A close and personal look at debugging using OllyDbg, including a walkthrough of debugging a recent malware.
Introduction
OllyDbg is 32-bit debugging tool used to analyze binary code. Its popularity is tied to being able to use it despite not having access to the source code. OllyDbg can be used to evaluate and debug malware. Ollydbg is a popular debugger due to its ease of use and being freeware. Some of the other features of OllyDbg:
- Interactive GUI
- Traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings*
- Debugs DLLs
- Third party plugins available
- Logs known functions arguments
- Assembles commands into shortest binary form*
- Shows fixups
- Is not installed so no registry or directory clutter
(http://www.ollydbg.de)
Malware Analysis
Ollydbg is useful in analyzing malware. If you plan to analyze malware on your own you want to ensure you have your environment setup to protect yourself and your assets. This should be done in a closed environment within a virtual machine. Using a virtual machine is not enough. Do some research on best ways to isolate your environment. Avoid using bridged mode as it leaves your network exposed.
Ollydbg is meant to run on a windows platform. If you are creating a virtual environment using Kali Linux instead of Windows, you will need to use wine to run Ollydbg. This is important to note as many researchers prefer using Kali Linux for analysis. It is important to note that if using a dissembler, it is expected the user have knowledge of the assembly language. It will help tremendously in the evaluation of the code.
In order to do so navigate to:
and download the latest zip file (currently Odbg200.zip)
Once you unzip the file to your desired location, run the wine command from that location to launch the executable.
See example below:
I extracted ollydbg to my desktop. From the command line I navigated to my desktop then ran:
wine ollydbg.exe
Ollydbg then opens.
Once you are configured You then want to find some malware to examine. If you know some current malicious URLs you can navigate to them to obtain a sample. There are also websites available from other security researchers that contain malware samples.
Working in Ollydbg you will have multiple windows open as you evaluate various functions. Below is a list of helpful shortcuts.
| Ctrl+F2 | Restart program |
| Alt+F2 | Close program |
| F3 | Open new program |
| F5 | Maximize/restore active window |
| Alt+F5 | Make OllyDbg topmost |
| F9 | Run |
| Shift+F9 | Pass exception to standard handler and run |
| Ctrl+F9 | Execute till return |
| Alt+F9 | Execute till user code |
| Ctrl+F11 | Trace into |
| F12 | Pause |
| Ctrl+F12 | Trace over |
| Alt+B | Open Breakpoints window |
| F2 | Toggle breakpoint |
| Shift+F2 | Set conditional breakpoint |
| F4 | Run to selection |
| Alt+F7 | Go to previous reference |
| Alt+F8 | Go to next reference |
| Ctrl+A | Analyze code |
| Ctrl+B | Start binary search |
| Ctrl+C | Copy selection to clipboard |
| Ctrl+E | Edit selection in binary format |
| Ctrl+F | Search for a command |
| Ctrl+G | Follow expression |
| Ctrl+J | Show list of jumps to selected line |
| Ctrl+K | View call tree |
| Ctrl+L | Repeat last search |
| Ctrl+N | Open list of labels (names) |
| Ctrl+O | Scan object files |
| Ctrl+R | Find references to selected command |
| Ctrl+S | Search for a sequence of commands |
(http://www.ollydbg.de/quickst.htm)
Debugging
Evaluating malware normally involves using multiple tools. Ollydbg is just a debugger, so before you begin you may want to determine all the information you want to retrieve from the code. Other tools like Wireshark, PE editor, IDA Pro, and more may come in handy.
If you perform static analysis of malware code, the code is not actually executed. A dynamic analysis is an observation of the live code. A dynamic analysis gives a deeper picture of the functionality of the malware.
In order to perform a true dynamic analysis, you may want to allow your host to get infected while running a network analyzer like Wireshark. You would evaluate the results in Wireshark to see what type of network calls and other activity takes place. This gives you a network behavioral analysis.
Once you have the malware you want to evaluate, you can directly upload the executable into Ollydbg. We are going to take a look at what the Wannacry virus. Wannacry is ransomware that appeared in 2017 but is still considered one of the biggest malware threats. Due to its continued havoc, it has been highly researched and evaluated.
If you choose to launch the virus in a closed environment, you will see the following message:
With the below message cryptically lingering in the background:
In doing an initial evaluation of the code we find that once executed it runs the attrib +h command.
The attrib command is used to change the attributes of files. This particular command changes all files to hidden. It then executes icacls ./grant Everyone:F /T /C /Q command. The embedded encryptor launches to encrypt the files and to display the above messages.
To do further analysis you will obtain the wanacry_dropper.exe and upload it into Ollydbg. Once uploaded here is a snippet of the initial view you will see:
Wanna cry makes changes to the windows registry and loads a password protected file name “XIA”. Security researchers have discovered the password to be “WNcry@2oI7”
The XIA file contains the other binaries used to encrypt the files on the now infected system.
This includes the s.wnry cry DLL file as shown above.
Malware researchers often want to identify the strings associated with the malicious code. Identifying the strings can help to understand the functionality of the code. While evaluating the executed malware and network activity in Wireshark you may have identified a URL that the code tries to access after execution. Evaluating the strings could also confirm URLs in use by the code.
After uploading the code, you can right click and in the “Search for” option select, “All reference Strings”. This will open a new window with all of the found string references in the code.
In evaluating the strings, we can see various API calls, placeholders, create commands, etc., but as we scroll through, we also find a hardcoded URL reference. See below:
If you press F9 while at the URL reference line, you will be able to create a breakpoint for further evaluation. As we continue to look deeper into that function, we can see an internet call as identified below:
This gives the malware details on opening that particular URL and how to function if it cannot be reached or does not return expected results.
As you continue to examine the calls you can identify another encrypt function
This takes the files identified and exchanges the original extension, e.g. .xls, and replaces it with wncry.
You can continue to dig further into this function to understand how it interacts with the internet. You can then return to the main window and perform other searches. You can search for any of the following as shown in the image below:
- All intermodular calls
- For clarification this is a list of functions called from the main module. The rest of the list if self-explanatory
- All commands
- All command sequences
- All constants
- All modifications
- All referenced strings
- All references GUIDs
- All user comments
- All found procedures
- All found switches
- All floating constants
Packed Malware
Ollydbg is also useful in dissembling and analyzing packed malware. There are articles within the Infosec website that detail how to use Ollydbg for this purpose, so we won’t reiterate that here.
Conclusion
Ollydbg is a power disassembler that can prove useful in the analysis of malware. It can be used to perform a static analysis of the executable, or in conjunction with other tools to perform a dynamic analysis of the executed dropper. Malware analysis can be fun but ensure you only perform analysis in a secure environment to avoid affecting yourself or others.
Reference
https://medium.com/@pramos/why-you-need-you-a-malware-analysis-lab-and-how-to-build-it-10048eaa8e9
https://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html
https://courses.csail.mit.edu/6.857/2017/project/20.pdf
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
https://www.secureworks.com/research/wcry-ransomware-analysis