Dynamic Analysis Flow

Disable ASLR

(Optional) Run Behavioural Tools in Background

Perform Debugging

Unpack file

Patch file

Shellcode Analysis (if applicable)

4. Dynamic Analysis

Dynamic analysis lets you observe the full behaviour of the program. Assuming its runtime conditions are met (it runs, and any environment checks pass), you can inspect the flow of the program and control how it operates. This step is useful for bypassing anti-reversing and anti-sandbox techniques that may be applied. It also helps in resolving dynamically generated strings and dynamically resolved function calls, carving out shellcode, and confirming the full capabilities of the program.

You may need to patch or unpack the program, or both, in order to obtain a fuller picture.

For an assembly reference sheet see 1 - Assembly_ref; for a reference to interesting Windows API functions, see 2 - WinAPI_ref.

4.1 Disable ASLR

Both methods below clear the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in the PE optional header, so the loader maps the image at its preferred ImageBase and the addresses you see in the debugger match your static disassembly from run to run. Work on a copy, since the patched file no longer has the original sample's hash. The flag is ignored if mandatory ASLR is forced system-wide (Windows Defender Exploit Protection), in which case turn that off in the analysis VM.

Editbin (ships with Visual Studio)

    .\editbin /DYNAMICBASE:NO file.exe

CFF Explorer

Hint
You can use CFF Explorer to disable ASLR for later static & dynamic analysis (if required):

CFF Explorer -> Optional Header -> DllCharacteristics -> (uncheck) "DLL can move"
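The same change made programmatically, as an added example (it is not from the original page, editbin or CFF Explorer): a small Python script that walks the DOS and NT headers to find the DllCharacteristics field, then clears DYNAMIC_BASE together with HIGH_ENTROPY_VA (which has no meaning once DYNAMIC_BASE is gone). The function names are mine, the sample image that build_sample_pe() returns is a constructed header-only PE for demonstration rather than a real executable, and the file paths in the usage block are assumptions.

```python
"""Clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in a PE file (what editbin
/DYNAMICBASE:NO and the CFF Explorer checkbox do), locating the field by walking
the headers rather than assuming a fixed offset."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# DllCharacteristics sits 70 bytes into the optional header for both PE32 and PE32+
# (PE32+ widens ImageBase but drops BaseOfData, so the later fields line up).
DLLCHARACTERISTICS_OFFSET = 70


def dllchar_offset(data: bytes) -> int:
    """File offset of the 16-bit DllCharacteristics field, after validating the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    if size_of_opt < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    return opt_hdr + DLLCHARACTERISTICS_OFFSET


def dll_characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, dllchar_offset(data))[0]


def aslr_enabled(data: bytes) -> bool:
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def disable_aslr(data: bytes) -> bytes:
    """Return a copy of the image with DYNAMIC_BASE and HIGH_ENTROPY_VA cleared."""
    buf = bytearray(data)
    off = dllchar_offset(buf)
    flags = struct.unpack_from("<H", buf, off)[0]
    flags &= ~(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    struct.pack_into("<H", buf, off, flags & 0xFFFF)
    return bytes(buf)


def build_sample_pe(magic: int = PE32_MAGIC, flags: int = 0x8160) -> bytes:
    """Constructed header-only PE for demonstration (not a real executable).
    Default flags: TERMINAL_SERVER_AWARE | NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA."""
    is32 = magic == PE32_MAGIC
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> "PE\0\0" at 0x40
    opt_size = 0xE0 if is32 else 0xF0
    file_hdr = struct.pack("<HHIIIHH", 0x14C if is32 else 0x8664, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Assumed usage: python noaslr.py sample.exe sample_noaslr.exe
    src, dst = sys.argv[1], sys.argv[2]
    image = open(src, "rb").read()
    print(f"DllCharacteristics before: {dll_characteristics(image):#06x}")
    open(dst, "wb").write(disable_aslr(image))
```

The script does not recompute the optional-header CheckSum; the user-mode loader does not verify it for ordinary executables, so the patched file still loads (drivers and signed system images are a different matter).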

4.2 Start Behaviour Analysis Tools

Tip: Run in Parallel

While debugging, it may be helpful to run some behavioural analysis tools in the background; they help in identifying IoCs (files, registry keys, network connections, child processes) as you step through the sample:

  • Procmon (set the process name or PID as the filter)
  • TCPView (set the process name or PID as the filter)
  • CMD Watcher
  • API Monitor
  • Process Hacker
  • Wireshark

x32dbg / x64dbg

Debugging Shortcuts

Operation                          Shortcut
run                                F9
execute till return                Ctrl+F9
step over                          F8
step into                          F7
go to expression (address)         Ctrl+G
graph mode                         G
analyse function                   A
add operation comment (analysis)   Ctrl+Shift+U
software breakpoint                F2
patch line (assemble)              Space

Tip to Defeat Anti-Debugging

API Function / Location       Notes
IsDebuggerPresent             Reads the BeingDebugged flag in the PEB of the current process
CheckRemoteDebuggerPresent    Checks whether a debugger is attached to the given process (usually the current one). "Remote" means a separate debugger process, not another machine, so the name can be misleading
NtQueryInformationProcess     Native API function in NTDLL that retrieves information about a given process. If the second parameter is set to ProcessDebugPort (7), it is asking whether the process is being debugged (ProcessDebugObjectHandle (30) and ProcessDebugFlags (31) are used the same way)
OutputDebugString             Sends a string to the debugger for display. Historically its behaviour when no debugger is attached (a last-error side effect) was used to detect a debugger; unreliable on modern Windows
fs:[30] (+2)                  PEB BeingDebugged flag for a 32-bit process
gs:[60] (+2)                  PEB BeingDebugged flag for a 64-bit process
QueryPerformanceCounter       Queries the high-resolution performance counter; used for timing checks around code that runs far slower under a debugger
GetTickCount                  Returns the number of milliseconds that have elapsed since the last system reboot; used for the same timing checks

Below are some strategies that may be used to defeat anti-debugging:

  • Find references to the anti-debugging functions (e.g. via the import's cross-references), and patch any checks near them
  • Modify EFLAGS (typically the Zero Flag) or the returned value in EAX/RAX after the call to the anti-debugging function, so the conditional jump takes the "no debugger" path
  • Patch the conditional jump into an unconditional jmp (or NOP it out) to jump over the anti-debugging check
  • Rename your debugger executable, as some samples look for known debugger process or window names
  • Alternatively, let an anti-anti-debugging plugin such as ScyllaHide hook these APIs and PEB fields for you
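A minimal version of the "find the check, patch the jump" strategy, written as an added example (not code from the page): it scans a code blob for the idiom `call [IAT slot]; test eax,eax; jcc` where the slot belongs to an anti-debugging import, then neutralises the branch without changing instruction lengths. A `jne` (taken when a debugger is found) becomes two NOPs, a `je` (taken when none is found) becomes an unconditional short `jmp`. The code bytes, base address and IAT slot addresses below are constructed for the demonstration; real compiled code often separates the call and the test with other instructions, so treat this as the pattern-matching skeleton you adapt once you have confirmed the idiom in the debugger.

```python
"""Neutralise 'call anti-debug API; test eax,eax; jcc' checks in a code blob."""
import struct

CALL_IND = b"\xff\x15"      # call [imm32] on x86, call [rip+disp32] on x64
TEST_EAX = b"\x85\xc0"      # test eax,eax
JE, JNE, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90


def call_target(buf: bytes, off: int, base_va: int, x64: bool) -> int:
    """Address of the IAT slot read by the FF 15 call at buf[off]."""
    if x64:
        disp = struct.unpack_from("<i", buf, off + 2)[0]
        return base_va + off + 6 + disp          # rip-relative: rip = next instruction
    return struct.unpack_from("<I", buf, off + 2)[0]   # x86: absolute address


def patch_debugger_checks(code: bytes, base_va: int, antidebug_slots: set, x64: bool):
    """Return (patched_bytes, [(jcc_offset, description), ...]).

    Only branches that directly follow `call [slot]; test eax,eax`, with slot in
    antidebug_slots, are touched, so unrelated BOOL-returning calls are left alone.
    """
    buf = bytearray(code)
    patches = []
    i = 0
    while i + 10 <= len(buf):               # call (6) + test (2) + jcc rel8 (2)
        if (buf[i:i + 2] == CALL_IND and buf[i + 6:i + 8] == TEST_EAX
                and buf[i + 8] in (JE, JNE)
                and call_target(buf, i, base_va, x64) in antidebug_slots):
            jcc = i + 8
            if buf[jcc] == JNE:
                # jne fires when eax != 0 (debugger found): never take it.
                buf[jcc:jcc + 2] = bytes([NOP, NOP])
                patches.append((jcc, "jne -> nop nop"))
            else:
                # je fires when eax == 0 (no debugger): always take it, keep the rel8.
                buf[jcc] = JMP_SHORT
                patches.append((jcc, "je -> jmp short"))
            i += 10
            continue
        i += 1
    return bytes(buf), patches


# Constructed x86 code mapped at 0x401000. Assumed IAT slots: 0x402010 = IsDebuggerPresent,
# 0x402014 = ExitProcess, 0x402018 = an unrelated BOOL-returning import.
SAMPLE_X86_BASE = 0x401000
SAMPLE_X86 = bytes.fromhex(
    "558bec"            # push ebp; mov ebp,esp
    "ff1510204000"      # call [0x402010]      ; IsDebuggerPresent
    "85c0"              # test eax,eax
    "7507"              # jne +7               ; -> debugger_detected
    "b801000000"        # mov eax,1            ; clean path
    "5dc3"              # pop ebp; ret
    "6a00"              # debugger_detected: push 0
    "ff1514204000"      # call [0x402014]      ; ExitProcess
    "ff1510204000"      # call [0x402010]      ; second check with inverted sense
    "85c0"              # test eax,eax
    "7402"              # je +2                ; -> continue when no debugger
    "ebfe"              # jmp $                ; hang when debugged
    "33c0c3"            # xor eax,eax; ret
    "ff1518204000"      # call [0x402018]      ; unrelated import, must stay untouched
    "85c0"              # test eax,eax
    "7401"              # je +1
    "c3"                # ret
)

if __name__ == "__main__":
    patched, log = patch_debugger_checks(SAMPLE_X86, SAMPLE_X86_BASE, {0x402010}, x64=False)
    for off, what in log:
        print(f"patched {what} at {SAMPLE_X86_BASE + off:#x}")
```

To apply this to a real sample, take the IAT slot addresses from the debugger's import view (or from the static import table plus the load address after ASLR is disabled) and run the scan over the dumped .text section at its base VA; an x64 build only differs in the rip-relative displacement, which call_target() handles.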
Tip to Find Injected Memory Segments
  • Put a breakpoint on memory allocation functions, e.g. VirtualAlloc (and VirtualAllocEx / NtAllocateVirtualMemory when the target is another process)
  • Step over the function, and note the returned address (EAX/RAX)
  • Watch the memory segment, either in the dump or in Process Hacker
  • Put a breakpoint on memory writing functions, e.g. RtlMoveMemory, WriteProcessMemory, memcpy etc.
  • Step over the function
  • Watch the memory segment again; once it has been filled (and before its protection is changed or a thread is started in it) dump it to disk
Tip on Binary Unpacking

...

4.3 Perform Dynamic Analysis

Tip: Finding injected shellcode (module call references)

Look close to API calls such as WriteProcessMemory, VirtualAlloc etc. (the debugger's list of intermodular call references gets you to them quickly), then follow the relevant referenced pointer in memory/dump.
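To carve the blob once you have reached the region (from the pointer followed here, or from the VirtualAlloc / WriteProcessMemory breakpoints in the injected-memory tip above), the following added example (not from the page) scans a memory dump saved from the debugger for common position-independent-code prologues (`call $+5`, the Metasploit-style `cld; call`, and the `fnstenv` FPU trick), trims the zero padding of the allocation and returns the candidate as a .bin ready for scdbg. The dumped region it analyses is constructed inline; the function names, base address and output path are assumptions.

```python
"""Carve shellcode candidates out of a memory region dumped from a debugger."""
import sys

# Byte patterns that commonly open position-independent shellcode ("GetPC" idioms).
GETPC_PATTERNS = {
    "call $+5": b"\xe8\x00\x00\x00\x00",
    "cld; call (Metasploit-style stager)": b"\xfc\xe8",
    "fnstenv [esp-0xc] (FPU GetPC)": b"\xd9\x74\x24\xf4",
}


def carve_candidates(region: bytes, base_va: int) -> list:
    """Return candidate shellcode blobs found in region, ordered by offset.

    Each entry is {"va", "offset", "pattern", "length"}. The length runs to the last
    non-zero byte, so the zero-filled tail of a fresh VirtualAlloc page is dropped.
    """
    end = len(region.rstrip(b"\x00"))
    hits = []
    for name, pat in GETPC_PATTERNS.items():
        start = 0
        while True:
            off = region.find(pat, start, end)
            if off == -1:
                break
            hits.append((off, name))
            start = off + 1
    hits.sort()
    candidates, last_end = [], -1
    for off, name in hits:
        # Overlapping patterns (e.g. "fc e8 00 00 00 00") describe one blob: keep the first.
        if off < last_end:
            continue
        candidates.append({"va": base_va + off, "offset": off, "pattern": name,
                           "length": end - off})
        last_end = off + len(GETPC_PATTERNS[name])
    return candidates


def carve(region: bytes, base_va: int, index: int = 0) -> bytes:
    """Bytes of the index-th candidate, from its prologue to the last non-zero byte."""
    cands = carve_candidates(region, base_va)
    if not cands:
        raise ValueError("no GetPC prologue found; inspect the region manually")
    c = cands[index]
    return region[c["offset"]:c["offset"] + c["length"]]


def build_sample_region() -> bytes:
    """Constructed dump: 32 bytes of int3 filler, a stub prologue, then page padding."""
    stub = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5" + b"\x90" * 10
    return b"\xcc" * 32 + stub + b"\x00" * (0x1000 - 32 - len(stub))


if __name__ == "__main__":
    # Assumed usage: python carve.py region.dmp 0x1e0000 shellcode.bin
    region = open(sys.argv[1], "rb").read()
    base = int(sys.argv[2], 16)
    for c in carve_candidates(region, base):
        print(f"{c['va']:#x} (+{c['offset']:#x}) {c['pattern']} len={c['length']}")
    open(sys.argv[3], "wb").write(carve(region, base))
```

The patterns are heuristics, not proof: a region with no hit may still be shellcode that resolves its position differently (or is a PE image rather than raw code), and a hit inside legitimate code is possible, so confirm the candidate by setting a breakpoint on its first byte and watching the sample jump there before handing the .bin to scdbg.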

4.4 Shellcode Analysis (if required)

If you have procured shellcode from the program, you can perform shellcode analysis:

See Step 3 of 3 - Static Analysis (SCDBG.exe)