Reverse Engineering

Last modified: 2024-02-18

Malware Reverse Engineering

Analyze executables to understand what they contain and how they behave.

Static Analysis

File Information

file ./executable

Printable Contents

strings ./executable

# Get lines which include specific keyword
# -i: Ignore case
# -B N: Print N lines before each matching line
# -A N: Print N lines after each matching line
strings ./executable | grep -i password -B 5 -A 5

Shared Object (Library) Dependencies

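# ldd may execute the target to resolve its dependencies; run it on untrusted samples only inside an isolated analysis environment
ldd ./executable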

Object Information

# -f: Display file headers
objdump -f ./executable

# -p: Print information that is specific to the object file format
objdump -p ./executable

# -h: Display section headers
objdump -h ./executable

# -d: Disassemble executable sections
# -M intel: Specify Intel syntax
objdump -dM intel ./executable
# -D: Disassemble all
objdump -DM intel ./executable

# -s: Display full contents of any sections
objdump -s ./executable

# -x: Display all headers
objdump -x ./executable

# -g: Display debug information
objdump -g ./executable

# -t: Display the symbol table
objdump -t ./executable
# -T: Display the dynamic symbol table
objdump -T ./executable

# -R: Display the dynamic relocation table
objdump -R ./executable

Contents in Hexadecimal & ASCII

# -C: Canonical hex+ASCII display
hexdump -C ./executable
# less: Open pager
hexdump -C ./executable | less

xxd ./executable
# less: Open pager
xxd ./executable | less

Packer Detection

To check whether a binary is compressed with a packer such as UPX, dump it as hex and search for text related to the packer, as below.

# -B 20: Print 20 lines before each matching line.
# -A 20: Print 20 lines after each matching line.
hd ./sample | grep UPX -B 20 -A 20

xxd ./sample | grep UPX -B 20 -A 20

If the UPX strings are found, we can decompress the binary.

upx -d ./sample 
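The marker search above as a script, given here as an added example that is not part of the original page. It goes beyond the grep check by also measuring byte entropy, since compressed data stays high-entropy even when the UPX strings have been altered; the 7.0 bits-per-byte threshold, the 4096-byte window and all function names are assumptions.

```python
import math
import sys
from collections import Counter

# Markers UPX normally leaves behind: the "UPX!" magic and, in PE files,
# the section names UPX0 / UPX1.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
ENTROPY_THRESHOLD = 7.0  # assumed heuristic cut-off, bits per byte (max 8.0)
WINDOW = 4096            # assumed window size in bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def find_markers(data: bytes) -> dict:
    """Map each UPX marker present to the offset of its first occurrence."""
    return {m.decode(): data.find(m) for m in UPX_MARKERS if m in data}


def high_entropy_windows(data: bytes) -> list:
    """(offset, entropy) for every full window at or above the threshold."""
    hits = []
    for off in range(0, len(data) - WINDOW + 1, WINDOW):
        e = shannon_entropy(data[off:off + WINDOW])
        if e >= ENTROPY_THRESHOLD:
            hits.append((off, round(e, 2)))
    return hits


def assess(data: bytes) -> dict:
    """Flag a file as likely packed on a marker hit or mostly high-entropy content."""
    markers = find_markers(data)
    windows = high_entropy_windows(data)
    mostly_random = len(windows) * WINDOW > len(data) // 2
    return {"markers": markers, "high_entropy_windows": windows,
            "likely_packed": bool(markers) or mostly_random}


if __name__ == "__main__":
    # Usage: python3 this_script.py ./sample  (reads the file, never runs it)
    with open(sys.argv[1], "rb") as f:
        print(assess(f.read()))
```

A marker hit is what justifies trying `upx -d`; a high-entropy result without markers only says the content is compressed or encrypted, not which packer produced it.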

Security Properties

checksec --file=./sample
Property | Details
RELRO | Relocation Read-Only, which makes the global offset table (GOT) read-only.
Stack Canaries | Values placed on the stack in front of the saved return address to detect a stack buffer overflow.
NX | Non-Executable. Memory such as the stack is not executable, which prevents injected shellcode from running.
RWX | Read-Write-Executable. Segments that are both writable and executable are vulnerable to shellcode.
PIE | Position Independent Executable. The executable itself can be loaded at a randomized base address.

Code Analysis

Dynamic Analysis


# Execute the binary and trace library calls
ltrace ./executable

# Execute the binary and trace system calls and signals
strace -f ./executable