Updated: Dec 28, 2022
Welcome back, my aspiring malware analysts!
In previous tutorials here, I have demonstrated the power of such reversing and disassembly tools as Ollydbg, IDAPro and Ghidra. In this tutorial I'd like to share and demonstrate a few simpler tools that you are certain to want to have in your malware analysis toolbox. Each of these tools does a specific task and can provide a quick glimpse into the files you are analyzing. Their capabilities are included in such comprehensive tools as Ghidra and IDA Pro but they are be useful as a double check the work of these more comprehensive tools.
Let's take a look at some of the most useful of these tools.
In nearly every *nix (Linux, Unix, BSD, Solaris, etc) operating system, there is exists the file utility. The file command is used to determine the type of file. It does this by examining specific locations and fields within the file. Most files have a unique field for their specific file type.
This output can either be human readable (ASCII) or MIME.
Let's test this utility on multiple file types.
First, I have an .exe file named yourphone.exe
As you can see, the file utility identifies it as a PE32 for a Intel 80386 processor for Windows.
Now let's try a variety of file types.
As you can see above, the file utility successfully identified everything from the graphics files, XML files, RTF files and Powerpoint.
As a caveat, the file utility is not always accurate. Once again, it is looking at specific fields that indicate the file type and a binary or any other file that has those fields filled with similar data, will be mis-identifed . This why is is always important to use multiple tools and correlate their results.
PE Tools is collection of tools for analyzing binaries on Windows. As you can see below, PE Tools has analyzed the executables on my system identifying the architecture, Process ID, Image Base and Image Size. In the lower window, it provides the path to each executable.
PE Tools can also be used to;
Determine the compiler used
Whether Obfuscation techniques were used
View the executables header
PEiD is a Windows program for identifying the compiler used to build the executable (Microsoft Visual C++8).
PEiD has many other capabilities, many which overlap the PE Tool.
ldd (list dynamic dependencies)
ldd is *nix utility used to list the dynamic libraries used by the binary. Below we used ldd to list the dynamic libraries of apache2
Many times embedded strings can be enlightening to the malware analyst. At times, developers leave notes to themselves that can reveal the function and intent of the malware as well as the developers' native language.
Let's look at the help screen for this utility.
Note that the default is to identify strings 4 characters or longer. This can be adjusted by simply adding the --<number> option after the command.
Let's see what strings does when applied to our apache2 binary. Since we expect considerable output, let's pipe the output to more and view the list of strings one page at a time.
kali > strings /usr/sbin/apache2 | more
When scroll down a bit, we can see some more useful and longer strings including reference to some libraries this binary uses.
If we know what we are looking for, we might be able to use the strings utility to find something very specific using the grep filter. If we search the wannacry ransomware and grep for "http", we can immediately locate the Command and Control (C&C) server URL.
ndisasm (Netwide Disassembler)
ndisasm is an x86 binary file disassembler. It is part of the NASM and simply uses the Netwide Assembler to disassemble binary source files.
Let's look at its help file.
Now, let's generate some shellcode with Metasploit's msfvenom and name it chess.exe.
kali > msfvenom -p windows/meterpreter/reverse_tcp -f exe > chess.exe
Now, let's use ndisasm to disassemble chess.exe. Since this shellcode is 32-bit, we need to use the -b option followed by 32 and let's pipe the output to more.
kali > ndisasm -b 32 chess.exe | more
As you can see above, ndism successfully disassembled our msfvenom generated shellcode. Unfortunately, it's hard to work with as stdout, so let's redirect it to a file.
kali> ndiasm -b 32 chess.exe > chess_assembly
Now, let's open it with any text editor, in this case, mousepad.
kali >mousepad /home/kali/chess_assembly
The tools demonstrated in this tutorial are no substitute for Ghidra or IDA Pro but can be used to double check the results of such tools. In addition, as a newcomer to disassembly, these tools demonstrate some of the capabilities of these more comprehensive tools and further our understanding.