Wednesday, August 31, 2011

Malware Analysis Tutorial 2 - Ring3 Debugging

Learning Objectives:
  • Efficiently master a Ring3 debugger such as Immunity Debugger
  • Can control program execution (step in, over, breakpoints)
  • Can monitor/change program state (registers, memory)
  • Comments annotation in Immunity Debugger
This tutorial can be used as a lab module in
  • Computer architecture
  • Operating systems
  • Discrete Maths (number system)
1. Introduction

To reverse engineer a malware, a quality debugger is essential. There are two types of debuggers: user level debuggers (such as OllyDbg, Immunity Debugger, and IDA Pro), and kernel debugger (such as WinDbg, SoftIce, and Syser). The difference between user/kernel level debuggers is that kernel debuggers run with higher privilege and hence can debug kernel device drivers and devices, while user level debuggers cannot. It is well known that modern OS such as Windows relies on the processor (e.g., Intel CPU) to provide a layered collection of protection domains. For example, on a typical Intel CPU, programs can run in four modes, from ring0 (kernel mode) to ring3 (user level). In this case, we also call user level debuggers "ring3 debuggers".

A natural question you might have is: Since ring0 debuggers are more powerful than ring3 debuggers, why not use ring0 debuggers directly? Well, there is no free lunch as always. Ring3 debuggers usually come with a nice GUI which can greatly improve the productivity of a reverse engineer. Only when necessary, we'll use the command-line ring0 debuggers (such as WinDbg). There is one exception though - recently, IDA Pro has introduced a GUI module which can drive WinDbg for kernel debugging. This is a nice feature and you'll have to pay for it.

In this tutorial, we assume that you would like to use open-source/free software tools. The following is a combination of debuggers we'll use throughout the tutorial: Immunity Debugger (IMM for short) and WinDbg.

2. Brief Tour of IMM

Now we will have a brief introduction of IMM. If you have not installed your Virtual Machine test bed, check out the first tutorial Malware Analysis Tutorial - A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) for setting up the experimental platform.

Figure 1. Screenshot of IMM

As shown in Figure 1, from left-top anti-clockwise, we have the CPU pane (which shows the sequence of machine instructions and user comments), the Register pane (which you can watch and modify the values of registers), the Stack pane and the Memory dump. Before we try to reverse engineer the first section of Max++, it is beneficial to learn how to use the short-cut keys in the debugger efficiently.

In general, to use a debugger efficiently, you need to know  the following :
  1. How to control the execution flow? (F8 - step over, F7 - step in, F9 - continue, Shift+F9 - continue and intercept exceptions)
  2. How to examine data? (In Memroy pane: right click -> binary -> edit, in Register pane: right click -> edit)
  3. How to set breakpoints? (F2 for toggle soft-breakpoint, F4 - run to the cursor, right click on instruction -> Breakpoint -> for hardware and memory access point)
  4. Annotation (; for placing a comment)
Most of the above can be found in the Debug menu of the IMM debugger, however, it's always beneficial to remember the shortcut keys. We now briefly explain some of the functions that are very useful in the analysis.

2.1 Execution Flow Control

The difference between step over/step in is similar to all other debuggers. Step in (F7) gets into the function body of a Call instruction. Step over (F8) executes the whole function and then stops at the next immediate instruction. Notice that F8 may not always get you the result you desire -- many malware employ anti-debugging techniques and use return-oriented programming technique to redirect program control flow (and the execution will never hit the next instruction). We will later see an example in Max++.

F9 (continue) is often used to continue from a breakpoint. Notice that the debugger automatically handles a lot of exceptions for you. If you want to intercept all exceptions, you should use SHIFT+F9. Later, we will see an example that Max++ re-writes the SEH (structured exception handler) to detect the existence of debuggers. To circumvent that anti-debug trick, you will use SHIFT+F9 to manually inspect SEH code.

2.2 Data Manipulation

In general, you have three types of data to manage: (1) registers, (2) stack, and (3) all other segments (code, data, and heap).

To change the value of a register, you can right click on the register and select Edit to change its value. Notice that when a register contains a memory pointer (the address of a memory slot), it is very convenient to right click on it and select "Follow in Dump" or "Follow in Stack" to watch its value.

The design of IMM does not allow you to directly change the value of EIP register in the Register pane. However, it is possible to change EIP using the Python shell window. We leave it as a homework question for you to figure out how to change EIP.

In the Memory Dump pane, select and right click on any data, and then select Binary->Edit. You can enter data conveniently (either as a string or binary number).

You are able to reset the code (as data). In CPU pane, right click and select "Assemble", you can directly modify the code segment by typing assembly instructions! You can even modify a program using this nice feature. For example, after modifying the code segment, you can save the modified program using the following approach:

   (1) Right click in CPU pane
   (2) Copy to Executable
   (3) Copy All
   (4) Close the dialog window (list of instructions that are modified)
   (5) Then a dialog asking for "save the file" pops. Select "yes" and save it as a new executable file.
2.3 Breakpoints

Software breakpoints (F2) are the post popular breakpoints. It is similar to the breakpoints available in your high-level language debuggers. You can have an unlimited soft breakpoints (BPs) and you can set conditions on a soft BP (e.g., to specify that the BP should stop the program only when the value of a register is equal to a certain number).

Soft BPs are implemented using the INT 3 instruction. Basically, whenever you set a breakpoint at a location, the debugger replaces the FIRST byte of that instruction with INT 3 (a one-byte instruction), and saves the old byte. Whenever the program executes to that location, an interrupt is generated and the debugger is called to handle that exception. So the debugger can then perform the condition check on the breakpoint and stop the program.

Hareware breakpoints can be set by right click in the CPU pane and then select Breakpoints -> Hardware, on execution. Notice that there are two other types hard BPs availalbe (memory read, memory access). As its name suggests, hard BPs are accomplished by taking advantage of hardware. On a Intel CPU, there are four hardware BP registers which records the location of hard BPs. This means that at any time, you can have up to 4 hard BPs.

Hardware BPs are very useful if you need to find out which part of the code modifies a variable. Just set a memory access BP on it and you don't have to look over the entire source code to find it out.

2.4 User Annotation

Although seemingly trivial, user comments and annotation is a very important function during a reverse engineering effort. In the CPU pane, pressing ";" allows you to add a comment to a machine instruction and pressing ":" allows you to label a location. Later when the location is referred to as a variable or a function, its label will be displayed. This will greatly ease the process of analysis.

3. Challenges of the Day

It's time to roll-up your sleeves and put all we have learned into practice! The objective today is to analyze the code snippet from 0x413BC8 to 0x413BD8. Answer the following questions. We will post the solution to these questions in the comments area.

Q1. What is the value of EAX at 0x413BD5 (right before int 2d is executed)?
Q2. Is the instruction "RET" at 0x413BD7 ever executed?
Q3. If you change the value of EAX to 0 (at 0x413BD5), does it make any difference for Q2?
Q4. Can you change the value of EIP at 0x413BD5 so that the int 2d instruction is skipped?
Q5. Modify the int 2d instruction at (0x413BD7) to "NOP" (no operations) and save the file as "max2.exe". Execute max2.exe. Do you observe any difference of the malware behavior? (check tutorial 1 Malware Analysis Tutorial - A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) for monitoring the network traffic)

Thursday, August 25, 2011

Malware Analysis Tutorial 1 - VM Based Analysis Platform

Learning Goals:
  1. Configure a virtual machine based experimental platform for malware analysis.
  2. Master basic network sniffing/monitoring skills
This Lesson Can be Used as a Lab Module in:
  1. Computer Networks and Communication Protocols
  2. Operating Systems
Challenge of the day:

          Run the Max++ malware, can you describe its network activities?

For those of you who had trouble with downloading the sample from offensive computing, here is another link:

Or follow Bonfa's tutoria [1] on the download instructions. Bonfa's tutorial is perfect a general introduction/analysis of Max++.

    1. Introduction

    This tutorial is intended for those who are interested in malware analysis. We take a step-by-step approach to analyzing a malware named ZeroAccess. Giuseppe Bonfa has provided an excellent analysis [1] of the malware. This mini-series will help you to gain hands-on experiences with the analysis. We assume that you have some basic understanding of X86 assembly, debugging, operating systems, and programming language principles. Instructors are welcome to use this tutorial and integrate it in computer science courses such as computer architecture and operating systems. If you are using this material in your classes, we would appreciate if you follow up with a comment on this site and provide some basic information about your course so that we know our tutorial is helpful.

    The purpose of this lesson is to set up a virtual machine based analysis environment. Before rolling up your sleeves, please make sure you have the following:
    1. Windows XP SP2 installation disk (Note: it has to be SP2)
    2. Linux Ubuntu installation disk (the version we use in this tutorial: Ubuntu 10.04 lucid LTS. The version does not really matter)
    3. A computer loaded with XP, with at least 50GB of disk space. (later, we refer to this computer: the "host XP")
    4. High-speed Internet
    5. An account on (
         If the screen resolution is too small, start the XP guest, and then click the "Install Guest Additions", and then reboot the XP Guest and adjust its screen resolution ("Right click on desktop -> Properties -> Settings").

    2. Software Installation

    We will need to download a number of other open-source/free software tools. The installation process is straightforward and we omit most of the details here. The installation process may take about 5 hours. (Hofstra students can check out DVD images of VBox instances from my office Adams 203.)
    1. Install Oracle Virtual Box v4.04 on your host XP. (
    2. Create a Windows XP Guest (using your SP2 installation disk. For the VM itself, assign at least 256MB RAM and 10GB disk space.) on VBox manager.(later we refer to this VM instance as "guest XP"). Install the following on your guest XP.
      1. Python 2.7.
      2. Immunity Debugger (
      3. IDA Pro Debugger Free Version ( Note: get the free version but not the evaluation version - it does not allow saving dbg databases)
      4. HxD (a binary editor
      5. * Download the Malware instance of Max++ from (instructions available in [1]. The file name is "Max++ downloader install_2010". Don't run it!!!)
      6. After the above is done, take a snapshot of the guest SP in VBox. A snapshot allows you to quickly recover to the original status of the system.
    3. On your host XP, install WinDbg ( You might choose to download the entire XP debugging symbols on your host XP (which might speed up the debugging a little).
    4. Create a Linux Ubuntu Guest (using your Ubuntu 10.04 installation disk. Assign at least 512MB RAM and 10GB disk space) on VBox. Install the following (you can use apt-get or System->Administration->Synaptic Package Manager which has GUI).
      1. Wireshark (a sniffer. "sudo apt-get install wireshark" to install) 
      2. GDB (GNU debugger)
      3. g++ (c++ compiler)
      4. Python

        The current resolution of Linux guest is too small. You can change the screen resolution following the instructions listed on Linux Format Forum [2].
    3. Configuration

    Up to now, both of your VM guests should have Internet access. What we will do next is to configure both instances so that all the traffic from the XP guest will have to go through the Linux guest. On the Linux guest, we use Wireshark to monitor the network traffic of XP guest when the malware is running. The design is shown in the following figure.

    3.1 XP Guest

    Now power off your XP Guest.In VBox manager, right click on the XP Guest and select "Setting". We will set up the network adapters of XP Guest.

    In Network -> Tab "Adapter 1": (1) click the "Enable network adapter" checkbox, and (2) select "Internal Network" for "Attached To". (Note: please make sure to use the default network name "intnet" assigned by the VBox manager.)This allows us to separate the XP Guest from the outside world and connects to an internal network managed by the VBox manager.

    Then we will enable a serial port for WinDbg. The setting is shown as below. Note that it is important to set up the Port/File Path "\\.\pipe\com_11" and the simulate the port as "Host Pipe".

    Vt-x is a special CPU technology that is used to support virtualization. In Virtual Box, you have to enable it, otherwise hardware breakpoints will not work. Later you will see that the Max++ malware smartly takes advantage of hardware BP for hijacking system calls and it relies on hardware BP - you have to enable the Vt-x, as shown in the following figure.

    3.2 Linux Guest

    We now set up the Linux guest as the gateway computer of the internal network (power off the VBox instance first). It will have two adapters: one connects to the internal network and the other connects to the outside.The following figure shows the setting of the first adapter (Internal Network). In adapter 2, sets the network type ("Attached To") to "NAT". As you know, NAT stands for Network Address Translation. This provides a further layer protection of our VM instances.

    Note: click the "Advanced" key and make sure that the "Adapter Type" is "Intel Pro/1000". Also change the last two digits of the MAC address to "01" (so that we can easily identify it as Adapter 1 later); similarly change the last two digits of the MAC of the second adapter to "02". If you are using VBox 4.1.0 or later, in the Advanced tab, there is an additional checkbox for "Promiscuous" mode, select "allow for all" (so that all traffic will be intercepted).

     Now reboot the Linux Ubuntu guest. We need to configure it as a gateway computer. Follow the instructions below:
    1. Start a terminal window and type "ifconfig" to get the information of all available adapters. You should be able to see three of them, e.g., in my case "eth1", "eth2", and "lo" (the local loophole interface). If you look at their MAC addresses, you can verify that they are the ones that we set in the VBox manager earlier. Let us assume "eth1" corresponds to the adapter "xx...:01" and "eth2" corresponds to adapter "xx...:02".
    2. System -> Preference -> Network Connections. First delete all existing network connections, and set up the first wireless connection following the figures below (use as the static IP). Note that you can get the Gateway for it should be "" (make sure to hit enter when you finish typing in the third cell - the GUI of Ubuntu has some problems - if you don't hit enter, it will forget the entry you just added), because this is the link to the local internal network and the computer itself is the gateway. Similarly, set up the second wired connection (for the NAT connection), but this time, use DHCP for assigning the IP addresses. Here we are lazy to use the Ubuntu GUI. There are equivalent ifconfig commands for achieving the above if you are interested in exploring by yourself.

        3. Now now set up the IP forwarding. Create a file named "" and "chmod 755". The shell script consists of three commands as shown below:

      sudo sysctl -w net.ipv4.ip_forward=1
     sudo iptables -P FORWARD ACCEPT
     sudo iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

     The first is to enable the ip_forward features of the ipv4 stack in the Linux kernel. The second is to set up the internal firewall called "iptables" to allow forwarding packets. The third is to add a post routing tool and forward all packets to eth2 (note: eth2 is your outlink which corresponds to adapter 2. On your system, it may be a different name).

    3.3 Reconfigure XP Guest

    Now we go back and reset the XP Guest so that it has the Internet access via the Ubuntu guest. Do a "nslookup" in your Ubuntu guest and find out DNS server used. Then go to the XP Guest -> Control Panel -> Network Connections -> Right Click (Properties) -> TCP/IP (Properties) -> set the static IP to and set the gateway computer to Set up the DNS server correspondingly. Start a browser and you will NOT have the Internet access yet!.

       You need to go back to the Ubuntu guest and  "sudo ./".  Then you can verify that your XP guest now has the Internet access. Again, "sudo wireshark " you can intercept all the traffic from/to the XP guest (note: when wireshark is started, be sure to click ok on the dialog it pops - otherwise your wireshark is frozen).

    4. Challenge of the Day and Conclusion

    We have successfully constructed a simple analysis environment for Max++. Using the Linux Ubuntu Guest, we can intercept all the packets sent by the malware. The virtual machine technology has provided us the great benefits of quick restoration if any system is broken.

    You should now make a snapshot of both the XP and Ubuntu guest systems.

    Finally, the challenge of the day:

              Run the Max++ malware, can you describe its network activities?

    [1] Guiseppe Bonfa, "Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit", Available at

    [2] udroomla , "How To Increase Screen Resolution with VirtualBox and Ubuntu", Available at

    Copyright. 2011. Dr. Xiang Fu. Department of Computer Science, Hofstra University.
    GNU Generic Public License V3.