Practical Malware Analysis - Chapter 8 Lab Write-up

Chapter 8. Debugging

Source-Level vs. Assembly-Level Debuggers

  • Source-Level = Used within an Integrated Development Environment (IDE) during development
  • Assembly-Level = Used to operate on compiled binaries and their associated assembly code

Kernel vs. User-Mode Debugging

  • Kernel debugging is performed across two systems, because a breakpoint hit in the kernel would halt the whole system being debugged. WinDbg is a popular tool that supports kernel debugging.
  • OllyDbg is a popular debugger, useful for user-mode debugging of individual compiled binaries.
  • A newer popular debugger is x64dbg, which likewise targets user-mode debugging of individual compiled binaries.

Using a Debugger

Single-Stepping

Single-stepping executes one assembly instruction at a time, returning control to the debugger after each one.

Stepping-Over vs. Stepping-Into

  • Step-Over = Execute the called sub-function in full without stopping inside it, and pause at the next instruction after it returns.
  • Step-Into = Enter the called sub-function and pause at its first instruction.

Pausing Execution with Breakpoints

  • Breakpoints = Pause execution of the program at a chosen instruction.

Software Execution Breakpoints

The most common type. The debugger sets one by overwriting the first byte of the target instruction with 0xCC, the opcode of Int 3, the interrupt reserved for debugger breakpoints. If the program modifies its own code at that location during execution, the 0xCC byte is overwritten and the breakpoint is silently removed.
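The following Python model is an added example (not from the book or this write-up) of the bookkeeping a debugger performs for an Int 3 breakpoint: saving the original byte, planting 0xCC, rewinding EIP when the breakpoint fires, and noticing when self-modifying code has overwritten the 0xCC. The code bytes and addresses are constructed for illustration, not taken from any real binary.

```python
INT3 = 0xCC  # one-byte opcode of the x86 INT 3 instruction

# Constructed sample: plausible x86 instruction bytes standing in for a code page
# (55 push ebp | 8B EC mov ebp,esp | 83 EC 08 sub esp,8 | 83 F8 01 cmp eax,1 |
#  75 02 jne +2 | 31 C0 xor eax,eax | C3 ret). Offsets double as addresses.
SAMPLE_CODE = bytes.fromhex("558bec83ec0883f801750231c0c3")


class SoftwareBreakpoints:
    """Debugger-side bookkeeping for Int 3 breakpoints over a writable code image."""

    def __init__(self, code: bytes):
        self.mem = bytearray(code)   # the debuggee's code as the debugger sees it
        self.saved = {}              # address -> original first byte of the patched instruction

    def set(self, addr: int) -> None:
        # Save the byte being replaced, then plant 0xCC in its place.
        if addr not in self.saved:
            self.saved[addr] = self.mem[addr]
            self.mem[addr] = INT3

    def on_int3(self, eip: int):
        # INT 3 is one byte long, so when the exception arrives EIP points one past it.
        addr = eip - 1
        if addr not in self.saved:
            return None                    # not ours: an Int 3 the program itself contains
        self.mem[addr] = self.saved[addr]  # put the real first byte back so it can execute
        return addr                        # the debugger rewinds EIP to this address

    def rearm(self, addr: int) -> None:
        # After single-stepping the restored instruction, plant 0xCC again.
        self.mem[addr] = INT3

    def is_intact(self, addr: int) -> bool:
        # False once something other than the debugger has written over the 0xCC.
        return addr in self.saved and self.mem[addr] == INT3

    def read_original(self, start: int, length: int) -> bytes:
        # What the debugger displays: planted 0xCC bytes are masked with the saved originals.
        return bytes(self.saved.get(a, self.mem[a]) for a in range(start, start + length))


if __name__ == "__main__":
    dbg = SoftwareBreakpoints(SAMPLE_CODE)
    dbg.set(6)                                 # break on the cmp eax,1 at offset 6
    print(dbg.mem[6:9].hex(), dbg.read_original(6, 3).hex())  # in memory vs. as displayed
    print(dbg.on_int3(7))                      # CPU reports EIP=7 after executing the 0xCC
    dbg.rearm(6)
    dbg.mem[6:9] = bytes.fromhex("83f802")     # the program patches its own code
    print(dbg.is_intact(6))                    # breakpoint silently lost
```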

Hardware Execution Breakpoints

The x86 (32-bit) architecture provides dedicated hardware debug registers for hardware breakpoints. The processor compares the address being accessed against the addresses stored in these registers and breaks on a match. Only four hardware breakpoint addresses can be stored at once.

Conditional Breakpoints

Implemented as software breakpoints with an attached condition, for example a comparison against data on the stack. Every time the instruction is reached the debugger stops and evaluates the condition, resuming execution if it does not hold. Because of this, a conditional breakpoint on a frequently executed instruction noticeably slows the program down.

Exceptions

First and Second Chance Exceptions

  • First Chance Exception = The first opportunity to handle an exception. If an exception handler is registered, it catches the error first and can choose how to handle it (e.g. by ignoring it or by producing output the user can see). This is the path taken when no debugger is attached.
  • Second Chance Exception = An exception that was not handled on its first chance is passed on as a second-chance exception. A debugger catches it at this point; without the debugger the program would have crashed.

Common Exceptions

  • The most common is the Int 3 exception (when a debugger is attached it gets the first chance at this exception, e.g. when a breakpoint is hit).
  • Single-stepping also generates an exception: with the “trap flag” set, the processor raises one after each instruction executes.
  • Memory-access violations occur when an instruction references an invalid memory address or violates the access protections on the memory.

Modifying Execution with a Debugger

Common techniques are setting breakpoints and modifying the instruction pointer (the EIP register) to skip over functions.

Modifying Program Execution in Practice

For example, set a breakpoint just before a compare instruction and modify the value of the register being compared (e.g. EAX) so that the comparison takes the branch you want to follow.

This concludes Chapter 8; proceed to the next chapter.