Manual Code Reversing
1. Context of Malware Analysis:
Dynamic Analysis Challenges: Running the sample and observing it yielded no useful information; the malware appeared inactive for the whole run, with nothing to observe.
Static Analysis Observations: The file was identified as a Windows PE executable with obfuscated code and data. The most telling sign was the near-total absence of readable text strings, which by itself points to packing or string encoding.
2. Manual Code Reversing Process:
Debugging with an x86 Debugger:
Stepped through the code in an x86/x64 debugger to reverse engineer it.
Discovered that the malware required a specific command-line argument to activate its behavior; without it the sample stays dormant, which is why dynamic analysis alone showed nothing.
3. Importance of Understanding Low-Level Language:
x86/x64 Assembly Language: Essential for debugging native Windows executables. On Windows 10 a sample is 32-bit (x86) or 64-bit (x64) machine code, and the debugger shows nothing but those instructions.
Windows APIs & C Syntax: Knowing the common Win32 APIs and C calling conventions lets you recognize what a block of assembly does from the calls it makes, instead of reading it instruction by instruction; this is what makes debugging efficient and reveals the malware's behavior at a deeper level.
4. Recommended Tools for Code Reversing:
IDA Pro with Hex-Rays Decompiler:
A commercial disassembler; the Hex-Rays plugin adds decompilation.
Converts native machine code into human-readable pseudocode in C-like syntax. Note that this is an approximation: symbol names and types are lost at compile time and must be recovered by the analyst.
Other Useful Tools:
dnSpy: Decompiler and debugger for .NET assemblies; because .NET ships as CIL bytecode, the output is close to the original C#.
Ghidra: A free, open-source suite with its own decompiler, supporting many processor architectures and binary formats.
5. Decompilers Overview:
Purpose: Convert binary executables into readable code, usually presented in C (or C-like) syntax.
Types of Executables:
Executables compiled to bytecode (an intermediate language run by a virtual machine, such as .NET CIL or Java class files) keep names, types and structure, so they decompile almost back to source. Native machine code does not, so native decompilers produce readable but approximate pseudocode.
Examples:
dnSpy for .NET executables.
Java decompilers for Java .class and .jar files.
Hex-Rays (and Ghidra's decompiler) for general native binary-to-C decompilation.
6. Practical Application:
Debugging Demonstration: Use a debugger (e.g. the x64 debugger) and a decompiler together on the same compiled executable: the decompiler gives the overall control flow, while the debugger confirms runtime values such as decoded strings and the command-line check that static analysis cannot resolve. This combination is what pays off when sandboxing and strings-based triage fall short.