Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Mastering Reverse Engineering

You're reading from  Mastering Reverse Engineering

Product type Book
Published in Oct 2018
Publisher Packt
ISBN-13 9781788838849
Pages 436 pages
Edition 1st Edition
Languages
Concepts
Author (1):
Reginald Wong Reginald Wong
Profile icon Reginald Wong
LinkedIn
Reginald Wong has been in the software security industry for more than 15 years.Currently, Reggie is a lead anti-malware researcher at Vipre Security, a J2 Global company, covering various security technologies focused on attacks and malware. He previously worked for Trend Micro as the lead for the Heuristics team, dealing with forward-looking malware detection. Aside from his core work, he has also conducted in-house anti-malware training for fresh graduates. He is currently affiliated with CSPCert.ph, Philippines' CERT, and is a reporter for Wildlist.org. He has also been invited to speak at local security events, including Rootcon.
See other products by Reginald Wong

Table of Contents (20) Chapters

Title Page
Copyright and Credits
Packt Upsell
Contributors
Preface
1. Preparing to Reverse 2. Identification and Extraction of Hidden Components 3. The Low-Level Language 4. Static and Dynamic Reversing 5. Tools of the Trade 6. RE in Linux Platforms 7. RE for Windows Platforms 8. Sandboxing - Virtualization as a Component for RE 9. Binary Obfuscation Techniques 10. Packing and Encryption 11. Anti-analysis Tricks 12. Practical Reverse Engineering of a Windows Executable 13. Reversing Various File Types 1. Other Books You May Enjoy Index

Chapter 4. Static and Dynamic Reversing

Like a patient in a hospital, a file needs to undergo some triage to determine the right allocation of resources. The result of the file assessment will tell us what tools need to be used, what kind of reversing steps need to be taken, and what resources will be used. The steps involved in carrying out reversing are categorized into static and dynamic analysis. 

In this chapter, we will introduce the methods and tools used in assessing a file. We will be focusing on a 32-bit Windows operating system for our examples. This will be followed by an examination of tools we can use for static and dynamic analysis. This chapter can help you to generate a checklist that will serve as a guide for you to retrieve all information on a file in the least amount of time.

In this chapter, you will do the following: 

  • Gain an understanding of Target assessment
  • Perform static analysis
  • Perform dynamic analysis

Assessment and static analysis

A file needs to undergo an initial assessment in order for us to determine what tools and analysis methods will be required. This process also helps us to create a strategy for analyzing the file. Doing such an assessment requires carrying out a light static analysis. Here are some ideas for assessment that may serve as our guide:

  • Where did it originate from:
    • One of the purposes of reverse engineering is to help network administrators prevent similar malware from infiltrating the network. Knowing where a file came from would be helpful in securing the channel used to transmit it. For example, if the file being analyzed was determined to have been an email attachment, network administrators should secure the email server.
  • Existing information:
    • Searching the internet for already existing information can be very helpful. There might be existing analyses that has been done on the file. We would be able to determine what behaviors to expect, which will help hasten...

Dynamic analysis

Dynamic analysis is a type of analysis that requires live execution of the code. In static analysis, the farthest we can go is with deadlisting. If, for example, we encounter a code that decrypts or decompresses to a huge amount of data, and if we want to see the contents of the decoded data, then the fastest option would be to do dynamic analysis. We can run a debug session and let that area of code run for us. Both static analysis and dynamic analysis work hand in hand. Static analysis helps us identify points in the code where we need a deeper understanding and some actual interaction with the system. By following static analysis with dynamic analysis, we can also see actual data, such as file handles, randomly generated numbers, network socket and packet data, and API function results.

There are existing tools that can carry out an automated analysis, which runs the program in a sandbox environment. These tools either log the changes during runtime, or in between snapshots...

Try it yourself

To try out the tools we have learned about, let's try doing some static analysis on ch4_2.exe. To help out, here's a list of what we need to find:

  • File information:
    • file type
    • imported DLLs and APIs
    • text strings
    • file hash
  • What the file does

Jumping right into getting file information, we will use TrID (http://mark0.net/soft-trid-e.html) to identify the file type. Execute the following line:

trid cha4_2.exe

 

The TrID result tells us that we have here a Windows 32-bit executable file that is UPX packed:

Knowing that this is a UPX packed file, we can try the UPX (https://upx.github.io/) tool's decompress feature to help us restore the file back to its original form before it was packed. A packed file is a compressed executable file that decompresses and then executes the program during runtime. The primary purpose of a packed file is to reduce the file size of executables while retaining the program's original  behavior. We will be discussing more about packers in Chapter 10, Packing...

Summary

Both approaches to analysis, static and dynamic, have their means to extract information and are required to properly analyze a file. Before doing dynamic analysis, it is recommended to start with static analysis first. We stick to our goal of generating an analysis report from the information we get. The analyst is not limited to using just the tools and resources outlined here to conduct an analysis—any information from the internet is useful, but validating it with your own analysis will stand as proof. Taking all items from the file, such as notable text strings, imported API functions, system changes, code flows, and possible blocks of behaviors are important, as these may be useful when building an overview of the file.

The result of the static analysis draws together the approach and resources that need to be prepared for dynamic analysis. For example, if the static analysis identified the file as a Win32 PE file executable, then tools for analyzing PE files will need to be...

References

The files used in this chapter can be downloaded from https://github.com/PacktPublishing/Mastering-Reverse-Engineering.https://github.com/PacktPublishing/Mastering-Reverse-Engineering

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 20
Next Chapter arrow right
You have been reading a chapter from
Mastering Reverse Engineering
Published in: Oct 2018 Publisher: Packt ISBN-13: 9781788838849
© 2018 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime}

Authors (1)

Profile icon Reginald Wong
LinkedIn
Reginald Wong has been in the software security industry for more than 15 years.Currently, Reggie is a lead anti-malware researcher at Vipre Security, a J2 Global company, covering various security technologies focused on attacks and malware. He previously worked for Trend Micro as the lead for the Heuristics team, dealing with forward-looking malware detection. Aside from his core work, he has also conducted in-house anti-malware training for fresh graduates. He is currently affiliated with CSPCert.ph, Philippines' CERT, and is a reporter for Wildlist.org. He has also been invited to speak at local security events, including Rootcon.
Read more
See other products by Reginald Wong

Other recommended products

Related to this chapter
Left arrow icon
Mastering Assembly Programming
Mastering Assembly Programming
The Assembly language is the lowest level human readable programming language on any platform. Knowing the way things are on the Assembly level will help developers design their code in a much more elegant and efficient way. This book will take readers on a journey to mastering the Assembly language.
Sep 2017 9 hours 40 minutes
Antivirus Bypass Techniques
Antivirus Bypass Techniques
Antivirus Bypass Techniques follows a unique approach that will help you explore the security landscape, understand the fundamentals of antivirus software, and put antivirus bypass techniques to use. This book will enable you to bypass antivirus software solutions in order to develop efficient antivirus software.
Jul 2021 8 hours 4 minutes
Learning Malware Analysis
Learning Malware Analysis
Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. This book teaches you the concepts, tools, and techniques to determine the behavior and characteristics of malware using malware analysis and memory forensics.
Jun 2018 17 hours 0 minutes
Penetration Testing with Shellcode
Penetration Testing with Shellcode
Security has always been a major concern for your application, your system, or your environment. This book's main goal is to build your skills for low-level security exploits, finding vulnerabilities and covering loopholes with shellcode, assembly, and Metasploit.
Feb 2018 11 hours 32 minutes
Mastering Malware Analysis
Mastering Malware Analysis
Malware analysis is a powerful investigation technique widely used in various security areas including digital forensics and incident response processes. Working through practical examples, you'll be able to analyze any type of malware you may encounter within the modern world.
Jun 2019 18 hours 44 minutes
Malware Analysis Techniques
Malware Analysis Techniques
Comprehensive threat analysis is important for incident responders as it helps them to ensure that a threat has been entirely eliminated. This book shows you how to quickly triage, identify, attribute, and remediate threats with proper analysis techniques, and guides you in implementing your knowledge to prevent further incidents.
Jun 2021 9 hours 24 minutes
Binary Analysis Cookbook
Binary Analysis Cookbook
Binary Analysis is a complex and constantly evolving topic, crossing into several realms of IT and information security. The recipes in this book will serve as a good reference for you to get a better understanding of various aspects related to analyzing malware, identifying vulnerabilities in code, exploit writing and reverse engineering.
Sep 2019 13 hours 12 minutes
Preventing Ransomware
Preventing Ransomware
Ransomware is the most critical threat and its intensity has grown exponentially in recent times. This book provides comprehensive, up-to-the-minute details about different kinds of ransomware attack as well some notable ones from the past. It also talks about different aspects of cyber security that can help you prevent ransomware attacks.
Mar 2018 8 hours 52 minutes
Ghidra Software Reverse Engineering for Beginners
Ghidra Software Reverse Engineering for Beginners
Ghidra is the NSA’s state-of-the-art reverse engineering framework. It is open source, allowing the community to extend it with impressive range of features. This book offers a comprehensive introduction to anyone new to the Ghidra reverse engineering framework and malware reverse engineering.
Jan 2021 10 hours 44 minutes
Modern Computer Architecture and Organization
Modern Computer Architecture and Organization
A no-nonsense, practical guide to help you learn the current and future processor and computer architectures that will enable you to design computer systems and develop better software applications across a variety of domains.
Apr 2020 18 hours 40 minutes
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Attacking and Exploiting Modern Web Applications
Attacking and Exploiting Modern Web Applications
Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.
Aug 2023 11 hours 16 minutes
Automotive Cybersecurity Engineering Handbook
Automotive Cybersecurity Engineering Handbook
This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.
Oct 2023 13 hours 4 minutes
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.
Aug 2023 16 hours 32 minutes
Cloud Penetration Testing for Red Teamers
Cloud Penetration Testing for Red Teamers
The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.
Nov 2023 9 hours 56 minutes
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.
Sep 2023 10 hours 32 minutes
Burp Suite Cookbook
Burp Suite Cookbook
Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.
Oct 2023 15 hours 0 minutes
Building and Automating Penetration Testing Labs in the Cloud
Building and Automating Penetration Testing Labs in the Cloud
This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.
Oct 2023 18 hours 44 minutes
Ethical Hacking Workshop
Ethical Hacking Workshop
As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.
Oct 2023 7 hours 20 minutes
Windows Forensics Analyst Field Guide
Windows Forensics Analyst Field Guide
This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.
Oct 2023 10 hours 36 minutes
Implementing DevSecOps Practices
Implementing DevSecOps Practices
This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.
Dec 2023 8 hours 36 minutes
Right arrow icon