Malware Debugging Basics


What is Debugging?

Debuggers allow you to see the value of every memory location, register, and argument to every function.

Debuggers provide information about a program that would be difficult or impossible to get from a disassembler.

A debugger is a piece of software or hardware used to test or examine the execution of another program.

Source-level vs Assembly-level Debuggers

Source-level debuggers allow programmers to debug while coding; they are usually built into integrated development environments (IDEs).

Kernel vs User-mode Debugging

WinDbg is a popular tool that supports kernel debugging. OllyDbg is another popular tool, used for user-mode debugging, but it does not support kernel-level debugging.

In user mode, the debugger is running on the same system as the code being debugged.

Kernel-level debugging is more challenging than user-mode debugging. Kernel-level debugging usually requires two systems: if the kernel is stopped at a breakpoint, no application can run on that system.

Stepping Through Code

  • Step into
  • Step Over
  • Single Step

Breakpoints

Breakpoints are needed because you can't access registers or memory addresses while the program is running, since these values are constantly changing.

Breakpoints are used to pause execution and allow you to examine the program's state. When a program is paused at a breakpoint, it is referred to as 'broken'.

Breakpoint types

Conditional Breakpoints

Conditional breakpoints are software breakpoints that break only if a certain condition is true. For example, an ordinary breakpoint set on the function GetProcAddress breaks every time GetProcAddress is called; a conditional breakpoint on the same function breaks only when the condition attached to it holds.

Hardware Execution Breakpoints:

The x86 architecture supports hardware execution breakpoints through dedicated hardware registers. Every time the processor executes an instruction, there is hardware to detect if the instruction pointer is equal to the breakpoint address.

Software Execution Breakpoints:

The debugger implements a software breakpoint by overwriting the first byte of an instruction with 0xCC, the instruction for INT 3 (Call to interrupt procedure), the breakpoint interrupt designed for use with debuggers.
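The three breakpoint mechanisms above (hardware execution breakpoints in debug registers, software breakpoints via a planted 0xCC, and a condition attached to a software breakpoint) can be followed on a toy CPU. The following is an added example, not code from the original page or from any real debugger: the one-byte instruction set, the program image and the `Debugger`/`Cpu` classes are constructed for illustration; only the INT 3 opcode 0xCC and the idea of four debug registers DR0-DR3 come from real x86. It shows the part the text only hints at: to resume after a software breakpoint the debugger must restore the original byte, rewind the instruction pointer over the INT 3, execute the real instruction, and re-arm, while a hardware breakpoint never touches the code bytes at all.

```python
"""Toy model of hardware vs software execution breakpoints (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

INT3 = 0xCC                      # real x86 opcode for INT 3
NOP, INC_EAX, RET = 0x90, 0x40, 0xC3   # constructed one-byte instruction set


@dataclass
class Cpu:
    code: bytearray                # program image (constructed)
    ip: int = 0                    # instruction pointer
    eax: int = 0                   # one register, enough to test a condition
    dr: List[Optional[int]] = field(default_factory=lambda: [None] * 4)  # DR0..DR3


@dataclass
class SoftwareBreakpoint:
    addr: int
    saved: int                                          # original byte hidden under 0xCC
    condition: Optional[Callable[[Cpu], bool]] = None   # None means unconditional


class Debugger:
    def __init__(self, cpu: Cpu) -> None:
        self.cpu = cpu
        self.soft: Dict[int, SoftwareBreakpoint] = {}
        self.hits: List[str] = []

    def set_hardware_bp(self, slot: int, addr: int) -> None:
        """Hardware breakpoint: address goes into a debug register; code bytes untouched."""
        self.cpu.dr[slot] = addr

    def set_software_bp(self, addr: int, condition=None) -> None:
        """Software breakpoint: save the original byte, then overwrite it with INT 3."""
        self.soft[addr] = SoftwareBreakpoint(addr, self.cpu.code[addr], condition)
        self.cpu.code[addr] = INT3

    def run(self, max_steps: int = 1000) -> List[str]:
        cpu = self.cpu
        for _ in range(max_steps):
            # Hardware check on every fetch: does IP equal an armed debug register?
            if any(a == cpu.ip for a in cpu.dr if a is not None):
                self.hits.append(f"hw@{cpu.ip:#x}")
            opcode = cpu.code[cpu.ip]
            cpu.ip += 1                               # IP now points past the 1-byte instruction
            if opcode == INT3:
                bp = self.soft.get(cpu.ip - 1)
                if bp is None:                        # an INT 3 the program itself contains
                    self.hits.append(f"int3@{cpu.ip - 1:#x}")
                    continue
                if bp.condition is None or bp.condition(cpu):
                    self.hits.append(f"sw@{bp.addr:#x}")
                # Transparent resume: restore the real byte, rewind IP over the 0xCC,
                # run the original instruction, then re-arm the breakpoint.
                cpu.code[bp.addr] = bp.saved
                cpu.ip = bp.addr
                done = self._execute(bp.saved)
                cpu.ip = bp.addr + 1
                cpu.code[bp.addr] = INT3
                if done:
                    return self.hits
                continue
            if self._execute(opcode):
                return self.hits
        raise RuntimeError("step limit reached")

    def _execute(self, opcode: int) -> bool:
        """Execute one toy instruction; True when the program finished (RET)."""
        if opcode == INC_EAX:
            self.cpu.eax += 1
        elif opcode == RET:
            return True
        elif opcode != NOP:
            raise ValueError(f"unknown opcode {opcode:#x}")
        return False


def demo(threshold: int) -> dict:
    """Constructed program: NOP, INC, NOP, INC, NOP, INC, RET with three breakpoints."""
    cpu = Cpu(code=bytearray([NOP, INC_EAX, NOP, INC_EAX, NOP, INC_EAX, RET]))
    dbg = Debugger(cpu)
    dbg.set_software_bp(0x0)                                  # plain software breakpoint
    dbg.set_hardware_bp(0, 0x2)                               # DR0 = 0x2, code unchanged
    dbg.set_software_bp(0x4, lambda c: c.eax >= threshold)    # conditional breakpoint
    hits = dbg.run()
    return {
        "hits": hits,
        "eax": cpu.eax,
        "byte_at_hw_bp": cpu.code[0x2],     # still NOP: the hardware bp never patched it
        "byte_at_sw_bp": cpu.code[0x4],     # 0xCC: still armed after the run
        "saved_byte": dbg.soft[0x4].saved,  # the NOP the 0xCC is hiding
    }


if __name__ == "__main__":
    print(demo(2))   # conditional bp fires (eax is 2 when reached)
    print(demo(3))   # conditional bp is passed over silently
```

With `threshold=2` the run reports `sw@0x0`, `hw@0x2` and `sw@0x4`; with `threshold=3` the conditional breakpoint is hit by the CPU but the debugger resumes without reporting it, which is exactly what a conditional breakpoint on a hot function like GetProcAddress buys you. Note the image still contains 0xCC at 0x4 after the run, whereas the byte under the hardware breakpoint was never modified.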

Exceptions

Exceptions are the principal way that a debugger gains control of a running program. Under the hood, even breakpoints generate exceptions, and events unrelated to debugging generate exceptions as well.

First and Second Chance Exceptions

  • When an exception occurs while a debugger is attached, the program being debugged stops executing, and the debugger is given a first chance at control.
  • If the application does not handle the exception, the debugger is given another chance to handle it: the second-chance exception.
  • Debuggers are therefore usually given two opportunities to handle an exception: a first-chance exception and a second-chance exception.

When analyzing malware, you are not looking for bugs, so first-chance exceptions can often be ignored. However, if you encounter second-chance exceptions (usually a program crash) while debugging malware, there may be bugs in the malware that are causing it to crash, but it is more likely that the malware doesn't like the environment in which it is running.
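The dispatch order described above (debugger first, then the program's own handlers, then the debugger again) can be modelled in a few lines. This is an added example, not code from the original page or from any real debugger: the `Debuggee` handler chain, the addresses and the `dispatch` loop are constructed stand-ins; the two status codes are the real Windows values for a breakpoint trap (0x80000003) and an access violation (0xC0000005). The debugger here follows the stance in the text: it claims only its own breakpoint traps at first chance, passes everything else to the program, and only reacts at second chance, which is reached solely when no program handler took the exception.

```python
"""First-chance / second-chance exception dispatch (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Set

STATUS_BREAKPOINT = 0x80000003        # Windows status code raised by INT 3
STATUS_ACCESS_VIOLATION = 0xC0000005  # Windows status code for a bad memory access


@dataclass
class Exc:
    code: int
    address: int


@dataclass
class Debuggee:
    # Constructed stand-in for the program's own handler chain (like SEH frames);
    # each handler returns True if it handled the exception.
    handlers: List[Callable[[Exc], bool]] = field(default_factory=list)


class Debugger:
    def __init__(self, breakpoints: Set[int]) -> None:
        self.breakpoints = breakpoints   # addresses where this debugger planted INT 3
        self.events: List[str] = []      # what an analyst would see in the debugger log

    def first_chance(self, exc: Exc) -> bool:
        """Seen before the program. Claim only our own breakpoint traps; pass the rest on."""
        self.events.append(f"first-chance {exc.code:#010x} @ {exc.address:#x}")
        return exc.code == STATUS_BREAKPOINT and exc.address in self.breakpoints

    def second_chance(self, exc: Exc) -> str:
        """Nobody handled it: final look before the process would terminate."""
        self.events.append(f"second-chance {exc.code:#010x} @ {exc.address:#x}")
        return "crash"

    def dispatch(self, exc: Exc, target: Debuggee) -> str:
        """The dispatch order the text describes, as one function."""
        if self.first_chance(exc):
            return "handled-by-debugger"
        for handler in target.handlers:        # the program's own handlers run next
            if handler(exc):
                return "handled-by-program"    # no second chance is ever generated
        return self.second_chance(exc)


def demo() -> dict:
    """Three constructed exceptions: our breakpoint, a handled AV, an unhandled AV."""
    dbg = Debugger(breakpoints={0x401000})
    # Constructed program that handles only access violations at 0x402000.
    target = Debuggee(handlers=[
        lambda e: e.code == STATUS_ACCESS_VIOLATION and e.address == 0x402000,
    ])
    results = {
        "breakpoint": dbg.dispatch(Exc(STATUS_BREAKPOINT, 0x401000), target),
        "handled_av": dbg.dispatch(Exc(STATUS_ACCESS_VIOLATION, 0x402000), target),
        "unhandled_av": dbg.dispatch(Exc(STATUS_ACCESS_VIOLATION, 0x403000), target),
    }
    return {"results": results, "events": dbg.events}


if __name__ == "__main__":
    out = demo()
    for line in out["events"]:
        print(line)
    print(out["results"])
```

Running it produces three first-chance lines but only one second-chance line, for the access violation at 0x403000 that no handler claimed; the handled access violation at 0x402000 never comes back to the debugger, which is why ignoring first-chance exceptions costs nothing during malware analysis while a second-chance exception always deserves a look.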