Presentation on theme: "Part 3: Advanced Dynamic Analysis" - Presentation transcript:

3 Debugger
- Hardware or software used to examine the execution of another program
- Disassembler: static snapshot of what code looks like before execution
- Debugger: dynamic snapshot of what code does during execution

4 Types of debuggers: Source-level, Assembly-level
- Source-level: debug while coding; map machine execution to the corresponding source code lines; allow setting breakpoints at source-code lines
- Assembly-level: strictly operate at the machine instruction level; main debugger used for malware

5 Types of debuggers: User mode, Kernel mode
- User mode: debug one program via another program, all in user space. Examples: OllyDbg, gdb
- Kernel mode: debugging a kernel requires a second machine; must configure the target OS to allow kernel debugging. Example: WinDbg

6 Debugging functions: Stepping
- Single-step: one machine instruction or source line at a time
- Stepping-over: calls to functions are executed all at once before control is returned to the debugger (next instruction)
- Stepping-into: calls to functions are followed (enters the callee) one machine instruction at a time (step instruction)
- Stepping-out: execute until the return back to the calling function (finish)

7 Debugging functions: Breakpoints (software)
- Set at the virtual memory address of an instruction or at a source line
- Allows one to examine the state of the machine at critical execution points
- Example: break on file creation (Listing 8-4, Figure 8-1, Loc. 4425)
- Implemented by overwriting the first opcode byte of the instruction with INT 3 (0xCC) (Table 8-1, Loc. 4399, 4414)
- Debugger restores the overwritten byte upon continue

8 Debugging functions: Hardware execution breakpoints
- Dedicated registers that store virtual addresses
- Can be set to break on access rather than on execution
- Memory watchpoints on data (reads or writes)
- 4 hardware address registers (DR0-DR3); DR7 holds the enable and type bits
- Can be modified by the running program! Malware can disable them
- Counter-measure is the "General Detect" flag in DR7, which triggers a breakpoint on any mov involving the debug registers

9 Debugging functions: Conditional software execution breakpoints
- Break only if a certain condition is met
- Example: break on GetProcAddress only if the procedure-name parameter is "RegSetValue"
- Implemented as a normal software breakpoint, but the debugger checks the condition and automatically continues if it is not met

10 Handling exceptions
- Exceptions pass control to the debugger
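The mechanics of slides 7 and 9, as an added Python model that is not part of the presentation and not OllyDbg or gdb code. The code image, the addresses (ENTRY, the string addresses, the GETPROCADDRESS stub), and the per-instruction "effect" callbacks are all constructed for the example: the bytes in memory are real x86-64 encodings, but nothing is emulated, so the toy CPU just runs the effect attached to each address. What is real is the debugger bookkeeping: save the original byte, write 0xCC, on trap rewind the program counter by one, restore the byte, evaluate the condition, single-step the original instruction, re-arm. The condition reads RDX because on x64 Windows the second argument (GetProcAddress's lpProcName) is passed in RDX.

```python
"""Software (INT 3) breakpoints with a conditional predicate, modelled on a
constructed code image. Nothing here is real x86 emulation: each instruction
carries a Python 'effect' that the toy CPU runs, but the bytes in memory are
real encodings, so the 0xCC patch/restore logic is the same bookkeeping a
debugger does with WriteProcessMemory or PTRACE_POKETEXT."""

INT3 = 0xCC

# Constructed addresses (assumptions for the example, not a real layout)
ENTRY           = 0x401000
STR_LOADLIBRARY = 0x402000
STR_REGSETVALUE = 0x402010
GETPROCADDRESS  = 0x7FF00010   # stand-in for kernel32!GetProcAddress


class Memory:
    """Sparse byte-addressable memory: address -> byte value."""
    def __init__(self):
        self.mem = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read_byte(self, addr):
        return self.mem[addr]

    def read_cstring(self, addr):
        out = bytearray()
        while self.mem[addr] != 0:
            out.append(self.mem[addr])
            addr += 1
        return bytes(out)


# Instruction effects for the toy CPU. Returning None means "fall through".
def mov_rdx_loadlibrary(cpu):
    cpu.regs["rdx"] = STR_LOADLIBRARY

def mov_rdx_regsetvalue(cpu):
    cpu.regs["rdx"] = STR_REGSETVALUE

def call_getprocaddress(cpu):
    cpu.stack.append(cpu.pc + 6)      # push return address (the call is 6 bytes)
    return GETPROCADDRESS

def getprocaddress_stub(cpu):
    # x64 Windows ABI: lpProcName is the second argument, i.e. RDX
    cpu.calls.append(cpu.mem.read_cstring(cpu.regs["rdx"]))
    return cpu.stack.pop()            # ret

def halt(cpu):
    cpu.halted = True

# (address, encoding, effect). Encodings are real x86-64 opcodes; the call's
# RIP-relative displacement is left as zeros because it is never decoded.
PROGRAM = [
    (ENTRY,        b"\x48\xba" + STR_LOADLIBRARY.to_bytes(8, "little"), mov_rdx_loadlibrary),  # mov rdx, imm64
    (ENTRY + 0x0a, b"\xff\x15\x00\x00\x00\x00",                         call_getprocaddress),  # call [rip+disp]
    (ENTRY + 0x10, b"\x48\xba" + STR_REGSETVALUE.to_bytes(8, "little"), mov_rdx_regsetvalue),  # mov rdx, imm64
    (ENTRY + 0x1a, b"\xff\x15\x00\x00\x00\x00",                         call_getprocaddress),  # call [rip+disp]
    (ENTRY + 0x20, b"\xc3",                                             halt),                 # ret
    (GETPROCADDRESS, b"\xc3",                                           getprocaddress_stub),  # ret
]


class TargetCPU:
    def __init__(self):
        self.mem, self.table = Memory(), {}
        for addr, code, effect in PROGRAM:
            self.mem.write(addr, code)
            self.table[addr] = (len(code), effect)
        self.mem.write(STR_LOADLIBRARY, b"LoadLibraryA\0")
        self.mem.write(STR_REGSETVALUE, b"RegSetValue\0")
        self.pc, self.regs, self.stack, self.calls, self.halted = ENTRY, {"rdx": 0}, [], [], False

    def step(self):
        """Execute one instruction. INT 3 is a one-byte instruction, so after
        the trap the program counter points one past the patched byte."""
        if self.mem.read_byte(self.pc) == INT3:
            self.pc += 1
            return "trap"
        length, effect = self.table[self.pc]
        target = effect(self)
        self.pc = self.pc + length if target is None else target
        return "ok"


class Debugger:
    def __init__(self, cpu):
        self.cpu = cpu
        self.bps = {}      # addr -> (saved original byte, condition or None)
        self.hits = []     # (addr, register snapshot) for breaks reported to the analyst

    def set_breakpoint(self, addr, condition=None):
        self.bps[addr] = (self.cpu.mem.read_byte(addr), condition)
        self.cpu.mem.write(addr, bytes([INT3]))

    def read_memory(self, addr, n):
        """Memory as shown to the analyst: patched bytes are masked with the
        saved originals, which is why 0xCC never shows up in a debugger dump."""
        return bytes(self.bps[a][0] if a in self.bps else self.cpu.mem.read_byte(a)
                     for a in range(addr, addr + n))

    def run(self, max_steps=1000):
        cpu = self.cpu
        for _ in range(max_steps):
            if cpu.halted:
                return
            if cpu.step() != "trap":
                continue
            addr = cpu.pc - 1                              # rewind over the INT 3
            saved, condition = self.bps[addr]
            cpu.pc = addr
            cpu.mem.write(addr, bytes([saved]))            # restore the original byte
            if condition is None or condition(cpu):
                self.hits.append((addr, dict(cpu.regs)))   # a real debugger stops here
            cpu.step()                                     # single-step the original instruction
            cpu.mem.write(addr, bytes([INT3]))             # re-arm for the next pass
        raise RuntimeError("step budget exhausted")


def demo():
    cpu = TargetCPU()
    dbg = Debugger(cpu)
    dbg.set_breakpoint(GETPROCADDRESS,
                       condition=lambda c: c.mem.read_cstring(c.regs["rdx"]) == b"RegSetValue")
    dbg.run()
    return dbg, cpu


if __name__ == "__main__":
    dbg, cpu = demo()
    print("calls seen:", cpu.calls)
    print("breaks reported:", [(hex(a), hex(r["rdx"])) for a, r in dbg.hits])
```

Both calls to the stub reach the patched byte, but only the second one is reported, because the first time the condition is false the debugger restores, steps and continues on its own. Note the re-arm after every hit: without it the breakpoint would silently fire once only, and note the masked `read_memory` view, which is the property a sample relies on when it checksums its own code looking for 0xCC.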
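The DR7 side of slide 8, as an added Python model that is not part of the presentation: how a debugger programs one of the four DR0-DR3 slots (enable bit, R/W type, length) and what the General Detect flag does when the debuggee executes a `mov` to a debug register. The bit positions are those of the x86 architecture; the `state` dict, the function names and the "malware clears DR7" scenario are assumptions of the example. One caveat the slide does not state: `mov` to or from a debug register is a ring-0 instruction, so a user-mode sample cannot execute it at all. In a user-mode debuggee the DRs are cleared through the thread's CONTEXT (SetThreadContext, or the CONTEXT handed to an exception handler), which GD does not observe; GD is the counter-measure for kernel-mode targets.

```python
"""DR7 bit layout for the x86 hardware breakpoint slots, and what the General
Detect (GD) flag does when the debuggee touches a debug register. Pure-Python
model of the register semantics; it never touches real debug registers."""

DR7_GD           = 1 << 13   # General Detect: #DB on any mov to/from DR0-DR7
DR7_RESERVED_ONE = 1 << 10   # bit 10 is reserved and always reads as 1
DR6_BD           = 1 << 13   # DR6.BD: this #DB was caused by a debug-register access

RW_BITS  = {"exec": 0b00, "write": 0b01, "io": 0b10, "rw": 0b11}   # "io" needs CR4.DE
LEN_BITS = {1: 0b00, 2: 0b01, 8: 0b10, 4: 0b11}                   # 8 bytes: 64-bit mode only


def dr7_enable(dr7, slot, kind, length=1, local=True):
    """Return DR7 with breakpoint `slot` (0-3) enabled for `kind` on `length`
    bytes. The matching DRn register must hold the linear address."""
    if slot not in range(4):
        raise ValueError("slot must be 0..3")
    if kind == "exec" and length != 1:
        raise ValueError("execute breakpoints must use LEN=00 (1 byte)")
    enable_bit = 2 * slot + (0 if local else 1)      # L0/G0 .. L3/G3
    rw_shift, len_shift = 16 + 4 * slot, 18 + 4 * slot
    dr7 &= ~(0b1111 << rw_shift)                     # clear the slot's old R/W and LEN
    dr7 |= (1 << enable_bit) | (RW_BITS[kind] << rw_shift) | (LEN_BITS[length] << len_shift)
    return dr7 | DR7_RESERVED_ONE


def dr7_decode(dr7):
    """List the enabled slots as (slot, kind, length)."""
    rw_name = {v: k for k, v in RW_BITS.items()}
    len_val = {v: k for k, v in LEN_BITS.items()}
    out = []
    for slot in range(4):
        if dr7 & (0b11 << (2 * slot)):               # local or global enable set
            rw = (dr7 >> (16 + 4 * slot)) & 0b11
            ln = (dr7 >> (18 + 4 * slot)) & 0b11
            out.append((slot, rw_name[rw], len_val[ln]))
    return out


def mov_to_dr7(state, value):
    """Model the debuggee executing `mov dr7, reg`. With GD set the CPU raises
    #DB before the write takes effect, sets DR6.BD, and clears GD so that the
    handler (the debugger) can itself access the debug registers."""
    if state["dr7"] & DR7_GD:
        state["dr6"] |= DR6_BD
        state["dr7"] &= ~DR7_GD
        return "#DB"
    state["dr7"] = value
    return "ok"


def demo():
    dr7 = dr7_enable(0, 0, "exec")                   # DR0: break on execution
    dr7 = dr7_enable(dr7, 1, "write", 4)             # DR1: 4-byte write watchpoint
    protected   = {"dr7": dr7 | DR7_GD, "dr6": 0}    # debugger armed General Detect
    unprotected = {"dr7": dr7, "dr6": 0}
    # Constructed scenario: the sample writes 0 to DR7 to kill every hardware breakpoint.
    r_protected   = mov_to_dr7(protected, 0)
    r_unprotected = mov_to_dr7(unprotected, 0)
    return dr7, protected, r_protected, unprotected, r_unprotected


if __name__ == "__main__":
    dr7, protected, r1, unprotected, r2 = demo()
    print(f"DR7 = {dr7:#010x}: {dr7_decode(dr7)}")
    print("with GD:", r1, f"DR7 now {protected['dr7']:#x}, DR6.BD={bool(protected['dr6'] & DR6_BD)}")
    print("without GD:", r2, f"DR7 now {unprotected['dr7']:#x}")
```

With GD armed the write never lands: the breakpoints in DR7 survive, DR6.BD tells the debugger why it got control, and the debugger must re-set GD before resuming because the processor cleared it on entry. Without GD the single `mov` wipes all four slots, which is the "malware can disable them" case from the slide.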