Reverse Engineering
Last modified: 2024-02-18
Malware
Reverse Engineering
Analyze and get the knowledge of executables.
Static Analysis
File Information
file ./executable
Printable Contents
strings ./executable
# Get lines which include specific keyword
# -i: Ignore case
# -B: Print before N lines of target line
# -A: Print after N lines of target line
strings ./executable | grep -i password -B 5 -A 5
Shared Object (Library) Dependencies
ldd ./executable
Object Information
# -f: Display file headers
objdump -f ./executable
# -p: Print information that is specific to the object file format
objdump -p ./executable
# -h: Display section headers
objdump -h ./executable
# -d: Disassebmle executable sections
# -M intel: Specify Intel syntax
objdump -dM intel ./executable
# -D: Disassemble all
objdump -DM intel ./executable
# -s: Display full contents of any sections
objdump -s ./executable
# -x: Display all headers
objdump -x ./executable
# -g: Display debug information
objdump -g ./executable
# -t: Display the symbol table
objdump -t ./executable
# -T: Display the dynamic symbol table
objdump -T ./executable
# -R: Display the dynamic relocation table
objdump -R ./executable
Contents in Hexadecimal & ASCI
# -C: Canonical hex+ASCII display
hexdump -C ./executable
# less: Open pager
hexdump -C ./executable | less
xxd ./executable
# less: Open pager
xxd ./executable | less
Packer Detection
To check if a binary is compressed with packer such as UPX, dump the hex and extract text related to the packer as below.
# -B: Print before 20 lines from matched string.
# -A: Print after 20 lines from matched string.
hd ./sample | grep UPX -B 20 -A 20
xxd ./sample | grep UPX -B 20 -A 20
If found, we can decompress it.
upx -d ./sample
Security Properties
checksec --file=./sample
| Property | Details |
|---|---|
| RELRO | Relocation Read-Only, which makes the global offset table (GOT) read-only. |
| Stack Canaries | Tokens placed after a stack to detect a stack overflow. |
| NX | Non-Executable. It prevents from shellcode. |
| RWX | Read-Write-Executable. It's vulnerable to shellcode. |
| PIE | Position Independent Executable. It loads the program dependencies into random locations. |
Code Analysis
- Decompiler Explorer
- Ghidra
Dynamic Analysis
Tracing
# Executa binary and trace library calls
ltrace ./executable
# Executa binary and trace system calls and signals
strace -f ./executable