Debugging Running Process
GDB has capability to attach to the running process and debug it.
From the perspective of malware analysis, attaching GDB (or a similar debugger) to a running process can provide deep insights into how a piece of malware operates.
Dynamic Analysis (Behavioral Analysis)
Attaching GDB to a live process allows you to perform dynamic analysis, which involves running the malware and observing its behavior in real-time.
Memory Forensics
By attaching GDB, you can analyze the memory layout of a running malware process(encrypted strings, how the malware allocates and uses memory, presence of malicious shellcode)
Monitoring Process Injection
Malware often injects malicious code into other processes (process injection) to hide its presence or escalate privileges.
By attaching GDB we can monitor how the injection were performed, which system calls are used, how the injected code behaves in the target process.
Program with Multiple Threads
GDB has capability to deal with multiple threads of a process.
It can be very useful when you’re debugging multi-threaded applications or malware that uses threads for concurrency. In a multi-threaded environment, GDB allows you to inspect, control, and manipulate individual threads within a running process.
Thread Identification and Listing
GDB can identify and display all the threads running within a process. Each thread has a unique identifier (ID) that can be used to switch between and control threads.
Inspecting Thread-Specific Information
Once you’ve switched to a thread, you can inspect its call stack and local variables. Each thread has its own stack, so the backtrace and variables can be different for each thread.
Inspecting Deadlocks and Race Conditions
If the application or malware involves deadlocks or race conditions, GDB can help investigate by examining the call stacks of all threads. You can switch between threads and inspect their state to determine which threads are waiting for locks or resources and identify potential synchronization problems.
gcc sample.c -g -pthread -o sample
Above command line compile a C program with specific options that enable debugging and multi-threading support.
-pthread tells GCC to include support for POSIX threads (often referred to as pthreads), which is a threading library used in many Unix-like systems, including Linux.
Run the program in the background to keep interacting with the command prompt. This can be accomplished by using & character.