reverse engineering - What's the debug section in IDA Pro?
I'm trying to analyze a DLL file with poor assembly skills, so forgive me if I couldn't achieve something trivial. The problem is that, while debugging the application, I find the code I'm looking for in the debug session, but after I stop the debugger, the address is gone. The DLL doesn't seem obfuscated; many parts of the code are readable. Take a look at the screenshot. The code I'm looking for is located at address 07d1ebbf in the debug376 section. By the way, what is the debug376 section?
So my question is, how can I find the function while not debugging? Thanks
update
OK, as I said, when I stop the debugger, the code vanishes. I can't find it via its sequence of bytes (but I can in debug mode). When I start the debugger, the code is not disassembled immediately; I have to add a hardware breakpoint at that place, and when the breakpoint is hit, IDA shows the disassembled code. Take a look at the screenshot to see the line of code I'm interested in; it's not visible if the program isn't running in debug mode. I'm not sure, but I think it's unpacking the code at runtime, so it's not visible at design time.
Anyway, any help is appreciated. I want to know why the code is hidden until the breakpoint is hit (it's shown as "db 8bh" etc.) and how to find the address without debugging, if possible. By the way, is the code in a different module (DLL)?
thanks
update 2
I found out the debug376 segment is created at runtime. Simple question: how can I find out where the segment came from? :)
So you see the code in the debugger window once the program is running, but can't seem to find the very same opcodes in the raw hex dump once it's not running any more?
What might help is taking a memory snapshot. Pause the program's execution near the instructions you're interested in to make sure they are there, then choose "Take memory snapshot" from the "Debugger" menu. IDA will ask whether to copy the data found at the segments defined as "loader segments" (those the PE loader creates from the predefined table) or "all segments" that seem to belong to the debugged program (including such as might have been created by an unpacking routine, decryptor, whatever). Go for "all segments" and you should be fine seeing the memory contents, including the debug segments (a segment created or recognized while debugging), in IDA when not debugging the application.
You can view the list of segments at any time by pressing Shift+F7 or by clicking "Segments" under View > Open subviews.
Keep in mind that the program you're trying to analyze might choose to create the segment in another place the next time it's loaded, to make it harder to understand what's going on.
Update to match the second question
When a program is unpacking data somewhere, it has to copy the stuff somewhere. Windows' virtual memory machinery nowadays gets really nasty when you try to execute or write code at locations you're not allowed to. So the program, as long as we're under Windows, somehow has to
- register a bunch of new memory or overwrite memory it owns. This is done by calling malloc or [your code looks as if it has been written in a very pointer-intensive language... VB perhaps, or something object-oriented], which boils down to a call to VirtualAlloc or VirtualAllocEx in Windows's kernel32.dll; see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366887(v=vs.85).aspx for more detail on its calling convention.
- perhaps set Windows exception handling on, and mark the memory range as executable if it wasn't when calling VirtualAlloc. This is done by calling VirtualProtect, again in kernel32.dll. See http://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx for more info on that.
So now, you should step through the program, starting at the default entry point (OEP), until it calls one of those functions, possibly with memory protection set to PAGE_EXECUTE or a descendant. After that there will possibly come some sort of loop decrypting the memory contents and copying them to a new location. You might want to step over it, depending on your interest in the program, by just placing the cursor after the loop (the thick blue line in IDA usually) and clicking "Run to cursor" in the menu that appears upon right-clicking the assembler code.
If that fails, try placing a hardware breakpoint on kernel32.dll's VirtualAlloc and see if anything interesting shows up when stepping to the return statement and wherever the execution chain takes you after the alloc or protect call.
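The snapshot triage the answer describes, as an added example that is not part of the original answer and not IDA's own code: a region list standing in for what a "Take memory snapshot" with "all segments" yields, with loader segments marked as such and a debugger-created segment (named debug376 after the question) that is executable but absent from the PE section table. The PAGE_* constants are the real winnt.h values passed to VirtualAlloc/VirtualProtect; every address except 07d1ebbf from the question, the segment contents and the prologue byte pattern are constructed. Inside IDA the same region list would come from IDAPython (idautils.Segments() and ida_bytes.get_bytes()), which this script deliberately does not import so that it runs offline.

```python
"""Triage of a memory snapshot for code that only exists at runtime.

Constructed example: two loader segments (.text, .data) plus one segment the
debugger discovered at runtime (debug376). Answers the thread's two questions:
why the bytes are not in the on-disk image (they live in a region no PE section
describes) and where a runtime segment came from (executable memory outside the
loader's table, i.e. a VirtualAlloc/VirtualProtect'ed range).
"""
from dataclasses import dataclass

# Memory-protection constants from winnt.h (values used by VirtualAlloc/VirtualProtect).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Constructed search pattern: the common x86 prologue "mov edi,edi; push ebp; mov ebp,esp".
PROLOGUE = bytes.fromhex("8bff558bec")


@dataclass
class Region:
    name: str
    start: int
    protect: int
    data: bytes
    loader_segment: bool  # True if the PE section table describes this range

    @property
    def end(self) -> int:
        return self.start + len(self.data)

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def is_executable(protect: int) -> bool:
    """True for any of the PAGE_EXECUTE* protections."""
    return bool(protect & EXECUTABLE_MASK)


def classify(region: Region) -> str:
    """Explain where a segment came from, using only facts a snapshot records."""
    if region.loader_segment:
        return "loader segment (present in the on-disk PE)"
    if is_executable(region.protect):
        return "runtime-created executable memory (candidate for unpacked code)"
    return "runtime-created data (heap, stack or scratch buffer)"


def runtime_code_regions(regions):
    """Executable regions the loader did not create: where unpacked code lands."""
    return [r for r in regions if is_executable(r.protect) and not r.loader_segment]


def find_pattern(regions, pattern: bytes):
    """Every (segment name, virtual address) at which `pattern` occurs."""
    hits = []
    for r in regions:
        off = r.data.find(pattern)
        while off != -1:
            hits.append((r.name, r.start + off))
            off = r.data.find(pattern, off + 1)
    return hits


def locate(regions, addr: int):
    """(name, classification) of the segment holding `addr`, or None."""
    for r in regions:
        if r.contains(addr):
            return r.name, classify(r)
    return None


def sample_snapshot():
    """Constructed snapshot; all addresses are invented except 07d1ebbf from the question."""
    text = Region(".text", 0x10001000, PAGE_EXECUTE_READ, b"\xcc" * 0x400, True)
    data = Region(".data", 0x10002000, PAGE_READWRITE, b"\x00" * 0x200, True)
    # debug376: 4 KiB allocated at runtime; the prologue sits at offset 0xbbf.
    body = bytes(0xBBF) + PROLOGUE
    body += bytes(0x1000 - len(body))
    debug376 = Region("debug376", 0x07D1E000, PAGE_EXECUTE_READWRITE, body, False)
    return [text, data, debug376]


if __name__ == "__main__":
    snap = sample_snapshot()
    for r in snap:
        print(f"{r.name:10} {r.start:08x}-{r.end:08x} {classify(r)}")
    print("pattern hits:", [(n, hex(a)) for n, a in find_pattern(snap, PROLOGUE)])
    print("hits restricted to loader segments:",
          find_pattern([r for r in snap if r.loader_segment], PROLOGUE))
```

Searching only the loader segments finds nothing, which is exactly the "can't find it via its sequence of bytes" symptom from the question; searching the full snapshot finds the prologue at 07d1ebbf inside debug376, and classify() reports that segment as runtime-created executable memory, the signature of an unpacking routine having allocated and protected it.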