Tags

, , , , , , , , , , , ,

The source code for a lot of malware is available from various repositories, but what happens if we have a dodgy-looking .exe on the system with no idea what it does? Fortunately there are several Linux tools we can use to derive useful information about it, and this might be valuable in identifying malicious programs so the analyst can search other sources.

Using strings
Below is a SysInternals executable called Diskmon.exe opened in a text editor. As we can see, opening a binary file in a text editor gives us something unintelligble:

Raw output in a text editor

There is still a way of extracting text and other information from the file using GNU Binutils, which should already be present on default Linux installations.

The strings command will output whatever text from a binary file, and we can derive things like the malware’s real name, the addresses of servers it might be contacting, the author, variable names, functions and other stuff. e.g.

strings Diskmon.exe

strings output

It’s also possible to search for specific keywords within the strings output by combining it with grep, e.g. To search Diskmon.exe for keyword ‘Registry’:

strings Diskmon.exe | grep Registry

Retrieving Functions and Data Structures
Two other programs included with binutils – nm and objdump – can also be used for digging up information about a compiled program.
The nm command searches the executable/binary for important data structures and functions it might call when run, and this can reveal a lot about what the program does. However some programmers remove this data when compiling, as the programmers who created Diskmon.exe did.

nm

The objdump command comes with several options available, which we specify when running it against an executable. This reads the object code within the program and translates it into something resembling assembler instructions. With this, we have a much better chance of successfully analysing the executable.

objdump Diskmon.exe –s

Outputs the hexadecimal object code along with the contents at each memory address used by the executable. Some of this data will be displayed as plain text, which is certainly useful if malware’s being traded by naughty people who embed their contact details:

objdump -s output

The objump -d command translates the executable into assembler code:

objdump Diskmon.exe -d

objdump -d output

Decompiling
When looking at the assembler code, we’re basically seeing a limited set of instructions that shift data around in memory and manipulate the stack pointer. Obviously, it’ll take a lot of time and skill to determine what the program does. Fortunately it’s also possible to convert the executable into high-level code (of sorts), making it easier to follow.

Some free decompilers are available. The Reverse Engineering Compiler (REC) is useful, and there are versions for both Microsoft Windows and Linux. Although the assembler code is again displayed in the screenshot below, users can switch between several other windows that reveal the program’s structure, function calls and DLLs it uses.

Reverse Engineering Compiler

Advertisements