If you need to do some troubleshooting during your debugging session, the Log Window may be useful in tracking down unusual or unexpected behaviors while stepping through malicious code. This window displays all debugging events such as module loads, thread creations, breakpoint hits, and errors. Clicking on the Log (Alt+L) option will bring up the Log Window.

Any plug-in loading errors can usually be attributed to placing the plug-in in a directory other than Olly's default plug-ins directory. The Log window is also useful in checking to ensure any plug-ins you installed were loaded correctly.

Two recommended plug-ins you should get are OllyDump, to dump a process's memory, and Olly Advanced, to get around any anti-debugging a malware sample may throw against you. OpenRCE has OllyDump, Olly Advanced, and many other useful plug-ins to help hide the debugger from malware attacks or to help automate your dynamic analysis process. The OllyDump plug-in will come in handy during manual unpacking, and it contains two heuristics for locating the OEP (Original Entry Point).

The Executable Modules Window shows the base virtual address, the virtual size (the size the binary takes up in memory), the Entry Point's virtual address, the module name, file version, and file path for each module loaded in the process. While in this window, right-clicking on a module opens a context menu. Red text means that the module was loaded dynamically.

Examining a malware's imported functions may give a general idea of the malware's functionality. The Names Window shows the list of imported and exported functions for a given module. Choosing "View names" (Ctrl-N) opens the Names Window. This also allows you to set breakpoints on API functions: while in the Names window, you can right-click on any of these function names to toggle a breakpoint (Right-click -> "Toggle breakpoint", or press the F2 key). The MSDN API documentation site is a useful resource for looking up these functions to learn what they do, the parameters they take, and what they return. For example, if you see functions opening an internet connection and downloading files from a URL, the sample may be a downloader.
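The "imports hint at functionality" heuristic above, as an added example (not code from the original post or from OllyDbg): it takes a constructed list of `MODULE.Function` entries of the kind you would read off the Names window, buckets them by capability, and only reports a verdict when the buckets co-occur, so a lone `CreateFile` is not mistaken for a downloader. The capability patterns and verdict rules are an assumption for illustration, and a packed sample will show almost none of these imports until it is unpacked.

```python
"""Rough capability triage from imported API names (constructed example)."""
import re
from collections import defaultdict

# Assumed capability buckets: regex on the function name with A/W suffix stripped.
CAPABILITIES = {
    "network": r"^(InternetOpen|InternetOpenUrl|InternetReadFile|URLDownloadToFile|"
               r"WinHttp\w+|WSAStartup|connect|send|recv)",
    "file_write": r"^(CreateFile|WriteFile|CopyFile|MoveFile)",
    "execute": r"^(CreateProcess|WinExec|ShellExecute|CreateRemoteThread)",
    "persistence": r"^(RegSetValueEx|RegCreateKey|CreateService)",
    "anti_debug": r"^(IsDebuggerPresent|CheckRemoteDebuggerPresent)",
}

# Assumed co-occurrence rules: a verdict fires only when every bucket is present.
VERDICTS = {
    "possible downloader": {"network", "file_write"},
    "possible dropper/launcher": {"file_write", "execute"},
    "debugger-aware": {"anti_debug"},
}

# Constructed input mimicking Names window entries; not real OllyDbg output.
SAMPLE_NAMES = """
KERNEL32.CreateFileA
KERNEL32.WriteFile
KERNEL32.WinExec
WININET.InternetOpenA
WININET.InternetOpenUrlA
WININET.InternetReadFile
KERNEL32.IsDebuggerPresent
USER32.MessageBoxA
"""


def parse_names(lines):
    """Turn 'MODULE.Function' lines into (module, function); drops the ANSI/Unicode suffix."""
    parsed = []
    for line in lines:
        line = line.strip()
        if not line or "." not in line:
            continue
        module, func = line.rsplit(".", 1)
        parsed.append((module.lower(), re.sub(r"[AW]$", "", func)))
    return parsed


def triage(lines):
    """Return ({capability: {qualified names}}, [verdicts]) for the given Names entries."""
    found = defaultdict(set)
    for module, func in parse_names(lines):
        for capability, pattern in CAPABILITIES.items():
            if re.match(pattern, func):
                found[capability].add(f"{module}.{func}")
    verdicts = sorted(v for v, needed in VERDICTS.items() if needed <= set(found))
    return dict(found), verdicts


if __name__ == "__main__":
    caps, verdicts = triage(SAMPLE_NAMES.splitlines())
    for capability, names in sorted(caps.items()):
        print(f"{capability:12} {sorted(names)}")
    print("verdicts:", verdicts)
```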