1.2 Controlling Process Execution

A debugger gives you the ability to control/modify the behavior of the process while it is executing. The two important capabilities offered by a debugger are: (a) the ability to control execution, and (b) the ability to interrupt execution (using breakpoints). Using a debugger, you can execute one or more instructions (or select functions) before returning control to the debugger. During analysis, you will combine both the debugger's controlled execution and the interruption (breakpoint) feature to monitor a malware's behavior. In this section, you will learn about the common execution control functionalities offered by the debuggers; in later sections, you will learn how to use these features in IDA Pro, x64dbg, and dnSpy.

The following are some of the common execution control options provided by the debuggers:

  • Continue (Run): This executes all of the instructions until a breakpoint is reached or an exception occurs. When you load a malware sample into a debugger and use the continue (Run) option without setting a breakpoint, it will execute all of the instructions without giving you any control; so, you normally use this option along with a breakpoint, to interrupt the program at the breakpoint location.
  • Step into and Step over: Using step into and step over, you can execute a single instruction. After executing the single instruction, the debugger stops, giving you a chance to inspect the process's resources. The difference between step into and step over occurs when you are executing an instruction that calls a function. For example, in the following code, at ➊, there is a call to the function sub_401000. When you use the step into option on this instruction, the debugger will stop at the start of the function (at the address 0x401000), whereas when you use step over, the entire function will be executed, and the debugger will pause at the next instruction, ➋ (that is, the address 0x00401018). You will normally use step into to get inside a function, to understand its inner workings. Step over is used when you already know what a function does (such as an API function) and would like to skip over it:
.text:00401010    push    ebp
.text:00401011    mov     ebp, esp
.text:00401013    call    sub_401000    ➊
.text:00401018    xor     eax, eax      ➋
  • Execute till Return (Run until return): This option allows you to execute all of the instructions in the current function, until it returns. This is useful if you accidentally step into a function (or step into a function that is not interesting) and would like to come out of it. Using this option inside a function will take you to the end of the function (ret or retn), after which you can use either the step into or step over option to return to the calling function.
  • Run to cursor (Run until selection): This allows you to execute instructions until the current cursor location, or until the selected instruction is reached.
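To make the difference between these options concrete, the following added example (not from the book) models how a debugger implements them on a tiny constructed instruction stream based on the listing above: step over as "continue to a temporary breakpoint at the return address", execute till return as "continue until the current frame's ret", and run to cursor as "continue to a temporary breakpoint at the selected address". The body of sub_401000 (0x401000 to 0x401004) and the final ret at 0x40101A are invented for the example.

```python
# Constructed instruction stream modelled on the listing above. sub_401000's
# body and the trailing ret are assumptions made for this example.
CODE = {
    0x401000: ("push", "ebp"), 0x401001: ("mov", "ebp, esp"),
    0x401003: ("pop", "ebp"),  0x401004: ("ret", None),
    0x401010: ("push", "ebp"), 0x401011: ("mov", "ebp, esp"),
    0x401013: ("call", 0x401000),            # ➊
    0x401018: ("xor", "eax, eax"),           # ➋
    0x40101A: ("ret", None),
}
ORDER = sorted(CODE)

def next_addr(pc):
    """Fall-through address: the instruction that follows pc in memory."""
    return ORDER[ORDER.index(pc) + 1]

class Debuggee:
    """Minimal process model: a program counter and a return-address stack."""
    def __init__(self, entry=0x401010):
        self.pc, self.stack = entry, []

    def execute_one(self):
        mnem, op = CODE[self.pc]
        if mnem == "call":
            self.stack.append(next_addr(self.pc)); self.pc = op
        elif mnem == "ret":
            self.pc = self.stack.pop() if self.stack else None  # None = exited
        else:
            self.pc = next_addr(self.pc)

class Debugger:
    def __init__(self, target): self.t, self.bps = target, set()

    def cont(self, temp_bp=None):
        """Continue (Run): execute until a user or temporary breakpoint, or exit."""
        while True:
            self.t.execute_one()
            if self.t.pc is None or self.t.pc in self.bps or self.t.pc == temp_bp:
                return self.t.pc

    def step_into(self):
        self.t.execute_one(); return self.t.pc

    def step_over(self):
        """On a call, run the whole callee and stop at the instruction after it."""
        if CODE[self.t.pc][0] == "call":
            return self.cont(temp_bp=next_addr(self.t.pc))
        return self.step_into()

    def run_until_return(self):
        """Execute till Return: stop on the ret of the current frame (not past it)."""
        depth = len(self.t.stack)
        while self.t.pc is not None and not (CODE[self.t.pc][0] == "ret" and len(self.t.stack) == depth):
            self.t.execute_one()
        return self.t.pc

    def run_to_cursor(self, addr): return self.cont(temp_bp=addr)
```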