Excerpt from Mastering Reverse Engineering
Information gathering tools
File type information
These tools gather basic information about a file: the filename, file size, file type, and file type-specific properties (for a PE file, for example, the compiler and the packer, if any). Their output lets the analyst plan how to analyze the file:
PEiD: A tool used to identify the file type, the packer, and the compiler. It runs on Windows. It is no longer maintained, but still very useful.
TrID: A command-line tool similar to PEiD, with Windows and Linux versions. It identifies files against a community-driven signature database covering many file types.
CFF Explorer: This tool is primarily used to read and edit PE format files. It runs under Windows and has a lot of features, such as listing running processes and dumping a process to a file. It can also be used to rebuild a process dump.
PE Explorer: Another tool used to read and edit the structure of PE files. It can also unpack a number of executable compressed programs, such as UPX, Upack, and NSPack. PE Explorer only runs in Windows.
Detect-it-Easy (DiE): Downloaded from https://github.com/horsicq/Detect-It-Easy, DiE is an open source tool that uses a community-driven set of algorithmic signatures to identify files. The tool has builds for Windows and Linux.
ExifTool: This tool was primarily designed to read and edit the Exif metadata of image files. It was later extended to other file formats, including PE files. ExifTool is available for Windows and Linux and can be downloaded from https://sno.phy.queensu.ca/~phil/exiftool/
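The checks these identifiers make can be scripted. The following is an added example (not code from the book or from any of the tools above) that reads the magic bytes, the COFF header and the section table of a PE file the way PEiD or DiE would, and flags a packer from section names. The section-name table and the minimal test image it builds are assumptions made for this example; real signature databases are far larger and also match code bytes at the entry point.

```python
import struct

# Machine values from the COFF header (IMAGE_FILE_MACHINE_*).
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}

# Section names typical of some packers. A small heuristic table written for this
# example; it is not the signature set of PEiD, TrID or DiE.
PACKER_SECTION_HINTS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".nsp0": "NSPack", b".nsp1": "NSPack",
    b".Upack": "Upack",
    b".MPRESS1": "MPRESS", b".petite": "Petite",
}


def identify(data: bytes) -> dict:
    """Classify a file by magic bytes and, for PE files, read the COFF and section headers."""
    info = {"type": "unknown", "machine": None, "dll": False, "sections": [], "packer_hint": None}
    if data[:4] == b"\x7fELF":
        info["type"] = "ELF"
        return info
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["type"] = "MZ"                       # DOS stub only, until a PE header is found
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # first word of the optional header
    info["type"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
    info["machine"] = MACHINES.get(machine, hex(machine))
    info["dll"] = bool(chars & 0x2000)        # IMAGE_FILE_DLL
    sec_off = e_lfanew + 24 + opt_size        # section table follows the optional header
    for i in range(nsec):
        off = sec_off + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):              # truncated table: stop instead of crashing
            break
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\0")
        info["sections"].append(name.decode("latin-1"))
        if info["packer_hint"] is None:
            info["packer_hint"] = PACKER_SECTION_HINTS.get(name)
    return info


def build_sample_pe(section_names, machine=0x8664):
    """Constructed test input: a minimal PE header blob, not a runnable executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0x70                           # arbitrary; the parser only needs to skip it
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B if machine == 0x8664 else 0x10B) + bytes(opt_size - 2)
    sections = b""
    for name in section_names:
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    print(identify(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

To run it against a real sample, pass `open(path, "rb").read()` to `identify()`. A packer hint from section names is only a hint: packers can rename sections, and a clean binary can be built with odd section names, so confirm with the entry-point bytes or an entropy check before concluding anything.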
Strings
Text-string gathering tools are mainly used to quickly identify possible functions or messages used by the program. Not every string found in the file is necessarily used: program flow still depends on the conditions set in the code. However, the offsets of the strings in the file can serve as markers that the analyst traces back to the code referencing them:
SysInternals Suite's strings: A command-line tool for Windows that lists the ASCII and Unicode text strings in any type of file.
BinText: A GUI-based Windows tool that displays the ASCII and Unicode text strings of any given file.
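As an added example (not code from the book or from the strings/BinText tools), here is a small extractor that finds printable ASCII and UTF-16LE runs with their file offsets, then tags the ones worth tracing back (imports, API names, URLs, registry keys, paths). The tag patterns, the API name set and the sample byte blob are assumptions constructed for this example.

```python
import re

# Heuristics for flagging strings worth tracing back. These patterns and the API set
# are assumptions made for this example, not the built-in lists of any tool.
KNOWN_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "VirtualAlloc", "VirtualProtect",
    "CreateRemoteThread", "WriteProcessMemory", "LoadLibraryA", "GetProcAddress",
}
TAGGERS = [
    ("url", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("registry", re.compile(r"^(HKEY_|HKLM\\|HKCU\\|SOFTWARE\\)", re.I)),
    ("path", re.compile(r"^([A-Za-z]:\\|\\\\)")),
    ("import", re.compile(r"\.dll$", re.I)),
]


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, kind, text) for printable ASCII and UTF-16LE runs of >= min_len chars."""
    n = str(min_len).encode()
    patterns = [
        ("ascii", re.compile(rb"[\x20-\x7e]{" + n + rb",}")),
        ("utf16", re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")),
    ]
    found = []
    for kind, pat in patterns:
        for m in pat.finditer(data):
            text = m.group().decode("ascii" if kind == "ascii" else "utf-16-le")
            found.append((m.start(), kind, text))
    return sorted(found)          # file-offset order, like a strings listing


def tag_string(text: str):
    """Tags describing why a string is interesting; empty list if it is not."""
    tags = [name for name, pat in TAGGERS if pat.search(text)]
    if text in KNOWN_APIS:
        tags.append("api")
    return tags


def find_markers(data: bytes, min_len: int = 4):
    """Only the tagged strings, as (offset, tags, text): the markers to trace back to code."""
    out = []
    for off, _kind, text in extract_strings(data, min_len):
        tags = tag_string(text)
        if tags:
            out.append((off, tags, text))
    return out


# Constructed input: header-like bytes, import names, a UTF-16 URL and a registry path,
# separated by junk. It is not a real executable.
SAMPLE = (
    b"MZ\x90\x00" + bytes(12)
    + b"This program cannot be run in DOS mode.\r\n$" + bytes(7)
    + b"KERNEL32.dll\x00IsDebuggerPresent\x00VirtualAlloc\x00\x00"
    + "http://example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ab\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

if __name__ == "__main__":
    for off, tags, text in find_markers(SAMPLE):
        print(f"{off:#08x} {','.join(tags):10} {text}")
```

Note the two-byte gap after "VirtualAlloc": without it the UTF-16 pattern would start one character early and report "chttp://..." (the trailing NUL of the ASCII string pairs with the 'c'). Real strings tools show the same artifact, which is one reason to always open the file at the reported offset before trusting a string.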
Monitoring tools
Without manually digging into the program's algorithm, simply running the program can reveal plenty about its behavior. Monitoring tools usually work by hooking common or specific system library functions and logging the parameters passed to them. Using monitoring tools is a fast way to produce an initial behavior analysis of a program; since the sample actually executes, run it in an isolated virtual machine:
SysInternals Suite's Procmon or Process Monitor: Running only on Windows, this is a real-time monitoring tool that records process, thread, filesystem, and registry events. It can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon and is part of the SysInternals Suite package.
API Monitor: This powerful tool helps reverse engineering by monitoring API calls as the program runs. The analyst selects which APIs the tool should hook; once an API is hooked, calls to it from the monitored user-mode processes are logged with their parameters. API Monitor can be downloaded from http://www.rohitab.com/apimonitor.
Editing tools
There may be instances where we need to modify the contents of a program to make it work properly, or to validate a code behavior. Changing data that a conditional instruction tests changes which branch is taken, and changing the instructions themselves can work around anti-debugging tricks. Always patch a copy and keep the original sample intact:
HxD Hex Editor: A Windows binary file viewer and editor. You can use this to view the binary contents of a file.
Bless: A Linux binary file viewer and editor.
Notepad++: A Windows text editor that can also open binary files, though viewing them as hexadecimal digits requires a hex-editor plugin. Still, it is useful for reading and analyzing scripts, thanks to its wide range of supported languages, including Visual Basic and JavaScript.
BEYE: A useful tool for viewing and editing any file type. BEYE is available for Windows and Linux.
HIEW: A hex editor and disassembler whose standout feature is on-the-fly encryption and decryption of file blocks with a routine written in assembly language.
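The patches described above (flipping a conditional jump, or overwriting an instruction with NOPs) are what you would type into any of these hex editors. The following is an added example, not code from the book or from any of the editors listed, that applies such patches from a script and refuses to write unless the bytes at the offset are exactly what was expected, so a stale offset cannot quietly corrupt the file. The x86 fragment and its offsets are constructed for this example.

```python
# Opcode facts used here come from the x86 opcode map: short Jcc are 0x70-0x7F (rel8),
# near Jcc are 0x0F 0x80-0x8F (rel32), and in both ranges the low bit selects the
# complementary condition (JZ 0x74 / JNZ 0x75, JB 0x72 / JAE 0x73, ...). 0x90 is NOP.


def patch_bytes(data: bytes, offset: int, new: bytes, expect=None) -> bytes:
    """Return a patched copy of data. Refuses to write past the end, or over bytes that
    differ from `expect`, so a wrong offset or a different build is caught, not patched."""
    end = offset + len(new)
    if offset < 0 or end > len(data):
        raise ValueError("patch runs outside the file")
    old = data[offset:end]
    if expect is not None and old != expect:
        raise ValueError(f"unexpected bytes at {offset:#x}: {old.hex()} (expected {expect.hex()})")
    return data[:offset] + new + data[end:]


def invert_jcc(data: bytes, offset: int) -> bytes:
    """Flip the conditional jump at offset to its complement (short or near form)."""
    op = data[offset]
    if 0x70 <= op <= 0x7F:
        return patch_bytes(data, offset, bytes([op ^ 1]), expect=bytes([op]))
    if op == 0x0F and offset + 1 < len(data) and 0x80 <= data[offset + 1] <= 0x8F:
        op2 = data[offset + 1]
        return patch_bytes(data, offset, bytes([0x0F, op2 ^ 1]), expect=bytes([0x0F, op2]))
    raise ValueError(f"no conditional jump at {offset:#x}: {data[offset:offset + 2].hex()}")


def nop_out(data: bytes, offset: int, length: int, expect=None) -> bytes:
    """Overwrite `length` bytes with NOPs. `length` must cover whole instructions
    (check with a disassembler), or execution falls into the middle of the next one."""
    return patch_bytes(data, offset, b"\x90" * length, expect=expect)


# Constructed 32-bit x86 fragment, laid out as a hex editor would show it. The call
# targets are made-up import slots; offsets are into this fragment, not a real binary.
SAMPLE = bytes.fromhex(
    "ff1500204000"   # 0x00  call dword ptr [0x402000]  ; e.g. IsDebuggerPresent
    "85c0"           # 0x06  test eax, eax
    "7506"           # 0x08  jne +6 -> 0x10            ; taken when a debugger is present
    "b800000000"     # 0x0a  mov eax, 0                ; clean path
    "c3"             # 0x0f  ret
    "6a01"           # 0x10  push 1                    ; "detected" path
    "ff1504204000"   # 0x12  call dword ptr [0x402004]  ; e.g. ExitProcess
)

if __name__ == "__main__":
    flipped = invert_jcc(SAMPLE, 0x08)          # jne -> je: debugger present now takes the clean path
    nopped = nop_out(SAMPLE, 0x08, 2, expect=b"\x75\x06")   # never jump to the detected path
    print(flipped.hex())
    print(nopped.hex())
```

Flipping the jump is usually preferable to NOPing it when the jump is also the normal way to reach the other branch, and either patch only helps against this one check; the offset you patch on disk must be the file offset, which differs from the virtual address a debugger shows once the image is mapped.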