1. Efficiently master a Ring3 debugger such as Immunity Debugger.
2. Can control program execution (step in, over, breakpoints).
3. Can monitor/change program state (registers, memory).
4. Comments annotation in Immunity Debugger.

This tutorial can be used as a lab module in

To reverse engineer a malware, a quality debugger is essential. There are two types of debuggers: user level debuggers (such as OllyDbg, Immunity Debugger, and IDA Pro), and kernel debuggers (such as WinDbg, SoftIce, and Syser). The difference between user/kernel level debuggers is that kernel debuggers run with higher privilege and hence can debug kernel device drivers and devices, while user level debuggers cannot. It is well known that a modern OS such as Windows relies on the processor (e.g., an Intel CPU) to provide a layered collection of protection domains. For example, on a typical Intel CPU, programs can run in four modes, from ring0 (kernel mode) to ring3 (user level). For this reason, we also call user level debuggers "ring3 debuggers".

A natural question you might have is: since ring0 debuggers are more powerful than ring3 debuggers, why not use ring0 debuggers directly? Well, there is no free lunch, as always. Ring3 debuggers usually come with a nice GUI which can greatly improve the productivity of a reverse engineer. Only when necessary will we use the command-line ring0 debuggers (such as WinDbg). There is one exception though: recently, IDA Pro has introduced a GUI module which can drive WinDbg for kernel debugging. This is a nice feature, but you'll have to pay for it. In this tutorial, we assume that you would like to use open-source/free software tools.

The following is the combination of debuggers we'll use throughout the tutorial: Immunity Debugger (IMM for short) and WinDbg.

We now briefly explain some of the functions that are very useful in the analysis. Most of them can be found in the Debug menu of the IMM debugger; however, it's always beneficial to remember the shortcut keys.

Step in (F7) gets into the function body of a Call instruction. Step over (F8) executes the whole function and then stops at the next immediate instruction. The difference between step over and step in is the same as in all other debuggers. Notice that F8 may not always get you the result you desire: much malware employs anti-debugging techniques and uses return-oriented programming to redirect program control flow, so that execution never hits the next instruction. We will later see an example in Max++.

F9 (continue) is often used to continue from a breakpoint. Notice that the debugger automatically handles a lot of exceptions for you. If you want to intercept all exceptions, you should use SHIFT+F9. Later, we will see an example in which Max++ re-writes the SEH (structured exception handler) to detect the existence of debuggers. To circumvent that anti-debug trick, you will use SHIFT+F9 to manually inspect the SEH code.

In general, you have three types of data to manage: (1) registers, (2) stack, and (3) all other segments (code, data, and heap). To change the value of a register, you can right click on the register and select Edit to change its value.
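As an added illustration (not code from the tutorial or from Max++), the following C program uses POSIX signals as a stand-in for Windows SEH: SIGTRAP plays the role of the exception the program deliberately raises, and the installed handler plays the role of the SEH entry the program registered. When the program's own handler receives the trap, control resumes somewhere else and the "next instruction" after the trap never runs; when something else consumes the trap first (simulated here with SIG_IGN, standing in for a debugger that holds the exception instead of passing it on), execution falls through to that next instruction, which is the flow an analyst would be misled by unless the exception is passed to the program with SHIFT+F9.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

/* Constructed example: exception-driven control flow with POSIX signals
 * standing in for SEH. Not part of the tutorial's material. */

static sigjmp_buf resume_point;

/* The program's own handler: resumes at the sigsetjmp site, so the
 * instruction following the trap is skipped entirely. */
static void program_handler(int signo) {
    (void)signo;
    siglongjmp(resume_point, 1);
}

/* Returns 1 when the program's handler took control (the flow seen when the
 * exception reaches the program), 0 when the trap was consumed before the
 * handler saw it (simulated with SIG_IGN) and execution fell through to the
 * "next instruction". */
int exception_driven_flow(int trap_consumed_by_debugger) {
    struct sigaction sa, old;
    volatile int took_handler = 0;

    sa.sa_handler = trap_consumed_by_debugger ? SIG_IGN : program_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGTRAP, &sa, &old);

    if (sigsetjmp(resume_point, 1) == 0) {
        raise(SIGTRAP);     /* the deliberate exception (think INT 3) */
        took_handler = 0;   /* "next instruction": reached only if consumed */
    } else {
        took_handler = 1;   /* arrived here through the handler's siglongjmp */
    }

    sigaction(SIGTRAP, &old, NULL);   /* restore the previous disposition */
    return took_handler;
}

int main(void) {
    printf("exception reaches the program's handler: %d\n", exception_driven_flow(0));
    printf("exception consumed before the handler:   %d\n", exception_driven_flow(1));
    return 0;
}
```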