Reverse Engineering/Debuggers


Debuggers are, with the possible exception of a powerful decompiler, a reverse engineer's best friend. A debugger lets the user run a program step by step and examine various values and actions along the way.

Advanced debuggers often include at least a rudimentary disassembler, along with reassembly or hex-editing features. Debuggers generally let the user place breakpoints on instructions, on function calls, and even on memory locations.

A breakpoint is an instruction to the debugger to stop execution of the program when a certain condition is met. For example, when the program accesses a particular variable, or calls a particular API function, the debugger can halt the program at that point.

Windows Debuggers

OllyDbg
OllyDbg is a powerful Windows debugger with an integrated assembler and disassembler engine. It has many other features, including a price of $0. Very useful for patching, disassembling and debugging.

SoftICE
A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a very rare and very valuable feature. SoftICE was withdrawn from the market in April 2006.

WinDBG
WinDBG is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDBG is not the same as the better-known Visual Studio debugger, but it comes with a graphical interface nonetheless. It is available in 32-bit and 64-bit versions.
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

IDA Pro
The interactive, multi-processor, multi-platform disassembler, by DataRescue.
http://www.datarescue.com

Linux Debuggers

gdb
The GNU debugger; it comes with every Linux installation. It is very powerful and quite scriptable, although the user interface is rather poor.
emacs
The GNU editor can be used as a front-end to gdb. This provides a powerful hex editor and allows full scripting in a LISP-like language.
ddd
the Data Display Debugger. It's another front-end to gdb. This provides graphical representations of data structures. For example, a linked list will look just like a textbook illustration.
strace, ltrace, and xtrace
let you run a program while watching the actions it performs. With strace, you get a log of all the system calls being made. With ltrace, you get a log of all the library calls being made. With xtrace, you get a log of some of the function calls being made.
valgrind
executes a program under emulation, performing analysis according to one of its many plug-in modules. You can also write your own plug-in module.
NLKD
A kernel debugger.
http://forge.novell.com/modules/xfmod/project/?nlkd

Debuggers for Other Systems

dbx
the standard Unix debugger on systems derived from AT&T Unix. It is often part of an optional development toolkit package which comes at an extra price. It uses an interactive command line interface.
ladebug
an enhanced debugger on Tru64 Unix systems from HP (originally Digital Equipment Corporation) that handles advanced functionality like threads better than dbx.
DTrace
an advanced tool on Solaris that provides functions like profiling and many others on the entire system, including the kernel.
mdb
The Modular Debugger (MDB) is a new general purpose debugging tool for the Solaris™ Operating Environment. Its primary feature is its extensibility. The Solaris Modular Debugger Guide describes how to use MDB to debug complex software systems, with a particular emphasis on the facilities available for debugging the Solaris kernel and associated device drivers and modules. It also includes a complete reference for and discussion of the MDB language syntax, debugger features, and MDB Module Programming API.
gdb
comes standard, as a debugger, but is very often used for disassembly. If you have loose hex dump data that you wish to disassemble, simply enter it (interactively) over top of something else or compile it into a program as a string like so: char foo[] = {0x90, 0xcd, 0x80, 0x90, 0xcc, 0xf1, 0x90};

Debugger Techniques

Setting Breakpoints

As previously mentioned in the section on disassemblers, a 6-line C program doing something as simple as outputting "Hello, World!" turns into massive amounts of assembly code. Most people don't want to sift through the entire mess to find out the information they want. It can even be time consuming just to FIND the information one desires by just looking through. As an alternative, one can choose to set breakpoints to halt the program once it has reached a given point within the program.

For instance, let's say that in your program, you consistently experience crashes at one particular section, immediately after closing a message box. You set a breakpoint on all calls to MessageBoxA. You run your program with the breakpoints, and it stops, ready to call MessageBoxA. Stepping line by line through the program and watching the stack, you see that a buffer overflow occurs shortly after.
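The two gdb workflows described on this page (compiling loose hex bytes into a program as a string so gdb can disassemble them, and breaking on a function call to inspect the stack at that point) as one added, non-interactive example; this is not code from the original page. It assumes an x86 Linux host with gcc and gdb, uses a constructed show_message() function as a stand-in for the MessageBoxA call, and embeds the seven bytes quoted above.

```shell
#!/bin/sh
# Added example: batch-mode gdb session reproducing the page's two techniques.
# Assumes gcc and gdb on an x86/x86-64 Linux host (all names are constructed).
set -e
command -v gcc >/dev/null 2>&1 || { echo "gcc not found, skipping"; exit 0; }

WORK=$(mktemp -d)

# Constructed test program: the loose bytes from the text compiled in as a
# string, plus a function to break on (stand-in for the MessageBoxA call).
cat > "$WORK/hello.c" <<'EOF'
#include <stdio.h>
/* raw bytes to disassemble: nop; int 0x80; nop; int3; icebp; nop */
char foo[] = {0x90, 0xcd, 0x80, 0x90, 0xcc, 0xf1, 0x90};
void show_message(const char *m) { puts(m); }
int main(void) { show_message("Hello, World!"); return 0; }
EOF
gcc -g -O0 -o "$WORK/hello" "$WORK/hello.c"

# gdb command script: decode the raw bytes with x/Ni (examine N units as
# instructions) before running, then stop at the call and inspect the frame.
cat > "$WORK/session.gdb" <<'EOF'
set disassembly-flavor intel
x/7i &foo
break show_message
run
bt
info frame
finish
quit
EOF

# Run the scripted session without a prompt; the transcript goes to stdout.
run_gdb_session() {
    gdb -q -batch -x "$WORK/session.gdb" "$WORK/hello" 2>&1
}

if command -v gdb >/dev/null 2>&1; then
    run_gdb_session
else
    echo "gdb not found; session script is in $WORK/session.gdb"
fi
```

The transcript shows the seven bytes decoded as instructions, then "Breakpoint 1, show_message (...)" with the backtrace and frame details at the moment the call is made.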

Further Reading

  • Microsoft debugging tools main page: http://www.microsoft.com/whdc/devtools/debugging/default.mspx
  • Solaris observation and debugging tools main pages: http://www.opensolaris.org/os/community/dtrace/ and http://www.opensolaris.org/os/community/mdb/