Advanced Dynamic Analysis

Introduction


Advanced dynamic malware analysis means running the malware inside a debugger so that we get complete control over its execution flow.

A debugger is an application that acts as a broker between the end user and the operating system while the program is running. This enables us to have complete control over the program.

x32dbg : Flow And Breakpoints


Tools used - x32dbg

Opening the debugger, we are greeted with this window-->

Opening the malware in the debugger-->

On the top right, we have the control panel-->

Below it are the CPU instructions-->

On its right, we have the register values-->

On the bottom left, the hex dump is shown-->

And on its right, we have the memory stack, which will grow and shrink from time to time-->

Running the program using F9, we can see that we have entered the program and stopped at a breakpoint before the DownloadfromURL entry point. Hitting F8, we step over onto the next instruction. We see that the stack has updated after the PUSH 14 instruction.

Step into means the debugger will follow the call into the function and stop at its first instruction, so every instruction inside it can be traced until it returns its final value.

Step over means the debugger will let the whole function run as if it were a single instruction and stop at the next instruction after the call, without tracing the instructions inside it.

Press F2 to create a breakpoint. A breakpoint will pause the program whenever the debugger encounters it. Every time F9 (run) is executed, the debugger will continue to the next breakpoint.
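To make the difference between run, step over and step into concrete, here is an added example that is not part of the original notes and not x32dbg's code or API: a toy debugger over a constructed stack machine (not real x86). The program, the addresses and the breakpoint at the CALL are all made up for illustration; the CALL at address 1 plays the role of the call to DownloadfromURL in the text.

```python
"""Toy debugger showing run-to-breakpoint (F9), step over (F8) and step into.

Constructed example: the 'program' is a made-up stack machine, not x86 code,
and this is not x32dbg's implementation or API.
"""

from dataclasses import dataclass, field

# Constructed toy program. Each entry is (mnemonic, operand); list index = address.
PROGRAM = [
    ("PUSH", 0x14),     # 0: push an argument (mirrors the PUSH 14 seen in the text)
    ("CALL", 5),        # 1: call the "function" at address 5
    ("POP", None),      # 2: clean the argument off the stack after the call
    ("PUSH", 0x99),     # 3
    ("HALT", None),     # 4
    ("PUSH", 1),        # 5: function body starts here
    ("PUSH", 2),        # 6
    ("ADD", None),      # 7
    ("POP", None),      # 8: discard the result
    ("RET", None),      # 9: return to the address saved by CALL
]


@dataclass
class Debugger:
    program: list
    eip: int = 0                                  # address of the next instruction
    stack: list = field(default_factory=list)     # grows on PUSH/CALL, shrinks on POP/RET
    call_depth: int = 0
    breakpoints: set = field(default_factory=set)
    halted: bool = False

    def set_breakpoint(self, addr):
        """F2: mark an address so that run() pauses when it is reached."""
        self.breakpoints.add(addr)

    def _execute_one(self):
        """Execute exactly one instruction at eip."""
        op, arg = self.program[self.eip]
        if op == "PUSH":
            self.stack.append(arg)
            self.eip += 1
        elif op == "POP":
            self.stack.pop()
            self.eip += 1
        elif op == "ADD":
            b, a = self.stack.pop(), self.stack.pop()
            self.stack.append(a + b)
            self.eip += 1
        elif op == "CALL":
            self.stack.append(self.eip + 1)   # save the return address, like x86 CALL
            self.call_depth += 1
            self.eip = arg
        elif op == "RET":
            self.eip = self.stack.pop()
            self.call_depth -= 1
        elif op == "HALT":
            self.halted = True
        else:
            raise ValueError(f"unknown instruction {op}")

    def step_into(self):
        """Execute one instruction; on CALL this lands on the callee's first instruction."""
        self._execute_one()
        return self.eip

    def step_over(self):
        """F8: if the instruction is a CALL, run the whole callee and stop after the call."""
        op, _ = self.program[self.eip]
        if op != "CALL":
            return self.step_into()
        depth_before = self.call_depth
        self._execute_one()
        while self.call_depth > depth_before and not self.halted:
            self._execute_one()
        return self.eip

    def run(self):
        """F9: leave the current address, then execute until a breakpoint or HALT."""
        if self.halted:
            return self.eip
        self._execute_one()
        while not self.halted and self.eip not in self.breakpoints:
            self._execute_one()
        return self.eip


def demo():
    """Return (action, eip after the action, stack after the action) for each step."""
    events = []
    dbg = Debugger(PROGRAM)
    dbg.set_breakpoint(1)                                     # break on the CALL
    events.append(("run", dbg.run(), list(dbg.stack)))        # stopped at the CALL, stack shows 0x14
    events.append(("step_over", dbg.step_over(), list(dbg.stack)))  # callee ran fully, stopped at 2
    events.append(("run_to_end", dbg.run(), list(dbg.stack)))       # no more breakpoints: HALT at 4
    dbg2 = Debugger(PROGRAM)
    dbg2.set_breakpoint(1)
    dbg2.run()
    events.append(("step_into", dbg2.step_into(), list(dbg2.stack)))  # inside the callee at 5
    return events


if __name__ == "__main__":
    for action, eip, stack in demo():
        print(f"{action:12s} eip={eip} stack={stack}")
```

Watching the `stack` value in each event shows what the text describes: PUSH grows the stack, step over hides the callee's own pushes and pops (the stack looks unchanged afterwards), while step into leaves you inside the function with the return address on top of the stack.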
