🔬 What is Dynamic Analysis?
Analyzing software while running it. Allows seeing values in real-time, tracking behavior, and modifying execution.
Software that allows running another program step by step, stopping at specific points, and examining/modifying memory and registers.
Advantages:
- See real values at runtime
- Can bypass checks and conditions
- Discover dynamically unpacked code
- Easy to follow complex logic
When analyzing malware, always use an isolated VM!
The code actually runs and can cause damage.
🛠️ Debugging Tools
The most popular debugger for Windows RE. Free, open-source, and with a convenient interface.
- Supports 32-bit (x32dbg) and 64-bit (x64dbg)
- Convenient graphical interface
- Plugin support
- Recommended for beginners!
Microsoft's official debugger. Very powerful but with a steep learning curve.
- Can debug kernel drivers
- Access to Windows symbols
- CLI interface (newer version has GUI)
Was the most popular tool before x64dbg. Still good but not updated.
🚀 Getting Started with x64dbg
User Interface
| Window | Content |
|---|---|
| CPU | Assembly code - the main view |
| Registers | Register values in real-time |
| Stack | Stack contents |
| Dump | Memory view (hex) |
| Memory Map | Map of memory regions |
| Breakpoints | List of breakpoints |
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| F2 | Toggle Breakpoint - enable/disable BP |
| F7 | Step Into - step inside (enters functions) |
| F8 | Step Over - step over (doesn't enter) |
| F9 | Run - run until next BP |
| Ctrl+F9 | Run until Return - run until function end |
| Ctrl+G | Go to Address - jump to address |
| G | Go to Expression |
| ; | Add comment |
| : | Rename (Label) |
🔴 Breakpoints
A point in the code where the debugger will stop execution. Allows examining state at a specific point.
Types of Breakpoints
| Type | Use | How |
|---|---|---|
| Software BP | Stop at specific instruction | F2 on the line |
| Hardware BP | Stop on memory access | Right-click → Breakpoint → Hardware |
| Memory BP | Stop when reading/writing to region | Right-click on dump → Breakpoint |
| Conditional BP | Stop only if condition is met | Right-click → Edit condition |
You can set BP on Windows API functions!
bp kernel32.CreateFileA
bp ws2_32.connect
This helps catch interesting operations.
👣 Stepping
Executes one instruction. If it's a CALL, enters the function.
Executes one instruction. If it's a CALL, runs the entire function and stops after it.
00401000: mov eax, 5
00401005: call func ; F7 enters func, F8 runs it and continues
0040100A: add eax, 1 ; We stop here after F8
🔧 Runtime Modification
Modifying Registers
Double-click on a register value in the Registers window and change it.
Modifying Memory
In the Dump window, double-click on a byte and change it.
Modifying Instructions (Patching)
Changing bytes in the code to modify behavior. For example, changing JE to JNE.
; Original code - checks password
cmp eax, 1
je valid_password ; jumps if correct
; After patch - always jumps
cmp eax, 1
jmp valid_password ; JE (0x74) → JMP (0xEB)
To modify instruction: Space on the line, or right-click → Assemble
To save changes to file: Right-click → Patches → Patch File
🔍 RE Techniques
Finding the Correct Password
; Typical password check code
call get_input ; get input from user
push eax ; the entered password
push correct_password ; the correct password
call strcmp ; comparison
test eax, eax
jnz wrong_password ; if not equal - failure
jmp success
Options:
- BP on strcmp - see what's being compared
- Change ZF - after TEST, change the Zero Flag
- Patch - change JNZ to JZ (or NOP)
Tracing
Running the code and recording every instruction executed. Useful for understanding flow.
In x64dbg: Debug → Trace over / Trace into
📋 Chapter Summary
- Dynamic Analysis - analysis while running
- x64dbg - recommended debugger for beginners
- Breakpoints - stopping points (F2)
- F7 = Step Into, F8 = Step Over
- F9 = Run until next breakpoint
- Can modify registers, memory, and instructions at runtime
- Patching - modifying code to change behavior
Now it's time for practical exercises.
Go to Labs to apply what you've learned!