Reverse Engineering
Binary analysis and reverse engineering take our malware/file analysis to the next level. When we have a suspicious executable and need to know not only whether it is malicious but exactly what it does, we disassemble and/or reverse engineer the file to better understand its functions. There are different types of tools that can be used for this. While you can use a whole slew of general coding support tools, most of the tools below are built specifically for reverse engineering and analyzing malware.
Radare2
Radare2 is a considerable open-source reverse engineering framework with a hex editor and debugger at its core, multiple supporting tools to assist in analysis, and even plugins for enhancing your reversing tasks.
Components
R2agent – Remote managing engine within Radare2
Rabin2 – Binary information retrieval engine; used to find out basic information about a file
Radare2 – Full reverse engineering framework
Radiff2 – Comparing engine within Radare2; used to compare different files
Rafind2 – The search engine used within Radare2; allows searching for strings and sequences of bytes
Rahash2 – Hashing engine within radare2; used for computing checksums
Rarun2 – Specified execution environment engine within Radare2; allows changing of environment variables and other boundary conditions
Rasm2 – Assembler and disassembler engine within Radare2
Rax2 – The expression evaluator engine within Radare2; used for base conversions between numeric representations
radare2-cutter – Cutter is a Qt-based GUI for reverse engineering binaries, which makes use of the radare2 framework. Advanced users are expected to use the radare2 CLI tools instead, which are much more powerful.
Basic Use
$ radare2 <filename> - Launches the Radare2 engine with the specified file
To check what commands are available to you at any time, simply enter ‘?’
This will show you the various available tools; each letter corresponds to a tooling engine. For example, to use the rabin2 engine inside Radare2, simply enter ‘i’. Enter ‘i?’ to see further functionality.
$ rabin2 -I <binary name> - Pull important overview information about the binary
$ rabin2 -z <binary name> - List all strings from the data sections of the binary
$ rabin2 -zz <binary name> - List all strings in the whole binary
$ r2 <binary> - Launch radare2 to view the disassembled code
Resources
https://artik.blue/reversing - Reverse engineering with radare2 course.
Other Reverse Engineering Frameworks
Ghidra - Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux.
Operator Handbook: Ghidra - pg. 76
IDA - IDA Pro is a disassembler that maps a program's execution, showing the binary instructions actually executed by the processor in a symbolic representation (assembly language).
Gepetto - IDA plugin which queries OpenAI's gpt-3.5-turbo language model to speed up reverse-engineering
bincat - Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
Rizin - Rizin is a fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
Frida - Dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. Can be used offensively for injecting code into running processes.
BARF - An open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline.
ODA - A lightweight online disassembly service for when you don’t have the time, resources, or requirements to use a heavier-weight alternative. Explore executables by dissecting their sections, strings, symbols, raw hex, and machine-level instructions.
retoolkit - Reverse Engineer's Toolkit
alexey-kleymenov/reverse_engineering_tools - Various code samples and useful tips and tricks from reverse engineering and malware analysis fields.
Hex Editors
HexEdit.js – Browser-based hex editing.
Hexinator – World’s finest (proprietary, commercial) Hex Editor.
Frhed – Binary file editor for Windows.
Binary Analysis and Parsing Tools
capstone - A lightweight multi-platform, multi-architecture disassembly framework. The package also contains cstool, a command-line tool to disassemble hexadecimal strings.
Kaitai Struct – File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
Veles – Binary data visualization and analysis tool.
Hachoir – Python library to view and edit a binary stream as the tree of fields and tools for metadata extraction.
Resources
Resource and Tool Collections
MalwareUnicorn's tool collection - Tools used by one of the best malware analysts in the field.
https://malwareunicorn.org/#/ - Malware Blog, tools, and training
Reference Material
https://strontic.github.io/xcyclopedia/ - Encyclopedia that attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system.
Attacking Network Protocols: Application Reverse Engineering - pg. 111
RE Guides
Reverse Engineering for Beginners - Dennis Yurichev (PDF)
Hacking the Xbox: An Introduction to Reverse Engineering - Andrew "bunnie" Huang
BIOS Disassembly Ninjutsu Uncovered 1st Edition - Darmawan Salihun (PDF)
RE Training Courses
https://www.begin.re/ - Reverse Engineering for Beginners
https://beginners.re/main.html - Understanding Assembly Language
https://github.com/mytechnotalent/Reverse-Engineering - A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures.