runtime debugging tips for ollydbg

Discussion on reverse-engineering and debugging.
jumbofreak
Posts: 11
Joined: Mon Jun 18, 2012 10:11 am

runtime debugging tips for ollydbg

Post by jumbofreak » Wed Aug 14, 2013 4:07 pm

I was wondering if anyone has any links or sources where they have got some material about debugging at runtime.
I'm using OllyDbg for my analysis.

To be specific -
I was analyzing a malware which kills all processes except a few common ones like explorer, cmd.exe etc. I wanted to find the code or thread where it is monitoring what new process the user runs; I want to know the tips to add a breakpoint at the correct location so that I find the right code.


Thanks

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: runtime debugging tips for ollydbg

Post by EP_X0FF » Thu Aug 15, 2013 1:31 am

jumbofreak wrote: To be specific -
I was analyzing a malware
Which one? Attach it here please.
Ring0 - the source of inspiration

jumbofreak
Posts: 11
Joined: Mon Jun 18, 2012 10:11 am

Re: runtime debugging tips for ollydbg

Post by jumbofreak » Sun Aug 18, 2013 4:28 pm

There you go, attached.
Last edited by EP_X0FF on Mon Aug 19, 2013 6:26 am, edited 1 time in total.
Reason: Malware samples must be placed in a password-protected archive

jumbofreak
Posts: 11
Joined: Mon Jun 18, 2012 10:11 am

Re: runtime debugging tips for ollydbg

Post by jumbofreak » Sun Aug 18, 2013 4:31 pm

The malware takes a couple of minutes to run; you will see a pop-up after a couple of minutes.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: runtime debugging tips for ollydbg

Post by EP_X0FF » Mon Aug 19, 2013 7:02 am

Set a break on NtFreeVirtualMemory. Once it is called the first time, dump the memory address it tried to free. Inside will be the fakeAV compressed with PECompact. Remove PECompact using any tutorial and inspect the fakeAV body. Most of the strings inside are additionally encrypted. On the unpacked exe set breaks on Process32Next and lstrcmpiA. This (in theory) will reveal the fakeAV blacklist. Patch TerminateProcess to return true, so the fakeAV will always think the operation was successful.
Ring0 - the source of inspiration

jumbofreak
Posts: 11
Joined: Mon Jun 18, 2012 10:11 am

Re: runtime debugging tips for ollydbg

Post by jumbofreak » Mon Aug 19, 2013 11:35 am

Thanks EP_X0FF,
I couldn't set a BP on NtFreeVirtualMemory using my Olly (used Ctrl+G); instead I used ZwFreeVirtualMemory (how did you know to set a break at this API? I have never seen any tutorials mentioning this API to break on when unpacking or analysing). It worked fine and I was able to get the PECompact EP (40afe8).

After this I dumped the file (attached), then followed this tutorial http://comcrazy.net76.net/REA/Manual%20 ... 0Final.htm to get the OEP: F9 (run to exception for SEH), then set a memory breakpoint on access on the code section, and then you break on the rep instruction f3:a5 (340f13), and then Ctrl+F12 takes you to the OEP (34026f). After this I set breaks on Process32Next and lstrcmpiA, but the process didn't hit the breakpoint; instead the process terminated (probably because of new threads?).
Where do you think I went wrong?

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: runtime debugging tips for ollydbg

Post by EP_X0FF » Tue Aug 20, 2013 3:20 am

jumbofreak wrote: Thanks EP_X0FF,
I couldn't set BP on NtfreeVirtualMemory using my olly ( used Ctrl+G) instead i used ZwFreeVirtualMemory
They are names of the same routine.
(how did you know to set break at this api, never seen any tutorials mentioning this api to break when unpacking or analysis)
The malware needs to decrypt the container somewhere, so it first allocates memory, then decrypts the container into it, overwrites the original imagebase with the new data, frees the temp buffer used for the container (here we catch it) and then transfers control to the decrypted code.
After this I dumped the file (attached)
You dumped wrong. I told you to dump what NtFreeVirtualMemory is trying to free, not the exe itself, as it is not yet ready and this dump is full of fcuk. See attach for PECompact.
After this set break on Process32Next and lstrcmpiA but the process didn't hit the break point instead process terminated. ( probably because of new threads? ) .
If you debug it under a VM: Rogue/Winwebsec is known to be able to detect virtual machines (VMWare, VBox, VPC) and quit if they are found.
Ring0 - the source of inspiration
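A check for the dump step EP_X0FF describes (break on NtFreeVirtualMemory, then dump the region being freed rather than the exe): before spending time on PECompact, confirm the dumped bytes actually hold a complete PE image and see which section the entry point lands in. This is an added example, not code from the thread or from any tool it mentions; parse_pe_dump, section_for_rva and build_sample_dump are hypothetical names, and the sample image is constructed, not a real dump.

```python
import struct

def parse_pe_dump(buf: bytes) -> dict:
    """Parse a dumped region as a PE32/PE32+ image; ValueError if it is not one."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header: this region is not a PE image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    nsect = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if opt + 32 > len(buf):
        raise ValueError("optional header truncated: dump is too short")
    magic = struct.unpack_from("<H", buf, opt)[0]
    ep = struct.unpack_from("<I", buf, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                        # PE32: ImageBase is a DWORD at +28
        base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: ImageBase is a QWORD at +24
        base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsect):                    # IMAGE_SECTION_HEADER entries, 40 bytes each
        off = opt + opt_size + 40 * i
        if off + 40 > len(buf):
            raise ValueError("section table truncated: dump is too short")
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", buf, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": raw, "rsize": rsize})
    return {"entry_point": ep, "image_base": base, "sections": sections}

def section_for_rva(info: dict, rva: int):
    """Name of the section containing rva (e.g. the entry point), or None if outside all."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None

def build_sample_dump() -> bytes:
    """Constructed minimal PE32 image with two sections; not a real malware sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 32, 0x102)   # i386, 2 sections, opt size 32
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + opt + text + data
```

A dump taken at the wrong moment (the exe itself before the container has been written over it) typically fails one of these checks or has its entry point outside every section, which is a quick way to tell the two cases apart.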

jumbofreak
Posts: 11
Joined: Mon Jun 18, 2012 10:11 am

Re: runtime debugging tips for ollydbg

Post by jumbofreak » Fri Aug 23, 2013 10:53 am

Sorry for the late reply. When you say
"I told you dump what NtFreeVirtualMemory trying to free, not exe itself as it not yet ready and this dump is full of fcuk. See attach for Pecompact."
when we stop on ZwFreeVirtualMemory and check the address, you mean "follow in dump" -> "right-click on address" -> "save data to backup file"?

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: runtime debugging tips for ollydbg

Post by EP_X0FF » Sat Aug 24, 2013 3:19 am

(attached screenshots: img1.png, img2.png, img3.png)
Ring0 - the source of inspiration

jumbofreak
Posts: 11
Joined: Mon Jun 18, 2012 10:11 am

Re: runtime debugging tips for ollydbg

Post by jumbofreak » Tue Aug 27, 2013 9:03 am

Gotcha, EP_X0FF, thanks for your help.
