Reverse Engineering Tools on Linux - Security & Cryptography
This is a completely rewritten version of my original post now that I have more experience. I'm still a novice, but I've done some real malware analysis and some exercises and generally feel like the post should reflect my updated feelings.
Introduction

Reverse engineering is seen as a primarily Windows-based activity. Basically all malware samples you reverse will be Windows-based, and some of the best tools such as OllyDbg are Windows exclusive. This post aims to look at what tools and resources are available for Linux and to evaluate them. Before that, however, I'd like to quickly mention that you can get Windows virtual machine images for all manner of hypervisors free from Microsoft here. They're meant for testing your web apps on IE, but just boot one up, install all your tools and save a snapshot - what are they going to do? With that out of the way, let's look at some native tools.

IDA

IDA (the Interactive Disassembler) from Hex-Rays has its reputation as the best static analysis tool available, and for good reason: it's very good. It provides a very useful disassembly, function graphs, comprehensive searching, imports and references to those imports, and much more. With this comes a ridiculous price tag which I'm sure puts it out of range of anyone here. Thankfully, Hex-Rays offers a free demo version. It is a tad limited in what it can disassemble, and you can't save. You can get around the latter issue with virtual machine snapshots if you're so inclined. Documentation-wise, IDA's reputation means it has a strong user base and thus plenty of resources are available, including entire books. I found I didn't have a clue what to do, but on reading the dedicated chapter in Practical Malware Analysis, I picked it up no problem and now find it very intuitive. That said, Hex-Rays' own website seems a bit sparse, and a lot of the pages seem out of date. I haven't ever had to go there for technical help though.

angr

angr is a Python symbolic execution framework. Symbolic execution is a very interesting field and not one that any of the other tools here provide to my knowledge. The Wikipedia page likely explains it better than I can, but in essence it involves traversing a program and storing values as expressions of other values. This allows the user to perform constraint solving to obtain possible values for unknown variables. As an example, say you're doing a CrackMe. Instead of reversing the entire algorithm, you could work out how the stack is set up and replicate this in angr. You could then point angr at a start address and tell it to reach a certain end address - the 'success' one. Once it gets there, you have the state of the program stored as a Python object and can tell angr to solve for the input that led to this state - the key. There are plenty of examples of exactly this. This is a very powerful tool when used correctly. That's the catch though - learning angr is no simple task outside of the most basic of examples such as the one I provided, and the angr documentation is very lacking at the moment. It is being worked on, however, and in the 5 week period I spent with it, the documentation was actively updated and improved. Definitely worth a look.

gdb

Chances are you already have the GNU debugger installed, especially if you've ever written some C. It's quite a bare-bones debugger and contains everything you'd expect - breakpoints, memory dumps, register views etc. - but the reversing experience is very clunky and annoying to navigate in my opinion: you simply need to keep your eyes on more things than gdb is willing to show in one nice view at once. Its age does mean that any information is pretty quick and easy to find, which is pretty good.

gdb-peda

gdb can be extended with scripts, and peda is a Python script that aims to add more on top of the gdb base. I think it's become popular enough to come by default on Kali. This adds a few commands which prove useful in reverse engineering and exploit development, and it provides extra information such as register views and a printout of the stack by default. It also has colours. That said, I don't really like gdb-peda. I personally feel as though it suffers from many of the same problems as gdb, while also making the output cluttered without it being that useful (the stack printout doesn't show the entire stack of a function, for example). That said, I have a couple of coworkers who swear by it, so give it a try.

radare2

radare2 is a terminal-based tool that allows for both static and dynamic analysis (use the -d switch for the debugger! I've had to point this out to a couple of people). I personally really like it, and it's the best terminal option in my opinion. When used statically, the 'analyse all' command (aa) can be used to give a text output not dissimilar to IDA's. From there on you can rename variables and functions to your heart's content. It even has ASCII graphs, though I personally found them a bit too awkward to use in the same manner as I would with a GUI. The debugger provides pretty much all the options you could require, with a sensible syntax. Every function is documented within the program, and this help is easy to access as well. There's also the radare2 book in terms of documentation. Together these resources are very useful and have eventually answered pretty much any question I have had, but this comes at the expense of it being basically the only documentation I can find. Googling questions rarely got me results.

edb

edb is a Qt4 (5?) app that very clearly takes a lot of inspiration from OllyDbg, right down to the keyboard shortcuts. Having used Olly all week, I was going to write that edb didn't have as many features, but honestly after giving it a quick look the two seem incredibly similar. edb also comes with some decent plugins by default, such as a ROP tool. The creator himself says it is not a full release as the documentation is lacking, so keep that in mind. Otherwise this looks pretty good.

Additional Tools

Reverse engineering isn't just about reading assembly, and there are a few more tools available to Linux users that can be of use.
* 'strings' will dump all the strings in a program, which is useful for finding constants.
* 'strace' lists all the system calls a binary makes.
* 'xxd' can be used for hexdumps.
* Any good scripting language such as Python or Perl can be put to good use for printing binary constants, doing quick hex calculations in the terminal, etc.

Practice

Reverse engineering is a hard, long and very thought-intensive process a lot of the time, so practice is always good. The RPISEC Modern Binary Exploitation course materials are free online, and provide a Linux VM with gdb-peda and radare2 to try out the challenges on. You could also get the files from GitHub and run them locally if you prefer other tools.

Further Reading
* RE Wiki
* Reverse Engineering for Beginners
* /r/ReverseEngineering
* /r/malware

Thanks for reading! Feel free to PM any questions, and give any suggestions.
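The angr section above describes the CrackMe workflow in words: run the program on expressions instead of concrete values, drive execution to the 'success' address, then solve the collected constraints for the key. The following is an added example (not code from the original post and not angr itself) that implements that workflow as a toy symbolic executor over a constructed 12-instruction crackme. The instruction set, the PROGRAM, the key bytes and the names explore/solve/crack are all my own; the find/avoid naming mirrors how angr's simulation manager is driven, but the engine below is a pure-Python stand-in that does a 256-value search per key byte where angr would call an SMT solver.

```python
from dataclasses import dataclass, field

# Constructed crackme (assumption: a toy register machine, not a real binary).
# (mnemonic, operands); key bytes enter via LOAD, branches jump to FAIL.
PROGRAM = [
    ("LOAD", "a", 0),        # 0: a = key[0]
    ("XOR", "a", 0x5A),      # 1
    ("JNE", "a", 0x28, 11),  # 2: if a != 0x28 goto FAIL
    ("LOAD", "a", 1),        # 3: a = key[1]
    ("ADD", "a", 7),         # 4
    ("JNE", "a", 0x6C, 11),  # 5
    ("LOAD", "a", 2),        # 6: a = key[2]
    ("XOR", "a", 0x21),      # 7
    ("ADD", "a", 0x10),      # 8
    ("JNE", "a", 0x67, 11),  # 9
    ("SUCCESS",),            # 10: the 'find' address
    ("FAIL",),               # 11: the 'avoid' address
]
SUCCESS_PC, FAIL_PC = 10, 11


class Expr:
    """A symbolic 8-bit value: an operation tree over unknown key bytes."""

    def __init__(self, op, *args):
        self.op, self.args = op, args

    def eval(self, env):  # concrete evaluation with env = {key_index: byte}
        if self.op == "var":
            return env[self.args[0]]
        inner, imm = self.args[0].eval(env), self.args[1]
        return inner ^ imm if self.op == "xor" else (inner + imm) & 0xFF

    def vars(self):
        return {self.args[0]} if self.op == "var" else self.args[0].vars()

    def __repr__(self):
        if self.op == "var":
            return f"key[{self.args[0]}]"
        return f"({self.args[0]!r} {self.op} {self.args[1]:#x})"


@dataclass
class State:
    pc: int = 0
    regs: dict = field(default_factory=dict)
    constraints: list = field(default_factory=list)  # (expr, imm, must_be_equal)


def explore(program, find=SUCCESS_PC, avoid=FAIL_PC):
    """Fork at every branch until a state reaches `find`; states at `avoid` are dropped."""
    worklist = [State()]
    while worklist:
        st = worklist.pop()
        while st.pc != avoid:
            if st.pc == find:
                return st
            ins = program[st.pc]
            if ins[0] == "LOAD":
                st.regs[ins[1]] = Expr("var", ins[2])
            elif ins[0] in ("XOR", "ADD"):
                st.regs[ins[1]] = Expr(ins[0].lower(), st.regs[ins[1]], ins[2])
            elif ins[0] == "JNE":
                expr, imm, target = st.regs[ins[1]], ins[2], ins[3]
                # Fork: jump-taken successor records expr != imm, fall-through records expr == imm.
                worklist.append(State(target, dict(st.regs), st.constraints + [(expr, imm, False)]))
                st.constraints.append((expr, imm, True))
            else:
                raise ValueError(f"unknown instruction {ins}")
            st.pc += 1
    return None


def solve(state):
    """Concretise each key byte from the path constraints (each mentions one byte here)."""
    cands = {}
    for expr, imm, equal in state.constraints:
        (var,) = expr.vars()  # raises if a constraint spans several bytes
        cands.setdefault(var, set(range(256)))
        cands[var] = {v for v in cands[var] if (expr.eval({var: v}) == imm) == equal}
        if not cands[var]:
            raise ValueError(f"unsatisfiable constraint on key[{var}]")
    return bytes(min(cands[i]) for i in sorted(cands))


def run_concrete(program, key):
    """Run the crackme on real bytes; True if it reaches the success address."""
    pc, regs = 0, {}
    while pc not in (SUCCESS_PC, FAIL_PC):
        ins = program[pc]
        if ins[0] == "LOAD":
            regs[ins[1]] = key[ins[2]]
        elif ins[0] == "XOR":
            regs[ins[1]] ^= ins[2]
        elif ins[0] == "ADD":
            regs[ins[1]] = (regs[ins[1]] + ins[2]) & 0xFF
        elif ins[0] == "JNE" and regs[ins[1]] != ins[2]:
            pc = ins[3]
            continue
        pc += 1
    return pc == SUCCESS_PC


def crack(program=PROGRAM):
    state = explore(program)  # the angr-style workflow: explore to 'find', then solve
    return None if state is None else solve(state)


if __name__ == "__main__":
    for expr, imm, equal in explore(PROGRAM).constraints:
        print(f"{expr!r} {'==' if equal else '!='} {imm:#x}")
    key = crack()
    print("recovered key:", key, "accepted:", run_concrete(PROGRAM, key))
```

The part worth dwelling on is the fork in explore: a concrete debugger would have to pick one side of each JNE, whereas the symbolic state keeps both and simply remembers which comparison result it assumed. Printing the winning state's constraints shows exactly the "values as expressions of other values" idea, e.g. `(key[0] xor 0x5a) == 0x28`, before solve turns them into bytes.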
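The Additional Tools list mentions 'strings', 'xxd' and scripting languages for quick binary work. As an added example (not code from the original post), here is what those two utilities do, reimplemented in Python over a constructed byte blob so the results can be filtered or post-processed in a script. It also covers one thing plain 'strings' misses by default, UTF-16LE "wide" strings, which matter for Windows samples. The SAMPLE bytes, the minimum length of 4 and the function names are my own assumptions.

```python
import re
import string

# Constructed sample "binary": an ELF-like header, two ASCII strings separated by
# junk bytes, a UTF-16LE string, and two runs too short to report at min_len=4.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8      # offsets 0-15
    + b"Enter key: \x00"                          # ASCII at 16
    + b"\x90\x90\xcc"                             # junk at 28-30
    + b"http://example.invalid/c2\x00\x00"        # ASCII at 31
    + "MutexName".encode("utf-16-le") + b"\x00\x00"  # wide string at 58
    + b"ab\x00" + b"W\x00"                        # too short to report
)

# Printable ASCII as `strings` sees it: letters, digits, punctuation and space.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def find_strings(data, min_len=4):
    """Like `strings -t x`: (offset, text) for each run of >= min_len printable bytes."""
    found, start = [], None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:  # run touching end of file
        found.append((start, data[start:].decode("ascii")))
    return found


def find_wide_strings(data, min_len=4):
    """Like `strings -e l`: runs of printable-byte/NUL pairs decoded as UTF-16LE."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [(m.start(), m.group().decode("utf-16-le")) for m in re.finditer(pattern, data)]


def hexdump(data, width=16):
    """xxd-style lines: offset, hex bytes, then an ASCII column with '.' for non-printables."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return lines


if __name__ == "__main__":
    for off, text in find_strings(SAMPLE):
        print(f"{off:08x} {text}")
    for off, text in find_wide_strings(SAMPLE):
        print(f"{off:08x} (utf-16le) {text}")
    print("\n".join(hexdump(SAMPLE)))
```

Note how the minimum length hides "ELF" at offset 1 until you lower it to 3, and how the wide string at offset 58 never shows up in the ASCII pass because every character is followed by a NUL: when a Windows sample seems to contain no interesting strings, the -n and -e flags of the real 'strings' are the first things to try.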