Malware Analysis CIS-672

Lecture 06: Dynamic code analysis

Dr. Muhammad Abid,
DCIS, PIEAS

Malware Analysis, PIEAS

 Dynamic Code Analysis

malicious code is executed in a controlled

manner under the supervision of a program
called debugger
Debugger gives full control over the
malware's runtime behavior and allows you
to execute
a single instruction,
multiple instructions, or
select functions

Malware Analysis, PIEAS

 Dynamic Code Analysis

When you are debugging a malware, proper

care needs to be taken, as you will be
running the malicious code on a system.

Malware Analysis, PIEAS

 Debugging a Code

two ways to debug a program:

attach the debugger to a running process
launch a new process
1. Attach the debugger to a running process:
No opportunity to monitor/ control startup and
initialization code
the debugger suspends the process
inspect the process's resources or set a
breakpoint before resuming the process.

Malware Analysis, PIEAS

 Debugging a Code

2. launch a new process under a debugger

allows you to monitor or debug every action the
process takes
the execution will pause at the program's entry
point (System, Entry, TLS Callbacks, etc.
depending on Options->Preferences->Events
settings)

Malware Analysis, PIEAS

 Controlling Process Execution

The two important capabilities offered by a

debugger are:
the ability to control execution, and
the ability to interrupt execution (using
breakpoints).

Malware Analysis, PIEAS

 Controlling Process Execution

Common execution control options:

Continue (Run): This executes all of the
instructions, until a breakpoint is reached or an
exception occurs.
Step into and Step over: you can execute a
single instruction.
Execute till Return (Run until return): Using this
option inside a function will take you to the end of
the function (ret or retn)
Run to cursor (Run until selection): to execute
instructions until the current cursor location, or
until the selected instruction is reached.

Malware Analysis, PIEAS

 Interrupting a Program with
Breakpoints
Breakpoints can be used to
pause the execution at a particular instruction, or
when the program calls a function/API function, or
when the program reads, writes, or executes from
a memory address

Malware Analysis, PIEAS

 Interrupting a Program with
Breakpoints
Software Breakpoints:
By default, debuggers make use of software
breakpoints.
implemented by replacing the instruction at a
breakpoint address with a software breakpoint
instruction, such as the int 3 instruction (having an
opcode of 0xCC).
can set an unlimited number of
breakpoints

Malware Analysis, PIEAS

 Interrupting a Program with
Breakpoints
Hardware Breakpoints:
Support through the use of the CPU's debug
registers, e.g. in x86 DR0 - DR7.
maximum of four hardware breakpoints using
DR0-DR3; the other remaining debug registers
are used to specify additional conditions on each
breakpoint.
no instruction is replaced

Malware Analysis, PIEAS

 Interrupting a Program with
Breakpoints
Memory Breakpoints: These breakpoints
allow you to pause the execution when an
instruction accesses (reads from or writes to)
the memory, rather than the execution.
Conditional Breakpoints: Using conditional
breakpoints, you can specify the condition
that must be satisfied to pause the
breakpoint.
When a breakpoint is reached we say it’s a hit.
Unlike other breakpoints, conditional breakpoint
pauses execution only when it is a hit and a
condition is met
Malware Analysis, PIEAS
 Launching a New Process in x64dbg

Use x64dbg to debug both 32-bit and 64-bit

File | Open and choose a file
the original binary will be executed with the
privileges of the user running the debugger.
debugger will pause at the System
Breakpoint, the TLS callback, or the program
entry point function, etc. depending on the
configuration settings (Options | Preferences
| Events)

Malware Analysis, PIEAS

 Attaching to an Existing Process
Using x64dbg
File | Attach
When the debugger is attached, the process
is suspended
File | Detach (attached process is not
terminated)
debug privilege settings:
Run the debugger as an administrator;
Options | Preferences | Engine tab, checking
the Enable Debug Privilege

Malware Analysis, PIEAS

 x64dbg Debugger Interface

Malware Analysis, PIEAS

 x64dbg Debugger Interface

Disassembly Window (CPU Window):

disassembly of all of the instructions
synchronized with the current value of the
instruction pointer register (eip or rip).
display the control flow graph by pressing the G
hotkey.
Registers Window:
displays the current state of the CPU registers.
The value in a register can be modified by double-
clicking on the register
You can toggle the flag bits on or off by double-
clicking on the values of the flag bits.

Malware Analysis, PIEAS

 x64dbg Debugger Interface

Stack Window:
The stack view displays the data contents of the
process's runtime stack
Dump Window:
This displays the standard hex dump of the
system memory.

Malware Analysis, PIEAS

 x64dbg Debugger Interface

Memory Map Window:

provides the layout of the process memory
a great way to see where the executables and
their sections are loaded in the memory.
also contains information about the process DLLs
and their sections in the memory
Symbols Window:
display imports and exports with their locations in
system memory
Click any module to show its symbols on the right
side

Malware Analysis, PIEAS

 x64dbg Debugger Interface

References Window:
displays the references to the API calls.
To populate this window, right-click anywhere in
the disassembly (CPU) window, then select
Search for | Current Module | Intermodular
calls
Handles Window:
to display handles, right-click inside the handles
window and select Refresh (or F5).

Malware Analysis, PIEAS

 Controlling Process Execution Using
x64dbg

Malware Analysis, PIEAS

 Setting a Breakpoint in x64dbg

Software breakpoint: F2 key (or right-clicking

and selecting Breakpoint | Toggle).
Hardware breakpoint: right-click Breakpoint |
Set Hardware on Execution.

Malware Analysis, PIEAS

 Debugging using X64dbg

Sample Program
Build in MS Visual Studio
using Debug Configuration

Malware Analysis, PIEAS

 Debugging using X64dbg

Launch previous built program using x32dbg

-Debug file included

-easy to locate sum function–
just double click sum symbol

Malware Analysis, PIEAS

 Debugging using X64dbg

Sum function (easily located)

Malware Analysis, PIEAS

 Debugging using X64dbg

Launch previous built program using x32dbg

Debug file removed

Malware Analysis, PIEAS

 Debugging using X64dbg

Now how to locate sum function?

1. References | Functions: generate function
references by clicking fX

Malware Analysis, PIEAS

 Debugging using X64dbg
Now search for sum function. Is it sum function?

Malware Analysis, PIEAS

 Debugging using X64dbg

2. locate the sum function using IDA Pro

1st step: Find VA of

sum

Malware Analysis, PIEAS

 Debugging using X64dbg

2. locate the sum function using IDA Pro

2nd step: Find

segment

0041 2A10
3rd step: file offset
0041 1000
from segment
0000 1A10
beginning

Malware Analysis, PIEAS

 Debugging using X64dbg

2. locate the sum function using IDA Pro

0028 1000 + 0000 1A10 = 0028 2A10

4th step: Add text

section base
address and
difference (3rd step)
Malware Analysis, PIEAS
 Debugging using X64dbg

Sum function at 0028 2A10

Malware Analysis, PIEAS

 Debugging using X64dbg

Place a breakpoint at the 1st instruction of

sum
Run until this breakpoint

Malware Analysis, PIEAS

 Debugging using X64dbg

Call stack
displays the call stack of the current thread
Address: base address of the stack frame where
return address (To address) is stored
To: address of next inst. after function call in the
caller
From: address in the function that is going to
return.
Size: arguments size+ return address size + local
variables size.
Comment: a brief description of the call stack
frame.
Party: function belongs to user or OS
Malware Analysis, PIEAS
 Debugging using X64dbg

Call stack after breakpoint at the first

instruction of sum function

Malware Analysis, PIEAS

 Debugging using X64dbg

Instruction Tracing of sum function: two

steps
Sum function

1: Breakpoint @ 1st inst.

Malware Analysis, PIEAS

 Debugging using X64dbg

Instruction Tracing of sum function

2. Determine RA. Specify this address in
Break Condition of Trace into/ over

Sum function calling @

address 005D 14F5

Malware Analysis, PIEAS

 Debugging using X64dbg

Instruction Tracing of sum function

Malware Analysis, PIEAS

 Debugging using X64dbg

Function tracing
All functions called after main() function
1. Find the address of the main() and put
breakpoint there

Malware Analysis, PIEAS

 Debugging using X64dbg

Function tracing
2. Find Return Address: Once breakpoint is
placed at the 1st instruction of main() restart
dubugee using Debug | restart. Run until debugee
stops at main’s 1st instruction. Check call stack.
main will return at To address once finished
execution.

Specify this address in Break Condition of

Trace into/ over
Malware Analysis, PIEAS
 Debugging using X64dbg

Function tracing
Only log function calls

Malware Analysis, PIEAS

 Trace into/ Over log file

Program-visible state of current instruction

appears with next instruction in the trace file.
E.g. check sub esp, 0xD8 @ address:
ox005D14D3.

Malware Analysis, PIEAS

 X64dbg: String Formatting

Printing inst address, instr text, GPRs

0x {p:eip} {i:eip} eax: {x:eax} ebx: {x:ebx} ecx:
{x:ecx} edx: {x:edx} eBP: {x:eBP} esp: {x:esp} esi:
{x:esi} edi: {x:edi}

Malware Analysis, PIEAS

Malware Analysis, PIEAS
 Debugging using X64dbg

Memory breakpoint
First find address of memory
Then locate that address in memory dump
In the memory dump right click to address where
you want to put memory breakpoint and choose
breakpoint
Limitation: Xdbg62 currently
(version Nov 05 2020) only supports
memory breakpoint at page level so
use hardware breakpoint instead

Malware Analysis, PIEAS

 Debugging using X64dbg

Memory access breakpoint at global_array[9]

Use hardware breakpoint as we are interested
only in global_array[9]

Malware Analysis, PIEAS

 Debugging using X64dbg

Memory access breakpoint at global_array[9]

Which function’s instruction is accessing
global_array[9]?

Malware Analysis, PIEAS

 Debugging a Malicious DLL Using
x64dbg
Launch x64dbg (preferably with administrator
privileges) and load the DLL (via File |
Open).
x64dbg drops an executable (named
DLLLoader32_xxxx.exe, where xxxx are
random hexadecimal characters) into the
same directory where your DLL is located;
DLLLoader32_xxxx.exe acts as a generic
host process, which will be used to execute
your DLL (in the same manner as
rundll32.exe).

Malware Analysis, PIEAS

 Debugging a Malicious DLL Using
x64dbg

Malware Analysis, PIEAS

 Using rundll32.exe to Debug the DLL
in x64dbg
load rundll32.exe from the system32
directory (via File | Open) into the debugger
File | change command line

Breakpoints tab | right-click inside the

Breakpoints window | Add DLL breakpoint
enter DLL module name.
This will tell the debugger to break when the DLL
is loaded
Debug|Restart
Malware Analysis, PIEAS
 Using rundll32.exe to Debug the DLL
in x64dbg
Debug | Restart
click Run (F9) multiple times, till you reach
the DLL entry point

Malware Analysis, PIEAS