Reverse Engineering
Binary analysis and Reverse Engineering is taking our malware/file analysis to the next level. When we have a suspicious executable where we need to know not only is it malicious, but what exactly it does, we attempt to disassemble and/or reverse engineer the file to better understand its functions. There are different types of tools that can be used for this. While you can use a whole slew of coding support tools, most of the below tools have a specific context to reverse engineering and analyzing malware.

Radare2

​Radare2 is a considerable open-source reverse engineering framework with a hex editor and debugger at its core, multiple supporting tools to assist in analysis, and even plugins for enhancing your reversing tasks.

Components

  • R2agent – Remote managing engine within Radare2
  • Rabin2 – Binary information retrieval engine; used to find out basic information about a file
  • Radare2 – Full reverse engineering framework
  • Radiff2 – Comparing engine within Radare2; used to compare different files
  • Rafind2 – The search engine used within Radare2; allows searching for strings and sequences of bytes
  • Rahash2 – Hashing engine within radare2; used for computing checksums
  • Rarun2 – Specified execution environment engine within Radare2; allows changing of environment variables and other boundary conditions
  • Rasm2 – Assembler and disassembler engine within Radare2
  • Rax2 – The expression evaluator engine within Radare2; used to make base conversions to execute
  • ​radare2-cutter - Cutter is a Qt based GUI for reverse engineering binaries, which makes use of the radare2 framework. Advanced users are expected to use the radare2 CLI tools instead, which are much more powerful.

Basic Use

  • #radare2 <filename> - This launches the Radare engine with the specified file
  • To check what commands are available to you at any time, simply enter β€˜?’
    • This will show you various available tools and each letter corresponds to a tooling engine; for example, to use the rabin2 engine inside Radare2, simply enter β€˜i’. Enter β€˜i?’ to see further functionality.
  • $rabin2 -I <binary name> - pull important overview info about the binary
  • $rabin2 -z <binary name> - List all strings from the data section of the binary
  • $rabin2 -zz <binary name> - List all strings in the binary
  • $r2 <binary> - launch radare2 to view assembly code

Resources

Other Reverse Engineering Frameworks

  • ​IDA - IDA Pro as a disassembler is capable of creating maps of their execution to show the binary instructions that are actually executed by the processor in a symbolic representation (assembly language).
  • ​Rizin - Rizin is a fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
  • ​Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Can be used offesively for injecting code into running processes.
  • ​BARF - An open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline.
  • ​ODA - A lightweight, online service for when you don’t have the time, resources, or requirements to use a heavier-weight alternative. Explore executables by dissecting its sections, strings, symbols, raw hex and machine level instructions.
  • ​retoolkit - Reverse Engineer's Toolkit
  • ​alexey-kleymenov/reverse_engineering_tools - Various code samples and useful tips and tricks from reverse engineering and malware analysis fields.

Hex Editors

  • ​HexEdit.js – Browser-based hex editing.
  • ​Hexinator – World’s finest (proprietary, commercial) Hex Editor.
  • ​Frhed – Binary file editor for Windows.

Binary Analysis and Parsing Tools

  • ​capstone - a lightweight multi-platform, multi-architecture disassembly framework.
    • This package contains cstool, a command-line tool to disassemble hexadecimal strings.
  • ​Kaitai Struct – File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • ​Veles – Binary data visualization and analysis tool.
  • ​Hachoir – Python library to view and edit a binary stream as the tree of fields and tools for metadata extraction.

Resources