Summary: Find out what is involved in migrating 32-bit managed applications to 64-bit, issues that can impact migration, and the tools that are available to assist you. I need to thunk from a Delphi 2 app to a 16 bit DLL? Experts Exchange > Questions > Thunking 16 bit to 32 bit Want to Advertise Here? Failure recovering connection on Windows #72.
Virus Bulletin : : Unpacking x. PE+ binaries part 2: using Win. Dbg. In the first part of this tutorial series (see VB, July 2.
I described some fundamental differences between the 3. Windows PE+ file format. In that article, we looked at using the Bochs IDA plug- in to find the original entry point of a file. In this article I will describe using Win.
Dbg and demonstrate a different approach to the unpacking process. Before we start our analysis the first thing we need to do is to install Win. Dbg in the form of the Microsoft Windows Debugging Tools package . Honda Cbr600f Workshop Manual Pdf download free. Keep in mind that debugging tools are available for 3.
- I checked my processes and spotted one called Twunk
- 64-bit driver for Microsoft Access databases.
- You should show the connection. The Microsoft OLE DB Provider for Jet and the Jet ODBC driver are available in 32-bit.
- WinCleaner OneClick Professional Clean 12.0.
- 32 or 64 bit Mountain Lion Hi, I used to run my iMac & MPB in 32-bit mode. It didn't say in the OS X ML download.
You can install both on the same host, but for the rest of this tutorial we will be using the x. After installing Win. Dbg, the next thing we need to do is set up a symbol server – this will be handy when we step over system DLLs and other Windows components. In order to do this, enter the following line into the .
Since we are using a remote, public symbol store provided by Microsoft, our host needs an Internet connection. In the case of a real lab this requirement may be impossible to meet. In such a case you need to download the symbols and enter the path to the directory into which you have downloaded them. Win. Dbg as an unpacking tool.
Win. Dbg is definitively not user- friendly, and the more time you spend learning IDA’s quirks the more frustrating it will be to work around Win. Dbg- specific behaviour. Unfortunately, IDA’s built- in native debugger can’t handle ring 0 code yet, meaning, for example, that unpacking kernel drivers dynamically is not possible. In short: there are times when you might be forced to switch from your favourite tool to Win. Dbg (unless Win. Dbg is your favourite tool, which is something to be proud of I guess). In terms of unpacking 3.
PE files, Win. Dbg has one important advantage over other tools like IDA and especially over Olly. Dbg/Immunity Debugger – it is targeted a lot less by malware authors than the others. Many anti- Olly debugging tricks do not work under Win. Dbg, and I’m aware of at least a few cases when people fed up with having to bypass numerous protection/anti- debugging/obfuscation layers have switched from Olly to Win. Dbg and found that arriving at the original entry point was very swift. After this short introduction let’s get back to work. Let’s assume for a moment that our packed test executable is still unknown to us and we don’t know anything about the tools being used to compress it.
In order to proceed with our analysis we need to open the executable file (File- > Open Executable or Ctrl+E). This will trigger the loading of symbols and all modules required by the executable, and the initial breakpoint will be hit at: ntdll! Ldrp. Do. Debugger.
Break+0x. 30. 0. 00. This breakpoint is always set by Win.
Dbg by default. While sometimes such behaviour might be handy, in our case it is a bit useless since we need to break at our process entry point and not somewhere in ntdll. There are two methods we can use to achieve this: the long and more complicated one, and the short one. I’ll start with the longer one since it teaches us a bit about Windows operating system structures and the way they are used by the operating system when loading executable modules into memory. Note that from the PEB information we can learn: The Image.
Base. Address value – we will need this to find the current entry point. Keep in mind that the current entry point has nothing to do with the original entry point. That the Being. Debugged flag is set, signalling that the process is being debugged. This is the same flag as the kernel. Is. Debugger. Present() function is checking. Figure 1. Initial break after opening the executable. This reflects the PE+ header where the entry point address is calculated by adding the values of two fields: Image.
Base (eight bytes in the case of PE+) Address. Of. Entry. Point (four bytes both for PE and PE+). For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs.
When no entry point is present, this field must be zero.’Since our file is not a device driver, Address. Of. Entry. Point will point at the entry point (keep in mind that the instruction at the entry point might not be the first to be executed when running the executable module due to the functionality of TLS callbacks). Now we need to find the value of the Address.
Of. Entry. Point field. Unfortunately it is not available in the PEB information. However, we can use the . Fortunately, the PEB has given us this information. So we issue the command: ! The output not only reveals the address we are looking for (see Figure 3), but also shows us information about the file sections (Figure 4).
Finding the entry point address with the . Section information gathered from . Setting a breakpoint at the entry point. If you disassemble the rest of the entry point Prolog code using the . Using this fact we can assume that the RDI register and other registers can be restored before jumping to the original entry point. If this assumption is correct, we can use a completely different strategy from that described in the previous part of this tutorial.
Instead of tracing system calls we could set up a breakpoint on accessing the stack, hoping that right before transferring execution to the original entry point, this location will be read. Such tactics will allow us to completely bypass the decompression loop and import table address fixing loops. Since Win. Dbg does not provide anything similar to the IDA uunp plug- in out of the box, we might take our chances with the described approach since we don’t need any of the information we gathered in the previous tutorial. Now we need to enter the breakpoint on memory access – this is what the .
As with many other commands its syntax is rather cryptic at first sight: ba r 8 rsp. The . Other possible access types are: e – execution (the process retrieves an opcode from the address)w – writei – i/o access. The second argument is the size of a region which, in case of access, will trigger the breakpoint. Since all 6. 4- bit registers occupy eight bytes, we are interested in eight bytes on the stack. The third and final argument in our example is the address of the breakpoint.
Since we have a stream of PUSH . Obviously the current stack pointer address is kept in the RSP register. If you like you can pass the memory address instead of the register value. Now we just need to execute our target with the . You can now open the disassembly window (Figure 6) with the View- > Disassembly option. You can see that before our jump instruction there is a stream of POP opcodes which is a hint that default register values are being restored. After the jump we definitely see some garbage code.
Compilers usually lay code out in some order and are not trying to waste space (unless we are talking about DEBUG type compilation for example). Disassembly window showing execution transfer to the original entry point (OEP). Let’s execute this jump with the t(race) command and disassemble the code at the new RIP location using the . Since our code starts with the SUB RSP instruction this might be a hint that we are in fact at the original entry point.
Further code inspection and execution confirms this. Variations and other unpacking strategies. Setting a breakpoint on the first stack access seems reasonable since after unpacking, the stack must be restored to its initial state, just like used registers. However, it might be a wise strategy to set up breakpoints after the next PUSH and in consequence on a lower RSP value or even set a breakpoint for the whole stack memory region used by storing the initial register values at the beginning of our packed file. Coming back to the first part of this tutorial we used a completely different approach with IDA: setting breakpoints on some crucial API functions that were in the Import Table.
The same method can be applied when unpacking with Win. Dbg. Unfortunately, Win. Dbg does not automatically create nice table views of the import and export directories of PE+ files like IDA does. You can inspect those tables with Win. Dbg, obviously, but as always it requires a bit of additional work and poking around in process memory. IDA does it automatically in most cases. However, nothing stops us from using the function breakpoint method described in the first part with Win.
Dbg. Furthermore, if you are willing to reconstruct the IAT you will need to analyse the unpacking process more carefully. Right now we’ve just found the OEP. In order to set breakpoints on APIs let’s restart our target application and set a breakpoint on the entry point. When the breakpoint is being hit we can add breakpoints for Windows API functions like Get. Process. Address and Get. Module. Handle. A (those functions are in the import table).
The first hit is with Get. Module. Handle. A. We inspect the call stack using the . Again, we run the code and when our new breakpoint is hit, trace the unpacking process. You can quickly see how Get. Proc. Address is called. The rest of the process is the same as when using IDA.
Setting an entry point breakpoint – the easy way In the previous section we had to do some manual work to make Win. Dbg stop at the process entry point. However, there is a much easier way to achieve the same thing, although it is buried deep within the user- unfriendly Win. Dbg documentation.
If we go back to our initial breakpoint screen set- up by Win. Dbg you will notice the following line: Mod. Load: 0. 00. 00. 00. Toshiba Satellite C655d-S5303 Replacement Screen download free (Safford).
We can use the image. MASM syntax (which for some time was the only syntax available in the Debugging Tools package). The $iment operator returns the address of the image entry point in the loaded module list and can be used when setting up breakpoints like this: bp $iment(image. Now you can execute the module with the . The same field is checked by the Is. Debugger. Present() Windows API function.