Reverse Engineering Simple Windows Executable Files

1. Overview of the Session:

Objective: Demonstrate how to reverse engineer simple Windows executable files.
Files to Analyze: (say)
- C-Sharp Compiled Program: re_test_Desktopapp1.exe
- Native Executable File: re_lotsastuff.exe
Tools and Setup:
- Restored Windows VM image.
- FakeNet tool running to intercept outgoing network traffic.
- Course files copied into the VM.

2. Analysis of C-Sharp Compiled Program:

File Identification:
- Used Detect It Easy to identify the file type.
- re_test_Desktopapp1.exe identified as a PE32 file compiled from a .NET source.
Decompilation with dnSpy:
- dnSpy: A .NET decompiler tool used to show the equivalent source in C#.
- Process:
  1. Drag and drop the sample into the dnSpy console to begin decompilation.
  2. Navigate to the function or method indicated at the entry point.
Code Analysis:
- The code performs the following:
  1. Displays a message box with the text "for educational purposes only".
  2. Attempts to open a webpage from phishing.website.com.
  3. Runs CMD, which opens a command prompt.
Using MSDN References: Helpful in understanding the behavior of the code, particularly the functions and methods used.

3. Debugging the Program:

Setting Breakpoints:
- Set a breakpoint at the first line of code where the text variable is set ("for educational purposes only").
- Use F9 to set the breakpoint.
Starting Debugging:
- Press F5 to start debugging.
- Use F10 to step over or F11 to step into the code.
Observations During Debugging:
- The program displays the message box as expected.
- Encountered an issue with the open read function that attempts to read contents from phishing.website.com/dotnet.
- The function fails, possibly due to coding issues. It's advisable to note this behavior and revisit it later with more information.
- The final observed behavior is the execution of CMD.

4. Key Takeaways:

C-Sharp Language Knowledge: Understanding C# syntax is beneficial when analyzing .NET programs to grasp malware behavior better.
Breakpoint Usage: Setting breakpoints at crucial points (e.g., entry points) helps in observing program behavior systematically.
Documentation Practice: It's good practice to document all behaviors and potential issues encountered during analysis for further investigation.

5. Transition to Native Executable Analysis:

After analyzing the C-Sharp compiled program, the next step is to move on to analyzing the native executable file re_lotsastuff.exe.

Last updated 9 months ago

1. Overview of the Session:

Objective: Demonstrate how to reverse engineer simple Windows executable files.
Files to Analyze: (say)
- C-Sharp Compiled Program: re_test_Desktopapp1.exe
- Native Executable File: re_lotsastuff.exe
Tools and Setup:
- Restored Windows VM image.
- FakeNet tool running to intercept outgoing network traffic.
- Course files copied into the VM.

2. Analysis of C-Sharp Compiled Program:

File Identification:
- Used Detect It Easy to identify the file type.
- re_test_Desktopapp1.exe identified as a PE32 file compiled from a .NET source.
Decompilation with dnSpy:
- dnSpy: A .NET decompiler tool used to show the equivalent source in C#.
- Process:
  1. Drag and drop the sample into the dnSpy console to begin decompilation.
  2. Navigate to the function or method indicated at the entry point.
Code Analysis:
- The code performs the following:
  1. Displays a message box with the text "for educational purposes only".
  2. Attempts to open a webpage from phishing.website.com.
  3. Runs CMD, which opens a command prompt.
Using MSDN References: Helpful in understanding the behavior of the code, particularly the functions and methods used.

3. Debugging the Program:

Setting Breakpoints:
- Set a breakpoint at the first line of code where the text variable is set ("for educational purposes only").
- Use F9 to set the breakpoint.
Starting Debugging:
- Press F5 to start debugging.
- Use F10 to step over or F11 to step into the code.
Observations During Debugging:
- The program displays the message box as expected.
- Encountered an issue with the open read function that attempts to read contents from phishing.website.com/dotnet.
- The function fails, possibly due to coding issues. It's advisable to note this behavior and revisit it later with more information.
- The final observed behavior is the execution of CMD.

4. Key Takeaways:

C-Sharp Language Knowledge: Understanding C# syntax is beneficial when analyzing .NET programs to grasp malware behavior better.
Breakpoint Usage: Setting breakpoints at crucial points (e.g., entry points) helps in observing program behavior systematically.
Documentation Practice: It's good practice to document all behaviors and potential issues encountered during analysis for further investigation.

5. Transition to Native Executable Analysis:

After analyzing the C-Sharp compiled program, the next step is to move on to analyzing the native executable file re_lotsastuff.exe.

Last updated 9 months ago