Reverse engineering has long been the leading method for understanding how malicious programs operate and what they’re engineered to do. Reverse engineering as a process has evolved as malware has become more sophisticated and detection tools have improved, but it remains critical.
 
Reverse engineering malware involves disassembling (and sometimes decompiling) a program. Through this process, binary instructions are converted into assembly mnemonics (or higher-level constructs) so that engineers can see what the program does and which systems it affects. Only once those details are known can engineers build defenses that mitigate the program's intended malicious effects.

Now, let's look at techniques that can be used while analyzing malware.

  1. First of all, we use static analysis: analyzing malware or binaries without actually running them. It can be as simple as looking at a file's metadata, or it can range from disassembling or decompiling the malware's code to symbolic execution, which is something like a virtual execution of the binary without actually running it in a real environment.
  2. Conversely, dynamic analysis is analyzing a piece of malware while running it in a live environment. Here you are usually observing the malware's behavior and the side effects of what it does, running tools like Process Monitor and Sysmon to see what artifacts the sample produces once it runs.
  3. We also use automated analysis. When looking at malware you often want to automate things to speed up the process and save time. Use caution, however: automated analysis sometimes misses things because it handles every sample generically.
  4. If a sample contains anti-debugging routines or other anti-analysis mechanisms, you may need to fall back on manual analysis. Pick the right tools for the job.
A reverse engineer uses a range of tools to find out how a program propagates through a system and what it is engineered to do; in doing so, the reverser learns which vulnerabilities the program intends to exploit.

To reverse malware code, engineers rely on many tools. Below is a small selection of the most important ones:
  1. Disassemblers (e.g. IDA Pro). A disassembler takes an application apart to produce assembly code. Decompilers are also available for converting binary code into higher-level, source-like code, although they are not available for every architecture.
  2. Debuggers (e.g. x64dbg, GDB, WinDbg, Wind River, Immunity Debugger). Reversers use debuggers to manipulate a program's execution in order to gain insight into what it is doing while it runs. Debuggers also let the engineer control certain aspects of the running program, such as regions of its memory, which gives more insight into what the program does and how it affects a system or network.
  3. PE viewers (e.g. CFF Explorer, PE Explorer). PE (Windows Portable Executable file format) viewers extract important information from executables, for example the dependencies an executable imports; for Windows samples, PEiD, PEStudio and other PE32 tools are great. For monitoring activity on the system, we use System Monitor (Sysmon) and Regshot.
  4. Network analyzers (e.g. Wireshark). A network analyzer shows an engineer how a program interacts with other machines, including which connections the program makes and what data it attempts to send.
  5. Other tools are:
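What a PE viewer shows is read straight from the file's headers, and the same headers support one of the simplest static-analysis checks from the list of techniques above: per-section entropy as a packing indicator. The following is an added example, not code from the original article or from any of the tools it names. It parses the DOS header, the NT file and optional headers and the section table using the PE format's documented layout, and it builds a minimal hand-made PE image in memory so the parser can be run offline; that image, the 7.0 bits-per-byte packing threshold and all the field values are constructed for this example and are not a real sample.

```python
import math
import struct
from collections import Counter

ENTROPY_PACKED_THRESHOLD = 7.0   # heuristic: above ~7 bits/byte, data looks packed or encrypted

# IMAGE_SCN_* section characteristic bits from the PE specification.
SECTION_FLAGS = {0x00000020: "CODE", 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_flags(chars: int) -> list:
    return [name for bit, name in SECTION_FLAGS.items() if chars & bit]


def parse_pe(blob: bytes) -> dict:
    """Extract the header fields a PE viewer shows, plus a per-section entropy check."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)          # offset of the NT headers
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                            # IMAGE_FILE_HEADER (20 bytes)
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                                # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry_rva,) = struct.unpack_from("<I", blob, opt + 16)     # AddressOfEntryPoint
    if magic == 0x20B:                                           # PE32+ (64-bit): ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", blob, opt + 24)
    elif magic == 0x10B:                                         # PE32 (32-bit): ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", blob, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    sections, entry_section = [], None
    for i in range(nsections):                                   # IMAGE_SECTION_HEADER array, 40 bytes each
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(blob[rawptr:rawptr + rawsize])
        if va <= entry_rva < va + max(vsize, rawsize):           # which section holds the entry point?
            entry_section = sname
        sections.append({"name": sname, "virtual_address": va, "raw_size": rawsize,
                         "flags": section_flags(chars), "entropy": round(ent, 3),
                         "high_entropy": ent > ENTROPY_PACKED_THRESHOLD})
    return {"machine": machine, "pe32plus": magic == 0x20B, "timestamp": timestamp,
            "characteristics": characteristics, "image_base": image_base,
            "entry_point_rva": entry_rva, "entry_section": entry_section, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal 64-bit PE image: a tiny .text and a high-entropy .data section."""
    text = b"\x48\x31\xc0\xc3" + b"\x90" * 60                    # xor rax,rax ; ret ; nop padding
    data = bytes((i * 131 + 7) % 256 for i in range(256))        # every byte value once -> 8.0 bits/byte
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # entry point RVA inside .text
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), 0x400, 0, 0, 0, 0, 0xC0000040)
    blob = bytearray(bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec1 + sec2)
    blob += bytes(0x200 - len(blob))                             # pad to .text raw offset
    blob += text
    blob += bytes(0x400 - len(blob))                             # pad to .data raw offset
    blob += data
    return bytes(blob)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine={info['machine']:#x} pe32+={info['pe32plus']} image_base={info['image_base']:#x} "
          f"entry={info['entry_point_rva']:#x} ({info['entry_section']})")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va={s['virtual_address']:#07x} raw={s['raw_size']:5d} "
              f"entropy={s['entropy']:.3f} flags={','.join(s['flags'])}"
              + ("  <-- possibly packed" if s["high_entropy"] else ""))
```

Point the parser at a real file with `parse_pe(open(path, "rb").read())`. A section that is both high-entropy and holds the entry point, or that is marked WRITE as well as EXECUTE, is the usual cue that the static view is of a packer stub rather than the real code, which is when the dynamic tools from the list earn their keep.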

 


This article was written and published by Meena R, Senior Manager - IT at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.

34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.

If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM