Tuesday, August 4, 2020

Recent open source reverse engineering tools for Windows exes and DLLs for malware/virus analysis

Let's back up a bit: what is an exe?

.Exe is a common filename extension denoting an executable file (the main execution point of a computer program) for Microsoft Windows. The Portable Executable (PE) format is a file format for executables (exe), object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems.

How is an exe created?

Compilers take C/C++/C#/Python code and compile it into the PE format, which is not very human-friendly to read.

Why infect it? 

A computer virus is software usually hidden within another seemingly innocuous program that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action (such as destroying data). An example of this is a PE infection, a technique, usually used to spread malware, that inserts extra data or executable code into PE files. 

The PE Format Specification

The Portable Executable (PE) format is a specification that describes the structure of executable (exe) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively.
[Figure: layout of the PE file format. Source: http://dandylife.net/blog/archives/date/2015/02/page/2]


[Figure: an exe opened in a hex editor]
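As an added example (not code from the original post, and not from either tool mentioned below), here is a small Python PE header walker that follows the layout in the specification: DOS header, e_lfanew, PE signature, COFF file header, optional header, then the section table. Every offset taken from the file is bounds-checked before use, which is what lets a parser survive malformed PE files. It also renders the first bytes the way a hex editor shows them, and runs a few first-look triage heuristics (a section that is both writable and executable, section data that ends past end of file, an entry point outside every section, and data appended after the last section). The sample PE image it parses, and its "infected" variant, are constructed in code for the demo and are not a real program or real malware.

```python
import struct

# Constants from the PE/COFF specification (only the ones this example needs).
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HEADER_SIZE, SECTION_HEADER_SIZE = 20, 40


def hexdump(data, offset=0, length=64):
    """Render bytes the way a hex editor does: offset, hex bytes, printable ASCII."""
    lines = []
    for start in range(offset, min(offset + length, len(data)), 16):
        chunk = data[start:start + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{start:08x}  {hexpart:<47}  {text}")
    return "\n".join(lines)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of "PE\0\0"
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    if opt_size < 32 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    for i in range(nsections):  # section table follows the optional header
        off = opt_off + opt_size + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError(f"section header {i} truncated")
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC, "entry_point": entry_point,
            "image_base": image_base, "sections": sections}


def suspicious_findings(pe, file_size):
    """Cheap first-look heuristics; each is a hint for the analyst, not a verdict."""
    findings = []
    for s in pe["sections"]:
        end = s["raw_ptr"] + s["raw_size"]
        if end > file_size:
            findings.append(f"section {s['name']} raw data ends past EOF (0x{end:x})")
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    ep = pe["entry_point"]
    if not any(s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["raw_size"])
               for s in pe["sections"]):
        findings.append(f"entry point 0x{ep:x} lies outside every section")
    last_end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    if file_size > last_end:  # bytes appended after the last section ("overlay")
        findings.append(f"{file_size - last_end} bytes of overlay after the last section")
    return findings


def build_sample_pe(infected=False):
    """Construct a tiny synthetic PE32 image for the demo (not a real program).
    infected=True mimics a crude PE infection: writable code section plus appended blob."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt_size = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    flags = 0x60000020 | (IMAGE_SCN_MEM_WRITE if infected else 0)  # CODE|EXECUTE|READ
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, flags)
    headers = (bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    image = headers + (b"\xC3" + b"\0" * 0x1FF)  # one RET plus padding stands in for code
    if infected:
        image += b"CONSTRUCTED_OVERLAY_BLOB"  # constructed placeholder for appended data
    return image


if __name__ == "__main__":
    sample = build_sample_pe(infected=True)
    print(hexdump(sample, 0, 64))
    pe = parse_pe(sample)
    print(f"machine=0x{pe['machine']:x} sections={len(pe['sections'])} entry=0x{pe['entry_point']:x}")
    for finding in suspicious_findings(pe, len(sample)):
        print("suspicious:", finding)
```

Running the block prints the MZ header as a hex editor would show it, then the parsed header fields and two findings for the constructed "infected" image. To use it on a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `parse_pe` and `suspicious_findings`; the parser raises `ValueError` rather than reading out of bounds when a header field points outside the file.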
How to reverse engineer an exe?

Some recent PE reverse engineering tools of note:

  • PE-bear is a freeware reversing tool for PE files. Its objective is to deliver a fast and flexible "first view" tool for malware analysts that is stable and capable of handling malformed PE files. PE-bear's parser is open source: https://github.com/hasherezade/bearparser (works on Windows and Linux). It comes with a command-line tool (bearcommander). On Windows it requires the Microsoft Visual C++ 2010 Redistributable Package.

  • BlackBerry's PE Tree: https://github.com/blackberry/pe_tree (requires Python to run).