Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Patching
Дальше: Assistance Features

Analyzing Shellcode

OllyDbg has an easy (if undocumented) way to analyze shellcode. Follow these steps to use this approach:

  1. Copy shellcode from a hex editor to the clipboard.

  2. Within the memory map, select a memory region whose type is Priv. (This is private memory assigned to the process, as opposed to the read-only executable images that are shared among multiple processes.)

  3. Double-click rows in the memory map to bring up a hex dump so you can examine the contents. This region should contain a few hundred bytes of contiguous zero bytes.

  4. Right-click the chosen region in the Memory Map window, and select Set Access ▶ Full Access to give the region read, write, and execute permissions.

  5. Return to the memory dump window. Highlight a region of zero-filled bytes large enough for the entire shellcode to fit, right-click the selection, and select Binary ▶ Binary Paste. This will paste the shellcode to the selected region.

  6. Set the EIP register to the location of the memory you modified. (You can easily set the EIP register by right-clicking an instruction in the disassembler window and selecting New Origin Here.)

Now you can run, debug, and single-step through the shellcode, just as you would a normal program.

Назад: Patching
Дальше: Assistance Features

sss
sss