Advanced Dynamic Analysis
Last updated
Last updated
In this we will run programs with debuggers to see control flow of executables
like x32dbg, x64dbg
coorelating debugger and wireshark together to see exact moment a call is made to internet
EIP is the instruction register which holds address to register who will execute next.
analyzing stack content before a function call
using procmon too with debugger to see exact instructions it executed
Exact instructions that drop new .exe file in documents directory
In x32dbg we can do Ctrl+G to go to a offset address. e.g. from cutter we know certain function is at certain aaddress we can use that in x32dbg to go that location
in cutter the second column you see is
✅ Raw bytes (opcode + operands) of the instruction in hexadecimal
55 is code for push ebp
in x32dbg if you do follow disassembler and want to go back use - button to go back
the and esp,ffffff0 you see doing stack alignment meaning making the esp address value divisible by 16
also
0x2E = 0010 1110 = 46
which: 32 14 = 46
from dump sectionw we can change binary data or select individual hex char and update them to manipuate program.
from right side we can double click on zero flags to edit them.
"Nopping" (from the instruction NOP, which stands for "No Operation") is the act of replacing code—usually instructions—with NOPs, which are assembly instructions that do literally nothing except advance the instruction pointer.
In x86 assembly, the NOP instruction has the opcode:
0x90
Original:
Nopped version:
Now the jump never happens, so the code always continues straight through.
call ➝ pushes return address (aka EIP) onto the stack.
leave ➝ does mov esp, ebp + pop ebp
ret ➝ pops the return address (EIP) from the stack and jumps there.
💥 1. call some_function
What happens:
CPU pushes the current EIP (address of next instruction after the call) onto the stack.
Then it jumps to some_function.
So now the stack looks like:
📦 2. In some_function (Prologue):
Typical function setup looks like:
Now we’ve got a stack frame set up.
🔚 3. At the end: leave + ret
So:
Who pushed EIP? → call did.
Who popped EIP? → ret did.
SOmetimes when analyzing binary in cutter or other decompiler we need to changed assesmble instructions so we can force it to unexpected things. In cutter we can change assesmbly instructions and patch the binary. We just have to open binary in write binary.
this can be used for defeating anti-analysis techniques.
As we can force binaries to run irrespective of what it's defense mechanisms are
Malware authors use to make analyst life and process harder by:
general as obfuscation, where malware samples are filled with junk strings, null byte overlays, and other random stuff.
Special code to detect when it is beingdebugged, identify if it is in a virtual machine, and even identify if it is in a specific environment like FLARE-VM!
e.g.
Another basic technique would be usage of IsDebuggerPresent api call
Determines whether the calling process is being debugged by a user-mode debugger.
Return value
If the current process is running in the context of a debugger, the return value is nonzero.
If the current process is not running in the context of a debugger, the return value is zero.
We can update the binaries in run time to alter the execution behaviour , without actually changing the binary on disk.
liek updating jump instructions in x64dbg to change control flow to bypass something e.g. bypassing isdebuggerPresent call bypass.
THis medium article explains more:
