T Hands-on 2. User-mode debuggers OllyDbg

Transcription

1 T Hands-on 2 User-mode debuggers OllyDbg

2 Disassemblers vs debuggers Static analysis / Disassemblers Theoretic approach Give us a static view of the binary Example: IDA Dynamic analysis / Debuggers Empiric approach Enable us to do measurements or experiments - what s the value at this memory address at this time? - what happens if I change this instruction? Example tools: OllyDbg Immunity Debugger, WinDbg 2

3 Getting started Download the package from course the exercises section Place the contents to the C drive, one of the binaries cannot handle network drive paths (UNC). E.g. C:\Users\username\Handson2\ Start OllyDbg2 from the package and open the binary hw1_ex3_no_dynamicbase.bin The tool may give you a warning about not being an administrator. This hasn t been a problem in my experience. Data Communications Software 3

4 Sample 1: Hw1_ex3.bin This binary is familiar from your round 1 homework Different constant Dynamic basing has been disabled We ll learn Basics of the GUI, browsing through the binary Execution breakpoints Setting command line arguments for the binary 4

5 Executing instructions Debug->Run (F9) Executes until next breakpoint/unprocessed exception Debug->Step Into (F7) Executes a single instruction Debug->Step Over (F8) Executes a single instruction, but does not go into subroutine calls Note that in the case of obfuscated code there is no guarantee that a call will ever return Animated versions of the previous actions (Animate Into/ Over, Ctrl+F7/F8) work as though you would continuously press F7/F8 until the next breakpoint 5

6 Breakpoint types Execution breakpoints (BPX) 1. Software breakpoint (F2) - Works by overwriting the instruction with an INT3 instruction 2. Hardware breakpoint - Works by changing the debug registers of the thread Memory breakpoints Can be set to trigger on writes only or on all accesses 1. Normal memory breakpoint - Works by changing the permissions of the whole page - Can be slow if there is a large amount of other memory reads/ writes to the same page 2. Hardware memory breakpoint - Works by changing the debug registers of the thread 6

7 Sample 2: Hw1ex4_no_dynamicbase.bin This is the round 1 exercise 4 from last year Somewhat different logic, no dynamic basing Topics: Navigating through many functions - You can look inside functions in a fashion similar to IDA (After a call has been selected, pressing Enter goes in and numpad minus goes back) Naming functions/memory locations - Semicolon and colon keys on the keyboard - In my experience, these don t persist as well names in IDA. If you are using this feature extensively, I recommend installing a plug-in to save the names to disk Memory breakpoints 7

8 Sample 3: Ollydbg_sample.bin Uses an exception handler Modifies the password before the actual comparison We ll learn Stepping into exception handlers Shift+F9 continues execution If you want to step into a SEH handler, set a breakpoint at the beginning of the handler (the address can often be seen from stack) and then press Shift+F9 Changing program flow We can change instructions (by pressing space or selecting Assemble from the right click menu) Processor state (registers, flags) can be changed from the upper right hand side Memory can be edited using the dump window (lower left quarter of screen) 8

9 We trick the binary into decrypting the password 1. Patch argv[1] to point to the encrypted string 2. Animate over the loop the password gets decrypted 9

10 Sample 4: exceptionexample.exe What exception(s) are caused? How does the program cause it/them? What happens in the exception handler? 10

11 General tips on the reversing process You may combine static/dynamic analysis (e.g IDA and OllyDBG) In more complicated cases it might be worthwhile to think about strategy Which parts of the code do I need to fully understand? Can I guess (and then verify using debugger) something? In some cases custom tools need to be written There s an ad-supported derivative of OllyDbg called Immunity Debugger It has support for Python scripting and other extra features 11