- In general, you are unlikely to have source code for a relatively unknown malware sample, so you will need to rely on three types of tools to reverse engineer the executable: a string extractor such as strings on Unix or BinText on Windows, a disassembler such as IDA Pro, and a debugger such as OllyDbg.
- Take a look at embedded strings (BinText or strings)
- Examine program code using a disassembler (IDA Pro)
- Step through complicated code using a debugger (OllyDbg)
Tools or Tactics:
- Embedded strings offer a quick snapshot of a program's likely capabilities (file paths, URLs, registry keys, imported API names) that is far shorter to read than its assembly code
- IDA Pro is a powerful disassembler
- Disassembles compiled executables into assembly instructions
- Allows review of program code
- Also includes a debugger
- Debuggers let you execute malware under highly controlled conditions, with the ability to step through the program as slowly as one instruction at a time.
- Step through the code as it executes
- Use breakpoints to interrupt the program and examine specific workflow branches
- Examine and manipulate runtime environment
- OllyDbg is an excellent debugger that happens to be free
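The string-extraction step described above (the strings / BinText bullets) is simple enough to reproduce in a few lines, which also makes clear what those tools actually do. The following is an added example, not code from the original notes or from the strings or BinText projects: it scans a byte buffer for runs of printable ASCII and of UTF-16LE (the wide strings Windows executables commonly carry), which is why BinText finds more than Unix strings does by default, and then buckets the results into the categories an analyst scans first. The `SAMPLE` buffer is constructed for the example and only mimics the layout of a PE file; the `example.invalid` URL and the indicator patterns are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum run length; both the strings utility and BinText default to 4.
MIN_LEN = 4

# Constructed sample buffer: a fake DOS header, a few import names, a URL,
# a UTF-16LE registry path and some non-printable padding in between.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x00\xff\xfe"
    + b"KERNEL32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/update.php\x00"
    + b"\x00" * 3
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00"
    + b"\x7f\x80\x81ab\x00"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    Plain ASCII runs are what Unix strings reports by default; the UTF-16LE
    pass (each printable byte followed by a NUL byte) is the extra that
    BinText performs, and it is where most Windows-specific strings live.
    """
    # Printable ASCII: space (0x20) through tilde (0x7E), plus tab.
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    # UTF-16LE: printable ASCII byte followed by a NUL byte, repeated.
    wide_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)

    found: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    # Order by file offset so the listing reads like the tool output would.
    found.sort(key=lambda entry: entry[0])
    return found


# Assumed triage categories; a real analyst's list would be longer.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "registry": re.compile(r"^(HKEY_|SOFTWARE\\|SYSTEM\\)", re.IGNORECASE),
    "api": re.compile(r"^(Create|Write|Read|Virtual|Open)[A-Za-z]+$"),
}


def triage(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Bucket extracted strings into the indicator categories worth reading first."""
    buckets: Dict[str, List[str]] = {name: [] for name in INDICATOR_PATTERNS}
    for _, _, text in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                buckets[name].append(text)
    return buckets


if __name__ == "__main__":
    results = extract_strings(SAMPLE)
    for offset, encoding, text in results:
        print(f"{offset:#08x} {encoding:8} {text}")
    for category, hits in triage(results).items():
        print(f"{category}: {hits}")
```

Run against a real file by replacing `SAMPLE` with the contents read from disk; the offsets printed are the same file offsets IDA Pro shows when you jump to a string cross-reference, which is the usual way to move from "this string exists" to "this code uses it".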