Chapter 1
INTRODUCTION TO IDA
Outline
• Disassembly Theory
• The Why and How of Disassembly
• Reversing and Disassembly Tools
Disassembly Theory
• First-generation languages
- These are the lowest form of language, generally consisting of ones and
zeros or some shorthand form such as hexadecimal, and readable only by
binary ninjas.
- Things are confusing at this level because it is often difficult to distinguish
data from instructions since everything looks pretty much the same.
- First-generation languages may also be referred to as machine languages,
and in some cases byte code, while machine language programs are often
referred to as binaries.
• Second-generation languages
- Also called assembly languages, second-generation languages are a mere
table lookup away from machine language and generally map specific bit
patterns, or operation codes (opcodes), to short but memorable character
sequences called mnemonics.
- Occasionally these mnemonics actually help programmers remember the
instructions with which they are associated.
- An assembler is a tool used by programmers to translate their assembly
language programs into machine language suitable for execution.
• Third-generation languages
- These languages take another step toward the expressive capability of natural
languages by introducing keywords and constructs that programmers use as
the building blocks for their programs.
- Third-generation languages are generally platform independent, though
programs written using them may be platform dependent as a result of using
features unique to a specific operating system.
- Often-cited examples include FORTRAN, COBOL, C, and Java.
Programmers generally use compilers to translate their programs into
assembly language or all the way to machine language (or some rough
equivalent such as byte code).
The Why and How of Disassembly
• The Why of Disassembly
- The purpose of disassembly tools is often to facilitate understanding of
programs when source code is unavailable.
- Common situations in which disassembly is used include these:
o Analysis of malware
o Analysis of closed-source software for vulnerabilities
o Analysis of closed-source software for interoperability
o Analysis of compiler-generated code to validate compiler performance/
correctness
o Display of program instructions while debugging
• Malware Analysis
- Unless you are dealing with a script-based worm, malware authors seldom do
you the favor of providing the source code to their creations.
- Lacking source code, you are faced with a very limited set of options for
discovering exactly how the malware behaves.
- The two main techniques for malware analysis are dynamic analysis and static
analysis.
o Dynamic analysis involves allowing the malware to execute in a carefully
controlled environment (sandbox) while recording every observable aspect
of its behavior using any number of system instrumentation utilities.
o In contrast, static analysis attempts to understand the behavior of a program
simply by reading through the program code, which, in the case of malware,
generally consists of a disassembly listing.
• Vulnerability Analysis
- For the sake of simplification, let’s break the entire security-auditing process
into three steps:
o vulnerability discovery,
o vulnerability analysis, and
o exploit development.
- The same steps apply whether you have source code or not; however, the level
of effort increases substantially when all you have is a binary.
- The first step in the process is to discover a potentially exploitable condition in
a program.
- This is often accomplished using dynamic techniques such as fuzzing, but it
can also be performed (usually with much more effort) via static analysis.
- Once a problem has been discovered, further analysis is often required to
determine whether the problem is exploitable at all and, if so, under what
conditions.
- Disassembly listings provide the level of detail required to understand exactly
how the compiler has chosen to allocate program variables.
- For example, it might be useful to know that a 70-byte character array declared
by a programmer was rounded up to 80 bytes when allocated by the compiler.
- Disassembly listings also provide the only means to determine exactly how a
compiler has chosen to order all of the variables declared globally or within
functions.
- Understanding the spatial relationships among variables is often essential when
attempting to develop exploits.
- Ultimately, by using a disassembler and a debugger together, an exploit may be
developed.
• Software Interoperability
- When software is released in binary form only, it is very difficult for competitors to
create software that can interoperate with it or to provide plug-in replacements for that
software.
- A common example is driver code released for hardware that is supported on only one
platform.
- When a vendor is slow to support or, worse yet, refuses to support the use of its
hardware with alternative platforms, substantial reverse engineering effort may be
required in order to develop software drivers to support the hardware.
- In these cases, static code analysis is almost the only remedy and often must go beyond
the software driver to understand embedded firmware.
• Compiler Validation
- Since the purpose of a compiler (or assembler) is to generate machine language, good
disassembly tools are often required to verify that the compiler is doing its job in
accordance with any design specifications.
- Analysts may also be interested in locating additional opportunities for optimizing
compiler output and, from a security standpoint, ascertaining whether the compiler itself
has been compromised to the extent that it may be inserting back doors into generated
code.
• Debugging Displays
- Perhaps the single most common use of disassemblers is to generate listings within
debuggers.
- Unfortunately, disassemblers embedded within debuggers tend to be fairly
unsophisticated.
- They are generally incapable of batch disassembly and sometimes balk at disassembling
when they cannot determine the boundaries of a function.
- This is one of the reasons why it is best to use a debugger in conjunction with a high-
quality disassembler to provide better situational awareness and context during
debugging.
• The How of Disassembly
- Now that you’re well versed in the purposes of disassembly, it’s time to move on to how
the process actually works.
- Consider a typical daunting task faced by a disassembler: Take these 100KB, distinguish
code from data, convert the code to assembly language for display to a user, and please
don’t miss anything along the way.
- We could tack any number of special requests on the end of this, such as asking the
disassembler to locate functions, recognize jump tables, and identify local variables,
making the disassembler’s job that much more difficult.
- In order to accommodate all of our demands, any disassembler will need to pick and
choose from a variety of algorithms as it navigates through the files that we feed it.
- The quality of the generated disassembly listing will be directly related to the quality of
the algorithms utilized and how well they have been implemented.
• A Basic Disassembly Algorithm
- For starters, let’s develop a simple algorithm for accepting machine language as input
and producing assembly language as output.
- In doing so, we will gain an understanding of the challenges, assumptions, and
compromises that underlie an automated disassembly process.
- Step 1: The first step in the disassembly process is to identify a region of code to disassemble.
This is not necessarily as straightforward as it may seem. Instructions are generally mixed with
data, and it is important to distinguish between the two. In the most common case, disassembly
of an executable file, the file will conform to a common format for executable files such as the
Portable Executable (PE) format used on Windows or the Executable and Linking Format (ELF)
common on many Unix-based systems. These formats typically contain mechanisms (often in
the form of hierarchical file headers) for locating the sections of the file that contain code and
entry points into that code.
- Step 2: Given an initial address of an instruction, the next step is to read the value
contained at that address (or file offset) and perform a table lookup to match the
binary opcode value to its assembly language mnemonic. Depending on the
complexity of the instruction set being disassembled, this may be a trivial process,
or it may involve several additional operations such as understanding any prefixes
that may modify the instruction’s behavior and determining any operands required
by the instruction. For instruction sets with variable-length instructions, such as the
Intel x86, additional instruction bytes may need to be retrieved in order to
completely disassemble a single instruction.
- Step 3: Once an instruction has been fetched and any required operands decoded, its
assembly language equivalent is formatted and output as part of the disassembly
listing. It may be possible to choose from more than one assembly language output
syntax. For example, the two predominant formats for x86 assembly language are
the Intel format and the AT&T format.
- Step 4: Following the output of an instruction, we need to advance to the next
instruction and repeat the previous process until we have disassembled every
instruction in the file.
- Various algorithms exist for determining where to begin a disassembly, how to
choose the next instruction to be disassembled, how to distinguish code from
data, and how to determine when the last instruction has been disassembled.
- The two predominant disassembly algorithms are
o linear sweep and
o recursive descent.
Linear Sweep Algorithm
• The linear sweep disassembly algorithm takes a very straightforward approach to locating
instructions to disassemble: Where one instruction ends, another begins.
• As a result, the most difficult decision faced is where to begin.
• The usual solution is to assume that everything contained in sections of a program
marked as code (typically specified by the program file’s headers) represents machine
language instructions.
• Disassembly begins with the first byte in a code section and moves, in a linear fashion,
through the section, disassembling one instruction after another until the end of the
section is reached.
• No effort is made to understand the program’s control flow through recognition of
nonlinear instructions such as branches.
• During the disassembly process, a pointer can be maintained to mark the
beginning of the instruction currently being disassembled.
• As part of the disassembly process, the length of each instruction is computed
and used to determine the location of the next instruction to be disassembled.
• Instruction sets with fixed-length instructions (MIPS, for example) are
somewhat easier to disassemble, as locating subsequent instructions is
straightforward.
• The main advantage of the linear sweep algorithm is that it provides complete
coverage of a program’s code sections.
• One of the primary disadvantages of the linear sweep method is that it fails to
account for the fact that data may be commingled with code.
Recursive Descent Disassembly
• Recursive descent takes a different approach to locating instructions.
• Recursive descent focuses on the concept of control flow, which determines
whether an instruction should be disassembled or not based on whether it is
referenced by another instruction.
• To understand recursive descent, it is helpful to classify instructions according to
how they affect the CPU instruction pointer.
- Sequential Flow Instructions
- Conditional Branching Instructions
- Unconditional Branching Instructions
- Function Call Instructions
- Return Instructions
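To make the four-step algorithm above and the linear sweep versus recursive descent comparison concrete, here is an added example (not code from the slides or from IDA) that decodes a small subset of real x86 opcodes both ways. The byte sequence SAMPLE is constructed for this example: a 4-byte data constant is placed after an unconditional jmp, where linear sweep will mistake it for a mov and swallow the first byte of the function that follows, while recursive descent never visits it.

```python
import struct
from typing import Dict, Optional, Tuple

# Flow classes from the slide above: how an instruction affects the instruction pointer.
SEQ, COND, UNCOND, CALL, RET = "sequential", "conditional", "unconditional", "call", "return"

# Tiny x86 opcode table (real encodings; only these single-opcode forms are decoded):
# opcode -> (mnemonic template, length, flow class, operand kind)
OPCODES = {
    0x90: ("nop", 1, SEQ, None),
    0x55: ("push ebp", 1, SEQ, None),
    0x5D: ("pop ebp", 1, SEQ, None),
    0xC3: ("ret", 1, RET, None),
    0xB8: ("mov eax, {imm}", 5, SEQ, "imm32"),
    0xEB: ("jmp {target}", 2, UNCOND, "rel8"),
    0x74: ("je {target}", 2, COND, "rel8"),
    0x75: ("jne {target}", 2, COND, "rel8"),
    0xE8: ("call {target}", 5, CALL, "rel32"),
}

def decode(code: bytes, addr: int) -> Optional[Tuple[str, int, str, Optional[int]]]:
    """Steps 2 and 3: read the opcode at addr, look up its mnemonic, decode the operand
    and format the text.  Returns (text, length, flow, target) or None for unknown bytes."""
    entry = OPCODES.get(code[addr])
    if entry is None or addr + entry[1] > len(code):
        return None
    template, length, flow, operand = entry
    nxt, target = addr + length, None
    if operand == "imm32":
        imm = struct.unpack_from("<I", code, addr + 1)[0]
        text = template.format(imm=f"0x{imm:x}")
    elif operand == "rel8":  # relative targets are measured from the next instruction
        target = nxt + struct.unpack_from("<b", code, addr + 1)[0]
        text = template.format(target=f"0x{target:x}")
    elif operand == "rel32":
        target = nxt + struct.unpack_from("<i", code, addr + 1)[0]
        text = template.format(target=f"0x{target:x}")
    else:
        text = template
    return text, length, flow, target

def linear_sweep(code: bytes) -> Dict[int, str]:
    """Step 4, linear style: decode back-to-back from the first byte of the section
    to its end, with no regard for control flow."""
    listing: Dict[int, str] = {}
    addr = 0
    while addr < len(code):
        insn = decode(code, addr)
        if insn is None:  # unknown byte: emit it as data and move on one byte
            listing[addr] = f"db 0x{code[addr]:02x}"
            addr += 1
        else:
            listing[addr] = insn[0]
            addr += insn[1]
    return listing

def recursive_descent(code: bytes, entry: int = 0) -> Dict[int, str]:
    """Step 4, control-flow style: decode only bytes reachable from the entry point,
    queueing branch and call targets and stopping at ret and unconditional jmp."""
    listing: Dict[int, str] = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        while 0 <= addr < len(code) and addr not in listing:
            insn = decode(code, addr)
            if insn is None:
                break
            text, length, flow, target = insn
            listing[addr] = text
            if flow == RET:  # nothing known follows a return
                break
            if target is not None:  # conditional, unconditional and call targets
                worklist.append(target)
            if flow == UNCOND:  # bytes after an unconditional jmp need not be code
                break
            addr += length  # sequential, conditional and call instructions fall through
    return listing

# Constructed sample (not from a real binary): a 4-byte data constant at 0x08 sits
# between a jmp and the function that both the call and the jmp target.
SAMPLE = bytes([
    0x55,                          # 0x00  push ebp
    0xE8, 0x06, 0x00, 0x00, 0x00,  # 0x01  call 0xc
    0xEB, 0x04,                    # 0x06  jmp 0xc
    0xB8, 0x00, 0x00, 0x00,        # 0x08  data: constant 0x000000b8, never executed
    0x55,                          # 0x0c  push ebp   <- called function starts here
    0xB8, 0x2A, 0x00, 0x00, 0x00,  # 0x0d  mov eax, 0x2a
    0x75, 0x01,                    # 0x12  jne 0x15
    0x90,                          # 0x14  nop
    0x5D,                          # 0x15  pop ebp
    0xC3,                          # 0x16  ret
])

if __name__ == "__main__":
    for name, algorithm in (("linear sweep", linear_sweep), ("recursive descent", recursive_descent)):
        print(f"--- {name} ---")
        for addr, text in sorted(algorithm(SAMPLE).items()):
            print(f"{addr:04x}: {text}")
```

Running it shows linear sweep reporting `mov eax, 0x55000000` at 0x08 and no instruction at 0x0c, while recursive descent lists `push ebp` at 0x0c and nothing at 0x08; the flip side, which the slides also note, is that recursive descent only finds code that something references.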
• Function Call and Return
Reversing and Disassembly Tools
• Classification Tools
- file
o The file command is a standard utility, included with most *NIX-style
operating systems and with the Cygwin or MinGW tools for Windows.
o file attempts to identify a file’s type by examining specific fields within the
file.
- PE Tools
o PE Tools is a collection of tools useful for analyzing both running processes
and executable files on Windows systems.
- PEiD
o PEiD is another Windows tool whose primary purposes are to identify the
compiler used to build a particular Windows PE binary and to identify any
tools used to obfuscate a Windows PE binary.
• Summary Tools
- nm
o When nm is used to examine an intermediate object file (a .o file rather than
an executable), the default output yields the names of any functions and
global variables declared in the file.
- ldd
o The ldd (list dynamic dependencies) utility is a tool used to list the dynamic
libraries required by any executable.
- objdump
o The purpose of objdump is to “display information from object files.”
- otool
o otool is most easily described as an objdump-like utility for OS X, and it is
useful for parsing information about OS X Mach-O binaries.
• Deep Inspection Tools
- strings
o The strings utility is designed specifically to extract string content from files,
often without regard for the format of those files.
o When using strings on executable files, it is important to remember that, by
default, only the loadable, initialized sections of the file will be scanned. Use the
-a command-line argument to force strings to scan the entire input file.
o strings gives no indication of where, within a file, a string is located. Use the -t
command-line argument to have strings print file offset information for each
string found.
o Many files utilize alternate character sets. Utilize the -e command-line argument
to cause strings to search for wide characters such as 16-bit Unicode.
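As an added illustration (not the strings utility's own code) of what the -t and -e options expose, the following reimplements the core of strings over a constructed byte buffer that resembles the start of a PE file: a narrow import name and a 16-bit little-endian URL, reported with their file offsets. The printable-character rule and the default minimum length of 4 are assumptions that approximate GNU strings.

```python
import re
from typing import List, Tuple

def find_strings(data: bytes, min_len: int = 4, wide: bool = False) -> List[Tuple[int, str]]:
    """Return (file offset, text) for every printable run of at least min_len
    characters, as `strings -n <min_len> -t x` reports them.  wide=True scans for
    16-bit little-endian characters (the `-e l` encoding); without it such strings
    are invisible because every other byte is a NUL."""
    if wide:
        # each character is one printable ASCII byte followed by a NUL byte
        pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
        encoding = "utf-16-le"
    else:
        pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
        encoding = "ascii"
    return [(m.start(), m.group().decode(encoding)) for m in re.finditer(pattern, data)]

# Constructed buffer (not a real binary) mimicking a PE header area: the MZ magic,
# padding, the DOS stub message, a few non-printable bytes, a narrow import name,
# two NUL bytes of padding, and a wide (UTF-16LE) URL that an ASCII scan cannot see.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 4
    + b"This program cannot be run in DOS mode.\r\n"
    + bytes.fromhex("deadbeef")
    + b"kernel32.dll\x00\x00"
    + "http://example.test/update".encode("utf-16-le") + b"\x00\x00"
)

def narrow_strings(min_len: int = 4) -> List[Tuple[int, str]]:
    """What `strings -t x` would list for SAMPLE."""
    return find_strings(SAMPLE, min_len)

def wide_strings(min_len: int = 4) -> List[Tuple[int, str]]:
    """What `strings -t x -e l` would list for SAMPLE."""
    return find_strings(SAMPLE, min_len, wide=True)

if __name__ == "__main__":
    for label, found in (("ascii", narrow_strings()), ("16-bit LE", wide_strings())):
        print(f"--- {label} ---")
        for offset, text in found:
            print(f"{offset:7x} {text}")  # same layout as strings -t x
```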

More Related Content

Similar to UNIT 3.1 INTRODUCTON TO IDA.ppt

.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system softwaregayathri ravi
 
Language translators
Language translatorsLanguage translators
Language translatorsAditya Sharat
 
SWE-401 - 9. Software Implementation
SWE-401 - 9. Software ImplementationSWE-401 - 9. Software Implementation
SWE-401 - 9. Software Implementationghayour abbas
 
9. Software Implementation
9. Software Implementation9. Software Implementation
9. Software Implementationghayour abbas
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextLokendra Rawat
 
Programming
ProgrammingProgramming
Programmingvanesa4ab
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Ch 1.pptx
Ch 1.pptxCh 1.pptx
Ch 1.pptxwoldu2
 
Stnotes doc 5
Stnotes doc 5Stnotes doc 5
Stnotes doc 5Alok Jain
 
The pragmatic programmer
The pragmatic programmerThe pragmatic programmer
The pragmatic programmerLeylimYaln
 
unit1pdf__2021_12_14_12_37_34.pdf
unit1pdf__2021_12_14_12_37_34.pdfunit1pdf__2021_12_14_12_37_34.pdf
unit1pdf__2021_12_14_12_37_34.pdfDrIsikoIsaac
 
debuggingSession.pptx
debuggingSession.pptxdebuggingSession.pptx
debuggingSession.pptxmarawanwael
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingFelipe Prado
 

Similar to UNIT 3.1 INTRODUCTON TO IDA.ppt (20)

Computer
ComputerComputer
Computer
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system software
 
Language translators
Language translatorsLanguage translators
Language translators
 
PROBLEM SOLVING
PROBLEM SOLVINGPROBLEM SOLVING
PROBLEM SOLVING
 
Unit iv
Unit ivUnit iv
Unit iv
 
SWE-401 - 9. Software Implementation
SWE-401 - 9. Software ImplementationSWE-401 - 9. Software Implementation
SWE-401 - 9. Software Implementation
 
9. Software Implementation
9. Software Implementation9. Software Implementation
9. Software Implementation
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security Context
 
Programming
ProgrammingProgramming
Programming
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Ch 1.pptx
Ch 1.pptxCh 1.pptx
Ch 1.pptx
 
Stnotes doc 5
Stnotes doc 5Stnotes doc 5
Stnotes doc 5
 
The pragmatic programmer
The pragmatic programmerThe pragmatic programmer
The pragmatic programmer
 
unit1pdf__2021_12_14_12_37_34.pdf
unit1pdf__2021_12_14_12_37_34.pdfunit1pdf__2021_12_14_12_37_34.pdf
unit1pdf__2021_12_14_12_37_34.pdf
 
debuggingSession.pptx
debuggingSession.pptxdebuggingSession.pptx
debuggingSession.pptx
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
 
01 overview
01 overview01 overview
01 overview
 
01 overview
01 overview01 overview
01 overview
 

More from ManjuAppukuttan2

CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
CHAPTER 2 BASIC ANALYSIS.ppt
CHAPTER 2 BASIC ANALYSIS.pptCHAPTER 2 BASIC ANALYSIS.ppt
CHAPTER 2 BASIC ANALYSIS.pptManjuAppukuttan2
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptCHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptManjuAppukuttan2
 
UNIT 3.2 GETTING STARTED WITH IDA.ppt
UNIT 3.2 GETTING STARTED WITH IDA.pptUNIT 3.2 GETTING STARTED WITH IDA.ppt
UNIT 3.2 GETTING STARTED WITH IDA.pptManjuAppukuttan2
 
SA UNIT III STORM.pdf
SA UNIT III STORM.pdfSA UNIT III STORM.pdf
SA UNIT III STORM.pdfManjuAppukuttan2
 
SA UNIT II KAFKA.pdf
SA UNIT II KAFKA.pdfSA UNIT II KAFKA.pdf
SA UNIT II KAFKA.pdfManjuAppukuttan2
 
SA UNIT I STREAMING ANALYTICS.pdf
SA UNIT I STREAMING ANALYTICS.pdfSA UNIT I STREAMING ANALYTICS.pdf
SA UNIT I STREAMING ANALYTICS.pdfManjuAppukuttan2
 
CHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdfCHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdfManjuAppukuttan2
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdfCHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdfManjuAppukuttan2
 

More from ManjuAppukuttan2 (9)

CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
CHAPTER 2 BASIC ANALYSIS.ppt
CHAPTER 2 BASIC ANALYSIS.pptCHAPTER 2 BASIC ANALYSIS.ppt
CHAPTER 2 BASIC ANALYSIS.ppt
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.pptCHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
 
UNIT 3.2 GETTING STARTED WITH IDA.ppt
UNIT 3.2 GETTING STARTED WITH IDA.pptUNIT 3.2 GETTING STARTED WITH IDA.ppt
UNIT 3.2 GETTING STARTED WITH IDA.ppt
 
SA UNIT III STORM.pdf
SA UNIT III STORM.pdfSA UNIT III STORM.pdf
SA UNIT III STORM.pdf
 
SA UNIT II KAFKA.pdf
SA UNIT II KAFKA.pdfSA UNIT II KAFKA.pdf
SA UNIT II KAFKA.pdf
 
SA UNIT I STREAMING ANALYTICS.pdf
SA UNIT I STREAMING ANALYTICS.pdfSA UNIT I STREAMING ANALYTICS.pdf
SA UNIT I STREAMING ANALYTICS.pdf
 
CHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdfCHAPTER 2 BASIC ANALYSIS.pdf
CHAPTER 2 BASIC ANALYSIS.pdf
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdfCHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
 

Recently uploaded

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoÃŖo Esperancinha
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 

Recently uploaded (20)

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
UNIT 3.1 INTRODUCTON TO IDA.ppt
2. Outline
- Disassembly Theory
- The Why and How of Disassembly
- Reversing and Disassembly Tools

3. Disassembly Theory
- First-generation languages
  - These are the lowest form of language, generally consisting of ones and zeros or some shorthand form such as hexadecimal, and readable only by binary ninjas.
  - Things are confusing at this level because it is often difficult to distinguish data from instructions, since everything looks pretty much the same.
  - First-generation languages may also be referred to as machine languages, and in some cases byte code, while machine language programs are often referred to as binaries.

4. Disassembly Theory
- Second-generation languages
  - Also called assembly languages, second-generation languages are a mere table lookup away from machine language and generally map specific bit patterns, or operation codes (opcodes), to short but memorable character sequences called mnemonics.
  - Occasionally these mnemonics actually help programmers remember the instructions with which they are associated.
  - An assembler is a tool used by programmers to translate their assembly language programs into machine language suitable for execution.

5. Disassembly Theory
- Third-generation languages
  - These languages take another step toward the expressive capability of natural languages by introducing keywords and constructs that programmers use as the building blocks for their programs.
  - Third-generation languages are generally platform independent, though programs written using them may be platform dependent as a result of using features unique to a specific operating system.
  - Often-cited examples include FORTRAN, COBOL, C, and Java. Programmers generally use compilers to translate their programs into assembly language or all the way to machine language (or some rough equivalent such as byte code).
6. The Why and How of Disassembly
- The Why of Disassembly
  - The purpose of disassembly tools is often to facilitate understanding of programs when source code is unavailable.
  - Common situations in which disassembly is used include these:
    - Analysis of malware
    - Analysis of closed-source software for vulnerabilities
    - Analysis of closed-source software for interoperability
    - Analysis of compiler-generated code to validate compiler performance/correctness
    - Display of program instructions while debugging

7. The Why and How of Disassembly
- Malware Analysis
  - Unless you are dealing with a script-based worm, malware authors seldom do you the favor of providing the source code to their creations.
  - Lacking source code, you are faced with a very limited set of options for discovering exactly how the malware behaves.
  - The two main techniques for malware analysis are dynamic analysis and static analysis.
    - Dynamic analysis involves allowing the malware to execute in a carefully controlled environment (sandbox) while recording every observable aspect of its behavior using any number of system instrumentation utilities.
    - In contrast, static analysis attempts to understand the behavior of a program simply by reading through the program code, which, in the case of malware, generally consists of a disassembly listing.

8. The Why and How of Disassembly
- Vulnerability Analysis
  - For the sake of simplification, let’s break the entire security-auditing process into three steps:
    - vulnerability discovery,
    - vulnerability analysis, and
    - exploit development.
  - The same steps apply whether you have source code or not; however, the level of effort increases substantially when all you have is a binary.
  - The first step in the process is to discover a potentially exploitable condition in a program.
  - This is often accomplished using dynamic techniques such as fuzzing, but it can also be performed (usually with much more effort) via static analysis.

9. The Why and How of Disassembly
  - Once a problem has been discovered, further analysis is often required to determine whether the problem is exploitable at all and, if so, under what conditions.
  - Disassembly listings provide the level of detail required to understand exactly how the compiler has chosen to allocate program variables.
  - For example, it might be useful to know that a 70-byte character array declared by a programmer was rounded up to 80 bytes when allocated by the compiler.
  - Disassembly listings also provide the only means to determine exactly how a compiler has chosen to order all of the variables declared globally or within functions.
  - Understanding the spatial relationships among variables is often essential when attempting to develop exploits.
  - Ultimately, by using a disassembler and a debugger together, an exploit may be developed.

10. The Why and How of Disassembly
- Software Interoperability
  - When software is released in binary form only, it is very difficult for competitors to create software that can interoperate with it or to provide plug-in replacements for that software.
  - A common example is driver code released for hardware that is supported on only one platform.
  - When a vendor is slow to support or, worse yet, refuses to support the use of its hardware with alternative platforms, substantial reverse engineering effort may be required in order to develop software drivers to support the hardware.
  - In these cases, static code analysis is almost the only remedy and often must go beyond the software driver to understand embedded firmware.

11. The Why and How of Disassembly
- Compiler Validation
  - Since the purpose of a compiler (or assembler) is to generate machine language, good disassembly tools are often required to verify that the compiler is doing its job in accordance with any design specifications.
  - Analysts may also be interested in locating additional opportunities for optimizing compiler output and, from a security standpoint, ascertaining whether the compiler itself has been compromised to the extent that it may be inserting back doors into generated code.

12. The Why and How of Disassembly
- Debugging Displays
  - Perhaps the single most common use of disassemblers is to generate listings within debuggers.
  - Unfortunately, disassemblers embedded within debuggers tend to be fairly unsophisticated.
  - They are generally incapable of batch disassembly and sometimes balk at disassembling when they cannot determine the boundaries of a function.
  - This is one of the reasons why it is best to use a debugger in conjunction with a high-quality disassembler to provide better situational awareness and context during debugging.
13. The Why and How of Disassembly
- The How of Disassembly
  - Now that you’re well versed in the purposes of disassembly, it’s time to move on to how the process actually works.
  - Consider a typical daunting task faced by a disassembler: take these 100KB, distinguish code from data, convert the code to assembly language for display to a user, and please don’t miss anything along the way.
  - We could tack any number of special requests on the end of this, such as asking the disassembler to locate functions, recognize jump tables, and identify local variables, making the disassembler’s job that much more difficult.
  - In order to accommodate all of our demands, any disassembler will need to pick and choose from a variety of algorithms as it navigates through the files that we feed it.
  - The quality of the generated disassembly listing will be directly related to the quality of the algorithms utilized and how well they have been implemented.

14. The Why and How of Disassembly
- A Basic Disassembly Algorithm
  - For starters, let’s develop a simple algorithm for accepting machine language as input and producing assembly language as output.
  - In doing so, we will gain an understanding of the challenges, assumptions, and compromises that underlie an automated disassembly process.
- Step 1: The first step in the disassembly process is to identify a region of code to disassemble. This is not necessarily as straightforward as it may seem. Instructions are generally mixed with data, and it is important to distinguish between the two. In the most common case, disassembly of an executable file, the file will conform to a common format for executable files such as the Portable Executable (PE) format used on Windows or the Executable and Linking Format (ELF) common on many Unix-based systems. These formats typically contain mechanisms (often in the form of hierarchical file headers) for locating the sections of the file that contain code and entry points into that code.

15. The Why and How of Disassembly
- Step 2: Given an initial address of an instruction, the next step is to read the value contained at that address (or file offset) and perform a table lookup to match the binary opcode value to its assembly language mnemonic. Depending on the complexity of the instruction set being disassembled, this may be a trivial process, or it may involve several additional operations such as understanding any prefixes that may modify the instruction’s behavior and determining any operands required by the instruction. For instruction sets with variable-length instructions, such as the Intel x86, additional instruction bytes may need to be retrieved in order to completely disassemble a single instruction.

16. The Why and How of Disassembly
- Step 3: Once an instruction has been fetched and any required operands decoded, its assembly language equivalent is formatted and output as part of the disassembly listing. It may be possible to choose from more than one assembly language output syntax. For example, the two predominant formats for x86 assembly language are the Intel format and the AT&T format.
- Step 4: Following the output of an instruction, we need to advance to the next instruction and repeat the previous process until we have disassembled every instruction in the file.

17. The Why and How of Disassembly
  - Various algorithms exist for determining where to begin a disassembly, how to choose the next instruction to be disassembled, how to distinguish code from data, and how to determine when the last instruction has been disassembled.
  - The two predominant disassembly algorithms are linear sweep and recursive descent.

18. The Why and How of Disassembly
- Linear Sweep Algorithm
  - The linear sweep disassembly algorithm takes a very straightforward approach to locating instructions to disassemble: where one instruction ends, another begins.
  - As a result, the most difficult decision faced is where to begin.
  - The usual solution is to assume that everything contained in sections of a program marked as code (typically specified by the program file’s headers) represents machine language instructions.
  - Disassembly begins with the first byte in a code section and moves, in a linear fashion, through the section, disassembling one instruction after another until the end of the section is reached.
  - No effort is made to understand the program’s control flow through recognition of nonlinear instructions such as branches.

19. The Why and How of Disassembly
  - During the disassembly process, a pointer can be maintained to mark the beginning of the instruction currently being disassembled.
  - As part of the disassembly process, the length of each instruction is computed and used to determine the location of the next instruction to be disassembled.
  - Instruction sets with fixed-length instructions (MIPS, for example) are somewhat easier to disassemble, as locating subsequent instructions is straightforward.

20. The Why and How of Disassembly
  - The main advantage of the linear sweep algorithm is that it provides complete coverage of a program’s code sections.
  - One of the primary disadvantages of the linear sweep method is that it fails to account for the fact that data may be commingled with code.

21. The Why and How of Disassembly
- Recursive Descent Disassembly
  - Recursive descent takes a different approach to locating instructions.
  - Recursive descent focuses on the concept of control flow, which determines whether an instruction should be disassembled or not based on whether it is referenced by another instruction.
  - To understand recursive descent, it is helpful to classify instructions according to how they affect the CPU instruction pointer:
    - Sequential Flow Instructions
    - Conditional Branching Instructions
    - Unconditional Branching Instructions
    - Function Call Instructions
    - Return Instructions

22. The Why and How of Disassembly

23. The Why and How of Disassembly
- Function Call & Return
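The four-step algorithm, linear sweep, and recursive descent from the slides above, as an added worked example that is not part of the original slides or of the book they summarize: a toy decoder for a handful of real x86 opcodes (nop, ret, mov eax/imm32, short jmp/je, call rel32) is run over a constructed 21-byte fragment in which four data bytes are hidden after an unconditional jump. Linear sweep swallows the data as a bogus mov and never sees the call that follows it; recursive descent, following only control flow, never decodes the data at all. The byte string, the base address, and the minimal opcode table are constructed for illustration.

```python
import struct

BASE = 0x1000
# Constructed sample (not a real binary): four data bytes sit after an
# unconditional jump, and the first of them, 0xB8, looks like a MOV opcode.
CODE = bytes.fromhex(
    "B801000000"  # 0x1000  mov eax, 1
    "EB04"        # 0x1005  jmp short 0x100B
    "B8DEADBE"    # 0x1007  data, never executed
    "E802000000"  # 0x100B  call 0x1012
    "90"          # 0x1010  nop
    "C3"          # 0x1011  ret
    "74FD"        # 0x1012  je short 0x1011
    "C3"          # 0x1014  ret
)

def decode(addr):
    """Steps 2-3: decode one instruction; returns (text, length, flow, targets)."""
    off = addr - BASE
    op = CODE[off]
    if op == 0x90:
        return "nop", 1, "seq", []
    if op == 0xC3:
        return "ret", 1, "ret", []
    if op == 0xB8 and off + 5 <= len(CODE):          # mov eax, imm32
        return f"mov eax, {struct.unpack_from('<I', CODE, off + 1)[0]:#x}", 5, "seq", []
    if op in (0xEB, 0x74) and off + 2 <= len(CODE):  # jmp / je short rel8
        target = addr + 2 + struct.unpack_from("<b", CODE, off + 1)[0]
        if op == 0xEB:
            return f"jmp short {target:#x}", 2, "jmp", [target]
        return f"je short {target:#x}", 2, "jcc", [target]
    if op == 0xE8 and off + 5 <= len(CODE):          # call rel32
        target = addr + 5 + struct.unpack_from("<i", CODE, off + 1)[0]
        return f"call {target:#x}", 5, "call", [target]
    return f"db {op:#04x}", 1, "seq", []            # unknown byte: emit as data

def linear_sweep():
    """Step 4, linear sweep: where one instruction ends, the next begins."""
    listing, addr = {}, BASE
    while addr < BASE + len(CODE):
        text, length, _, _ = decode(addr)
        listing[addr] = text
        addr += length
    return listing

def recursive_descent(entry=BASE):
    """Step 4, recursive descent: decode only what control flow reaches."""
    listing, worklist = {}, [entry]
    while worklist:
        addr = worklist.pop()
        if addr in listing or not BASE <= addr < BASE + len(CODE):
            continue
        text, length, flow, targets = decode(addr)
        listing[addr] = text
        if flow not in ("jmp", "ret"):   # seq, jcc and call all fall through
            worklist.append(addr + length)
        worklist.extend(targets)         # branch and call targets
    return listing
```

Printing both listings side by side shows the divergence: linear sweep reports a `mov eax, 0xe8beadde` at 0x1007 and a run of `db` bytes where the call should be, while recursive descent lists the call at 0x100B and leaves 0x1007 through 0x100A undecoded.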
24. Reversing and Disassembly Tools
- Classification Tools
- file
  - The file command is a standard utility, included with most *NIX-style operating systems and with the Cygwin or MinGW tools for Windows.
  - file attempts to identify a file’s type by examining specific fields within the file.
- PE Tools
  - PE Tools is a collection of tools useful for analyzing both running processes and executable files on Windows systems.

25. Reversing and Disassembly Tools
- Classification Tools
- PEiD
  - PEiD is another Windows tool whose primary purposes are to identify the compiler used to build a particular Windows PE binary and to identify any tools used to obfuscate a Windows PE binary.

26. Reversing and Disassembly Tools
- Summary Tools
- nm
  - When nm is used to examine an intermediate object file (a .o file rather than an executable), the default output yields the names of any functions and global variables declared in the file.
- ldd
  - The ldd (list dynamic dependencies) utility is a tool used to list the dynamic libraries required by any executable.
- objdump
  - The purpose of objdump is to “display information from object files.”
- otool
  - otool is most easily described as an objdump-like utility for OS X, and it is useful for parsing information about OS X Mach-O binaries.

27. Reversing and Disassembly Tools
- Deep Inspection Tools
- strings
  - The strings utility is designed specifically to extract string content from files, often without regard for the format of those files.
  - When using strings on executable files, it is important to remember that, by default, only the loadable, initialized sections of the file will be scanned. Use the -a command-line argument to force strings to scan the entire input file.
  - strings gives no indication of where, within a file, a string is located. Use the -t command-line argument to have strings print file offset information for each string found.
  - Many files utilize alternate character sets. Use the -e command-line argument to cause strings to search for wide characters such as 16-bit Unicode.
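The three strings caveats above (whole-file scan, file offsets, wide characters), as an added example that is not part of the original slides and is not the strings utility itself: a small scanner that reports each string with its file offset and can be switched to 16-bit little-endian mode. Run over a constructed blob, the ASCII pass finds the DOS-stub message but is blind to the UTF-16LE path, which only the wide pass recovers. The sample bytes and the 4-character minimum are constructed assumptions.

```python
import re

MIN_LEN = 4   # minimum run length, matching strings' default of 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# A 16-bit little-endian "wide" string is a printable byte followed by 0x00,
# repeated; the ASCII scan cannot see it because every printable run is 1 byte.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def find_strings(data, wide=False):
    """Return [(offset, text)] over the whole buffer (like -a with -t d),
    decoding UTF-16LE runs when wide=True (like -e l)."""
    pattern = WIDE_RUN if wide else ASCII_RUN
    encoding = "utf-16-le" if wide else "ascii"
    return [(m.start(), m.group().decode(encoding)) for m in pattern.finditer(data)]

# Constructed sample blob (not a real executable): a short header, an ASCII
# string, zero padding, a UTF-16LE path, junk bytes, and a too-short "ok".
SAMPLE = (b"MZ\x90\x00"
          + b"This program cannot be run in DOS mode." + b"\x00" * 8
          + "C:\\Temp\\sample.exe".encode("utf-16-le") + b"\x00\x00"
          + b"\xff" * 4 + b"ok")
```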