Advanced Dynamic Analysis
Table of Contents
1. Lecture 10
- Class: Malware Analysis and Incident Forencsis
- Topic: Dynamic Analysis
Basic dynamic analysis focuses on externally observable behavior, where Advanced static analysis focuses on malware internals; but both of them fall short for different reasons:
- Evasion
- Trigger-based behavior
- Code obfuscation and packing
- anti-disassembly, self-modifying code.
2. Debugging
A debugger enables the analysis of execution in different ways, at instruction level, or register and memory contents, function calls or threads and exceptions. A debugger also provide the ability to inspect and control execution to acquire critical insights, ad of course, the ability to alter the execution.
2.1. Debugging in user space
There are two ways to perform a debugging session, load a program from a debugger or attach it to an already running process. The feature of a debugger are:
- the ability to inspect and alter registers (including EIP)
- inspect and alter memory and its layout.
- capture control flow transfer and specific intructions
- control threads
- and modify the code while its being executed.
A debugger can follow one thread at a time, and it provides a way to control the execution: stepping. A single stepping steps through the instructions one at the time, exactly as how the CPU sees them; another approach is to use funciton calls and returns as milestones and perform a stepping into, stepping over and stepping out (execute until return).
2.2. Breakpoints
They are the key element, they allow to alter the execution where a point of interest is reached. Sometimes memory breakpoints can be used: for example when a specific memory address is read, write or executed. The last kind of breakpoint to consider are the Conditional breakpoints: suspend the execution only when an additional condition is matched.
2.2.1. Implementing Breakpoints
Instruction breakpoints can be implemented via software or via hardware. A software breakpoint replaces the first byte of the instruction at the given address with INT 3
(opcode 0xCC
); when the CPU see that opcode generate a software interrupt and the debugger capture the event. The problem is that the malware may look for the opcode to deduce if it is running inside a debugger; for example they may compute a checksum of the .text section to check if the code as been modified.
hardware breakpoints are tricky to detect, they do not alter the code and leverage on special CPU debug registers to trap execution automatically. They are limited (4 on x86).
Conditional Breakpoints must be implemented in software for now, extra code runs inside the debugger; they are very useful on loops, but they really slow down the execution because the they are based on the exeptions.
memory breakpoints can be software or hardware-based; at hardware level they can be up to 4 bytes per register. At software level they are not 100% reliable, as they change memory protection attributes. Memory breakpoints are useful when the malware is packed.
2.3. Exceptions
Exceptions are a mechanism for supporting an alternative control flow when recovering from an error. From the CPU perspective they are just an interrupt, debuggers can use them to regain control of the execution, a single stepping can be implmented when a trap flag TF in EFLAGS is set (operation popfd
). To handle an exceptio a corresponding handler must been registered.
A debugger can catch an exeption up to two times, the first-chance exception can be passed to the program when thay are unrelated to debugging, when the program can’t recover from the exception the debugger receives it again, without intervention the program will crash; they are used as an anti-debug technique.
Some exception are thrown by the malware to deduce if they are executed in a debugger.
2.4. ASLR
ASLR can be a nuisane when debugging, moder programs compiled with the &DYNAMICBASE flag the OS randomizes the base address for the .text section at every execution. For this reason IDA offers manual loading for a PE and a rebase option for the current session. Alternatively you can modify the PE header using a CFF Explorer but might not always work in Windows 10. Some popular debuggers are:
- WinDBG
- IDA Pro
- IDA Freeware
- x64dbg
- radare2
- Immunity Debugger (good for forensics tasks)