Malware/Required knowledge
From CSRRT-LU
Introduction
Analyzing software is closely related to reverse engineering. An open book on the subject can be found at http://en.wikibooks.org/wiki/Reverse_Engineering/Introduction [1]
Before analyzing unknown software I suggest writing some simple programs yourself and analyzing their binaries. This approach has the advantage that you already know, before the reverse engineering process starts, what the software is doing.
Programming languages
Nowadays many programming languages exist. My goal is to examine win32 binaries. A win32 binary contains the code the developer wrote, as machine instructions, together with code added by the linker and other information. After the machine instructions written by the binary's author have been extracted, they can be disassembled, so knowledge of assembly language is required. Today only a few programmers write their programs in assembly language; most use a higher-level language such as C or C++. For examining data, a number of scripting languages exist which are quite high-level.
During my work I focus on the following programming languages:
- Assembler, to understand a binary.
- C [2] (http://www.mingw.org), to write some test examples to be examined.
- Perl [3] (http://www.perl.org) and Java [4] (http://java.sun.com), to process the results from disassemblers.
Assembler
For writing assembler programs I use nasm [5] (http://nasm.sf.net). As a debugger I use the GNU debugger [6] (http://www.gnu.org/software/gdb/). My first steps in assembler are shown in section Malware/Assembler. An open book about assembler can be found at http://en.wikibooks.org/wiki/X86_Assembly .
C
For writing C programs I use gcc for win32, which is published by the MinGW project (http://mingw.org). How I proceed is shown in section Malware/c.
Malware/Some notes for perl
Getting started with examining software
At first I start by writing some simple assembly programs. After linking them I disassemble them again and try to find my code in the linked executable or in a debugger. The complexity of the programs is increased slowly: the first program modifies only a few registers, the next program does a loop, and so on. After a while I become familiar with the assembly language. Next I move on to the language C and again start writing simple programs and disassembling them. This way I can see how the language C is mapped onto assembler.
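As an added example of this approach (not code from the original page), the following C program is the kind of "easy program" to compile with MinGW gcc and disassemble afterwards. It plants a distinctive immediate constant so the author's own code can be located among everything the linker added, and it includes a small search routine that finds that immediate's little-endian bytes in a raw image; the sample byte buffer in main() is constructed by hand, and the name MARKER is my choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build and inspect (MinGW, no optimisation so the loop stays recognisable):
 *   gcc -g -O0 -o easy.exe easy.c
 *   objdump -d easy.exe | grep -B2 -A12 1234abcd
 * MARKER must be emitted as an immediate operand, so its bytes
 * "cd ab 34 12" identify our code in the listing. */
#define MARKER 0x1234ABCDu

/* The easy program: a few register moves and one loop. */
uint32_t sum_loop(uint32_t n)
{
    uint32_t acc = MARKER;          /* distinctive immediate */
    for (uint32_t i = 0; i < n; i++)
        acc += i;                   /* the loop to look for in the listing */
    return acc;
}

/* Search a raw image for the little-endian bytes of a 32-bit immediate.
 * Returns the byte offset of the first match, or -1 if absent. */
long find_marker(const uint8_t *img, size_t len, uint32_t marker)
{
    uint8_t pat[4] = { marker & 0xff, (marker >> 8) & 0xff,
                       (marker >> 16) & 0xff, (marker >> 24) & 0xff };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(img + i, pat, 4) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: push ebp; mov ebp,esp; sub esp,0x10;
     * mov eax,0x1234abcd (opcode B8 + imm32); ret */
    static const uint8_t img[] = { 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10,
                                   0xb8, 0xcd, 0xab, 0x34, 0x12, 0xc3 };
    long off = find_marker(img, sizeof img, MARKER);
    printf("sum_loop(10) = 0x%08x\n", sum_loop(10));
    printf("marker immediate at offset %ld, opcode byte before it 0x%02x\n",
           off, off > 0 ? img[off - 1] : 0);
    return 0;
}
```

Running find_marker over the bytes of the real executable (read from disk) gives the file offset to jump to in the disassembler; the same immediate can also be found with a hexdump tool.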

