I. Debugging

A. kinds of debugging

------------------------------------------
USER VS. KERNEL MODE

Execution modes: provide security for the OS

user mode:
- most code
- cannot access hardware directly
- restricted set of instructions

kernel mode:
- heart of the OS
- can access hardware directly
- can use all instructions
- fewer security checks
- can manipulate user mode code
------------------------------------------

What kind of malware runs in kernel mode?

------------------------------------------
USER VS. KERNEL MODE DEBUGGING

User mode debugging (OllyDbg)
- a single executable
- debugger runs on same system
- OS provides separation

Kernel mode debugging (WinDbg)
- debugging OS code
- normally needs 2 computers
- OS must be configured
------------------------------------------

B. using OllyDbg for user-mode debugging

------------------------------------------
USING OLLYDBG

http://www.ollydbg.de/

Use a VM! Why?

Ways to debug:
- start program in the debugger (File > Open)
- attach debugger to running process (File > Attach)
------------------------------------------

1. single-stepping

------------------------------------------
SINGLE-STEPPING

Single-stepping executes

In OllyDbg called step-into (F7)

Use single-stepping to:
------------------------------------------

Why not single-step an entire program?

------------------------------------------
DEALING WITH FUNCTIONS

Step-over (F8) runs a function until it returns

Potential problem:
- function might not return
Avoid by taking a snapshot beforehand

Step-into (F7) allows looking at function details
Use execute-until-return (Ctrl-F9) if you get bored with it
------------------------------------------

2. breakpoints

------------------------------------------
BREAKPOINTS

Places that execution will stop

Why?
- to see if get to
- to run full speed until get there
- to extract information at those places, e.g.,
- to avoid tedious single-stepping

How?
- right click on instruction
- use Breakpoint menu
------------------------------------------

How to find interesting places?

------------------------------------------
KINDS OF BREAKPOINTS

code breakpoints:
- software execution
- conditional
- hardware execution

data breakpoints:
- data access (read)
- data write
------------------------------------------

How could malware defeat a software breakpoint?

Why use conditional breakpoints?

3. handling exceptions

------------------------------------------
HANDLING EXCEPTIONS

When an exception occurs (e.g., divide by zero):
1. (first chance)
   a. the debugger is given control; it can pass it to the program
   b. if passed to the program, then the program can handle it
2. (second chance) if the program doesn't handle it, the debugger is given control (avoids crash)
------------------------------------------

4. modifying execution

------------------------------------------
MODIFYING PROGRAM EXECUTION

It is possible to change:
- the control flags
- the instruction pointer
- the code itself
------------------------------------------

What could be done with that power?

C. example
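Added illustration of the breakpoint mechanics from B.2 (this is not part of the original notes and not OllyDbg code): a toy CPU and debugger in Python showing that a software execution breakpoint patches the code in memory with the x86 int3 opcode (0xCC), which the debugger must restore on a hit, step past on resume and re-arm, while a hardware execution breakpoint (conditional or not) only compares addresses and leaves code memory untouched. The Cpu and Debugger classes and the one-byte instruction set are constructed for this model.

```python
INT3 = 0xCC  # x86 int3 opcode: the byte a software breakpoint writes into code memory

class Cpu:
    # Toy CPU (constructed): each code byte is one instruction that adds its value to acc.
    def __init__(self, code):
        self.code = bytearray(code)  # code memory is writable, as a debugger sees it
        self.ip, self.acc = 0, 0

    def step(self):
        op = self.code[self.ip]
        if op == INT3:
            return True  # INT3: control goes to the debugger; ip stays on the patched byte
        self.acc += op
        self.ip += 1
        return False

class Debugger:
    # Toy debugger (constructed) implementing the execution-breakpoint kinds from the notes.
    def __init__(self, cpu):
        self.cpu = cpu
        self.sw = {}  # software breakpoints: address -> original byte we overwrote
        self.hw = {}  # hardware-style breakpoints: address -> condition; code untouched
        self.resume_at = None  # address of the last stop, so resuming steps past it

    def set_software_bp(self, addr):
        self.sw[addr] = self.cpu.code[addr]
        self.cpu.code[addr] = INT3  # visible to anything that reads its own code bytes

    def set_hardware_bp(self, addr, cond=lambda cpu: True):
        self.hw[addr] = cond  # address compare only, like a debug register; cond makes it conditional

    def run(self):
        """Run until a breakpoint stops execution; return its address, or None at end of code."""
        cpu = self.cpu
        while cpu.ip < len(cpu.code):
            addr = cpu.ip
            if addr == self.resume_at:  # continuing from a stop: run the real instruction once
                self.resume_at = None
                cpu.step()
                if addr in self.sw:
                    cpu.code[addr] = INT3  # re-arm the software breakpoint behind us
                continue
            if addr in self.hw and self.hw[addr](cpu):
                self.resume_at = addr
                return addr
            if cpu.step():  # INT3 ran: software breakpoint hit before the real instruction
                cpu.code[addr] = self.sw[addr]  # restore the byte so the analyst sees real code
                self.resume_at = addr
                return addr
        return None
```

Running a five-instruction program with a software breakpoint at address 2 stops with acc == 3 and shows the patched byte temporarily restored; the same program under a conditional hardware breakpoint at address 3 stops with acc == 6 while its code bytes never change.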