Chapter 9 Ollydbg

The document discusses the use of the OllyDbg debugger to analyze malware and applications. It describes how to open and load programs into OllyDbg, navigate the different windows that display assembly code, registers, stack, and memory, set breakpoints, step through code, patch code and memory, and attach to running processes. The document also provides examples of using OllyDbg to analyze features like exception handling, DLL injection, and unpacking malware.

Uploaded by Jayesh Shinde

Chapter 9 OllyDBG
Loading a Program in OllyDbg
• Open an executable from within OllyDbg
• In-class exercise: open notepad.exe (the malware sample used in the book)
• The 4 main windows of OllyDbg: Disassembler, Registers, Stack, Memory dump
• Attach to a running process: File->Attach

The currently executing thread is paused and displayed


OllyDbg Interface
(screenshot: Disassembler window, Register window, Memory dump window, Stack window)

OllyDbg Interface
• Disassembler window: press the spacebar to modify an instruction
• Register window: modify the data in a register by right-clicking the selected register value (or pressing Enter)
• Stack window: current state of the stack in memory; right-click -> Modify
• Memory dump window: dump of live memory for the debugged process
Memory Map (notepad.exe)
• PE header, code, imports, data
• All imported DLLs are also viewable

Rebasing
• PE files have a preferred base address (image base)
• Most executables are loaded at 0x00400000
• Relocatable code allows libraries to be rebased
  - Enables libraries to be written independently of each other
  - Example: two libraries have the same preferred load address, so one is relocated elsewhere
  - Address space layout randomization (ASLR) reduces the chance of a collision
• Absolute address references are modified at load time using the relocation (.reloc) information referenced from the PE header
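The fixup the loader performs when an image cannot get its preferred base is mechanical, and seeing it in code makes the "absolute references modified via .reloc" bullet concrete. The following is an added example, not code from the slides or from the book: it parses IMAGE_BASE_RELOCATION blocks (DWORD page RVA, DWORD block size, then 16-bit entries whose high 4 bits are the type and low 12 bits the offset in the page) and applies the 32-bit HIGHLOW fixups to a constructed image. The image contents, the RVAs and the alternate base 0x10000000 are all constructed for the demonstration.

```python
import struct

# Relocation entry types from the PE format (only the two that matter for a 32-bit image)
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # add the 32-bit delta to the DWORD at this RVA

def parse_reloc_blocks(reloc_data):
    """Parse .reloc data into [(page_rva, [(type, offset_in_page), ...]), ...].

    Each block is a DWORD page RVA, a DWORD block size (header included),
    then (size - 8) / 2 WORD entries: high 4 bits = type, low 12 bits = offset.
    """
    blocks, pos = [], 0
    while pos + 8 <= len(reloc_data):
        page_rva, block_size = struct.unpack_from("<II", reloc_data, pos)
        if block_size < 8:
            break  # terminator or corrupt block: stop rather than loop forever
        count = (block_size - 8) // 2
        words = struct.unpack_from("<%dH" % count, reloc_data, pos + 8)
        blocks.append((page_rva, [(w >> 12, w & 0xFFF) for w in words]))
        pos += block_size
    return blocks

def apply_relocations(image, reloc_data, preferred_base, actual_base):
    """Fix up absolute addresses in an image (bytearray indexed by RVA) the way the loader does."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    out, patched = bytearray(image), []
    if delta == 0:
        return out, patched  # loaded at the preferred base: nothing to fix
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for reloc_type, offset in entries:
            if reloc_type == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if reloc_type != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % reloc_type)
            rva = page_rva + offset
            old = struct.unpack_from("<I", out, rva)[0]
            new = (old + delta) & 0xFFFFFFFF
            struct.pack_into("<I", out, rva, new)
            patched.append((rva, old, new))
    return out, patched

PREFERRED_BASE = 0x00400000  # the usual preferred image base for executables

def build_sample_image():
    """Constructed sample: a 0x1010-byte image whose code page at RVA 0x1000 holds two
    absolute pointers (to RVA 0x1008 and RVA 0x100C), plus the .reloc block describing them."""
    image = bytearray(0x1010)
    struct.pack_into("<I", image, 0x1000, PREFERRED_BASE + 0x1008)
    struct.pack_into("<I", image, 0x1004, PREFERRED_BASE + 0x100C)
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x000,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x004,
               IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_ABSOLUTE]  # pad block to a DWORD boundary
    reloc = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    reloc += struct.pack("<%dH" % len(entries), *entries)
    return image, reloc

def rebase_sample(actual_base):
    """Rebase the constructed image and return the fixups plus the resulting pointer values."""
    image, reloc = build_sample_image()
    rebased, patched = apply_relocations(image, reloc, PREFERRED_BASE, actual_base)
    values = [struct.unpack_from("<I", rebased, rva)[0] for rva in (0x1000, 0x1004)]
    return {"delta": (actual_base - PREFERRED_BASE) & 0xFFFFFFFF,
            "patched": patched, "values": values}

if __name__ == "__main__":
    # The collision case from the slide: the preferred base was taken, so the loader chose 0x10000000
    result = rebase_sample(0x10000000)
    for rva, old, new in result["patched"]:
        print("RVA %#06x: %#010x -> %#010x" % (rva, old, new))
```

When you watch a DLL land at an address other than its image base in OllyDbg's Memory Map, every pointer the disassembler shows has already been through this pass; the same mechanism is what lets ASLR pick a base at all.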
In-Class Exercise
• Most programs and malware are multi-threaded
• View the current threads by selecting View->Threads
• Each thread has its own stack
• In-class exercise:
  - Launch Internet Explorer
  - Attach OllyDbg
  - View the threads via View->Threads
  - How many threads are there?
Executing Code
• Debug menu
  - Run
  - Breakpoint->Run to selection: continue execution until the selected instruction
  - Debug->Execute till Return: runs until the next return is hit (e.g. Finish); useful when you want to pause after a function finishes
  - Debug->Execute till User Code: run until user program code (the malware's code) is reached
  - Step into (single instruction)
  - Step over (bypass the call)
Executing Code
• Malware can make a mess out of step-over
  - Stepping over a "call" instruction sets a breakpoint on the instruction following the call
  - The call may never execute a ret
  - This causes the program to resume executing without pausing
Breakpoints
• Software breakpoints
  - Unconditional breakpoint (Toggle): right-click an instruction to find the sub-menu to set it; View->Breakpoints lists them
  - Conditional breakpoints: break only if a certain condition is true (checking the condition has a performance impact)
• Use conditional breakpoints to detect memory allocations above a certain size
  - Book example: Poison Ivy, a backdoor that reads shellcode commands from a socket and executes them
  - The command-and-control server sends a large quantity of shellcode
Conditional Breakpoints
• Poison Ivy uses a call to VirtualAlloc to allocate memory dynamically
• We want to break only on large allocations indicative of a batch of commands (> 100 bytes)
• The size parameter is at [ESP+8] (ESP is the top of the stack)
• Set a breakpoint at the VirtualAlloc entry point with the condition [ESP+8] > 100
  - Breakpoint->Conditional (Figure 9-8, p. 190)
  - Click Play and wait for the code to break
• OllyDbg can also set memory breakpoints on access to a chunk of memory (p. 190)
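Why the condition reads [ESP+8] and not [ESP+4] follows from the stdcall stack layout at the first instruction of VirtualAlloc: [ESP] is the return address, [ESP+4] is lpAddress, [ESP+8] is dwSize, then flAllocationType and flProtect. The following is an added example, not from the slides or the book, that models that layout on constructed stack snapshots and evaluates the same "[ESP+8] > 100" condition over them; the ESP value, return addresses and allocation sizes are placeholders, and the MEM_*/PAGE_* values are the documented Win32 constants.

```python
import struct

# At the first instruction of a stdcall function on x86-32 the stack holds the return
# address at [ESP] and the arguments, in declaration order, at [ESP+4], [ESP+8], ...
VIRTUALALLOC_ARGS = ("lpAddress", "dwSize", "flAllocationType", "flProtect")
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_READWRITE, PAGE_EXECUTE_READWRITE = 0x04, 0x40

def read_dword(snapshot, esp, address):
    """Read a little-endian DWORD at `address` from a stack snapshot that starts at `esp`."""
    off = address - esp
    if off < 0 or off + 4 > len(snapshot):
        raise ValueError("address %#x is outside the snapshot" % address)
    return struct.unpack_from("<I", snapshot, off)[0]

def stack_args(snapshot, esp, names):
    """Recover the named arguments from the entry-point stack layout."""
    return {name: read_dword(snapshot, esp, esp + 4 * (i + 1)) for i, name in enumerate(names)}

def large_alloc_condition(snapshot, esp, threshold=100):
    """The OllyDbg condition '[ESP+8] > 100' (dwSize is the second argument)."""
    return read_dword(snapshot, esp, esp + 8) > threshold

def entry_stack(ret_addr, lp_address, dw_size, fl_type, fl_protect):
    """Constructed snapshot of the stack immediately after 'call VirtualAlloc'."""
    return struct.pack("<IIIII", ret_addr, lp_address, dw_size, fl_type, fl_protect)

def triage_calls(calls, threshold=100):
    """Replay recorded (esp, snapshot) pairs through the condition; return the calls that would break."""
    return [dict(stack_args(snap, esp, VIRTUALALLOC_ARGS), return_to=read_dword(snap, esp, esp))
            for esp, snap in calls if large_alloc_condition(snap, esp, threshold)]

def sample_run():
    """Constructed calls: one small housekeeping allocation and one large RWX allocation
    of the kind the backdoor makes for a received batch of commands."""
    esp = 0x0012FF5C  # placeholder stack pointer
    calls = [
        (esp, entry_stack(0x00401234, 0, 0x40, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)),
        (esp, entry_stack(0x00401588, 0, 0x800, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)),
    ]
    return triage_calls(calls)

if __name__ == "__main__":
    for hit in sample_run():
        print("break: dwSize=%#x flProtect=%#x, return to %#010x"
              % (hit["dwSize"], hit["flProtect"], hit["return_to"]))
```

The return address recovered from [ESP] is the same value you would use for "Execute till Return" style navigation back into the caller once the breakpoint hits; flProtect tells you whether the buffer is executable, which is the second thing worth checking on a large allocation.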
Loading DLLs
• Malware is often delivered as a DLL to be injected into other processes
  - A DLL cannot be executed directly
  - OllyDbg uses loaddll.exe as a dummy host program
  - OllyDbg breaks at the DllMain entry point once the DLL is loaded
• In-class exercise
  - Generate Figure 9-10, p. 191
  - Open C:\WINDOWS\system32\ws2_32.dll in OllyDbg (32-bit only)
  - Hit Play to initialize the DLL
  - Debug->Call DLL export to call a particular exported function with custom parameters
In-class practice (ws2_32.dll)
• Convert 127.0.0.1 between host byte order and network byte order
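The ws2_32.dll exercise is easier to check if you know what values to expect in EAX and in the Memory Dump window before calling the exports. The following is an added example, not from the slides or the book: it reproduces on the x86 (little-endian) assumption what inet_addr, ntohl and htons return for 127.0.0.1 and port 80, so the numbers you see after Debug->Call DLL export can be compared against it. Only the Python standard library is used; the function names mirror the Winsock exports but are local reimplementations.

```python
import socket
import struct

def bswap16(x):
    return int.from_bytes((x & 0xFFFF).to_bytes(2, "little"), "big")

def bswap32(x):
    return int.from_bytes((x & 0xFFFFFFFF).to_bytes(4, "little"), "big")

# On a little-endian host (x86) htons/htonl/ntohs/ntohl are all plain byte swaps.
htons = ntohs = bswap16
htonl = ntohl = bswap32

def inet_addr(dotted):
    """Like Winsock inet_addr: the DWORD an x86 register holds for a dotted quad.
    The bytes sit in memory in network order, 7F 00 00 01, so EAX reads back as 0x0100007F."""
    return struct.unpack("<I", socket.inet_aton(dotted))[0]

def host_order_to_dotted(host_value):
    """Render a host-order IPv4 value (0x7F000001) as a dotted quad."""
    return socket.inet_ntoa(struct.pack(">I", host_value))

def memory_bytes(dword):
    """The byte sequence the Memory Dump window shows for a DWORD held in an x86 register."""
    return struct.pack("<I", dword)

def byte_order_exercise(dotted="127.0.0.1", port=80):
    """Work the in-class exercise end to end and return every intermediate value."""
    net = inet_addr(dotted)
    return {
        "inet_addr": net,                        # value in EAX after inet_addr: 0x0100007F
        "dump_bytes": memory_bytes(net).hex(),   # what the dump window shows: 7f 00 00 01
        "ntohl": ntohl(net),                     # host order: 0x7F000001
        "round_trip": host_order_to_dotted(ntohl(net)),
        "htons_port": htons(port),               # port 80 on the wire: 0x5000
        "ntohs_back": ntohs(htons(port)),
    }

if __name__ == "__main__":
    for name, value in byte_order_exercise().items():
        print("%-11s %s" % (name, hex(value) if isinstance(value, int) else value))
```

The confusing part for most students is that inet_addr "looks wrong" in the register window (0x0100007F rather than 0x7F000001): the register view reinterprets network-ordered bytes as a little-endian integer, while the dump window shows them in memory order, which is the order the wire expects.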
Exceptions
• Exception handling with OllyDbg
  - User options: step into exception, step over exception, run the debugger's exception handler
  - Can also set Debugging Options to ignore all exceptions (control is immediately transferred back to the program)
Patching
• Modify live data (registers and flags); assemble and patch code directly into a program
• Example from the book: JNZ jumps if the password does not match; NOP it so the jump is not taken
• Changes are made in live memory; save them to a file with Copy to Executable->All Modifications, then Save File
• Patching can be used to permanently modify a piece of malware to facilitate analysis
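The book's JNZ-to-NOP patch is two bytes, but the part of the workflow that goes wrong in practice is writing the modification back to the wrong place in the file, or over bytes that are no longer what the debugger showed. The following is an added example, not from the slides or the book: it decodes a short JNZ (opcode 0x75 plus a signed rel8), replaces it with two NOPs, keeps a modification record in the spirit of OllyDbg's "All modifications" list, and only writes a record to disk after confirming the original bytes are still there. The password-check stub is constructed for the demonstration; its call target is a placeholder.

```python
import struct

JNZ_SHORT, NOP = 0x75, 0x90

def decode_jnz_short(code, offset):
    """Return the target offset of a 2-byte 'JNZ rel8' at `offset`, or raise if it is not one."""
    if offset + 2 > len(code) or code[offset] != JNZ_SHORT:
        raise ValueError("no JNZ rel8 at offset %#x" % offset)
    rel = struct.unpack_from("<b", code, offset + 1)[0]
    return offset + 2 + rel   # rel8 is relative to the end of the instruction

def is_jnz_short(code, offset):
    try:
        decode_jnz_short(code, offset)
        return True
    except ValueError:
        return False

def nop_out_jnz(code, offset):
    """Replace the JNZ with two NOPs so the conditional jump is never taken.
    Returns (patched_code, record); the record mirrors Olly's 'All modifications'
    list: offset, original bytes, new bytes, plus the jump target that is now dead."""
    target = decode_jnz_short(code, offset)  # refuse to overwrite anything that is not the jump
    patched = bytearray(code)
    patched[offset:offset + 2] = bytes([NOP, NOP])
    record = {"offset": offset, "old": bytes(code[offset:offset + 2]),
              "new": bytes([NOP, NOP]), "old_target": target}
    return bytes(patched), record

def apply_to_file(path, record):
    """Write one modification back to the on-disk copy, checking the original bytes first
    (the manual equivalent of Copy to Executable -> All Modifications -> Save File).
    `offset` here is a file offset; for a real PE translate the RVA through the section table."""
    with open(path, "r+b") as f:
        f.seek(record["offset"])
        if f.read(len(record["old"])) != record["old"]:
            raise ValueError("bytes at %#x do not match the debugged image" % record["offset"])
        f.seek(record["offset"])
        f.write(record["new"])

# Constructed password-check stub (the call target is a placeholder, not real code):
#   00: E8 00 00 00 00   call  check_password
#   05: 85 C0            test  eax, eax
#   07: 75 06            jnz   short fail      ; taken when the password does not match
#   09: B8 01 00 00 00   mov   eax, 1
#   0E: C3               ret
#   0F: 31 C0            fail: xor eax, eax
#   11: C3               ret
SAMPLE_CODE = bytes.fromhex("E80000000085C07506B801000000C331C0C3")

def patch_sample():
    """Apply the book's patch to the constructed stub: NOP the JNZ at offset 7."""
    return nop_out_jnz(SAMPLE_CODE, 0x07)

if __name__ == "__main__":
    patched, record = patch_sample()
    print("patched %#x: %s -> %s (jump to %#x removed)" % (record["offset"],
          record["old"].hex(), record["new"].hex(), record["old_target"]))
    print(patched.hex())
```

The opcode check before patching is the caveat worth keeping: if the address you typed is off by one, the bytes at that spot are an operand of the previous instruction rather than a jump, and OllyDbg's assembler will happily write NOPs there anyway.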
OllyDump – the most common plug-in
• Dumps a debugged process to a PE file using the current state (code, data, etc.) in memory
• Can be used on an unpacked program: find the entry point after the malware's unpacking and decryption operations have run
• Creates a new PE file for IDA Pro
• See other plug-ins on p. 198-200
In Class Homework