In the last tutorial we covered Assembly Language (ASM) which is the beginning of where the road starts in our journey. We covered an overview of Ollydbg. This tutorial we will be doing a part 2 Introduction of Ollydbg and I will show you how to use basic modules. We will cover the rest in Part 3 of Ollydbg. I will analyze a crypted .exe and see if I can get the IP Address of the source.
Introduction Part 2 Ollydbg: Using Ollydbg for the first time
You can find all the tools in the Whitehat Lab link above. Tools used in this tutorial: Ollydbg 1.0 (not 2.0), r4ndom's Ollydbg, a Virtual Machine, Exeinfo, TCPView, Cuckoo Sandbox and KfSensor.
What is Olly Debugger?
OllyDbg (named after its author, Oleh Yuschuk) is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, and locates routines from object files and libraries.
Here’s a pic of Olly’s main display, along with some labels:
Olly opens with the default window, CPU, open. This is where most of the “big-picture” data is. It is separated into 4 main fields: Disassembly, Registers, Stack, and Dump.
You can find the main display under C in the letter toolbox.
We covered this in the last tutorial, Intro Part 1, linked above at the top. Now let’s see how to use it.
Once you have Cuckoo Sandbox running in your virtual machine and have opened Ollydbg, load the .exe in Ollydbg. I found this file on YouTube, your #1 place for finding malware, no joke.
Okay, for this tutorial we aren’t really going to crack anything or reverse anything. We are going to see how to use Ollydbg when you have only just opened an .exe in it. The reason I am doing it this way is that I posted a crackme, so you can do it as homework to see if you learned anything.
Now, on top in the menu bar, click Options>Debugging Options>Events.
Now we will select the M button in the letter box on top of Olly to look at the memory tab.
First we will see the section called “PE Header”. This is a very important section, one we will get very much into in a future article. For now, just know that it is like an instruction manual for Windows with steps for loading this file into memory, how much space it needs to run, where certain things are etc. It is at the head of just about any exe (and DLL for that matter).
Look you can see the dependencies below:
A Dll file is a collection of functions that our program can call that have been provided by windows (or another programmer). These are things such as opening dialog boxes, comparing strings, creating windows and the like. Collectively, these are the Windows API. The reason programs use these is because if we had to program every function, just displaying a message box could take thousands of lines of code. Instead, Windows has provided a function like CreateWindow that does this for us. This makes programming much, much easier for the programmer.
Now up at the letter box Click E. This shows entry points in different modules.
The first thing we notice is that the starting address where the PE Header was, which we saw in the memory tab, is also where the entry point is.
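To show what the PE header actually tells Windows (where the image loads, where execution starts, and how the sections are laid out), here is an added example that is not part of the original tutorial: a small PE parser in Python that reads the same fields Olly shows in the memory map and the E (entry points) window. The input is a constructed, minimal PE32 header built in the script itself, not the sample from the post.

```python
import struct

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (headers only, no real code)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: NT headers at 0x40
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=224, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1200)                   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<I", opt, 56, 0x3000)                   # SizeOfImage
    # One section header: .text, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400,
                      0, 0, 0, 0, 0x60000020)                 # code | execute | read
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec

def parse_pe(data: bytes) -> dict:
    """Return entry point RVA, image base and section table of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                       # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                        # PE32: 4-byte ImageBase at +28
        base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: 8-byte ImageBase at +24
        base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rptr, "rsize": rsize})
    return {"entry_rva": entry, "image_base": base, "sections": sections}

def entry_section(info: dict):
    """Name of the section holding the entry point; None means it lies outside every
    section, which is worth a closer look when a file appears packed/crypted."""
    for s in info["sections"]:
        if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(hex(info["image_base"] + info["entry_rva"]), entry_section(info))
```

The virtual address Olly lists as the entry point is ImageBase plus AddressOfEntryPoint; comparing it against the section table is how you tell whether execution starts in .text or somewhere unusual.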
Right click the first one and click view all resources.
The Resources box will open and you will see which resources are connected to that module. Pick one and right click>Dump.
This shows us an .xml in that module which is requesting privileges. Each dump will be different.
Running the program
If you look in the top left corner of Olly you should see a yellow window that says “Paused”. This is telling you that the app is paused (at the beginning in this case) and ready for you to do something. So let’s do something! Try hitting F9 (or choose “Run” from the “Debug” menu option). After a second, our program will pop up a dialog box (it may open behind Olly, so minimize Olly’s window to make sure).
Warning: This doesn’t mean go to File>Open; you already opened the .exe. Now go to Debug>Run or press F9. Also, if you aren’t in a Virtual Machine, don’t open a malicious .exe. Only crackmes.
That same box that said Paused should now say Running. This means that the app is running, but running inside Olly. You may interact with our program, in fact, do. See how it works and what it does. If you accidentally close it, click back over to Olly and hit ctrl-F2 (or choose Debug->Restart) to re-load the program, and you can hit F9 to run it again.
Now try this: as the program is running, click over to Olly and click the pause icon (or press F12, or choose Debug->Pause). This will pause our program wherever in memory it happened to be running. If you now try to view the program, it will look funny (or won’t show up at all). This is because Windows is not updating the view while it is paused. Now hit F9 again and you should be able to play with the program again. If anything goes wrong, just click the double left-facing arrow icon or choose Debug->Restart (or ctrl-F2) and the app will re-load and pause at the beginning. You can now run it again if you wish.
Now the program should be open.
Now you will have more info about what the program is doing when it is actually executed. Go to the letterbox and click T for Threads.
Okay, we see the Errors column, which in this case reads “The operation completed successfully”. See the list of Windows error codes to see what each one means.
Right click and let’s suspend all threads.
Now go to C in the letterbox, right click and hit Search for>All referenced strings.
Lots of Unicode with info about our registry. Click C on the letterbox, go to the Disassembler window and right click Ultra String Reference>Find Unicode.
Part of that giant block of text strings: look at what we see first down the code: Install Root, Disable Sessions, Disable Processes, svchost.exe
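The Find Unicode step above is just a string scan over the loaded image, so here is an added example (not from the original tutorial) that does the same thing offline in Python: it pulls ASCII and UTF-16LE (Windows “Unicode”) strings out of a byte buffer and flags the ones the post calls out. The buffer is a constructed sample, not the analysed file, and the indicator list is an assumption based on the strings named in the post.

```python
import re

# Constructed sample of a file image: UTF-16LE and ASCII strings separated by
# binary padding, mimicking what the Unicode string search turns up in Olly.
SAMPLE = (b"\x00\x10MZ\x90\x00" + "Install Root".encode("utf-16-le") + b"\x00\x00\x7f"
          + "Disable Sessions".encode("utf-16-le") + b"\x00\x00"
          + b"kernel32.dll\x00" + b"\xff\xfe" + "svchost.exe".encode("utf-16-le")
          + b"\x00\x00" + b"ab\x00")

# Indicator strings to flag; assumed here from the ones the post points out.
SUSPICIOUS = ("svchost.exe", "install root", "disable sessions", "disable processes")

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, kind, text) for every printable ASCII run and every
    UTF-16LE run of at least min_len characters, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # char + NUL pairs
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)

def triage(data: bytes) -> dict:
    """Map each matched indicator to the (offset, kind) places it was seen."""
    hits = {}
    for off, kind, text in extract_strings(data):
        for needle in SUSPICIOUS:
            if needle in text.lower():
                hits.setdefault(needle, []).append((off, kind))
    return hits

if __name__ == "__main__":
    for off, kind, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {kind:7} {text}")
    print(triage(SAMPLE))
```

A string like svchost.exe inside an unrelated binary is not proof of anything on its own; it is the reason to go and check the process list and network connections next, which is exactly what the TCPView step below does.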
We will explain breakpoints in the next tutorial. Now the tracing part. Keep everything running and open up TCPView. Look for svchost.exe. Now, on my virtual machine I have zero svchost processes, so I know this is the botnet.
First let’s open the file up in exeinfoPE to see if it’s crypted.
It appears to be crypted, but here’s what blackhats don’t understand: just because your .exe is crypted doesn’t mean your connection is.
I will first open TCPView which shows us process names with IPs, Ports, etc. Then I will open KFSensor which is a honeypot for Botnets and other malware. -ro0ted
Lastly, let’s put the IP in our browser.
403 = The 403 Forbidden error means that whatever resource or webpage you were trying to access is forbidden from being accessed. In the next tut I will show you how to steal bots from IRC servers, and show you breakpoints, tracing API calls, and more. Till next time. - ro0ted