and might leave you somewhere uninteresting, such as inside library code
• Setting breakpoints is much better
27. Run and Run to Selection
• Run is useful to resume execution after hitting a breakpoint
• Run to Selection will execute until just before the selected instruction is executed
– If the selection is never executed, it will run indefinitely
28. Execute till Return
• Pauses execution until just before the current function is set to return
• Can be useful if you want to finish the current function and stop
• But if the function never ends, the program will continue to run indefinitely
29. Execute till User Code
• Useful if you get lost in library code during debugging
• Program will continue to run until it hits compiled malware code
– Typically the .text section
30. Stepping Through Code
• F7 -- Single-step (also called step-into)
• F8 -- Step-over
– Stepping-over means all the code is executed, but you don't see it happen
• Some malware is designed to fool you, by calling routines and never returning, so stepping over will miss the most important part
35. Saving Breakpoints
• When you close OllyDbg, it saves your breakpoints
• If you open the same file again, the breakpoints are still available
36. Software Breakpoints
• Useful for string decoders
• Malware authors often obfuscate strings
– With a string decoder that is called before each string is used
37. String Decoders
• Put a breakpoint at the end of the decoder routine
• The string becomes readable on the stack
• Each time you press Play in OllyDbg, the program will execute and will break when a string is decoded for use
• This method will only reveal strings as they are used
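Slides 36 and 37 describe the decoder-breakpoint technique in OllyDbg terms; the Python below is an added example (not from the slides or the book) that models the same idea so the limitation in the last bullet is concrete. `xor_decode` stands in for the sample's string decoder, `decode_at_breakpoint` plays the role of the breakpoint at the decoder's return, and `sample_main` is a constructed control flow in which different branches decode different strings. The XOR key, the three strings and the branch condition are all invented for the illustration.

```python
KEY = 0x5A  # constructed single-byte XOR key; real decoders vary widely

def xor_encode(text):
    """Build an obfuscated blob the way the author would at build time."""
    return bytes(b ^ KEY for b in text.encode())

def xor_decode(blob):
    """The in-sample string decoder: runs right before each string is used."""
    return bytes(b ^ KEY for b in blob).decode()

# Constructed blobs standing in for the sample's obfuscated string table
ENCODED = {
    "mutex": xor_encode("Global\\sample-mutex"),
    "c2":    xor_encode("http://c2.example.invalid/beacon"),
    "path":  xor_encode("C:\\ProgramData\\update.exe"),
}

captured = []   # what the analyst reads off the stack at each breakpoint hit, in order

def decode_at_breakpoint(blob):
    """Models 'break at the end of the decoder': record the plaintext, then continue."""
    plain = xor_decode(blob)
    captured.append(plain)
    return plain

def sample_main(network_available):
    """Stand-in for the sample's control flow; each path decodes only what it uses."""
    mutex_name = decode_at_breakpoint(ENCODED["mutex"])
    if network_available:
        target = decode_at_breakpoint(ENCODED["c2"])
    else:
        target = decode_at_breakpoint(ENCODED["path"])
    return mutex_name, target

def strings_revealed(network_available):
    """Run the sample once under the breakpoint and return the strings seen."""
    captured.clear()
    sample_main(network_available)
    return list(captured)

if __name__ == "__main__":
    print("with network:   ", strings_revealed(True))
    print("without network:", strings_revealed(False))
```

Running the sample once with the network reachable never decodes the drop path, and running it once offline never decodes the C2 URL: the breakpoint only shows strings on the path that actually executed, so an analyst who wants the whole table must either drive every branch or call the decoder on each blob directly (for example from a script in Immunity Debugger).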
38. Conditional Breakpoints
• Breaks only when a condition is true
• Ex: Poison Ivy backdoor
– Poison Ivy allocates memory to house the shellcode it receives from Command and Control (C&C) servers
– Most memory allocations are for other purposes and uninteresting
– Set a conditional breakpoint at the VirtualAlloc function in Kernel32.dll
39. Normal Breakpoint
• Put a standard breakpoint at the start of the VirtualAlloc function
• Here's the stack when it hits, showing five items:
– Return address
– 4 parameters (Address, Size, AllocationType, Protect)
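The stack layout on slide 39 is what a conditional breakpoint actually tests: at the first instruction of VirtualAlloc, [ESP] is the return address and the four stdcall arguments follow at ESP+4, ESP+8, ESP+0xC and ESP+0x10. The Python below is an added example, not code from the slides or the book: it decodes constructed stack snapshots of that shape and evaluates the kind of predicate you would otherwise type into OllyDbg's breakpoint condition. The condition itself (an executable allocation of at least 0x1000 bytes) is an assumption chosen to illustrate the Poison Ivy case; the slides do not specify one, and the four snapshots are invented.

```python
import struct

# Windows memory constants (values from the Win32 API headers)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000

def parse_virtualalloc_frame(stack, esp=0):
    """Decode the five DWORDs at ESP when a breakpoint at VirtualAlloc hits."""
    ret, addr, size, alloc_type, protect = struct.unpack_from("<5I", stack, esp)
    return {"return_address": ret, "lpAddress": addr, "dwSize": size,
            "flAllocationType": alloc_type, "flProtect": protect}

def should_break(frame, min_size=0x1000):
    """Assumed condition: only RWX allocations of at least min_size bytes are interesting."""
    return frame["flProtect"] == PAGE_EXECUTE_READWRITE and frame["dwSize"] >= min_size

def make_frame(ret, addr, size, alloc_type, protect):
    """Constructed stack snapshot laid out as OllyDbg shows it at the breakpoint."""
    return struct.pack("<5I", ret, addr, size, alloc_type, protect)

# Constructed snapshots: return address, lpAddress, dwSize, flAllocationType, flProtect
SAMPLE_HITS = [
    make_frame(0x00401234, 0, 0x200,   MEM_COMMIT,               PAGE_READWRITE),          # small buffer
    make_frame(0x00401456, 0, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE),          # large, not executable
    make_frame(0x00401789, 0, 0x4000,  MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE),  # RWX: could house code
    make_frame(0x00401900, 0, 0x10,    MEM_COMMIT,               PAGE_EXECUTE_READWRITE),  # RWX but tiny
]

def interesting_hits(stacks):
    """Indexes of the snapshots on which the conditional breakpoint would stop."""
    return [i for i, s in enumerate(stacks) if should_break(parse_virtualalloc_frame(s))]

if __name__ == "__main__":
    for i in interesting_hits(SAMPLE_HITS):
        f = parse_virtualalloc_frame(SAMPLE_HITS[i])
        print("hit %d: caller %#x size %#x protect %#x" %
              (i, f["return_address"], f["dwSize"], f["flProtect"]))
```

Of the four calls, only the third satisfies the predicate, which is the point of the technique: the debugger passes through the routine allocations silently and stops once on the allocation worth inspecting, with the caller's return address already on the stack to tell you which part of the sample made it.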
41. Hardware Breakpoints
• Don't alter code, stack, or any target
resource
• Don't slow down execution
• But you can only set 4 at a time (the CPU
has only four debug address registers,
DR0-DR3)
• Click Breakpoint, "Hardware, on Execution"
• You can set OllyDbg to use hardware
breakpoints by default in Debugging Options
– Useful if malware uses anti-debugging
techniques that scan for the 0xCC bytes of
software breakpoints
42. Memory Breakpoints
• Execution breaks on access to a specified
memory location
• OllyDbg supports software and hardware
memory breakpoints
• Can break on read, write, execute, or any
access
• Right-click memory location, click
Breakpoint, "Memory, on Access"
43. Memory Breakpoints
• You can only set one software memory
breakpoint at a time
• OllyDbg implements it by changing the
page protection of the memory block and
catching the resulting access violations
• This technique is not reliable and has
considerable overhead (every access to the
page traps, not just the one you care about)
• Use memory breakpoints sparingly
46. loaddll.exe
• DLLs cannot be executed directly
• OllyDbg uses a dummy loaddll.exe
program to load them
• Breaks at the DLL entry point, DllMain,
once the DLL is loaded
• Press Play to run DllMain and initialize
the DLL for use
47. Demo
• Get OllyDbg 1.10, NOT 2.00 or 2.01
– Link Ch 9a
• Use Win 2008 Server
• In OllyDbg, open c:\windows\system32\ws2_32.dll
• Click Yes at this box
48. Demo: Calling DLL Exports
• Click Debug, Call DLL Export – it fails
because DllMain has not yet been run
• Reload the DLL (Ctrl+F2), click the Run
button once so DllMain executes
• Click Debug, Call DLL Export – now it
works
• Image on next slide
50. Demo: Running ntohl
• Converts a 32-bit number from network to
host byte order (on x86 this is a byte swap)
• Click argument 1, type in 7f000001
– The bytes 7f 00 00 01 are 127.0.0.1 in
network byte order; typed as a value, OllyDbg
stores it little-endian (01 00 00 7f)
• Click "Follow in Disassembler" to see the
code
• Click "Call" to run the function
• Answer in EAX: 0100007F, the byte-swapped
input
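Why EAX ends up holding 0100007F and not 7f000001, as an added example (mine, not from the slides): a portable reimplementation of what ws2_32!ntohl does on x86, applied both to the value typed into the Call DLL Export dialog and to an address read from memory the way a socket program would read it. The loopback byte array is constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* On little-endian x86, ntohl/htonl are the same operation: a byte swap.
 * Reimplemented here so the example runs anywhere. */
static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}

/* Load four bytes the way a 32-bit x86 program reads a DWORD from memory. */
static uint32_t x86_load_dword(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* What the demo does: the dialog passes the VALUE 0x7f000001 as argument 1.
 * On the stack that is 01 00 00 7f, so ntohl swaps it to 0x0100007f. */
static uint32_t demo_call_with_7f000001(void)
{
    return bswap32(0x7f000001u);
}

/* What a real socket stack hands to ntohl: s_addr read out of a sockaddr_in,
 * where 127.0.0.1 sits in memory as the bytes 7f 00 00 01 (constructed here). */
static uint32_t demo_loopback_from_sockaddr(void)
{
    static const uint8_t s_addr_bytes[4] = { 0x7f, 0x00, 0x00, 0x01 };
    uint32_t net = x86_load_dword(s_addr_bytes);   /* 0x0100007f as a DWORD */
    return bswap32(net);                           /* 0x7f000001 in host order */
}

/* Render a host-order IPv4 address as a dotted quad. */
static void fmt_ipv4(uint32_t host, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(host >> 24), (unsigned)((host >> 16) & 0xFF),
             (unsigned)((host >> 8) & 0xFF), (unsigned)(host & 0xFF));
}

int main(void)
{
    char s[16];
    fmt_ipv4(demo_call_with_7f000001(), s);
    printf("ntohl(value 7f000001)        = %08x  (%s)\n", demo_call_with_7f000001(), s);
    fmt_ipv4(demo_loopback_from_sockaddr(), s);
    printf("ntohl(dword at &sin_addr)    = %08x  (%s)\n", demo_loopback_from_sockaddr(), s);
    return 0;
}
```

The practical lesson for debugging network code: a DWORD that looks like 0100007F in a register or the stack pane is 127.0.0.1 in network order; read the bytes in memory order, not the value OllyDbg prints.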
54. Tracing
• Powerful debugging technique
• Records detailed execution information
• Types of Tracing
– Standard Back Trace
– Call Stack Trace
– Run Trace
55. Standard Back Trace
• You move through the disassembler with
the Step Into and Step Over buttons
• OllyDbg is recording your movement
• Use minus key on keyboard to see previous
instructions
– But you won't see previous register values
• Plus key takes you forward
– If you used Step Over, you cannot go back and
decide to step into
56. Call Stack Trace
• Views the execution path to a given
function
• Click View, Call Stack
• Displays the sequence of calls to reach
your current location
57. Demo from EasyCTF 2017
• Simple guessing game
• Wrong answer produces an insult
60. Step into again
• Click View, CPU
• Press F7 three times
• Click View, Call Stack
• New function appears at top
61. Return
• Click View, CPU
• Press F7 until the RETN and execute it
• Click View, Call Stack
63. Run Trace
• Code runs, and OllyDbg saves every
executed instruction and all changes to
registers and flags
• Highlight code, right-click, Run Trace,
Add Selection
• After code executes, View, Run Trace
– To see instructions that were executed
– + and - keys to step forward and backwards
64. Demo: Run Trace of ntohl
• Click Debug, Call DLL Export
• Click argument 1, type in 7f000001
– 127.0.0.1 in "network" byte order
• Click "Follow in Disassembler" to see the
code
• Highlight code, right-click, Run Trace,
Add Selection
66. Demo: Run Trace of ntohl
• Click Debug, Call DLL Export
• Click Call
• Code is now marked with a red bar
• Indicating that it can be played back
• Step back with - and forward with +
68. Demo: Run Trace of ntohl
• Click Debug, Call DLL Export
• Click argument 1, type in 7f000001
– 127.0.0.1 in "network" byte order
• Click "Follow in Disassembler" to see the
code
• Click "Call" to run the function
• Answer in EAX: 0100007F
70. Trace Into and Trace Over
• Buttons below "Options"
• Easier to use than Add Selection
• If you don't set breakpoints, OllyDbg will
attempt to trace the entire program,
which could take a long time and a lot of
memory
71. Debug, Set Condition
• Traces until a condition hits
• This condition catches Poison Ivy
shellcode, which places code in dynamically
allocated memory below 0x400000, where no
module is normally mapped
– In OllyDbg's syntax: EIP < 400000
73. When an Exception Occurs
• OllyDbg will stop the program
• You have these options to pass the
exception into the program:
– Shift+F7 Step into exception
– Shift+F8: Step over exception
– Shift+F9: Run exception handler
• Often you just ignore all exceptions in
malware analysis
– We aren't trying to fix problems in code
76. Fill
• Fill with 00
• Fill with NOP (0x90)
– Used to skip instructions
– e.g. to remove a conditional jump so execution
always falls through (select the whole
instruction, not just its first byte)
77. Saving Patched Code
• Right-click disassembler window after
patching
– Copy To Executable, All Modifications, Save
File
– Copy All
• Right-click in new window
– Save File
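The two classic one-instruction patches from the Fill and Assemble menus, as an added example (mine, not from the slides): NOPing out a conditional short jump so it is never taken, and turning it into an unconditional JMP (EB) so it is always taken. The x86 byte sequence below is constructed to resemble the check in a guessing game; the tiny interpreter only understands the opcodes needed to show where execution lands before and after each patch. A near Jcc (0F 8x rel32) is six bytes and would need six NOPs, which is why the Fill command should be applied to the whole selected instruction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86 snippet (not from a real binary). Offsets from buffer start:
 *   00: 3B 45 08           cmp  eax, [ebp+8]   ; guess == answer?
 *   03: 74 05              je   0A             ; short jump, rel8 = +5
 *   05: E8 00 00 00 00     call insult         ; wrong-answer path
 *   0A: C3                 ret                 ; success path            */
static const uint8_t CODE[] = { 0x3B,0x45,0x08, 0x74,0x05, 0xE8,0x00,0x00,0x00,0x00, 0xC3 };
#define JE_OFFSET     3u
#define INSULT_OFFSET 5u
#define RET_OFFSET    0x0Au

static int is_short_jcc(uint8_t op) { return op >= 0x70 && op <= 0x7F; }

/* "Fill with NOP": overwrite the entire 2-byte short Jcc, so the branch
 * disappears and execution always falls through. Returns 0 if the offset
 * does not hold a short Jcc. */
static int nop_out_short_jcc(uint8_t *code, size_t off)
{
    if (!is_short_jcc(code[off]))
        return 0;
    memset(code + off, 0x90, 2);
    return 1;
}

/* "Assemble" alternative: keep the displacement, change the opcode to
 * JMP short (EB), so the branch is always taken. */
static int force_short_jcc(uint8_t *code, size_t off)
{
    if (!is_short_jcc(code[off]))
        return 0;
    code[off] = 0xEB;
    return 1;
}

/* Minimal interpreter for the opcodes used here. Starting at `off` with the
 * given ZF (as produced by the CMP), step through NOPs and one branch and
 * return the offset of the instruction that executes next. */
static size_t next_offset(const uint8_t *code, size_t off, int zf)
{
    while (code[off] == 0x90)          /* nop */
        off++;
    int8_t rel = (int8_t)code[off + 1];
    switch (code[off]) {
    case 0xEB: return (size_t)((ptrdiff_t)off + 2 + rel);            /* jmp short */
    case 0x74: return zf ? (size_t)((ptrdiff_t)off + 2 + rel) : off + 2; /* je  */
    case 0x75: return zf ? off + 2 : (size_t)((ptrdiff_t)off + 2 + rel); /* jne */
    default:   return off;             /* not a branch: execution is here */
    }
}

/* Copy CODE, apply a patch (0 = none, 1 = NOP out, 2 = force jump), and report
 * where execution lands after the check. */
static size_t path_after_patch(int patch, int zf)
{
    uint8_t buf[sizeof CODE];
    memcpy(buf, CODE, sizeof CODE);
    if (patch == 1) nop_out_short_jcc(buf, JE_OFFSET);
    if (patch == 2) force_short_jcc(buf, JE_OFFSET);
    return next_offset(buf, JE_OFFSET, zf);
}

int main(void)
{
    const char *names[] = { "original", "NOP out je", "je -> jmp" };
    for (int p = 0; p < 3; p++)
        printf("%-11s wrong guess -> %02zx, right guess -> %02zx\n",
               names[p], path_after_patch(p, 0), path_after_patch(p, 1));
    return 0;
}
```

Pick the patch to match the goal: NOPing the JE here makes every guess reach the insult, while EB makes every guess reach the success path. After patching, Copy To Executable, All Modifications writes these bytes back into a new file, so check the listing once more before saving.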
79. Easy Way to Analyze Shellcode
• Copy shellcode from a hex editor to
clipboard
• Within memory map, select a region of
type "Priv" (Private memory)
• Double-click rows in memory map to show a
hex dump
– Find a region of hundreds of consecutive zeroes
• Right-click chosen region in Memory Map,
Set Access, Full Access (makes the pages
executable, i.e. clears the NX restriction)
80. Analyzing Shellcode
• Highlight a region of zeroes, Binary, Binary
Paste
• Set EIP to location of shellcode
– Right-click first instruction, New Origin Here
83. Watches Window
• View, Watches
– Watch the value of an expression
– Press SPACEBAR to set expression
– OllyDbg Help, Contents
• Instructions for Evaluation of Expressions
86. Recommended Plugins
• OllyDump
– Dumps debugged process to a PE file
– Used for unpacking
• Hide Debugger
– Hides OllyDbg from debugger detection
• Command Line
– Control OllyDbg from the command line
– Simpler to just use WinDbg
• Bookmarks
– Included by default in OllyDbg
– Bookmarks memory locations
88. Immunity Debugger (ImmDbg)
• Built on OllyDbg, but unlike OllyDbg,
ImmDbg runs Python scripts and has an
easy-to-use API
• Scripts are located in the PyCommands
subdirectory under the install directory of
ImmDbg
• Easy to create custom scripts for ImmDbg