Malware Reverse Engineering: part 4 Let's pack our bags

Today we are going to talk about the various types of tools that make our lives easier in reverse engineering. I will also point you to where you can grab them for free, which is not hard because most of these tools are open source and community developed. You need to understand what each tool does in order to use it properly.

File Analyzers 

Programs that let us inspect the structure of a file and report information about it (format, headers, embedded resources).

PE (Portable Executable ) Analyzers

Programs that analyze and inspect the structure of a PE file (headers, sections, imports, exports, resources), which tells you what to expect when the loader maps the PE into memory for execution.


Examples :

1.PE Explorer
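To make concrete what a PE analyzer such as PE Explorer reads before the file is ever run, here is an added example (not code from this post or from PE Explorer) that walks the DOS header, PE signature, COFF header, optional header and section table, and applies two common packer heuristics: the entry point landing in a writable and executable section, and a section whose raw data has near-maximal entropy. The PE it parses is constructed inline and imitates a UPX-style layout (empty UPX0, compressed UPX1); the section names, addresses and the 7.0 bits/byte threshold are choices for the example, not values from the page.

```python
"""Minimal PE header walker with two packer heuristics (added example, not from the post)."""
import math
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0          # bits/byte; compressed or encrypted data sits near 8.0 (threshold chosen for the example)


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty or constant buffer, 8.0 for uniformly distributed data."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse the headers a PE analyzer shows; return machine, entry point, sections and heuristic warnings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                           # PE32
        (entry,) = struct.unpack_from("<I", data, opt + 16)
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                         # PE32+
        (entry,) = struct.unpack_from("<I", data, opt + 16)
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    sections, warnings = [], []
    off = opt + opt_size                                         # section table follows the optional header
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _rel, _ln, _nrel, _nln, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sec = {
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "flags": flags,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
            "wx": bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE),
        }
        if sec["wx"]:
            warnings.append(f"section {sec['name']!r} is writable and executable")
        if sec["entropy"] >= HIGH_ENTROPY:
            warnings.append(f"section {sec['name']!r} entropy {sec['entropy']:.2f}: likely packed or encrypted")
        sections.append(sec)
        off += 40                                                # sizeof(IMAGE_SECTION_HEADER)

    entry_section = next((s["name"] for s in sections
                          if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if entry_section is None:
        warnings.append(f"entry point {entry:#x} lies outside every section")
    return {"machine": MACHINE_NAMES.get(machine, f"{machine:#x}"), "bits": 64 if magic == 0x20B else 32,
            "image_base": image_base, "entry_point": entry, "entry_section": entry_section,
            "sections": sections, "warnings": warnings}


def build_sample_pe() -> bytes:
    """Constructed x86 PE imitating a UPX-packed layout: empty UPX0, entry point in a W+X, high-entropy UPX1."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                                       # AddressOfEntryPoint, inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                                     # ImageBase
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x2000, 0x1000, 0, 0x200, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x3000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + upx0 + upx1)
    image += b"\0" * (0x600 - len(image))
    image[0x400:0x600] = bytes((i * 73 + 29) & 0xFF for i in range(0x200))        # stand-in for compressed code
    return bytes(image)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], f"entry={info['entry_point']:#x} in section {info['entry_section']}")
    for w in info["warnings"]:
        print("warning:", w)
```

The two heuristics are exactly what you look at in a PE analyzer before deciding whether the file needs unpacking: a legitimate compiler places the entry point in a read-only, executable `.text` section whose entropy sits well below 7 bits per byte, whereas a packer's stub lives in a writable section that it decompresses into at run time.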

Memory Dumpers

Programs that dump part or all of physical memory to a file for later inspection and forensics. They matter for infection identification because code that exists only in memory (an unpacked payload, code injected into another process) can be captured even when it never touches the disk.



This utility generates a physical memory dump of Windows machines. It works with both x86 (32-bit) and x64 (64-bit) machines.
The raw memory dump is written to the current directory; only a confirmation question is prompted before it starts.
It is well suited to deployment on a USB key for quick incident response needs.

Memory Analyzers 

Programs that understand the format of a dumped memory image and let us analyze it, extract data from it (processes, loaded modules, network connections, injected code) and generate reports.

Examples :

1.The Volatility Framework
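As an added illustration of one task a memory analyzer performs (this is example code, not part of the post and not Volatility's implementation), the scanner below walks a raw memory dump one page at a time looking for mapped PE images: a page that starts with "MZ", whose e_lfanew points inside that same page at "PE\0\0", and whose optional header carries a valid magic. The dump it scans is constructed inline and contains two header-only images plus two decoy "MZ" strings that must be rejected. The 16-page dump size and the image offsets are choices for the example.

```python
"""Find mapped PE images in a raw memory dump by page-aligned MZ/PE signature scanning (added example)."""
import struct
from typing import List

PAGE = 0x1000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def carve_pe_images(dump: bytes) -> List[dict]:
    """Return every page-aligned, internally consistent PE header found in the dump.

    Loaded modules start on a page boundary, so only those offsets are examined; a stray "MZ"
    in the middle of a page, or one whose e_lfanew does not lead to "PE\\0\\0", is skipped.
    """
    found = []
    for off in range(0, len(dump) - 0x40, PAGE):
        if dump[off:off + 2] != b"MZ":
            continue
        (e_lfanew,) = struct.unpack_from("<I", dump, off + 0x3C)
        nt = off + e_lfanew
        # the NT headers must sit inside the first page and fully inside the dump
        if not (0x40 <= e_lfanew <= PAGE - 0x100) or nt + 24 + 60 > len(dump):
            continue
        if dump[nt:nt + 4] != b"PE\0\0":
            continue
        machine, nsections = struct.unpack_from("<HH", dump, nt + 4)
        opt = nt + 24                                               # optional header: after signature + COFF header
        (magic,) = struct.unpack_from("<H", dump, opt)
        if magic not in (0x10B, 0x20B):
            continue
        (size_of_image,) = struct.unpack_from("<I", dump, opt + 56)  # SizeOfImage: same offset for PE32 and PE32+
        found.append({"offset": off, "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
                      "bits": 64 if magic == 0x20B else 32, "sections": nsections,
                      "size_of_image": size_of_image})
    return found


def minimal_pe_header(machine: int, size_of_image: int) -> bytes:
    """Constructed header-only image (no sections, no code) used to seed the sample dump."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, machine, 0, 0, 0, 0, 0xE0, 0x22)  # COFF header
    struct.pack_into("<H", hdr, 0x98, 0x20B if machine == 0x8664 else 0x10B)  # optional header magic
    struct.pack_into("<I", hdr, 0x98 + 56, size_of_image)                    # SizeOfImage
    return bytes(hdr)


def build_sample_dump() -> bytes:
    """Constructed 16-page 'physical memory' image: two PE headers and two decoys."""
    dump = bytearray(0x10000)
    for i in range(0, len(dump), 2):            # non-zero filler so a naive grep has noise to cut through
        dump[i] = (i >> 8) & 0xFF
    dump[0x2000:0x2200] = minimal_pe_header(0x14C, 0x5000)    # 32-bit image occupying 5 pages
    dump[0x9000:0x9200] = minimal_pe_header(0x8664, 0x3000)   # 64-bit image occupying 3 pages
    dump[0xC000:0xC002] = b"MZ"                                # page-aligned MZ with garbage e_lfanew: rejected
    dump[0xE123:0xE125] = b"MZ"                                # unaligned MZ: never examined
    return bytes(dump)


if __name__ == "__main__":
    for img in carve_pe_images(build_sample_dump()):
        print(f"PE at {img['offset']:#07x}: {img['machine']} {img['bits']}-bit, "
              f"SizeOfImage={img['size_of_image']:#x}")
```

Signature carving like this is only the first step. In a physical memory dump the pages of one module are rarely contiguous, so SizeOfImage tells you how much virtual address space the module occupies, not how many bytes follow in the file; tools such as Volatility locate kernel structures and walk the page tables to reassemble a module's pages into its virtual layout, which is why they need to know the exact operating system build of the dumped machine.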

Hex Editors

A hex editor (also called a binary file editor or byte editor) is a program that lets a user view and manipulate, byte by byte, the raw binary data that makes up a file.

Examples :

1.The Hex Workshop Hex Editor by BreakPoint Software

Process Monitors

An application that monitors a process and records the changes it makes at the operating-system level (file system, registry, process and thread activity, network calls).

Examples :

1.Process Monitor

Unpackers / De-obfuscators

A program that transforms a packed, obfuscated or encrypted binary back into its original form, so that static tools can see the real code instead of the packer's stub.
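A common small case of de-obfuscation is a dropper that stores its real payload XOR-encoded with a single byte. The following added example (not code from the post or from any named unpacker) recovers the key using two facts about PE files as known plaintext: they contain many 0x00 bytes, so the most frequent encoded byte is most likely the key itself, and a correct decode must yield "MZ" at offset 0 with e_lfanew pointing at "PE\0\0". The payload and the key 0xA7 are constructed for the example.

```python
"""Recover a single-byte XOR key from an obfuscated PE payload (added example, not from the post)."""
import struct
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes) -> bool:
    """Known-plaintext check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try the frequency guess first (a PE is full of 0x00, so the most common encoded byte is
    probably key ^ 0x00 == key), then fall back to brute force over all 256 keys.
    Returns None when no key yields a plausible PE, e.g. for a multi-byte or rolling key."""
    if not blob:
        return None
    most_common = max(range(256), key=blob.count)
    for key in [most_common] + [k for k in range(256) if k != most_common]:
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def unpack_payload(blob: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    key = recover_xor_key(blob)
    return (key, xor_bytes(blob, key)) if key is not None else (None, None)


def dos_stub_message(pe: bytes) -> str:
    """Pull the DOS stub text ('This program cannot be run...') as a human-readable sanity check."""
    start = pe.find(b"This program")
    if start < 0:
        return ""
    end = pe.find(b"$", start)
    return pe[start:end if end > 0 else None].decode("ascii", "replace")


def build_sample_payload() -> bytes:
    """Constructed stand-in for a dropper's embedded PE: DOS header, stub text, PE signature, zero padding."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew: right after the DOS header
    hdr[0x4E:0x4E + len(stub)] = stub
    return bytes(hdr) + b"PE\0\0" + b"\0" * 0x100


if __name__ == "__main__":
    encoded = xor_bytes(build_sample_payload(), 0xA7)  # what the dropper would carry in its resources
    key, decoded = unpack_payload(encoded)
    print(f"key={key:#04x}", dos_stub_message(decoded))
```

The same known-plaintext idea carries over to other schemes: once you know what a few bytes of the output must look like, you can test candidate keys cheaply, and a failed recovery (the function returns None) tells you the obfuscation is something other than a single-byte XOR and the sample needs a debugger rather than a guess.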

API Monitoring / Hooking

Techniques used to spy on an application when it calls system APIs, typically by hooking the API entry points or the import table so that each call and its arguments are logged.

Signature Detectors

A program that matches a file against a given signature (a byte pattern or a hash), the way an antivirus engine does.
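To show what a byte-pattern signature does and where it breaks, here is an added example (not code from the post or from any named scanner) of a small matcher that understands "??" wildcards, run over three constructed samples that compile the same function three ways. The signatures, sample bytes and marker string are all invented for the example.

```python
"""Byte-pattern signature scanner with wildcards, and a look at why exact patterns are brittle (added example)."""
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]   # None stands for a wildcard byte ("??")


def compile_hex_pattern(text: str) -> Pattern:
    """Turn "55 8B EC 83 EC ??" into [0x55, 0x8B, 0xEC, 0x83, 0xEC, None]."""
    out: Pattern = []
    for tok in text.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad token {tok!r}: expected two hex digits or ??")
    return out


def find_pattern(data: bytes, pat: Pattern) -> List[int]:
    """Every offset at which pat matches data; wildcards match any byte."""
    hits = []
    n = len(pat)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pat)):
            hits.append(i)
    return hits


SIGNATURES = {
    # x86 prologue "push ebp; mov ebp,esp; sub esp, imm8" with the frame size wildcarded
    "x86_prologue_sub_esp": compile_hex_pattern("55 8B EC 83 EC ??"),
    # the same prologue with the frame size hard-coded: an exact signature
    "x86_prologue_exact_0x10": compile_hex_pattern("55 8B EC 83 EC 10"),
    # a plaintext marker string, the kind of thing a family-specific signature keys on
    "marker_string": list(b"EVIL_CONFIG_v2"),
}


def scan(data: bytes, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """(signature name, offset) for every hit of every signature."""
    return [(name, off) for name, pat in signatures.items() for off in find_pattern(data, pat)]


# Constructed samples (not real malware): four NOPs, a function prologue, a marker string.
SAMPLE_A = b"\x90" * 4 + bytes.fromhex("558BEC83EC10") + b"EVIL_CONFIG_v2\0"   # frame 0x10: everything hits
SAMPLE_B = b"\x90" * 4 + bytes.fromhex("558BEC83EC20") + b"EVIL_CONFIG_v2\0"   # frame 0x20: exact sig misses
SAMPLE_C = b"\x90" * 4 + bytes.fromhex("5589E583EC20") + b"EVIL_CONFIG_v3\0"   # mov ebp,esp as 89 E5, new version

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, scan(sample))
```

Sample B is caught only by the wildcarded prologue, because a different stack frame size changed one byte; sample C slips past everything after an assembler chose the alternative encoding for `mov ebp, esp` and the author bumped a version string. That brittleness is why signature matching is a triage tool for known samples, not a substitute for the behavioral analysis the rest of this list is about.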

Import table reconstructors

When a binary is packed and we unpack it, some packers make life hard for us by destroying the import address table (IAT), so the dumped image carries no usable import information. Import reconstructors repair this by locating the IAT in the dump and resolving each address back to the exported function it points to, then rebuilding the import directory.

Network Sniffer

A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a network. Sniffers are available for several platforms in both commercial and open-source variants. The simplest are easy to implement in C or Perl, use a command-line interface and dump captured data to the screen; more complex ones use a GUI, graph traffic statistics, track multiple sessions and offer many configuration options. Sniffers are also the engines behind other programs: intrusion detection systems (IDS) use them to match packets against a rule set designed to flag anything malicious or strange, network utilization and monitoring programs use them to gather data for metrics and analysis, and law enforcement agencies that need to monitor email during investigations likely employ a sniffer designed to capture very specific traffic. For malware analysis, a sniffer on the analysis network shows you the sample's command-and-control traffic, download URLs and exfiltration attempts without having to trust anything on the infected machine itself.
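What a sniffer hands you is a sequence of raw frames, usually saved in the libpcap format that tcpdump and Wireshark write. The following added example (not code from the post or from any sniffer) parses such a capture down to TCP payloads so you can see what a beacon looks like at the byte level. The capture is constructed inline: one Ethernet/IPv4/TCP frame carrying an HTTP request, using RFC 5737 test addresses and an invented host name and path; IP and TCP checksums are left at zero because the parser does not verify them.

```python
"""Parse a libpcap capture down to TCP payloads, the raw material a sniffer produces (added example)."""
import socket
import struct
from typing import List

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_pcap(capture: bytes) -> List[dict]:
    """Return one record per TCP-over-IPv4 packet: timestamp, addresses, ports, flags and payload."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from("<IHHiIII", capture, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    packets, off = [], 24                                        # 24-byte global header
    while off + 16 <= len(capture):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", capture, off)
        frame = capture[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                                             # not IPv4 (ARP, IPv6, ...)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                                 # IPv4 header length in bytes
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != IPPROTO_TCP:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
        data_off = (off_flags >> 12) * 4                         # TCP header length in bytes
        packets.append({"ts": ts_sec + ts_usec / 1e6, "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "flags": off_flags & 0x1FF, "payload": tcp[data_off:]})
    return packets


def http_request_summary(pkt: dict) -> str:
    """One line per request: who talked to whom, the request line and the Host header."""
    lines = pkt["payload"].split(b"\r\n")
    host = next((l.split(b":", 1)[1].strip() for l in lines if l.lower().startswith(b"host:")), b"")
    return (f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
            f"{lines[0].decode('ascii', 'replace')} Host={host.decode('ascii', 'replace')}")


def build_sample_pcap() -> bytes:
    """Constructed capture holding one HTTP request (RFC 5737 test addresses, invented beacon path)."""
    payload = (b"GET /gate.php?id=1234 HTTP/1.1\r\nHost: c2.example.invalid\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n")
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0) + payload  # PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20")) + tcp
    frame = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4) + ip   # zeroed MAC addresses
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame
    return ghdr + rec


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(http_request_summary(pkt))
```

The parser deliberately follows the header-length fields (IHL, TCP data offset) rather than assuming 20-byte headers, since options in either header are exactly where a hand-rolled parser in a malware lab tends to go wrong.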

Examples :



Honeypots

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. [Wikipedia]
We use honeypots to collect malware samples for analysis.


Decompilers

A decompiler is the name given to a computer program that performs, as far as possible, the reverse operation to that of a compiler. That is, it translates a file containing information at a relatively low level of abstraction (usually designed to be computer readable rather than human readable) into a form having a higher level of abstraction (usually designed to be human readable). The decompiler does not reconstruct the original source code, and its output is far less intelligible to a human than original source code. [Wikipedia]


Debuggers

Debuggers are used for dynamic analysis, i.e. analyzing a program while it is running. This shows you things static analysis cannot, such as what is in memory when a function is called, or what a program's code looks like after it has unpacked or decrypted itself. Debuggers are either user-mode or kernel-mode, reflecting the privilege level at which they operate. WinDbg is pretty much the only kernel debugger for Windows, while there are at least two pretty good user-mode debuggers.





Virtual Machines

Virtual machines are great for reverse engineering. There are tools that record a program's behavior inside a VM, and you can use a VM for dynamic analysis of suspected malware if you don't have a real machine to throw away. Bear in mind that many malicious programs detect execution inside a VM and change their behavior, so a clean result in a VM does not prove a sample is harmless.


1.VMware. They offer a free version (VMware Server; registration with a valid email is required) that should give you all the functionality you need. However, I like VMware Workstation better: in my experience it has a better interface, it can keep multiple snapshots, and it runs more smoothly. You can use the VIX API with either of them to automate VM behavior.

2.VirtualBox. It's open source and arguably has an edge over VMware Workstation. It's available as a free download for all major host platforms. VirtualBox also offers an SDK with which you can script VM behavior.

Observation Tools

You don't necessarily need a debugger to see a program's behavior. These diagnostic tools run independently of the sample and show you what is happening on the system while it executes.


1.Capture BAT

Capture BAT is a behavioral analysis tool for applications on the Win32 operating system family. It monitors the state of a system during the execution of applications and the processing of documents, which gives an analyst insight into how the software operates even when no source code is available. Capture BAT monitors state changes at a low kernel level and can be used across various Win32 operating system versions and configurations. It is developed and maintained by Christian Seifert of the NZ Chapter of the Honeynet Project.


It lets you watch for changes as they happen, so you can, for example, capture and copy files dropped by the malware before it deletes them.

In the coming tutorials I will try to cover the important tools and how to use them.
