Friday, June 17, 2005

MS Debugging Tools vs. DD & Strings

How do you analyze memory (live or dumped)? Most people I know, texts read and classes taken speak of using strings (cli) or bintext (gui) against a dd of memory. Strings will pull out all kinds of interesting information like URLs, IPs, usernames, passwords, parts of files, so on and so forth. Of course, all the information is a pain to sort through thanks to all the non-human readable crap contained within memory. Pmdump (cli) or CurrProcess (gui) are used on live systems to dump running processes letting us see decrypted malware to help determine its intent through strings or running against a slew of virus scanners to see if its core is a variant of something else.

Harlan Carvey has a couple of blog entries about "RAM, memory dumps and debuggers" that raises several issues I hadn't thought of before now. I have tried my hand at Ollydbg and a couple of pieces of malware to learn more about their protection scheme and the underlying goal of the writer but never really knew what I was doing. Now, I have new tools to learn to pick apart malware. The next step is to add them to my custom Helix CD and see what I can break. Also, Harlan (or is it Mr Carvey) linked several MS KB articles about generating full memory dumps, kernel memory dumps and small memory (64K) dumps on command.

I will write more when I get some testing time in. For now, I have to work on a review for NWC. That, and my list too. I will add the MS debugger to that list, now.

No comments: