1.2 Dynamic Reverse Engineering
Debugging Terminology
Software Breakpoints
A debugger overwrites the start of an instruction with a trap instruction (on x86 the one-byte int3 opcode, 0xCC); executing it raises a trap that hands control to the debugger. To resume, the debugger restores the original bytes, single-steps over the instruction, and re-inserts the trap. Because the code bytes in memory are changed, a program that checksums its own text segment can notice them.
Hardware Breakpoints
These are set through CPU debug registers (on x86, DR0-DR3 hold up to four addresses and DR7 the conditions) and trigger on execution of, or reads/writes to, an address without modifying the code. They are limited in number but stealthier than software breakpoints, since the code bytes stay intact.
Data Watchpoints
Used to track accesses to memory locations: the debugger is notified when specific data is read or written. They are normally implemented with the hardware debug registers; when those run out, debuggers fall back to single-stepping and comparing memory after every instruction, which is far slower.
Stepping
Executing one instruction (instruction stepping) or one source line (line stepping) and then returning control to the debugger. Stepping over a call runs the callee to completion; stepping into it stops at its first instruction.
Process Control
Provides the ability to start, stop, suspend, and resume execution of the debugged program or of individual threads.
Debuggers can also inspect and modify the program's memory and registers, enabling runtime manipulation of values (for example, changing a return value so that a check passes).
Signal/Exception Interception
The debugger can catch signals or exceptions raised in the program before the program's own handlers see them, helping to analyze faults or unexpected behaviors.
Checkpointing
Saves the process state at a specific point, allowing rollback and analysis without restarting from
scratch.
Anti-Debugging Techniques
The program checks for debugger-related artifacts in its memory or environment: for example, reading the BeingDebugged flag in the Windows PEB (what IsDebuggerPresent() does), reading the TracerPid field of /proc/self/status on Linux, which the kernel sets to the pid of any ptrace-attached process, or searching the process list for known debugger names. Such checks only raise the bar: an analyst who finds the comparison can break on it and flip the result, or patch the branch out of the binary.
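The Linux /proc-based check above, as an added example (this code is not from the original notes). It splits the parsing of the TracerPid field from the live read so the parser can be exercised on constructed status excerpts; the sample texts and pid values are invented, and the live check assumes a Linux system with /proc mounted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse TracerPid out of the text of /proc/self/status.
 * Returns the tracer's pid (0 = nobody is ptrace-attached), or -1 if the
 * field is absent or malformed. The Windows analogue would read
 * PEB.BeingDebugged instead. */
long tracer_pid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            char *end;
            long pid = strtol(line + 10, &end, 10); /* strtol skips the tab */
            return (end == line + 10) ? -1 : pid;  /* no digits: malformed */
        }
        line = strchr(line, '\n');                 /* advance to next line */
        if (line)
            line++;
    }
    return -1;
}

/* Live check: 1 if a tracer (gdb, strace, ltrace, ...) is attached,
 * 0 if not, -1 if /proc/self/status cannot be read. */
int being_traced(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long pid = tracer_pid_from_status(buf);
    return pid < 0 ? -1 : (pid > 0);
}

/* Constructed status excerpts (not captured from a real system) so the
 * parser can be tested without attaching a debugger. */
const char SAMPLE_STATUS_TRACED[] =
    "Name:\ttarget\n"
    "Umask:\t0022\n"
    "State:\tt (tracing stop)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t4100\n"
    "TracerPid:\t4100\n"
    "Uid:\t1000\t1000\t1000\t1000\n";

const char SAMPLE_STATUS_CLEAN[] =
    "Name:\ttarget\n"
    "State:\tR (running)\n"
    "Pid:\t4242\n"
    "PPid:\t4100\n"
    "TracerPid:\t0\n";

int main(void)
{
    printf("constructed traced sample -> tracer pid %ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    printf("constructed clean sample  -> tracer pid %ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_CLEAN));
    switch (being_traced()) {
    case 1:  puts("this process IS being traced");       break;
    case 0:  puts("this process is not being traced");   break;
    default: puts("could not read /proc/self/status");   break;
    }
    return 0;
}
```

Run it plainly and then under strace or gdb to see the live result flip. Note that TracerPid is set by any ptrace-based tracer, so strace and ltrace trigger it just like a debugger; and because the value comes from the kernel, the only way around the check from the debugger side is to stop before the comparison and patch the outcome, which is exactly what the caveat above describes.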
Overview
Both strace and ltrace are command-line tools used in reverse engineering to monitor an
application's interactions with the system. They help in understanding how a program behaves
without modifying its binary. Both attach through the ptrace interface, so the traced program runs
noticeably slower and shows a nonzero TracerPid while traced.
strace captures and displays system calls made by a running process, including their
arguments and return values. It provides insights into how a program interacts with the operating
system.
Use Cases
Tracking file operations ( open / openat , read , write ).
Monitoring memory allocation ( mmap , brk ).
Analyzing process management ( fork , execve ).
Example Usage
strace ls
ltrace monitors the calls a program makes into dynamically linked libraries (e.g., libc ) by
placing breakpoints on the library entry points reached through the PLT. It helps to identify how
an application interacts with external libraries; a statically linked binary shows no such calls.
Use Cases
Observing memory management ( malloc , free ) and string handling ( strcmp , strcpy ) calls with their arguments and return values.
Spotting calls of interest for later breakpoints, such as comparison functions used in license or password checks.
Example Usage
ltrace ls
This command traces all library function calls made by the ls command.
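The use cases above come down to reading the `name(args ...) = retval` lines that strace and ltrace print. As an added example (not code from the original notes), here is a small parser for that line format with two summaries built on it: how many times a call was made and which path the first failing call touched. The sample lines are constructed to look like `strace -f ls` output plus one ltrace line; they are not a real capture, and the `-t`/`-tt` timestamp prefixes are deliberately not handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed "name(args ...) = retval [ERRNO (text)]" record. */
typedef struct {
    char name[32];   /* syscall or library function name */
    char path[128];  /* first double-quoted argument, usually a path; "" if none */
    long ret;        /* return value as printed (decimal or 0x... hex) */
    int  has_ret;    /* 0 for lines like "exit_group(0) = ?" */
} trace_rec;

static int is_ident(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Parse one strace/ltrace output line. Returns 1 on success, 0 for non-call
 * lines such as "+++ exited with 0 +++". Strips the "[pid N] " prefix that
 * strace -f adds. */
int parse_trace_line(const char *line, trace_rec *out)
{
    if (strncmp(line, "[pid ", 5) == 0) {
        if (!(line = strstr(line, "] ")))
            return 0;
        line += 2;
    }
    const char *paren = strchr(line, '(');
    if (!paren || paren == line || (size_t)(paren - line) >= sizeof out->name)
        return 0;
    size_t n = (size_t)(paren - line);
    for (size_t i = 0; i < n; i++)         /* name must be an identifier */
        if (!is_ident(line[i]))
            return 0;
    memcpy(out->name, line, n);
    out->name[n] = '\0';

    out->path[0] = '\0';                     /* first quoted argument */
    const char *q = strchr(paren, '"');
    const char *qend = q ? strchr(q + 1, '"') : NULL;
    if (qend) {
        size_t len = (size_t)(qend - q - 1);
        if (len >= sizeof out->path)
            len = sizeof out->path - 1;
        memcpy(out->path, q + 1, len);
        out->path[len] = '\0';
    }

    out->ret = 0;                            /* value after ") = " */
    out->has_ret = 0;
    const char *eq = strstr(paren, ") = ");
    if (eq) {
        char *end;
        out->ret = strtol(eq + 4, &end, 0);  /* "-1 ENOENT (...)" -> -1 */
        out->has_ret = end != eq + 4;
    }
    return 1;
}

/* Count calls named `name`; with failed_only, only those returning < 0. */
int count_calls(const char *const *lines, int n, const char *name, int failed_only)
{
    int count = 0;
    trace_rec r;
    for (int i = 0; i < n; i++) {
        if (!parse_trace_line(lines[i], &r) || strcmp(r.name, name) != 0)
            continue;
        if (failed_only && !(r.has_ret && r.ret < 0))
            continue;
        count++;
    }
    return count;
}

/* Path argument of the first failed call named `name`, or NULL. */
const char *first_failed_path(const char *const *lines, int n, const char *name)
{
    static trace_rec r;
    for (int i = 0; i < n; i++)
        if (parse_trace_line(lines[i], &r) && strcmp(r.name, name) == 0 &&
            r.has_ret && r.ret < 0)
            return r.path;
    return NULL;
}

/* Constructed lines in the style of `strace -f ls` plus one ltrace line. */
const char *const SAMPLE_TRACE[] = {
    "execve(\"/usr/bin/ls\", [\"ls\"], 0x7ffc1b2c3d40 /* 20 vars */) = 0",
    "brk(NULL) = 0x55d5c0a3e000",
    "openat(AT_FDCWD, \"/etc/ld.so.preload\", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)",
    "openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 3",
    "[pid  4242] openat(AT_FDCWD, \"/lib/x86_64-linux-gnu/libc.so.6\", O_RDONLY|O_CLOEXEC) = 3",
    "read(3, \"\\177ELF\\2\\1\\1\\3\"..., 832) = 832",
    "mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c2a3b4000",
    "malloc(4096) = 0x55d5c0a3f2a0",
    "exit_group(0) = ?",
    "+++ exited with 0 +++",
};
const int SAMPLE_TRACE_LEN = (int)(sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0]);

int main(void)
{
    const char *p = first_failed_path(SAMPLE_TRACE, SAMPLE_TRACE_LEN, "openat");
    printf("openat: %d calls, %d failed, first failure on %s\n",
           count_calls(SAMPLE_TRACE, SAMPLE_TRACE_LEN, "openat", 0),
           count_calls(SAMPLE_TRACE, SAMPLE_TRACE_LEN, "openat", 1), p ? p : "(none)");
    return 0;
}
```

To use it on a real run, capture with `strace -f -o trace.txt ls` (or `ltrace -o trace.txt ls`) and feed the file's lines to `count_calls` and `first_failed_path` instead of the embedded array. Failed opens are the usual first lead when reversing a program's configuration or plugin loading: they tell you which paths it looks for before it finds one.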
Q&A part
1. Environment dependencies:
Factors like disk space, network availability, time, and random number generators affect
execution.
2. Security mechanisms:
Techniques like Address Space Layout Randomization (ASLR) change memory
addresses on each execution.
3. Multithreading behavior:
Thread scheduling and synchronization introduce timing variations, so the interleaving of
threads, and with it the program's observable behavior, can differ from run to run.
Role of Record-Replay
What is Instrumentation?
Instrumentation is the insertion of code snippets into a program to collect execution data.
Goals of Instrumentation
PIN instruments code at runtime using a virtual machine, a JIT compiler, and a code cache, so
that once a region has been translated it runs from the cache; this keeps the overhead low
compared with interpretation, although instrumented code still runs several times slower than
native code.
Dynamic Crypto Key Localization Attack (Slides 18, 19, 21, 22, 23)
Targets of Analysis
Examples
Definition
Types of Fuzzing
Core Concepts
Concolic (concrete plus symbolic) execution: using concrete inputs to drive execution along
selected paths while maintaining symbolic tracking of the inputs, so that the path constraints
collected along the way can be solved to generate inputs for other paths.
Hybrid Analysis
Combining both methods to leverage the strengths of each, such as running static analysis for
structural insights and dynamic analysis for runtime behavior validation.
Example: Using static analysis to identify critical functions and dynamic analysis to monitor their
runtime execution.