Network security | Penetration testing entry learning, from zero basic entry to proficiency - introduction of dynamic analysis technology tool OllyDbg interface

Table of contents

Dynamic Analysis Technique Debugger

What is OllyDbg

What can OllyDbg do?

OllyDbg window introduction

1. Disassembly panel window

2. Information panel window

3. Data panel window

4. Register panel window

5. Stack panel window


Dynamic Analysis Technique Debugger

The most important tool in dynamic analysis is the debugger, which comes in two kinds: user mode and kernel mode. A user-mode debugger debugs user-mode applications and works at the Ring 3 level; examples are OllyDbg, x64dbg and the debuggers built into compilers such as Visual C++. A kernel-mode debugger is one that can debug the operating system kernel, such as OllyDbg.

What is OllyDbg

OllyDbg (abbreviated "OD") is a user-mode debugger with a visual interface written by Oleh Yuschuk. It runs on the various versions of Windows, and on NT-based systems it can bring its full functionality into play. (There is very little information about the author online; scattered notes on a foreign site suggest that Oleh Yuschuk may be from the former Soviet Union, emigrated to Germany after its dissolution and has since lived in an old German town, but nothing specific could be found.)

What can OllyDbg do?

OllyDbg combines dynamic debugging with static analysis, has a GUI, is very easy to use, and is quite flexible in tracing and handling exceptions. These features make OllyDbg the tool of choice for debugging Ring 3 programs. Its disassembly engine is very powerful: it recognises thousands of functions frequently used by C and Windows programs and annotates their parameters, and it automatically analyses the strings, functions, procedures and loop statements in the code. In addition, its open design gives the software strong vitality: through continuous modification and extension by enthusiasts, OllyDbg's script execution capability and open plug-in interface have made it more and more powerful.

Official download link: OllyDbg v1.10. I also recommend my favourite OllyDbg plug-ins here, which are very easy to use.

OllyDbg window introduction

After OllyDbg starts, several sub-windows are opened. Click the shortcut buttons such as "L", "E" and "M" on the toolbar to switch between them, as shown in the figure below. These shortcuts correspond to the items of the "View" menu; for descriptions of the Log window, the CPU window and the other windows, refer to the OllyDbg help document.

Click "File" > "Open" (shortcut key "F3") to open an EXE file. OllyDbg loads the file immediately, analyses it automatically and lists the assembly code. The default current window is the CPU window, the most important window in OllyDbg; its toolbar icon is "C", and most debugger operations are performed in it. This window consists of 5 panels: the disassembly panel, register panel, information panel, data panel and stack panel, as shown in the figure below. The appearance properties of each panel, such as the title bar (bar) and font, can be controlled through the "Appearance" option in the panel's right-click shortcut menu.

1. Disassembly panel window

The disassembler window (Disassembler window) shows the code of the debugged program in 4 columns: address (Address), hexadecimal machine code (Hexdump), disassembly (Disassembly) and comment (Comment). The comment column shows the relevant API parameters or a brief form of the operation, which is very useful.

 

00B2109B   .  B9 F8BAB400   mov ecx,路径修复.00B4BAF8
00B210A0   .  E9 26670000   jmp 路径修复.00B277CB
00B210A5   .  B9 FBBAB400   mov ecx,路径修复.00B4BAFB
00B210AA   .  E8 58760000   call 路径修复.00B28707
00B210AF   .  68 83F9B300   push 路径修复.00B3F983
00B210B4   .  E8 B5890000   call 路径修复.00B29A6E
00B210B9   .  59            pop ecx                                  ;  kernel32.777D0099
00B210BA   .  C3            retn
00B210BB   .  B9 B8BBB400   mov ecx,路径修复.00B4BBB8
00B210C0   .  E8 42760000   call 路径修复.00B28707
00B210C5   .  68 8DF9B300   push 路径修复.00B3F98D
00B210CA   .  E8 9F890000   call 路径修复.00B29A6E
00B210CF   .  59            pop ecx                                  ;  kernel32.777D0099
00B210D0   .  C3            retn
00B210D1   .  68 97F9B300   push 路径修复.00B3F997
00B210D6   .  E8 93890000   call 路径修复.00B29A6E

In the columns (not the column headers) of the disassembly panel window, double-clicking performs the following operations by default.

  • Address column: displays the address of the double-clicked row as a relative address; double-click again to return to the standard address mode.
  • Hexdump column: sets or removes an unconditional breakpoint; the corresponding shortcut key is "F2".
  • Disassembly column: calls the assembler, so the assembly code can be modified directly; the corresponding shortcut key is the space bar.
  • Comment column: allows a comment to be added or edited; the corresponding shortcut key is the ";" key.

Multiple lines can be selected from the keyboard by holding "Shift" and pressing the up/down cursor keys (or "PgUp"/"PgDn"), or by using the right-click shortcut menu commands. Holding "Ctrl" and pressing the up/down cursor keys scrolls the assembly window line by line (useful when data is mixed with code).
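The address, Hexdump and Disassembly columns carry enough information to check the listing mechanically. The following example is added here and is not code from the original post or from OllyDbg: it parses rows in the panel layout shown above (the sample rows are constructed from that listing), verifies that every instruction starts exactly where the previous one ends, and collects the direct call targets.

```python
import re

# Constructed sample in the layout of OllyDbg's disassembly panel (taken from the
# listing above): address, marker, machine code, disassembly, optional ';' comment.
LISTING = """\
00B2109B   .  B9 F8BAB400   mov ecx,路径修复.00B4BAF8
00B210A0   .  E9 26670000   jmp 路径修复.00B277CB
00B210A5   .  B9 FBBAB400   mov ecx,路径修复.00B4BAFB
00B210AA   .  E8 58760000   call 路径修复.00B28707
00B210AF   .  68 83F9B300   push 路径修复.00B3F983
00B210B4   .  E8 B5890000   call 路径修复.00B29A6E
00B210B9   .  59            pop ecx                                  ;  kernel32.777D0099
00B210BA   .  C3            retn
"""

LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+"            # address column
    r"(?:[^\s0-9A-F]\s+)?"                  # optional marker such as '.', '>' or '$'
    r"(?P<hex>(?:[0-9A-F]{2}\s?)+?)\s{2,}"  # machine-code bytes, then the column gap
    r"(?P<asm>[^;]+?)\s*"                   # disassembly text
    r"(?:;\s*(?P<comment>.*))?$"            # optional comment column
)

def parse_listing(text):
    """Parse panel rows into dicts holding address, raw code bytes, mnemonic and comment."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"addr": int(m["addr"], 16),
                         "code": bytes.fromhex(m["hex"]),
                         "asm": m["asm"].strip(),
                         "comment": (m["comment"] or "").strip()})
    return rows

def find_gaps(rows):
    """Each instruction must start where the previous one ends (address + byte
    length); a mismatch means rows are missing or data is mixed into the code."""
    return [(p["addr"], p["addr"] + len(p["code"]), c["addr"])
            for p, c in zip(rows, rows[1:]) if p["addr"] + len(p["code"]) != c["addr"]]

def call_targets(rows):
    """Map each direct 'call module.address' target to the addresses that call it."""
    targets = {}
    for r in rows:
        m = re.fullmatch(r"call\s+\S+?\.([0-9A-F]{8})", r["asm"])
        if m:
            targets.setdefault(int(m.group(1), 16), []).append(r["addr"])
    return targets
```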

2. Information panel window

During dynamic tracing, the information panel window (Information window) displays information related to the current instruction, such as the values of the registers it uses, API function call hints and jump hints.

3. Data panel window

The data panel window (Dump window) displays the memory of the debugged file in hexadecimal and as characters. To display the data at a specific memory address, click the "Go to expression" command in the right-click shortcut menu or press the "Ctrl+G" shortcut key to open the address window and enter the address.

00B40260  62 72 6F 6B 65 6E 20 70 69 70 65 00 63 6F 6E 6E  broken pipe.conn
00B40270  65 63 74 69 6F 6E 20 61 62 6F 72 74 65 64 00 00  ection aborted..
00B40280  63 6F 6E 6E 65 63 74 69 6F 6E 20 61 6C 72 65 61  connection alrea
00B40290  64 79 20 69 6E 20 70 72 6F 67 72 65 73 73 00 00  dy in progress..
00B402A0  63 6F 6E 6E 65 63 74 69 6F 6E 20 72 65 66 75 73  connection refus
00B402B0  65 64 00 00 63 6F 6E 6E 65 63 74 69 6F 6E 20 72  ed..connection r
00B402C0  65 73 65 74 00 00 00 00 64 65 73 74 69 6E 61 74  eset....destinat
00B402D0  69 6F 6E 20 61 64 64 72 65 73 73 20 72 65 71 75  ion address requ
00B402E0  69 72 65 64 00 00 00 00 65 78 65 63 75 74 61 62  ired....executab
00B402F0  6C 65 20 66 6F 72 6D 61 74 20 65 72 72 6F 72 00  le format error.
00B40300  66 69 6C 65 20 74 6F 6F 20 6C 61 72 67 65 00 00  file too large..
00B40310  68 6F 73 74 20 75 6E 72 65 61 63 68 61 62 6C 65  host unreachable
00B40320  00 00 00 00 69 64 65 6E 74 69 66 69 65 72 20 72  ....identifier r
00B40330  65 6D 6F 76 65 64 00 00 69 6C 6C 65 67 61 6C 20  emoved..illegal
00B40340  62 79 74 65 20 73 65 71 75 65 6E 63 65 00 00 00  byte sequence...
00B40350  69 6E 61 70 70 72 6F 70 72 69 61 74 65 20 69 6F  inappropriate io
00B40360  20 63 6F 6E 74 72 6F 6C 20 6F 70 65 72 61 74 69   control operati
00B40370  6F 6E 00 00 69 6E 76 61 6C 69 64 20 73 65 65 6B  on..invalid seek
00B40380  00 00 00 00 69 73 20 61 20 64 69 72 65 63 74 6F  ....is a directo
00B40390  72 79 00 00 6D 65 73 73 61 67 65 20 73 69 7A 65  ry..message size
00B403A0  00 00 00 00 6E 65 74 77 6F 72 6B 20 64 6F 77 6E  ....network down
00B403B0  00 00 00 00 6E 65 74 77 6F 72 6B 20 72 65 73 65  ....network rese
00B403C0  74 00 00 00 6E 65 74 77 6F 72 6B 20 75 6E 72 65  t...network unre
00B403D0  61 63 68 61 62 6C 65 00 6E 6F 20 62 75 66 66 65  achable.no buffe
00B403E0  72 20 73 70 61 63 65 00 6E 6F 20 63 68 69 6C 64  r space.no child
00B403F0  20 70 72 6F 63 65 73 73 00 00 00 00 6E 6F 20 6C   process....no l
00B40400  69 6E 6B 00 6E 6F 20 6D 65 73 73 61 67 65 20 61  ink.no message a
00B40410  76 61 69 6C 61 62 6C 65 00 00 00 00 6E 6F 20 6D  vailable....no m
00B40420  65 73 73 61 67 65 00 00 6E 6F 20 70 72 6F 74 6F  essage..no proto
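In the dump above, '.' in the character column stands for any non-printable byte, and several strings run across row boundaries ("conn" / "ection aborted"), so the text column alone is not a reliable way to read the table. The following example is added here and is not code from the original post or from OllyDbg: it rebuilds the bytes from the hex column of the first six rows above (constructed sample), checks that the rows are contiguous, and recovers the NUL-terminated strings with their addresses.

```python
import re

# Constructed sample of OllyDbg data-panel rows (the first six rows of the dump
# above): address, 16 hex bytes, then the character column.
DUMP = """\
00B40260  62 72 6F 6B 65 6E 20 70 69 70 65 00 63 6F 6E 6E  broken pipe.conn
00B40270  65 63 74 69 6F 6E 20 61 62 6F 72 74 65 64 00 00  ection aborted..
00B40280  63 6F 6E 6E 65 63 74 69 6F 6E 20 61 6C 72 65 61  connection alrea
00B40290  64 79 20 69 6E 20 70 72 6F 67 72 65 73 73 00 00  dy in progress..
00B402A0  63 6F 6E 6E 65 63 74 69 6F 6E 20 72 65 66 75 73  connection refus
00B402B0  65 64 00 00 63 6F 6E 6E 65 63 74 69 6F 6E 20 72  ed..connection r
"""

ROW_RE = re.compile(r"^([0-9A-F]{8})\s+((?:[0-9A-F]{2} ){15}[0-9A-F]{2})\s")

def parse_dump(text):
    """Rebuild (base address, raw bytes) from the hex column only, refusing rows
    that do not follow on contiguously from the previous one."""
    base, expected, chunks = None, None, []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"dump is not contiguous at {addr:08X}")
        chunks.append(bytes.fromhex(m.group(2)))
        expected = addr + 16
    return base, b"".join(chunks)

def extract_strings(base, data, min_len=4):
    """Split the bytes on NUL into (address, text, complete) triples. Strings that
    span row boundaries are reassembled; a final string is flagged incomplete
    when the dump ends before its terminator."""
    found, start = [], 0
    for i, b in enumerate(data):
        if b == 0:
            if i - start >= min_len:
                found.append((base + start, data[start:i].decode("ascii", "replace"), True))
            start = i + 1
    if len(data) - start >= min_len:
        found.append((base + start, data[start:].decode("ascii", "replace"), False))
    return found
```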


4. Register panel window

The register panel window (Registers window) displays the value of each CPU register and also supports the floating-point, MMX and 3DNow! registers. Right-click the panel or click its title bar to switch the way the registers are displayed.


5. Stack panel window

The stack window shows the memory at the address pointed to by ESP. Putting data onto the stack is called push, and taking data off the stack is called pop. This window is very important: all API functions and subroutines use the stack to pass parameters and variables.

010FFC74  |00000000
010FFC78  |00000000
010FFC7C  |00000000
010FFC80  |00000000
010FFC84  |00000000
010FFC88  |00000000
010FFC8C  |00000000
010FFC90  |010FFC58
010FFC94  |00000000
010FFC98  |010FFCB0  Pointer to next SEH record
010FFC9C  |77C7AE30  SE handler
010FFCA0  |875B3DC9
010FFCA4  |00000000
010FFCA8  \010FFCB8
010FFCAC   77C67B3E  RETURN to ntdll.77C67B3E from ntdll.77C67B3F
010FFCB0   FFFFFFFF  End of SEH chain
010FFCB4   77C88C8F  SE handler
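The annotated rows above ("Pointer to next SEH record", "SE handler", "End of SEH chain") are a linked list of exception registration records living on the stack: each record holds the address of the next record followed by its handler, and FFFFFFFF terminates the list. The following example is added here and is not code from the original post or from OllyDbg: it parses the tail of the stack dump above (constructed sample), walks that chain from an assumed head of 010FFC98, and refuses to follow a record that lies outside the snapshot, is misaligned, or does not sit above the previous one, which is how a corrupted or looping chain shows up.

```python
import re

# Constructed sample of OllyDbg stack-panel rows (the tail of the dump above):
# address, optional '|' or '\' frame marker, dword value, OllyDbg's annotation.
# That FS:[0] points at 010FFC98 is an assumption for this example.
STACK = r"""
010FFC90  |010FFC58
010FFC94  |00000000
010FFC98  |010FFCB0  Pointer to next SEH record
010FFC9C  |77C7AE30  SE handler
010FFCA0  |875B3DC9
010FFCA4  |00000000
010FFCA8  \010FFCB8
010FFCAC   77C67B3E  RETURN to ntdll.77C67B3E from ntdll.77C67B3F
010FFCB0   FFFFFFFF  End of SEH chain
010FFCB4   77C88C8F  SE handler
"""
SEH_HEAD = 0x010FFC98
END_OF_CHAIN = 0xFFFFFFFF

ROW_RE = re.compile(r"^([0-9A-F]{8})\s+[|\\]?([0-9A-F]{8})")

def parse_stack(text):
    """Map each stack address to the 32-bit value OllyDbg shows there."""
    values = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            values[int(m.group(1), 16)] = int(m.group(2), 16)
    return values

def walk_seh(stack, head):
    """Follow the registration records from `head` (next pointer at +0, handler
    at +4) and return [(record_address, handler)]. A record outside the snapshot,
    misaligned, or not above the previous one raises ValueError instead."""
    chain, record = [], head
    while record != END_OF_CHAIN:
        if record & 3 or record not in stack or record + 4 not in stack:
            raise ValueError(f"bad SEH record address {record:08X}")
        nxt, handler = stack[record], stack[record + 4]
        chain.append((record, handler))
        if nxt != END_OF_CHAIN and nxt <= record:
            raise ValueError(f"SEH chain does not ascend: {record:08X} -> {nxt:08X}")
        record = nxt
    return chain

def chain_is_sane(stack, head=SEH_HEAD):
    """True when the chain from `head` can be walked to its end without errors."""
    try:
        walk_seh(stack, head)
        return True
    except ValueError:
        return False
```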

Origin blog.csdn.net/qq_22903531/article/details/131377928