The OllyDbg Interface

As soon as you load a program into OllyDbg, you will see four windows filled with information that you will find useful for malware analysis, as shown in Figure 9-2.

Figure 9-2. The OllyDbg interface

These windows display information as follows:

  • Disassembler window. This window shows the debugged program’s code—the current instruction pointer with several instructions before and after it. Typically, the next instruction to be executed will be highlighted in this window. To modify instructions or data (or add new assembly instructions), press the spacebar within this window.

  • Registers window. This window shows the current state of the registers for the debugged program. As the code is debugged, a register changes color from black to red once the previously executed instruction has modified it. As in the disassembler window, you can modify data in the registers window as the program is debugged by right-clicking any register value and selecting Modify. You will be presented with the Modify dialog, as shown in Figure 9-3, where you can change the value.

    Figure 9-3. Modifying a register

  • Stack window. This window shows the current state of the stack in memory for the thread being debugged. This window always shows the top of the stack for the given thread. You can manipulate the stack in this window by right-clicking a stack location and selecting Modify. OllyDbg places useful comments on some stack locations that describe the arguments placed on the stack before an API call. These aid analysis, since you won’t need to work out the stack order yourself or look up the API’s argument ordering.

  • Memory dump window. This window shows a dump of live memory for the debugged process. Press CTRL-G in this window and enter a memory location to dump any memory address. (Or click a memory address and select Follow in Dump to dump that address.) To edit memory in this window, right-click it and choose Binary ▶ Edit. This can be used to modify global variables and other data that malware stores in RAM.
