Reverse Engineering

Use multiple tools for comparison when decompiling: every decompiler produces different output, and diffing two of them is the quickest way to tell a decompiler artifact from real program logic. If one tool's output looks odd, check the same function in another.

Generic Binaries

  • Ghidra
    • ✅ Pricing: Free
    • ✅ Codebase: Open-source
    • 📝 Notes:
      • Made by the NSA
  • Binary Ninja
    • ⚠ Pricing: Paid ($149 USD/$4,500 NTD)
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • Cheaper alternative to IDA Pro
      • Supports plugin development
      • Supports a native pseudo-code decompiler on the latest dev branch
  • IDA Pro
    • ⚠ Pricing: Paid ($1,879 USD/$57,000 NTD)
      • For the base application only; the Hex-Rays decompilers are licensed separately per architecture
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • Industry standard
      • Supports 50+ processor architectures

.NET Binaries

  • dnSpy
    • ✅ Pricing: Free
    • ✅ Codebase: Open-source
    • 📝 Notes:
      • Windows only (WPF-based); decompiler, assembly editor and debugger in one tool
      • Has a built-in debugger with anti-anti-debug features
        • By default spoofs IsDebuggerPresent, CheckRemoteDebuggerPresent and System.Diagnostics.Debugger so the sample does not see the debugger
  • dotPeek
    • ✅ Pricing: Free
    • ⚠ Codebase: Proprietary
  • .NET Reflector
    • ⚠ Pricing: Paid ($205 USD/$6,200 NTD)
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • Can decompile async methods down to the compiler-generated state machine
      • Students can apply for the .NET Developer Bundle for free

Dynamic Analysis

Sandbox

  • CAPE Sandbox
    • ✅ Pricing: Free
    • ✅ Codebase: Open-source
    • 📝 Notes:
      • Useful for quick combined dynamic/static analysis
      • Provides the following
        • PCAP
        • Memory dump
        • Handles used
        • Win32 API calls
        • DNS requests
        • Files dropped
        • Sandbox screenshots
      • Highly configurable
      • Hosts
  • any.run
    • ⚠ Pricing: Freemium
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • Multiple tiers
      • Free tier
        • ⚠ 16 MB maximum sample size
        • ⚠ 32-bit Windows 7 only
        • Lists important/suspicious processes only
        • Lists DNS requests
        • Highlights the MITRE ATT&CK™ matrix
        • Sandbox screenshots
        • Files dropped
        • The following features are for registered members only
          • Sample download
          • PCAP download
          • Export process graph (SVG)
      • “Searcher” tier ($89 USD/mo)
        • 32 MB maximum sample size
        • 64-bit Windows 7
        • Video recording
        • MITM proxy for HTTPS requests
        • Shows all processes
        • Advanced threat analysis
      • Russia-based service
        • Privacy Policy states that any information will only be used by ANY.RUN unless required by law
        • ⚠ Free-tier submissions are public; do not upload anything confidential
        • WHOIS excerpt for any.run (registrant hidden behind whoisproxy.ru, a Moscow-based privacy proxy):
          Registrar: Regional Network Information Center, JSC dba RU-CENTER
          Registrar IANA ID: 463
          Registrar Abuse Contact Email: tld-ncc@nic.ru
          Registrar Abuse Contact Phone: +7.4957370601
          Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
          Registry Registrant ID: df98cdacb0e74fbd8a6ad39efd7cf1b8-DONUTS
          Registrant Name: Privacy protection service - whoisproxy.ru
          Registrant Organization: Privacy protection service - whoisproxy.ru
          Registrant Street: PO box 99, whoisproxy.ru
          Registrant City: Moscow
          Registrant State/Province: Moscow

Network

  • Fiddler
    • ✅ Pricing: Free
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • HTTP(S) debugging proxy
  • Burp Suite
    • ⚠ Pricing: Free limited Community edition; paid Professional ($399 USD/$12,000 NTD)
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • Cross-platform
      • HTTP(S) intercepting proxy
      • Popular among web pentesters
  • FakeNet-NG
    • ✅ Pricing: Free
    • ✅ Codebase: Open-source
    • 📝 Notes:
      • Cross-platform
      • ⚠ Based on Python 2.x at the time of writing (later releases moved to Python 3)
      • Listens for DNS/HTTP(S)/SSL requests and answers them locally, so the sample's C2 traffic never leaves the lab
      • Attempts to serve plausible files
        • e.g. if the malware requests a JPG file, it returns a user-specified JPG file
      • Can write a capture file (*.pcap)
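
The core trick behind a fake-network tool such as FakeNet-NG is simple: answer every A query with the analyst's own address so the sample's C2 lookups resolve into the lab. The following is an added example written for this page, not FakeNet-NG's own code; it parses a real DNS query packet and builds the spoofed answer. FAKE_IP is an arbitrary lab address, and the query in the test is constructed by hand.

```python
"""Fake DNS answer logic in the spirit of FakeNet-NG (added example, not the tool's code)."""
import socket
import struct

FAKE_IP = "192.0.2.10"  # assumption: the lab host running the fake HTTP/SSL listeners


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer) at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def _read_name(data: bytes, pos: int) -> str:
    """Decode an uncompressed DNS name (as found in a question) into dotted form."""
    labels = []
    while True:
        length = data[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a question")
        pos += 1
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query, as a resolver client would send it (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def queried_name(query: bytes) -> str:
    """Name asked for in the (single) question of a query."""
    return _read_name(query, 12)


def build_response(query: bytes, answer_ip: str = FAKE_IP, ttl: int = 60) -> bytes:
    """Answer any A query with answer_ip; other record types get NOERROR with no answers."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means it is a response, not a query
        raise ValueError("expected a query with exactly one question")
    qend = _skip_name(query, 12) + 4  # name + QTYPE + QCLASS
    question = query[12:qend]
    qtype = struct.unpack("!H", question[-4:-2])[0]
    answers = b""
    if qtype == 1:  # A record: point back at the question name (offset 12) and attach our IP
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    # Flags 0x8180: response, recursion desired + available, RCODE 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 0)
    return header + question + answers


def answered_ip(response: bytes):
    """IPv4 address in the first answer of a response, or None if it carries no A answer."""
    _txid, _flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if ancount == 0:
        return None
    pos = _skip_name(response, 12) + 4  # skip the echoed question
    pos = _skip_name(response, pos)     # answer name (a pointer here)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    return socket.inet_ntoa(response[pos:pos + rdlen]) if rtype == 1 else None


def serve(bind: str = "0.0.0.0", port: int = 53, answer_ip: str = FAKE_IP) -> None:
    """Run the responder on UDP (binding port 53 needs admin/root); malformed packets are ignored."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            print(f"{peer[0]} asked for {queried_name(data)} -> {answer_ip}")
            sock.sendto(build_response(data, answer_ip), peer)
        except (ValueError, IndexError):
            pass


if __name__ == "__main__":
    serve()
```

Point the analysis VM's DNS at the host running serve() and every domain the sample resolves lands on FAKE_IP, where the HTTP/SSL listeners can log the request and hand back a plausible file. Note that only A queries are faked here; AAAA, MX or TXT lookups get an empty NOERROR answer, which is enough for most samples to fall back to IPv4.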

Binary

  • Process Hacker
    • ✅ Pricing: Free
    • ✅ Codebase: Open-source
    • 📝 Notes:
      • Open-source counterpart to Process Explorer (the project has since been renamed System Informer)
      • View process tree, network ports, disk activity
      • Manage services
      • Flag suspicious executables
      • Inject DLLs
      • Inspect and manage a process's threads
      • Shows whether a process is…
        • Packed
        • Digitally signed
        • A .NET process
      • Too many features to list
  • Process Explorer
    • ✅ Pricing: Free
    • ⚠ Codebase: Proprietary
    • 📝 Notes:
      • Created by Microsoft (Sysinternals)

Static Analysis

  • strings
    • scoop install strings
  • trid
    • scoop install trid
  • pestudio
    • Extracts strings and checks the file's hashes against VirusTotal
    • Shows imported API calls and flags suspicious ones
    • Checks Authenticode signature validity

PowerShell

Red Team

Blue Team

Useful Notes

  • Starting from Windows 10 v1803, curl.exe is included with the OS.
    • In Windows PowerShell 5.1, curl is an alias for Invoke-WebRequest, so invoke curl.exe explicitly to get the real binary.
    • Alternatively, remove the alias for the current session with Remove-Item Alias:curl (Remove-Alias does not exist in Windows PowerShell 5.1, and PowerShell 6+ no longer ships the curl alias at all).
  • Winbindex
    • An index of Windows binaries, with download links for executables such as *.exe, *.dll and *.sys files.
    • Useful for testing or analyzing specific binaries from various Windows versions
