Microsoft Windows
Three tools pervade the war chest of the contemporary analyst on the Windows platform: IDA, SoftICE, and PE Tools. IDA is the Interactive Disassembler from Data Rescue. IDA is used to examine the executable on-disk. IDA provides useful features such as call graphs for analyzing program flow and automatic library detection.

SoftICE is a Ring 0 debugger from Compuware. Though SoftICE is no longer an offering from Compuware, its use is still very common. While the author now uses WinDbg in place of SoftICE, some analysts have turned to OllyDbg. It is presumed that once Compuware decides to sell SoftICE, the debugger will regain its previous popularity.
PE Tools is used to dump either a partial (region) or full in-memory image of an executable. It also includes the ability to automatically remove "Anti Dump Protection" and find the original OEP (the AddressOfEntryPoint value of the IMAGE_OPTIONAL_HEADER structure). This tool would be used with a packed or encrypted executable: after the decompression or decryption occurs, PE Tools would be used to copy the image from memory for further analysis.

IDA is used to perform a static analysis on-disk, while a debugger is used to interrogate the executing program in-memory. Based on the tools, this leads to the observation that a protection scheme must be functional in two environments: on-disk and in-memory. In the virus research community, challenging disassembly occurs in the anti-disassembly layer, while the implementation deterring dynamic analysis is known as an anti-debug layer.