Name a Disassembler / Debugger?
Disassembler: IDApro, GHIDRA
Debugger: OllyDbg, x64dbg
Name the types of debugger?
- User-mode debugger
- Local kernel mode debugger
- remote kernel mode debugger
What is debugging?
Debugging malware is analyzing the behavior of an unknown malicious program. Be able to break in and stop code. Be able to get the current values of all the registers, memory, stack ,etc.
What are the three most important debug functions of Windows Debug API?
DebugActiveProcess() - Attach to existing process
WaitForDebugEvent() - Wait for debug event to occur in debuggee process
DebugBreakProcess() - Break into running debuggee process
There are two main ways of exception handling?
- Structured Exception Handling (SEH)
- OS service to allow applications handle their own exceptions
- Exceptions will be handled by the thread that caused them
- Many handlers can be registered, they are called in a chain
- Vectored Exception Handling (VEH)
- Expands on capabilities of SEH
- Take precedence over the SEH chain
- Use the AddVectoredExceptionHandler
- Gets called regardless of where in code exception occures
- Lets programmer have one or several generic exception handlers to handle exceptions anywhere in the code
The VEH checks each of the exeption types it knows how to handle. If all of these don’t work, control is handed back to the SEH and we continue as normal.
What are the five breakpoint types?
- Single stepping (using Trap Flag)
- SW Breakpoints (INT3 / 0xCC); no limits, modifies code, can only monitor execution.
- HW Breakpoints: DR0-3 used. Can monitor read/writes. No modification. Limited number(4), debuggee can alter registers.
- Reading/Writing Memory
- Initial Breakpoint: Point when debugger first gains control. 3 Options (System Breakpoint; Entry Point; WinMain)
Why Debugging Malware?
- Much faster to execute the code than just read it
- It’s all you need sometimes - they all have built in disassembler
- Matter of taste
- A lot of malware has encryption loops (aka Packers), debugger can step through them
Name a few Anti-Debugging tricks?
- APIs (IsDebuggerPresent, CheckRemoteDebuggerPresent)
- Standard tricks (look for files, devices, processes)
- Breakpoints (check for SW breakpoints)
- Timing (detecting through timing check rdtsc)
- Check IsDebugged value in Process Environment Block
- Prevent Attaching (Self Debugging)
- Make it tricky (useless code, change TF flag via stack)
- Obfuscate string by using XOR
Name a few Anti-Anti-Debugging tricks?
- Make Debugger less visible (OllyDBG plugins)
- Change your method (HW breakp => SW breakp)
- Clear bytes in PEB.IsBeingDebugged
- Change code manually (step through problem areas)
- Anti-Anti Debug Plugins (Scyllahide)
What is the difference between Software and Hardware breakkpoints?
In general, breakpoints allow you to just stop at the interesting code.
SWBP: Adds INT3 to memory to raise interrupt. ++ No limit to number of breakpoints. – Modifies code, only for execution but not reads/writes to memory.
HWBP: via Debug registers. ++ no modification of code. Breaks on read/write/execution. – limited number (4), debugee process can alter breakpoints registers.
What two APIs are used to read/write to the processes virtual memory?
- ReadProcessMemory()
- WriteProcessMemory()
What is the initial breakpoint and what three options are available?
Point when debugger first gains access.
- System BP: Debugger breaks into exe loader before any application code is run
- Entry Point: EP is defined in every exe and states where the code starts.
- WinMain (if known): Attempts to skip compiler stub code and go straight to high level main.
For Entry Point / WinMain: application code can run first.
