
Default command-line tools

In the document Re-engineer your ethical hacking skills (Pages 150-153)

There are a couple of useful tools that are already built into the operating system we are working on. These come in handy when third-party tools are not available:

strings: This is a Linux command that lists the runs of printable characters (by default, at least four in a row) found in a given file. It is a quick way to spot embedded paths, URLs, format strings, and library names before any disassembly.

md5sum: This is a Linux command used to calculate the MD5 hash of a given file. MD5 is still the conventional key for looking a sample up in malware databases, but it is not collision resistant, so use sha256sum whenever the hash has to prove integrity rather than merely identify a file.

file: This is a command-line tool in Linux used to identify files. It uses the libmagic library, which matches the leading bytes of a file against a database of known signatures rather than trusting the file extension.
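The following is an added example, not code from the book: a portable Python re-implementation of what the three built-in tools report, for hosts where they are missing. The MAGIC table is a hand-picked subset of libmagic's signature database and SAMPLE is a constructed blob, not a real binary; both are assumptions made for the example.

```python
# Added example (not from the book): portable re-implementations of what
# `file`, `md5sum` and `strings` report, for hosts where the tools are missing.
# Assumptions: MAGIC is a hand-picked subset of libmagic's database and SAMPLE
# is a constructed blob, not a real binary.
import hashlib
import re

# Leading-byte signatures, the same idea libmagic uses (subset, assumption).
MAGIC = [
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE/DOS executable (MZ header)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"PK\x03\x04", "Zip archive"),
    (b"%PDF", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
]


def identify(data):
    """Mimic `file`: match leading magic bytes, else fall back to text/data."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if not data:
        return "empty"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "data"
    return "ASCII/UTF-8 text"


def md5sum(data):
    """Mimic `md5sum`. MD5 is fine as a lookup key for a sample but is not
    collision resistant, so use SHA-256 when the hash must prove integrity."""
    return hashlib.md5(data).hexdigest()


def strings(data, min_len=4):
    """Approximate `strings -n MIN_LEN`: runs of at least min_len printable
    ASCII bytes (0x20-0x7e plus tab), GNU strings' default character set."""
    pattern = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data):
    """Run all three checks, as you would on an unknown sample."""
    return {"type": identify(data), "md5": md5sum(data), "strings": strings(data)}


# Constructed sample: an ELF magic followed by padding and two embedded strings.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
          + b"/bin/sh\x00" + b"\x00\x01" + b"GET / HTTP/1.1\x00" + b"ab\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on SAMPLE reports the type as ELF and lists /bin/sh and GET / HTTP/1.1 while dropping the three-byte "ELF" and two-byte "ab" runs, exactly the behaviour of the default minimum length in strings; lowering min_len shows them again, which is often worth doing on packed samples.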

Disassemblers

Disassemblers are tools used to look at the low-level code of a program, whether it was compiled from a high-level language or written directly in assembly. As part of analysis, producing a deadlisting (a static listing of the whole program) and recognizing its blocks of code help to build up a picture of the program's behavior. It is then easier to identify only the code blocks that need to be thoroughly debugged, without stepping through the whole program:

IDA Pro: A popular tool used in the software security industry to disassemble binaries for many architectures, including x86 and ARM. It has a wide list of features. It can generate a graphical flow of code, showing code blocks and branching. It also has scripting that can be used to parse through the code and turn the raw disassembly into more meaningful information. IDA Pro has an extended plugin, the Hex-Rays decompiler, that is capable of translating assembly code into equivalent C source or syntax. The free version of IDA Pro can be downloaded from https://www.hex-rays.com/products/ida/support/download_freeware.shtml.

Radare: Available on Windows, Linux, and macOS, this open source tool shows the disassembled equivalent of a given program. It has a command-line interface, but there are existing plugins that can present the listing in the computer's browser. Radare's source can be downloaded and built from https://github.com/radare/radare2. Information on how to install binaries can be found at its website, available at https://rada.re.

Capstone: This is an open source disassembly engine (it decodes bytes into instructions; it does not decompile). The engine is used by many disassembly and decompiler tools, such as Snowman. Information about this tool can be found at https://www.capstone-engine.org/.

Hopper: A disassembly tool for Linux and macOS operating systems. It has a similar interface to IDA Pro and is capable of debugging using GDB.

BEYE: Also known as Binary EYE, this is a hex viewer and editing tool with the addition of a disassembly view mode. BEYE is available for Windows and Linux. It can be downloaded from https://sourceforge.net/projects/beye/.

HIEW: Also known as Hacker's View, it is similar to BEYE, but has better information output for PE files. The paid version of HIEW has more features supporting a lot of file types and machine architectures.
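The following is an added example, not code from the book or from the Capstone project, that demonstrates the two points above: producing a deadlisting with the Capstone engine (through its Python binding, installed with pip install capstone), and then recognizing the basic blocks in that listing. SAMPLE_CODE is a hand-assembled x86-64 snippet constructed for the example, not bytes from a real binary, and the block-splitting function works on any (address, mnemonic, operands) list, so it runs even when the binding is not installed.

```python
# Added example (not from the book or the Capstone project): disassemble raw
# x86-64 bytes with Capstone, then split the listing into basic blocks.
# Assumption: SAMPLE_CODE is a hand-assembled snippet, not a real binary.
try:
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    HAVE_CAPSTONE = True
except ImportError:  # binding missing: only split_basic_blocks() is usable
    HAVE_CAPSTONE = False

# push rbp; mov rbp, rsp; xor eax, eax; test eax, eax; je +2; inc eax; pop rbp; ret
SAMPLE_CODE = bytes.fromhex("55 48 89 e5 31 c0 85 c0 74 02 ff c0 5d c3")
BASE = 0x1000

# Hand-decoded listing of SAMPLE_CODE, used to cross-check Capstone's output.
EXPECTED_LISTING = [
    (0x1000, "push", "rbp"),
    (0x1001, "mov", "rbp, rsp"),
    (0x1004, "xor", "eax, eax"),
    (0x1006, "test", "eax, eax"),
    (0x1008, "je", "0x100c"),
    (0x100a, "inc", "eax"),
    (0x100c, "pop", "rbp"),
    (0x100d, "ret", ""),
]


def disassemble(code, base=BASE):
    """Deadlisting: return [(address, mnemonic, op_str), ...] for x86-64 bytes."""
    if not HAVE_CAPSTONE:
        raise RuntimeError("capstone Python binding is not installed")
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    return [(i.address, i.mnemonic, i.op_str) for i in md.disasm(code, base)]


def is_terminator(mnemonic):
    """Jumps (jmp and every jcc) and ret end a basic block; call does not."""
    return mnemonic.startswith("j") or mnemonic == "ret"


def branch_target(mnemonic, op_str):
    """Direct jump target (Capstone prints it as a hex immediate), else None."""
    if mnemonic.startswith("j") and op_str.startswith("0x"):
        return int(op_str, 16)
    return None


def split_basic_blocks(insns):
    """Leader analysis: a block starts at the entry point, at every direct
    jump target, and at the instruction following a jump or ret."""
    addrs = {addr for addr, _, _ in insns}
    leaders = {insns[0][0]}
    for idx, (addr, mnem, ops) in enumerate(insns):
        if is_terminator(mnem):
            target = branch_target(mnem, ops)
            if target in addrs:
                leaders.add(target)
            if idx + 1 < len(insns):
                leaders.add(insns[idx + 1][0])
    blocks, current = [], []
    for insn in insns:
        if insn[0] in leaders and current:
            blocks.append(current)
            current = []
        current.append(insn)
    if current:
        blocks.append(current)
    return blocks


if __name__ == "__main__":
    listing = disassemble(SAMPLE_CODE) if HAVE_CAPSTONE else EXPECTED_LISTING
    for n, block in enumerate(split_basic_blocks(listing)):
        print(f"block {n}:")
        for addr, mnem, ops in block:
            print(f"  0x{addr:x}: {mnem} {ops}".rstrip())
```

The sample splits into three blocks: the prologue through the je at 0x1008, the single inc at 0x100a that is skipped when the branch is taken, and the epilogue at 0x100c that both paths reach. That is the same partition IDA Pro draws as boxes in its graph view, and it is what lets you decide which blocks deserve a breakpoint before ever running the program.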

Debuggers

When debugging tools are used, it means that we are in the code-tracing phase of our analysis. Debuggers are used to step through every instruction the program executes. In the process of debugging, the program's actual interaction with, and changes to, memory, disk, network, and devices can be identified:

x64dbg: This is a Windows user-mode debugger. It is open source and can debug 32- and 64-bit programs. It is capable of accepting plugins written by users. The source code can be downloaded from https://github.com/x64dbg. The builds can be downloaded from https://x64dbg.com.

IDA Pro: Paid versions of IDA Pro are capable of debugging using the same disassembly interface. It is very useful when you want to see a graphical view of decrypted code.

OllyDbg: A popular Windows debugger, due to its portability and rich features. It can accommodate plugins written by its users, adding capabilities such as unpacking a packed executable (by running it to its original entry point) and dumping memory. OllyDbg only debugs 32-bit programs. It can be downloaded from http://www.ollydbg.de/.

Immunity Debugger: The interface of this program looks like a highly improved version of OllyDbg. It has plugin support for Python and other tools. Immunity Debugger can be downloaded from Immunity, Inc.'s site at https://www.immunityinc.com/products/debugger/. Older versions can be found at https://github.com/kbandla/ImmunityDebugger/.

Windbg: A debugger developed by Microsoft. The interface is quite plain, but can be configured to show every kind of information needed by a reverser. It is capable of being set up to remotely debug device drivers, software in the kernel levels, and even a whole Microsoft operating system.

GDB: The GNU Debugger was originally developed for Linux and a couple of other Unix-like operating systems. It can step through raw machine instructions, and with debug symbols it can also debug at the source level of high-level languages such as C, C++, and Java. GDB can also be used on Windows. GDB uses a command-line interface, but there are existing GUI front ends that drive GDB for a more informative view.

Radare: Radare also has a debugger packaged along with it. It can also do remote debugging by attaching to a remote GDB server. Its interface is command-line based but has an integrated visual view. Its developers also made a better visual view using the browser. For reverse-engineering work this makes Radare considerably more convenient than plain GDB. It is also primarily built for Linux, but has compiled binaries on offer for Windows and macOS.

Decompilers

Disassemblers are used to show the low-level code of a compiled high-level program.

Decompilers, on the other hand, attempt to show the high-level source code of the program.

These tools work by identifying blocks of low-level code that match corresponding syntax in the high-level language. It is expected that these tools won't be able to show exactly what the original program's source code looked like (names, comments, and much of the type information are lost at compile time), but nonetheless, they help speed up analysis.

Snowman: This is a C and C++ decompiler. It can run as a standalone tool, or as an IDA Pro plugin. The source can be found at https://github.com/yegord/snowman, while its compiled binaries can be downloaded from https://derevenets.com/. It is available for Windows and Linux.

Hex-Rays: This is also a C and C++ decompiler and runs as a plugin for IDA Pro. It is sold commercially as part of IDA Pro. Users should expect it to produce better decompiled output than Snowman.

dotPeek: This is a free .NET decompiler by Jetbrains. It can be downloaded from https:/​/​www.​jetbrains.​com/​decompiler/​.

ILSpy: This is an open source .NET decompiler. The source and pre-compiled binaries can be found at https://github.com/icsharpcode/ILSpy.
