[LESSON_05][INTERMEDIATE]

[⚡ DYNAMIC ANALYSIS & DEBUGGING]

// Master the art of analyzing malware during execution. Learn debugging techniques, API monitoring, memory analysis, and behavioral observation to uncover runtime secrets that static analysis can't reveal.

academy$ cat learning_objectives.md

[🎯 LEARNING_OBJECTIVES]

> mastery_goals.list

  • [✓] Master debugging tools (GDB, x64dbg, WinDbg, LLDB)
  • [✓] Set effective breakpoints and trace execution flow
  • [✓] Monitor API calls and system interactions
  • [✓] Analyze memory dumps and heap/stack corruption
  • [✓] Bypass anti-debugging and evasion techniques

> prerequisites.cfg

  • Completed Lesson 4: Static Analysis
  • Assembly language proficiency
  • Operating system internals knowledge
  • Virtual machine setup experience
# Estimated completion time: 4 hours
academy$ man dynamic_analysis

[📚 DYNAMIC_ANALYSIS_FUNDAMENTALS]

⚡ What is Dynamic Analysis?

Dynamic analysis involves executing malware in a controlled environment while monitoring its behavior. It's like watching a suspect in action - observing every move, interaction, and side effect as the program runs.

✅ Advantages

  • Reveals actual runtime behavior
  • Bypasses some obfuscation techniques
  • Shows network communications
  • Captures file system modifications
  • Reveals decrypted payloads

⚠️ Limitations

  • Requires safe sandbox environment
  • May not trigger all code paths
  • Can be detected by anti-analysis
  • Time-consuming setup and execution
  • Risk of malware escape

๐Ÿ› ๏ธ Dynamic Analysis Workflow

1. Environment Setup

VMware, VirtualBox, Cuckoo Sandbox

Isolated VM, snapshots, monitoring tools

2. Baseline Recording

Process Monitor, Registry Monitor

System state before malware execution

3. Execution & Monitoring

API Monitor, Wireshark, Procmon

Run malware with comprehensive logging

4. Interactive Debugging

x64dbg, GDB, WinDbg, OllyDbg

Step through code, examine memory

5. Behavioral Analysis

MITRE ATT&CK, Custom Scripts

Correlate observations, identify TTPs
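Steps 2 and 3 in practice: the script below is an added example, not part of the course materials, that diffs a Regshot-style baseline snapshot against a post-execution snapshot and flags new or changed entries in common persistence locations. The snapshots, paths, hashes and the persistence-path list are constructed assumptions for illustration.

```python
# Constructed Regshot-style snapshots: {path: sha256} for files, {key: value} for
# registry values. Hashes and paths are illustrative placeholders, not real IoCs.
BASELINE = {
    "files": {
        r"C:\Windows\System32\kernel32.dll": "aaaa1111",
        r"C:\Windows\System32\drivers\etc\hosts": "eeee5555",
    },
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": "OneDrive.exe",
    },
}
AFTER_RUN = {
    "files": {
        r"C:\Windows\System32\kernel32.dll": "aaaa1111",
        r"C:\Windows\System32\drivers\etc\hosts": "dddd4444",         # modified
        r"C:\Users\analyst\AppData\Roaming\svchost.exe": "cccc3333",  # dropped file
    },
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": "OneDrive.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": "svchost.exe",  # new autorun
    },
}

# Assumed heuristic list of locations where a new or changed entry after
# execution usually deserves a closer look; extend it for your own baseline.
PERSISTENCE_HINTS = (r"\currentversion\run", r"\appdata\roaming", r"\startup")


def diff_table(before: dict, after: dict) -> dict:
    """Return added / removed / modified entries between two snapshot tables."""
    return {
        "added": {k: v for k, v in after.items() if k not in before},
        "removed": {k: v for k, v in before.items() if k not in after},
        "modified": {k: (before[k], after[k])
                     for k in before.keys() & after.keys() if before[k] != after[k]},
    }


def report(baseline: dict, after: dict) -> dict:
    """Diff both sections and flag changes that land in persistence locations."""
    out = {}
    for section in ("files", "registry"):
        delta = diff_table(baseline[section], after[section])
        changed = list(delta["added"]) + list(delta["modified"])
        delta["persistence_candidates"] = sorted(
            k for k in changed if any(h in k.lower() for h in PERSISTENCE_HINTS))
        out[section] = delta
    return out
```

Feed it real Regshot or Procmon exports by building the same `{path: hash}` and `{key: value}` tables; the unchanged kernel32.dll and OneDrive entries show that only deltas reach the report.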

🔧 Essential Debugging Tools

x64dbg (Windows): Modern Windows debugger with plugin support
  Ring 3 debugging · Script engine · Memory maps · Plugin ecosystem

GDB (Linux/macOS): GNU Debugger - powerful command-line debugging
  Python scripting · Remote debugging · Core dump analysis · Multi-threading

WinDbg (Windows): Microsoft's kernel and user-mode debugger
  Kernel debugging · Crash dump analysis · Time Travel Debugging · JavaScript scripting

LLDB (macOS/iOS): Apple's debugger for Xcode and command line
  Swift/Obj-C support · iOS debugging · Python API · DWARF symbols
academy$ ls -la labs/dynamic-analysis/

[🧪 HANDS_ON_LABS]

Lab 1: Basic Debugging Workflow

BEGINNER ⏱ 45 min

> objectives:

  • Set up x64dbg with a simple malware sample
  • Practice setting breakpoints at entry point and key functions
  • Step through execution and examine register values
  • Identify and trace function calls using the call stack

> deliverables:

  • Screenshot of successful breakpoint hit
  • Register dump analysis
  • Function call trace

Lab 2: API Monitoring & System Calls

INTERMEDIATE ⏱ 60 min

> objectives:

  • Monitor Windows API calls using API Monitor
  • Trace file system operations with Process Monitor
  • Capture network traffic during malware execution
  • Correlate API calls with static analysis findings

> deliverables:

  • API call log with analysis
  • Network traffic PCAP
  • File system changes report

Lab 3: Memory Analysis & Heap Inspection

INTERMEDIATE ⏱ 75 min

> objectives:

  • Analyze heap allocations and memory layouts
  • Dump and examine process memory regions
  • Identify string decryption in memory
  • Track memory corruption and buffer overflows

> deliverables:

  • Memory dump analysis
  • Decrypted strings extraction
  • Heap corruption evidence

Lab 4: Anti-Debugging Bypass

ADVANCED ⏱ 90 min

> objectives:

  • Identify common anti-debugging techniques
  • Bypass IsDebuggerPresent() and PEB checks
  • Handle timing-based detection mechanisms
  • Use ScyllaHide or similar evasion tools

> deliverables:

  • Anti-debug technique documentation
  • Successful bypass demonstration
  • Evasion tool configuration
academy$ cat advanced_techniques.md

[🚀 ADVANCED_TECHNIQUES]

🎯 Code Coverage Analysis

Maximize analysis coverage by instrumenting execution and driving as many code paths as possible during dynamic analysis.

  • DynamoRIO: Dynamic instrumentation framework
  • Intel Pin: Binary instrumentation tool
  • Frida: JavaScript-based instrumentation
  • Custom harnesses: Trigger specific behaviors

🧠 Behavioral Modeling

Create comprehensive behavioral profiles by correlating multiple analysis dimensions.

  • MITRE ATT&CK: Map techniques to framework
  • Kill chain analysis: Identify attack phases
  • IOC extraction: Generate detection signatures
  • Family clustering: Group related samples

🛡️ Evasion Detection

Identify and bypass sophisticated anti-analysis techniques employed by modern malware.

  • VM detection: Hardware fingerprinting bypass
  • Timing attacks: Performance-based detection
  • Debugger detection: PEB, API hooks, exceptions
  • Environmental keying: Context-aware execution

⚙️ Automation & Scaling

Scale dynamic analysis using automated frameworks and distributed analysis systems.

  • Cuckoo Sandbox: Automated malware analysis
  • CAPE Sandbox: Configuration extraction
  • Joe Sandbox: Commercial analysis platform
  • Custom pipelines: Tailored analysis workflows
academy$ cat resources.txt

[📚 RESOURCES_&_TOOLS]

> debuggers.list

  • x64dbg
    Modern Windows debugger
  • GDB
    GNU Debugger (Linux/macOS)
  • WinDbg
    Microsoft kernel debugger
  • LLDB
    LLVM debugger (macOS/iOS)
  • OllyDbg
    Classic 32-bit debugger

> monitoring.tools

  • Process Monitor
    File/Registry monitoring
  • API Monitor
    API call tracking
  • Wireshark
    Network traffic analysis
  • Sysmon
    System activity logging
  • Regshot
    Registry change detection

> sandboxes.env

  • Cuckoo Sandbox
    Open-source automation
  • CAPE
    Configuration extraction
  • VMware
    Virtual machine platform
  • VirtualBox
    Free virtualization
  • FlareVM
    Malware analysis VM
academy$ ./assessment.sh --lesson=5

[📊 ASSESSMENT_&_NEXT_STEPS]

✅ Knowledge Check

  • Can you set breakpoints and trace execution in multiple debuggers?
  • Do you understand different types of breakpoints (software, hardware, conditional)?
  • Can you monitor API calls and correlate them with malware behavior?
  • Are you comfortable analyzing memory dumps and heap structures?
  • Can you identify and bypass basic anti-debugging techniques?
  • Do you understand the integration between static and dynamic analysis?

🚀 Continue Learning

Next: Lesson 6 - Advanced Static Analysis
Master sophisticated reverse engineering techniques with professional tools
Practice: Real Malware Samples
Apply skills to actual malware families
Advanced: Tool Integration
Combine static and dynamic analysis for comprehensive research
✅ Dynamic Analysis Complete!