11/09/2008

Reverse Engineering Tools

Microsoft Windows

Three tools pervade the warchest of the contemporary analyst on the Windows platform: IDA, SoftICE, and PE Tools. IDA is the Interactive Disassembler from Data Rescue. IDA is used to examine the executable on-disk. IDA provides useful features such as call graphs for analyzing program flow and automatic library detection.

SoftICE is a Ring 0 debugger from Compuware. Though SoftICE is no longer an offering from Compuware, it's use is still very common. While the author now uses WinDbg in place of SoftICE, some analysts have turned to OllyDbg. It is presumed that once Compuware decides to sell SoftICE, the debugger will regain it's previous popularity.

PE Tools is used to dump either a partial (region) or full in-memory image of an executable. It also includes the ability to automatically remove "Anti Dump Protection", and find the original OEP (AddressOfEntryPoint value of the IMAGE_OPTIONAL_HEADER structure). This tool would be used with a packed or encrypted executable. After the decompression or decryption occurs, PE Tools would be used to copy the image from memory for further analysis.

IDA is used to perform a static analysis on-disk, while a debugger is used to interrogate the executing program while in-memory. Based on the tools, this leads to the observation that a Protection Scheme must be functional in two environments - on-disk and in-memory. In the virus research community, challenging disassembly occurs in the anti-disassembly layer, while the implementation deterring dynamic analysis is known as a anti-debug layer.

Unix and Linux

For Unix and Linux, objdump (with it's PERL based wrapper dasm) and gdb are two available tools. gdb supports debugging of C, C++, Java, Fortran and Assembly among other languages. In addition, gdb is designed to work closely with the GNU Compiler Collection (GCC). objdump and dasm collectively act as full disassembler. Alternately, one can run Windows applications such as IDA on Linux using Wine, which acts as a compatibility layer for running Windows programs on Linux. Kris Kaspersky introduces additional tools and details procedures specific to the ELF file format in Hacker Disassembling Uncovered.

沒有留言: