Debugging for Malware Analysis

Introduction

This article provides an overview of debugging and how to use some of the most commonly used debuggers. We will begin by discussing OllyDbg; using it, we will explore topics such as setting up breakpoints, stepping through the instructions and modifying the flow of execution. We will then discuss WinDbg, which can be used for both user mode and kernel mode debugging.

Basics of debugging using OllyDbg

In this article, we will begin with OllyDbg to understand debugging concepts. OllyDbg is a popular and powerful Windows debugger for malware analysis. The best part is, it’s free. OllyDbg can be downloaded from http://ollydbg.de/. It should be noted that OllyDbg supports only user-mode debugging.

The best way to learn reverse engineering is by reverse engineering. Pick a target and attempt to crack it. Since this is an introductory article, where we’re going to understand the basics of debuggers, let’s use a simple crackme challenge binary as our target. The target binary can be downloaded from https://crackmes.one/.

During the process of cracking this challenge, we will understand various concepts of debuggers. When we run this crackme, we will see the following message. Our goal is to bypass this evaluation-period warning by reversing this binary.

There are two ways we can start reversing a binary:

  1. Open the application using the debugger and start it
  2. Start the application and attach the debugger to the running process

We are going to use method 1 in this case.

To launch OllyDbg, right-click on the OllyDbg application and click on Run as Administrator. This will launch OllyDbg, which looks as shown below.

Next, navigate to File | Open and choose the target binary as shown below.

Click Open and it should open the target binary in OllyDbg, as shown below.

The preceding

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/I682Yn2Rb6w/