Reverse Engineering Simple Windows Executable Files

1. Overview of the Session:

  • Objective: Demonstrate how to reverse engineer simple Windows executable files.

  • Files to Analyze:

    • C-Sharp Compiled Program: re_test_Desktopapp1.exe

    • Native Executable File: re_lotsastuff.exe

  • Tools and Setup:

    • Restored Windows VM image.

    • FakeNet running, so that any outgoing network traffic from the samples is intercepted and answered locally instead of reaching the internet.

    • Course files copied into the VM.

2. Analysis of C-Sharp Compiled Program:

  • File Identification:

    • Used Detect It Easy to identify the file type.

    • re_test_Desktopapp1.exe identified as a PE32 executable built from .NET (managed CIL code rather than native code), which is what makes it a candidate for decompilation back to C#.

  • Decompilation with dnSpy:

    • dnSpy: a .NET decompiler and debugger that presents the assembly's IL as equivalent C# source and lets you step through it.

    • Process:

      1. Drag and drop the sample into dnSpy's Assembly Explorer pane to load and decompile it.

      2. Navigate to the method dnSpy marks as the entry point (usually Main).

  • Code Analysis:

    • The code performs the following:

      1. Displays a message box with the text "for educational purposes only".

      2. Attempts to open a webpage from phishing.website.com.

      3. Runs CMD, which opens a command prompt.

  • Using MSDN references: helpful for understanding the behaviour of the code, in particular what each .NET class and method it calls does, what it returns and which exceptions it can throw.
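The file-identification step above (Detect It Easy reporting "PE32, .NET") comes down to one field in the PE headers, and the string literals dnSpy later shows (the message-box text, the URL, the command) sit in the assembly's metadata, so they can be pulled out before the sample is ever run. The script below is an added example, not course code: it parses the PE headers, checks data directory 14 (the CLR runtime header), reads the metadata root and decodes the #US user-string heap. Because it must run offline, build_stub_pe() constructs a minimal PE32 in memory as a stand-in for re_test_Desktopapp1.exe; its strings are constructed from the behaviour described in the session, not extracted from the real sample.

```python
"""Hand-rolled version of the first triage step: is this PE a .NET assembly,
and which string literals does it carry? Added example, not course code.
A .NET executable is an ordinary PE whose data directory 14 (CLR runtime
header) is non-zero; that header points at the metadata dnSpy decompiles, and
the metadata's #US stream holds every literal the IL loads with ldstr.
build_stub_pe() is a constructed stand-in for re_test_Desktopapp1.exe."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_CLR_RUNTIME_HEADER = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x1        # pure IL, nothing native mixed in
METADATA_SIGNATURE = 0x424A5342    # "BSJB"

def _rva_to_offset(secs, rva):
    for va, size, rawptr in secs:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is outside every section")

def _compressed_uint(data, pos):
    """ECMA-335 II.23.2 compressed unsigned integer: 1, 2 or 4 bytes."""
    b = data[pos]
    if b & 0x80 == 0:
        return b, pos + 1
    if b & 0xC0 == 0x80:
        return ((b & 0x3F) << 8) | data[pos + 1], pos + 2
    return int.from_bytes(data[pos:pos + 4], "big") & 0x1FFFFFFF, pos + 4

def _user_strings(data, meta, ver_len):
    """Locate the #US stream through the stream headers and decode each UTF-16 blob."""
    nstreams = struct.unpack_from("<H", data, meta + 16 + ver_len + 2)[0]
    hdr = meta + 16 + ver_len + 4
    for _ in range(nstreams):
        off, size = struct.unpack_from("<II", data, hdr)
        name = data[hdr + 8:data.index(b"\0", hdr + 8)]
        hdr += 8 + (len(name) + 4) // 4 * 4           # name is NUL-terminated, padded to 4
        if name != b"#US":
            continue
        out, pos, end = [], meta + off + 1, meta + off + size   # heap begins with an empty blob
        while pos < end:
            length, pos = _compressed_uint(data, pos)
            if length == 0:
                break
            out.append(data[pos:pos + length - 1].decode("utf-16-le"))  # final byte is a flag
            pos += length
        return out
    return []

def identify_pe(data: bytes) -> dict:
    """Report PE32/PE32+, whether a CLR header exists, the runtime version and #US strings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    fmt, dirs = ("PE32", opt + 96) if magic == PE32_MAGIC else ("PE32+", opt + 112)
    info = {"format": fmt, "dotnet": False}
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    if ndirs <= DIR_CLR_RUNTIME_HEADER:
        return info
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * DIR_CLR_RUNTIME_HEADER)
    if clr_rva == 0 or clr_size == 0:
        return info                                    # native image: no CLR header
    secs = [(va, max(vs, rs), ptr) for _, vs, va, rs, ptr in
            (struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsections))]
    clr = _rva_to_offset(secs, clr_rva)
    # IMAGE_COR20_HEADER: cb, Major/MinorRuntimeVersion, MetaData RVA+Size, Flags, EntryPointToken
    _, _, _, meta_rva, _, flags, entry_token = struct.unpack_from("<IHHIIII", data, clr)
    meta = _rva_to_offset(secs, meta_rva)
    sig, _, _, _, ver_len = struct.unpack_from("<IHHII", data, meta)
    if sig != METADATA_SIGNATURE:
        raise ValueError("CLR header present but metadata root signature is wrong")
    info.update(dotnet=True, il_only=bool(flags & COMIMAGE_FLAGS_ILONLY),
                runtime=data[meta + 16:meta + 16 + ver_len].rstrip(b"\0").decode("ascii"),
                entry_point_token=entry_token, user_strings=_user_strings(data, meta, ver_len))
    return info

def build_stub_pe(dotnet: bool = True) -> bytes:
    """Constructed minimal PE32: one .text section, optionally with CLR header and metadata."""
    sec_rva, sec_raw, clr_size, version = 0x2000, 0x200, 72, b"v4.0.30319\0\0"
    heap = bytearray(b"\0")                            # constructed #US heap, not the real sample's
    for s in ("for educational purposes only", "http://phishing.website.com/dotnet", "cmd"):
        blob = s.encode("utf-16-le") + b"\0"
        heap += bytes([len(blob)]) + blob              # one-byte compressed length (< 0x80)
    hdr_len = 16 + len(version) + 4 + 12               # root, flags/count, one stream header
    metadata = (struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(version)) + version
                + struct.pack("<HHII", 0, 1, hdr_len, len(heap)) + b"#US\0" + bytes(heap))
    clr = struct.pack("<IHHIIII", clr_size, 2, 5, sec_rva + 0x100, len(metadata),
                      COMIMAGE_FLAGS_ILONLY, 0x06000001).ljust(clr_size, b"\0")
    body = (clr.ljust(0x100, b"\0") + metadata).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 8, 0, 0x200, 0, 0, sec_rva, sec_rva, 0x4000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x4000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[DIR_CLR_RUNTIME_HEADER] = (sec_rva, clr_size)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x60000020)
    return (dos.ljust(0x80, b"\0") + b"PE\0\0" + coff + opt + section).ljust(sec_raw, b"\0") + body

if __name__ == "__main__":
    for flag in (True, False):
        print(identify_pe(build_stub_pe(dotnet=flag)))
```

Run against a real file with identify_pe(open(path, "rb").read()). A non-.NET image such as re_lotsastuff.exe comes back with dotnet False and no strings, which is the same split Detect It Easy makes between "PE32 (.NET)" and a native PE32; the ILONLY flag tells you whether dnSpy will see the whole program or whether a mixed-mode assembly also carries native code that needs a native debugger.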

3. Debugging the Program:

  • Setting Breakpoints:

    • Set a breakpoint on the first line of the entry method, where the text variable is assigned ("for educational purposes only").

    • F9 toggles a breakpoint on the selected line.

  • Starting Debugging:

    • Press F5 to start debugging.

    • F10 steps over a call (it runs to completion), F11 steps into it.

  • Observations During Debugging:

    • The program displays the message box as expected.

    • Encountered an exception in the OpenRead call that attempts to read content from phishing.website.com/dotnet (most likely WebClient.OpenRead; the session does not name the class).

    • The call fails and the cause was not determined during the session; it may be a coding issue in the sample, but since FakeNet is answering the request, a lab-environment cause cannot be ruled out either. Record the exception dnSpy reports and the conditions it occurred under, and revisit it later with more information rather than guessing.

    • The final observed behavior is the execution of CMD.

4. Key Takeaways:

  • C-Sharp Language Knowledge: Understanding C# syntax is beneficial when analyzing .NET programs to grasp malware behavior better.

  • Breakpoint Usage: Setting breakpoints at crucial points (e.g., the entry point) lets you observe program behaviour one step at a time instead of all at once.

  • Documentation Practice: It's good practice to document all behaviors and potential issues encountered during analysis for further investigation.

5. Transition to Native Executable Analysis:

  • After analyzing the C-Sharp compiled program, the next step is to move on to analyzing the native executable file re_lotsastuff.exe.
