OllyDbg

From aldeid
Jump to: navigation, search
Draft.png
DRAFT
This page is still a draft. Thank you for your understanding.

Description

What is OllyDbg?

OllyDbg is an x86 debugger developed by Oleh Yuschuk. OllyDbg is commonly used by malware analysts and reverse engineers because it's easy to use and it has many plug-ins that extend its capabilities.

Versions

There are 2 main versions available for OllyDbg:

  • Version 1: this version is still in use by many analysts because the majority of the plugins have been developped for this release
  • Version 2: more advanced with new features but not all plugins have been ported yet for this version

OllyDbg's Interface

Main view

OllyDbg's main interface is split into 5 different regions as follows:

  1. Disassembler window: shows the disassembled code as it is executed
  2. Registers window: shows the registers along with their value in real time (when a value is changed, it appears in red). You can modify the value of these registers but right-clicking on the value.
  3. Information window: brings information about the current line of code (e.g. if a jump is taken)
  4. Stack window: current state of the stack in memory
  5. Memory dump window: dump of live memory for the debugged process

OllyDbg-interface.png

Main menu

OllyDbg-menu.png

Executing code Windows
Icon Hotkey Description
OllyDbg-icon-run.png F9 Run
OllyDbg-icon-pause.png F12 Pause
OllyDbg-icon-step-into.png F7 Single-step / Step-into
OllyDbg-icon-step-over.png F8 Step-over
OllyDbg-icon-animate-into.png Ctrl+F7 Animate into
OllyDbg-icon-animate-over.png Ctrl+F8 Animate over
OllyDbg-icon-run-until-return.png Ctrl+F9 Run until return
OllyDbg-icon-execute-till-user-code.png Alt+F9 Run until user code
Icon Description
[L] Log data
[E] Executable modules
[M] Memory map
[T] Threads
[W] Windows
[H] Handles
[C] CPU
[/] Patches
[K] Call stack of main thread
[B] Breakpoints
[R] References
[…] Run trace
[S] Source

Windows

Names

The Names window shows the IAT:

OllyDbg-log-names-window.png

Log data

Displays logs.

OllyDbg-log-data-window.png

Executable modules

Displays a list of executable modules loaded with the debugged program.

OllyDbg-executable-modules-window.png

Memory map

The Memory Map window displays all memory blocks allocated by the debugged program. If you double click on a row, it will bring you to the memory dump of the section.

OllyDbg-memory-map-window.png

Threads

OllyDbg-threads-window.png

Windows

OllyDbg-windows-window.png

Handles

OllyDbg-handles-window.png

CPU

Display the main interface.

Patches

Shows modifications (patches) that have been applied to the code.

OllyDbg-patches-window.png

Call stack of main thread

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Breakpoints

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

References

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Run trace

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Source

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Debugging malware

Load malware

Open an executable

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Attaching to a Running Process

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Load a DLL

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Executing the malware

Run (F9)

Commonly used to run the analyzed executable immediately or after a breakpoint has been reached.

Run to selection (F4)

Run until the selected instruction

Pause (F12)

Very seldom used. Enables to pause the analyzed executable

Step into (F7)

Execute a single instruction and pause. Dive into the function's instructions.

Suppose we are analyzing the following code:

Ollydbg-step-in-001.png

Step into will follow the function and the debugger will pause at the first instruction of the called function:

Ollydbg-step-in-002.png

Step over (F8)

Execute a single instruction and pause. If the instruction is a function, does not dive into the function's instructions

In the previous example, step over will make the debugger pause at the next line:

Ollydbg-step-over.png

Execute till Return (Ctrl+F9)

Will pause execution just before the current function is set to return.

Useful when you want a program to pause immediately after the current function is finished executing

Execute till User (Alt+F9)

Useful during malware analysis if you get lost in the code.

Will cause the program to run until the execution returns to compiled malware code (typically the .text section)

Execute a given function

This can be useful when debugging a DLL. It consists of modifying the EIP to point to the address of the function to be executed.

Go to the address of the function (
Ctrl
+
G
), right click and select "New origin here":

Flare-on-challenge-1-c5-071.png

Then press
F9
to run the executable.

Breakpoints

Info.png
Note
Refer to this page for more information about breakpoints.
Software breakpoint
To implement a software breakpoint, go to the line you want the program to pause and hit F2 or right click and select "Breakpoint > Toggle".
Hardware breakpoint
To implement a software breakpoint, right click on the line where you want to set the breakpoint and select "Breakpoint > Hardware, on Execution".
Conditional breakpoint
To implement a software breakpoint, go to the line you want the program to pause and hit Shift+F2 or right click and select "Breakpoint > Conditional".
Memory breakpoint (on access)
To apply a memory breakpoint on access (read, write or execute), select "Breakpoint > Memory, on Access" from the right-click menu.
Memory breakpoint (on write)
To apply a memory breakpoint on access (read, write or execute), select "Breakpoint > Memory, on Write" from the right-click menu.

Tracing

  • To activate the trace:
    Debug
    >
    Trace Into
    (or
    Ctrl
    +
    F11
    )
  • To see the trace log:
    View
    >
    Run trace

Plugins


Comments

blog comments powered by Disqus