Time
10 minutes
Difficulty
Intermediate

Video Transcription

00:05
welcome to breaking stuff with Joe. Here on Cyber Eri on demand, I is always in your host, Joe Perry, and today we're talking about the Windows reverse engineering or debugging tool Ali Bey. But all he is a 32 bit focused Windows Focus portable excusable debugging tool.
00:24
It's a really famous tool form. Our analysts reverse engineers, people who have kind of had to work in,
00:30
um, window, sort of the shade of your parts of windows, reversing for a very long time. It's a really, really popular tool, even though it's still only supports 32 bit executed bols. You'll still find it in a surprising number of places, and it's one of my favorite tools that I use, Ah, great deal earlier on in my career.
00:46
So that's what we're talking about today. We're gonna walk through the menus, walk through the Gu ae CNN. You can interact with the tools, see what it looks like to actually run,
00:53
and then you'll be able to run off and do a little bit of damage with it.
00:56
So stay tuned. It's gonna be a great time. I really love this tool. Hopefully, you will, too, and you're watching, breaking stuff with Joe on Cyber Eri on demand.
01:07
So here we are in our Windows 10 machine and as I mentioned on Lee is a windows tool. So we will be using a Windows VM to do this in before we actually load all that. We're gonna go ahead and load this program right here, which is note pad plus plus, I've got it all there. You know, Bad Plus Plus,
01:22
uh, the reason why I have this on my desktop for this specific courses because I downloaded the 32 bit version of note pad plus plus
01:29
so that we would be able to capture it with Ali. Bud,
01:33
once you've downloaded it from the website will include the download link in. Our supplemental resource is you should get a zip that contains all of these files that you can then very
01:42
easily extract your desktop
01:44
once they're all you need to do is run the application with the little splatter icon.
01:49
Now, before we do that to show you the two different ways you can start debugging program first, I'm going to launch note pad plus plus.
01:57
Then I'm going to jump back into this folder
02:00
and they're going to launch Ali.
02:04
So here you can see that already have a bunch of windows set up I when you first install and run all e. Generally speaking, it's not going to have all of these windows that's going to be a blank screen. You can very, very easily, and I'll show you how. Add new windows to it, and we'll do that here in just a 2nd 1st we're going to attach ourselves. So these are the two options
02:23
for actually debugging a process you've got open and you have attached open is for processes that are not currently running.
02:30
Attached is for processes, which are so we'll just get attached and you can see here it spits out a little menu if you first run this and you don't see the executed Lee you're looking for. Odds are that what you're looking for is not a 32 bit p e. It might be a 64 bit. It might be a different type of executing ble format that nurture that all he doesn't recognize.
02:50
But that's generally what's happening if you don't see your process listed.
02:53
If you do have the correct type of executed all. However, you'll see it right here. You'll be able to theoretically identify the name, although the font and
03:01
table sizes for this application can sometimes leave something to be desired. Said no pad plus Plus, we're gonna go ahead and hit, attach, and you should start seeing things get populated. So you see, we're loading all over. Executed modules are memory mapping. This is a really great tool. If you're trying to come across like a hacker, if you're recording a class or
03:20
video and you just wanna have just the right hacker look
03:23
Ali. But it's the perfect tool for that. It has just a ridiculous display of memory addresses. Execute a bles, all sorts of stuff. And to get a little bit more of that, we're gonna do what I mentioned at the very beginning. We just actually look at some of the different windows we can open, so we have, for example, a log on all open Oh,
03:42
pull that a little bit wider for you to see it grow fast. You can see this is essentially
03:46
all of the debugging law that different executed was put out all the information thread creation, module access all of that. There's a window here that all they will track all of that information for you as well as logging some custom information that's built into this, too.
04:02
Under night underneath that, you can see I have my call stack. That call stack is just the the stack of functions that we're currently in. So Maine down to print deaf as random example down to the windows implementations that print up is built on top of general speaking right file
04:21
on then right file a sort of all the way down until you get to whatever function you're currently in.
04:27
Generally speaking, when you first break in, you're only going to see this one, which is the break point. And that's because you have injected that break point into execution, and therefore it's the only call that you currently have
04:36
here. You see, we have all of the executed all modules that have been accessed her loaded. You can see the names here, and you can also want to expand that you can see system. You can see whether or not something is a system executed Well, so, for example, mime tool is not nbb. Export
04:55
is not whereas, for example, down here near the bottom, you'll see some of the old famous ones. For example, nt DLL Colonel 32. You'll see kind of just going through this, that the vast majority of executed was loaded by most, if not all, products. I'm going to see a huge number of system executed ALS.
05:15
And the reason for that is just because any time you do anything in Windows
05:17
there is a Thanh happening under the hood that you know nothing about. This is a great thing to have loaded. If, for example, you know that they're going to be using some sort of malicious library or if they're, you know, abusing existing Windows libraries. This is a quick way of being able to look through and see what deals are being accessed on what executed balls are being used.
05:35
And then over here on the left, up at the top, you'll see this.
05:39
This is sort of what people are used to fora de bugger, including even having multiple windows and panels inside of it. You have your different memory addresses with the hex dump of the actual excusable. You have your running the bug or you're running disassembly. You have your registers over here
05:55
and then down here you have your call stack, and you're different memory addresses
06:00
being referenced in your function stack.
06:02
But that is, as you can see, just one component of all the many things that all ladybug has to offer, which is why it's such a great tool that still finds use because they're still 32 but executed a lt's all over the place, especially even particularly in the world of malware.
06:18
So we're gonna add back one more of you if I can remember which one it was that I had up there
06:23
and we'll say references.
06:26
No, wasn't that one?
06:31
Yeah, I hear you threatens. There we go
06:34
and threads is for those who are not terribly familiar with it, Basically, a threat is just ah sequence of execution that is happening outside of the parent program. So it's sort of not not actually, for those who are strict, program is this is not a perfect definition, but sort of like a mini process being run inside of the executed ble. It's an execution threat,
06:55
and this is a great way to keep track of. You'll be able to see lots of activity happening over here. If threats are being injected to or being captured, you'll be able to identify all sorts of information about them. What we're gonna do now. Now you've noticed that all of this is static. None of this information has changed. Was isn't really something you're used to seeing when you're running a D bugger
07:13
if the code is actually running, and the reason for that, very simply, is that it's not. In fact, if you look down here, you'll notice that you may not be able to tell easily. But I am clicking on the note pad plus plus icon, and it's not coming back to the top of the screen. All ladybug is giving up control. You can see by the way the menu changes.
07:29
But no pad plus plus is not capable of taking control or taking the foreground.
07:33
And if we click back to here and we minimize all the windows in front of it, you can see that we're not able to get any interaction whatsoever from note pad plus plus. And that's because all he has frozen its execution to start it back up again. All we're going to do here is hit play
07:46
and you you'll notice that something's immediately changed just a little bit to note that you're back into execution. Your call stack doesn't change because you haven't broken into the program. And so it doesn't. This isn't being actively tract yet, but if we click back to note pad here, you can see once again we can interact with it. And then if we open a file, what I want you to see is just all of the things that are happening over here,
08:07
sort of behind the scenes as we're doing that.
08:09
And it's slowly working to spit out that dialogue. There you go.
08:11
And before we actually try and open a file and deal with all that, I'm actually going to
08:16
shrink this window a little bit. If I could get no pad plus plus to respond to me
08:24
might be overloading this computer a little bit.
08:28
There we go.
08:31
Just shrink this down a little bit so that you can see what's happening in these windows,
08:35
and I'll put it over our handles menu, since we're not really worried about that just yet.
08:39
And once again, I'll hit open and you can see all of the different threads being executed. Executed modules being loaded, log data being entered. And I'm just gonna open up this bash text document here.
08:50
And once again, you can see a bunch of models get unloaded. A thread gets killed. That threat is the actual interaction. The interface that we're using to open that file.
09:00
You can see all of these threads. They're active, and being marked ist un active and deleted will move. And that's sort of a
09:07
sense of just all of the information again, it's happening under the hood with any windows that's a curable and you can see once I've closed it way, have all the threads terminate. We spit out on the handles that were accessed during that execution, particularly here. One of the things that's great we're doing now analysis is that it will show you the registry keys that are being accessed.
09:26
A CZ Well, as any files, any any
09:28
other execute a ble sections that are being created, all of it
09:31
really, really useful information that could be used for all sorts of reversing techniques and tools. But that's where we're gonna go ahead and call this one you've seen all anybody in action you've seen all of the information provides on actual in depth explanation of these different Windows would be the subject of its own courts. And in fact,
09:48
it's very likely that you'll be seeing our reverse engineering courses here in the very near future.
09:52
So that's all there is for all anybody today. Thank you all so much for watching I highly hope that you found this to a useful and interesting And you have been inspired to explore it more on your own. A cZ always thank you for watching breaking stuff with Joe. You have been watching this with me. Your host, Joe Perry here on Cyber Eri on.

How to Use OllyDBG (BSWJ)

Welcome to Breaking Stuff with Joe, where we review some of the most essential cybersecurity tools that come packaged and utilized within Kali Linux. In this section, we will be reviewing OllyDBG, an analyzing debugger that works at assembler level for 32-bit Windows programs.

Instructed By

Instructor Profile Image
Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor