cybersecurity notes

gdb

GDB notes & commands

  • layout next (cycle through the TUI layouts: source, assembly, split, registers)
  • break *main (breakpoint on the first instruction of main, before its prologue; a plain break main stops after the prologue)
  • run
  • next, nexti (step over one source line / one instruction; step and stepi step into calls instead)
  • info registers
  • x/i $pc (disassemble the instruction at the program counter)
  • refresh (redraw the TUI)
  • start (shorthand for tbreak main followed by run: a temporary breakpoint on main, then run)
  • b 7 (add a breakpoint at source line 7; needs debug info)
  • del 1 (delete breakpoint number 1; info breakpoints lists the numbers)
  • x/10i 0x11a9 (examine, i.e. disassemble, 10 instructions starting at that address; in a PIE before run these are file-relative offsets, not runtime addresses)
  • print $sp (print the stack pointer; print/x $sp for hex)
  • ctrl+x a (toggle TUI mode)
  • ctrl+l (refresh the screen)
  • ctrl+x 2 (two-window layout; pressing it again cycles through the two-window layouts)
  • ctrl+x 1 (back to a single window)
  • ctrl+p (previous command; in the TUI the arrow keys scroll the active window instead of the history)
  • ctrl+n (next command)
  • ctrl+x o (switch the active window)
  • python (run Python with the gdb module loaded; python alone reads lines until end, python-interactive or pi gives a REPL)
    • python print(gdb.breakpoints())
    • python print(gdb.breakpoints()[0].location)
    • python gdb.Breakpoint('8') (set a breakpoint at line 8 from Python)
  • info proc mappings (look at the memory map while the process is running; this is where a PIE's load base is read from)

Finding main() in stripped binaries:

  • to find the offset: get the entry point (info file prints it; starti stops on its first instruction) and examine the few instructions after it. In glibc's _start the address of main is loaded into rdi (lea rdi, [rip+disp] in a PIE, mov rdi, imm32 in a non-PIE binary) immediately before the call to __libc_start_main, so the operand of that instruction is main. Alternatively, use Ghidra to find the offset of the main function; note that Ghidra loads a PIE at an image base of 0x100000 by default, so subtract that base to get the file-relative offset gdb works with.

  • to set a breakpoint at main: a stripped binary has no _start symbol, so get the process loaded first with starti (or break *<entry point> followed by run), then use info proc mappings to find the load base of the binary (the first mapping of the file, the one at file offset 0x0). Add the base and the offset and set the breakpoint there: break *(base+offset). For a non-PIE binary the address taken from _start is already absolute and needs no base.
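The two steps above, worked through in Python as an added example (not part of the original notes and not a gdb script): the first function decodes the "load main into rdi" instruction from the bytes of _start exactly as you would read them off x/12i after starti, the second pulls the load base out of info proc mappings output, and the third combines them into the break command. It also covers the non-PIE encoding (mov rdi, imm32), which the notes only mention in passing. The _start bytes, the entry address 0x1040, the binary name main_stripped and the mappings text are constructed sample data, chosen so that main lands on the 0x11a9 offset used elsewhere on this page; the function names are mine.

```python
import struct

# Constructed sample: the opening bytes of a typical glibc x86-64 PIE _start,
# as shown by `starti` followed by `x/12i $pc`. Entry point assumed at 0x1040.
SAMPLE_START_VADDR = 0x1040
SAMPLE_START_CODE = bytes.fromhex(
    "f30f1efa"        # endbr64
    "31ed"            # xor    ebp, ebp
    "4989d1"          # mov    r9, rdx
    "5e"              # pop    rsi
    "4889e2"          # mov    rdx, rsp
    "4883e4f0"        # and    rsp, -16
    "50"              # push   rax
    "54"              # push   rsp
    "4531c0"          # xor    r8d, r8d
    "31c9"            # xor    ecx, ecx
    "488d3d4a010000"  # lea    rdi, [rip+0x14a]   ; <-- main, rip-relative
    "ff155f2f0000"    # call   [rip+0x2f5f]      ; __libc_start_main@GOT
    "f4"              # hlt
)

# Constructed sample of `info proc mappings` output (newer gdb prints a Perms
# column, older versions do not; the parser below tolerates both).
SAMPLE_MAPPINGS = """\
process 12345
Mapped address spaces:

          Start Addr           End Addr       Size     Offset  Perms  objfile
      0x555555554000     0x555555555000     0x1000        0x0  r--p   /home/user/main_stripped
      0x555555555000     0x555555556000     0x1000     0x1000  r-xp   /home/user/main_stripped
      0x555555556000     0x555555557000     0x1000     0x2000  r--p   /home/user/main_stripped
      0x7ffff7fc3000     0x7ffff7fc5000     0x2000        0x0  r--p   [vvar]
      0x7ffff7dd5000     0x7ffff7dd7000     0x2000        0x0  r--p   /usr/lib/x86_64-linux-gnu/libc.so.6
"""


def find_main_offset(code: bytes, code_vaddr: int) -> tuple[int, bool]:
    """Locate main() from the bytes of _start.

    glibc's _start hands main to __libc_start_main in rdi. Two encodings occur:
      48 8d 3d <disp32>   lea rdi, [rip+disp]   PIE: relative to the next instruction
      48 c7 c7 <imm32>    mov rdi, imm32        non-PIE: absolute link-time address
    Returns (address, is_rip_relative). A rip-relative result is a file-relative
    offset that still needs the load base added; an absolute one does not.
    The scan is byte-by-byte, which is fine for a short _start stub but would
    false-match on arbitrary code, so only feed it the entry stub.
    """
    i = 0
    while i + 7 <= len(code):
        opcode = code[i:i + 3]
        if opcode == b"\x48\x8d\x3d":                       # lea rdi, [rip+disp32]
            disp = struct.unpack_from("<i", code, i + 3)[0]  # signed displacement
            next_insn = code_vaddr + i + 7                   # rip = address after the lea
            return next_insn + disp, True
        if opcode == b"\x48\xc7\xc7":                       # mov rdi, imm32
            return struct.unpack_from("<I", code, i + 3)[0], False
        i += 1
    raise ValueError("no 'lea/mov rdi, main' found in the supplied _start bytes")


def image_base(mappings: str, binary_name: str) -> int:
    """Return the load base of `binary_name` from `info proc mappings` text.

    The base is the start of the first mapping backed by the binary at file
    offset 0x0 (fields: Start, End, Size, Offset, [Perms], objfile).
    """
    for line in mappings.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("0x"):
            continue  # header lines and "process NNN"
        start, file_off, objfile = int(fields[0], 16), int(fields[3], 16), fields[-1]
        if file_off == 0 and (objfile == binary_name or objfile.endswith("/" + binary_name)):
            return start
    raise ValueError(f"{binary_name} not found in mappings")


def main_breakpoint_command(mappings: str, binary_name: str,
                            start_code: bytes, start_vaddr: int) -> str:
    """Produce the gdb command that breaks on main in the running process."""
    addr, rip_relative = find_main_offset(start_code, start_vaddr)
    runtime = image_base(mappings, binary_name) + addr if rip_relative else addr
    return f"break *{runtime:#x}"


if __name__ == "__main__":
    print(find_main_offset(SAMPLE_START_CODE, SAMPLE_START_VADDR))
    print(main_breakpoint_command(SAMPLE_MAPPINGS, "main_stripped",
                                  SAMPLE_START_CODE, SAMPLE_START_VADDR))
```

With the sample data the offset comes out as 0x11a9 (the lea at 0x1058 plus its 7-byte length gives a rip of 0x105f, and 0x105f + 0x14a = 0x11a9), the base is 0x555555554000, and the command to paste into gdb is break *0x5555555551a9. To use this on a real target, replace SAMPLE_START_CODE with the bytes from x/32xb $pc after starti and SAMPLE_MAPPINGS with the real info proc mappings output.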

Memory mappings in proc:

cat /proc/$(pidof main_stripped)/maps

(the same data gdb shows with info proc mappings; the first line for the binary is its load base)

Disable ASLR

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

(the redirection has to run as root, hence tee: "sudo echo 0 > ..." fails because the unprivileged shell opens the file before sudo runs. This is system-wide until reboot. For debugging alone it is usually unnecessary, since gdb already starts its inferior with randomization disabled; check with show disable-randomization.)


Last updated 1 year ago