Advanced Dynamic Analysis

PreviousAdvanced Static Analysis NextMalware Development

Last updated 6 days ago

Advanced Dynamic Analysis

In this we will run programs with debuggers to see control flow of executables

like x32dbg, x64dbg

coorelating debugger and wireshark together to see exact moment a call is made to internet

EIP is the instruction register which holds address to register who will execute next.

analyzing stack content before a function call

using procmon too with debugger to see exact instructions it executed

Exact instructions that drop new .exe file in documents directory

In x32dbg we can do Ctrl+G to go to a offset address. e.g. from cutter we know certain function is at certain aaddress we can use that in x32dbg to go that location

in cutter the second column you see is

✅ Raw bytes (opcode + operands) of the instruction in hexadecimal

55 is code for push ebp

in x32dbg if you do follow disassembler and want to go back use - button to go back

the and esp,ffffff0 you see doing stack alignment meaning making the esp address value divisible by 16

also

0x2E = 0010 1110 = 46

which: 32 14 = 46

edit

from dump sectionw we can change binary data or select individual hex char and update them to manipuate program.

from right side we can double click on zero flags to edit them.

What is "Nopping" in Assembly?

"Nopping" (from the instruction NOP, which stands for "No Operation") is the act of replacing code—usually instructions—with NOPs, which are assembly instructions that do literally nothing except advance the instruction pointer.

🔧 The NOP Instruction:

In x86 assembly, the NOP instruction has the opcode: 0x90

Example of Nopping Out a Jump:

Original:

asmCopyEditcmp eax, ebx
je  SHORT some_label ; 2-byte jump

Nopped version:

asmCopyEditcmp eax, ebx
nop
nop

Now the jump never happens, so the code always continues straight through.

Full Function Call Lifecycle (x86, 32-bit)

📌 Key players:

call ➝ pushes return address (aka EIP) onto the stack.
leave ➝ does mov esp, ebp + pop ebp
ret ➝ pops the return address (EIP) from the stack and jumps there.

⚙️ Step-by-step: What pushes EIP and when?

💥 1. call some_function

What happens:
- CPU pushes the current EIP (address of next instruction after the call) onto the stack.
- Then it jumps to some_function.

call some_function
; Behind the scenes:
push eip  ; (not literally written like this, but that's what happens)
jmp some_function

So now the stack looks like:

p[esp] → return address (the EIP to go back to after the function)

📦 2. In some_function (Prologue):

Typical function setup looks like:

push ebp         ; save old base pointer
mov ebp, esp     ; set new base pointer
sub esp, XX      ; reserve space for local variables

Now we’ve got a stack frame set up.

🔚 3. At the end: leave + ret

asmCopyEditleave            ; does:
  mov esp, ebp
  pop ebp        ; restores caller’s frame

ret              ; does:
  pop eip        ; grab return address from stack and jump to it

So:

Who pushed EIP? → call did.
Who popped EIP? → ret did.

🧠 TL;DR

PreviousAdvanced Static Analysis NextMalware Development

Last updated 6 days ago

In this we will run programs with debuggers to see control flow of executables

like x32dbg, x64dbg

coorelating debugger and wireshark together to see exact moment a call is made to internet

EIP is the instruction register which holds address to register who will execute next.

analyzing stack content before a function call

using procmon too with debugger to see exact instructions it executed

Exact instructions that drop new .exe file in documents directory

In x32dbg we can do Ctrl+G to go to a offset address. e.g. from cutter we know certain function is at certain aaddress we can use that in x32dbg to go that location

in cutter the second column you see is

✅ Raw bytes (opcode + operands) of the instruction in hexadecimal

55 is code for push ebp

in x32dbg if you do follow disassembler and want to go back use - button to go back

the and esp,ffffff0 you see doing stack alignment meaning making the esp address value divisible by 16

also

0x2E = 0010 1110 = 46

which: 32 14 = 46

edit

from dump sectionw we can change binary data or select individual hex char and update them to manipuate program.

from right side we can double click on zero flags to edit them.

What is "Nopping" in Assembly?

🔧 The NOP Instruction:

In x86 assembly, the NOP instruction has the opcode: 0x90

Example of Nopping Out a Jump:

Original:

asmCopyEditcmp eax, ebx
je  SHORT some_label ; 2-byte jump

Nopped version:

asmCopyEditcmp eax, ebx
nop
nop

Now the jump never happens, so the code always continues straight through.

Full Function Call Lifecycle (x86, 32-bit)

📌 Key players:

call ➝ pushes return address (aka EIP) onto the stack.
leave ➝ does mov esp, ebp + pop ebp
ret ➝ pops the return address (EIP) from the stack and jumps there.

⚙️ Step-by-step: What pushes EIP and when?

💥 1. call some_function

What happens:
- CPU pushes the current EIP (address of next instruction after the call) onto the stack.
- Then it jumps to some_function.

call some_function
; Behind the scenes:
push eip  ; (not literally written like this, but that's what happens)
jmp some_function

So now the stack looks like:

p[esp] → return address (the EIP to go back to after the function)

📦 2. In some_function (Prologue):

Typical function setup looks like:

push ebp         ; save old base pointer
mov ebp, esp     ; set new base pointer
sub esp, XX      ; reserve space for local variables

Now we’ve got a stack frame set up.

🔚 3. At the end: leave + ret

asmCopyEditleave            ; does:
  mov esp, ebp
  pop ebp        ; restores caller’s frame

ret              ; does:
  pop eip        ; grab return address from stack and jump to it

So:

Who pushed EIP? → call did.
Who popped EIP? → ret did.