Reverse Engineering Tools on Linux - Security & Cryptography
kirby
This is a completely rewritten version of my original post now that I have more experience. I'm still a novice, but I've done some real malware analysis and some exercises and generally feel like the post should reflect my updated feelings.

Introduction

Reverse engineering is seen as a primarily Windows-based activity. Basically all malware samples you reverse will be Windows-based, and some of the best tools such as OllyDbg are Windows exclusive. This post aims to look at what tools and resources are available for Linux and to evaluate them.

Before that, however, I'd like to quickly mention you can get Windows virtual machine images for all manner of hypervisors free from Microsoft here. They're meant for testing your web apps on IE, but just boot it up, install all your tools and save a snapshot - what are they going to do. With that out the way, let's look at some native tools.

IDA


IDA (the Interactive Disassembler) from Hex-Rays has its reputation as the best static analysis tool available, and for good reason: it's very good. It provides a very useful disassembly, graphing functions, comprehensive searching, imports and references to these imports, and much more. With this comes a ridiculous price tag which I'm sure puts it out of range of anyone here. Thankfully, Hex-Rays offer a free demo version. It is a tad limited in what it can disassemble, and you can't save. You can get around the latter issue with virtual machine snapshots if you're so inclined.

Documentation-wise, IDA's reputation means it has a strong user base and thus plenty of resources are available, including entire books. I found I didn't have a clue what to do, but on reading the dedicated chapter in Practical Malware Analysis, I picked it up no problem and now find it very intuitive. That said, Hex-Rays' own website seems a bit sparse; a lot of the pages seem out of date. I haven't ever had to go there for technical help though.

angr

angr is a Python symbolic execution engine framework. Symbolic execution is a very interesting field and not one that any of the other tools here provide to my knowledge. The Wikipedia page likely explains it better than I can, but in essence it involves traversing a program and storing values as expressions of other values. This allows the user to perform constraint solving to obtain possible values for unknown variables.

As an example, say you're doing a CrackMe. Instead of reversing the entire algorithm, you could work out how the stack is set up and replicate this in angr. You could then point angr at a start address and tell it to reach a certain end address - the 'success' one. Once it gets there, you have the state of the program stored as a Python object and can tell angr to solve for what the input that led to this state - the key - was. There are plenty of examples of exactly this.

This is a very powerful tool when used correctly. That's the catch though - learning angr is no simple task outside of the most basic of examples such as what I provided, and the angr documentation is very lacking at the moment. It is being worked on, however, and in the 5-week period I spent with it, the documentation was actively updated and improved. Definitely worth a look.

gdb

Chances are you already have the GNU debugger installed, especially if you've ever written some C. It's quite a bare-bones debugger and contains everything you'd expect - breakpoints, memory dumps, register views etc. - but the reversing experience is very clunky and annoying to navigate in my opinion - you simply need to keep your eyes on more things than gdb is willing to give in a nice view at once. Its age does mean that any information is pretty quick and easy to find, which is pretty good.

gdb-peda

gdb can be extended with scripts, and peda is a Python script that aims to add more on top of the gdb base. I think it's become popular enough to come as default on Kali. This adds a few commands which prove useful in reverse engineering and exploit development, and it provides extra information such as register views and a printout of the stack by default. It also has colours.

That said, I don't really like gdb-peda. I personally feel as though it suffers many of the same problems as gdb, while also making the output cluttered without it being that useful (the stack printout doesn't show the entire stack of a function, for example). That said, I have a couple of coworkers who swear by it, so give it a try.

radare2


radare2 is a terminal-based tool that allows for both static and dynamic analysis (use the -d switch for the debugger! I've had to point this out to a couple of people). I personally really like it, and it's the best terminal option in my opinion.

When used statically, the 'analyse all' command (aa) can be used to give a text output not dissimilar to that of IDA's. From there on you can rename variables and functions to your heart's content. It even has ASCII graphs, though I personally found them a bit too awkward to use in the same manner as I would with a GUI.

The debugger provides pretty much all the options you could require, with a sensible syntax. Every function is documented within the program, and this help is easy to access as well. There's also the radare2 book in terms of documentation. Together these resources are very useful and have answered pretty much any question I have eventually, but this comes at the expense of it being basically the only documentation I can find. Googling questions rarely got me results.

edb


edb is a Qt4 (5?) app that very clearly takes a lot of inspiration from OllyDbg, right down to the keyboard shortcuts. Having used Olly all week I was going to write how edb didn't have as many features, but honestly after giving it a quick look the two seem incredibly similar. edb also comes with some decent plugins by default, such as a ROP tool. The creator himself says it is not a full release as the documentation is lacking, so keep that in mind. Otherwise this looks pretty good.

Additional Tools

Reverse engineering isn't just about reading assembly, and there are a few more tools available to Linux users that can be of use.

* 'strings' will dump all the strings in a program, which is useful for finding constants.
* 'strace' provides all the system calls a binary makes.
* 'xxd' can be used for hexdumps.
* Any good scripting language such as Python or Perl can be put to good use for printing binary constants, doing quick hex calculations in the terminal, etc.

Practice

Reverse engineering is a hard, long and very thought-intensive process a lot of the time, so practice is always good. The RPISEC Modern Binary Exploitation course materials are free online, and provide a Linux VM with gdb-peda and radare2 to try out the challenges on. You could also get the files from GitHub and run them locally if you prefer other tools.

Further Reading

* RE Wiki
* Reverse Engineering for Beginners
* /r/ReverseEngineering
* /r/malware

Thanks for reading! Feel free to PM any questions, and give any suggestions.
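As an added illustration of the symbolic execution idea described in the angr section above (registers kept as expressions of the unknown input, then a solver asked which input reaches the 'success' branch), here is a toy version written for this thread. It is not angr and not kirby's code: the 3-byte CrackMe, its tiny instruction set and the enumeration 'solver' are all constructed here.

```python
from itertools import product

# Constructed 3-byte CrackMe in a toy IR: (op, register, constant). Register i
# starts as unknown key byte i; 'success' is reached only if every cmp holds.
KEY_LEN = 3
PROGRAM = [("xor", 0, 0x5A), ("add", 0, 3), ("cmp", 0, 0x37),
           ("rol", 1, 3), ("cmp", 1, 0x4B),
           ("sub", 2, 7), ("xor", 2, 0x11), ("cmp", 2, 0x60)]

OPS = {"xor": lambda v, k: v ^ k, "add": lambda v, k: (v + k) & 0xFF,  # 8-bit semantics
       "sub": lambda v, k: (v - k) & 0xFF,
       "rol": lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF}

def evaluate(expr, key):
    """Concretely evaluate a symbolic expression for a candidate key."""
    if expr[0] == "in":
        return key[expr[1]]
    return OPS[expr[0]](evaluate(expr[1], key), expr[2])

def inputs_of(expr):
    """Key bytes an expression depends on."""
    return {expr[1]} if expr[0] == "in" else inputs_of(expr[1])

def execute_symbolic(program, key_len):
    """Run the program with registers held as expressions of the input
    (nested tuples with leaves ("in", i)); each cmp becomes a path constraint."""
    regs = {i: ("in", i) for i in range(key_len)}
    constraints = []
    for op, reg, k in program:
        if op == "cmp":
            constraints.append((regs[reg], k))    # expression must equal k
        else:
            regs[reg] = (op, regs[reg], k)
    return constraints

def solve(constraints, key_len):
    """Stand-in for an SMT solver: enumerate only the still-free key bytes each
    constraint depends on. Returns None if no key reaches 'success'."""
    key = [None] * key_len
    for expr, target in constraints:
        free = sorted(i for i in inputs_of(expr) if key[i] is None)
        for cand in product(range(256), repeat=len(free)):
            trial = list(key)
            for i, v in zip(free, cand):
                trial[i] = v
            if evaluate(expr, [b or 0 for b in trial]) == target:
                key = trial
                break
        else:
            return None
    return bytes(b or 0 for b in key)
```

`solve(execute_symbolic(PROGRAM, KEY_LEN), KEY_LEN)` recovers the key without ever inverting the transformations by hand, which is the same division of labour angr offers on a real binary.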
venam
Wonderful and complete post.

You are obviously giving the overview as a newcomer into the reverse engineering field and that's totally fine (as in you are not looking for very complex situations like memory injections and the likes).

I only tried two in the list you gave: GDB and OllyDBG.

GDB is a pain to learn, I keep forgetting the commands and I rage because I'm not able to express myself correctly with it.
However GDB has very powerful features as shown in the nullprogram blog

Sadly I love OllyDBG and I keep running it on Linux to debug windows binaries.
There is no equivalent on Unix.
xero
so much good info here. thanx kirby! i have a lot of new tools to look into now!
acg
I've used edb and radare2, radare2 being pretty interesting.

Thanks for posting these tools, I'll check the others.
io86
Very nice post, kirby.

Gdb always comes in handy, Olly is a must have on Windows, I guess. I like r2 more and more each day. As for edb, I have it installed, but I never really used it.

There is also the almighty IDA for Linux too. Qira looks nice, but I haven't tried it yet. For quickly visualizing a file I like Vix.

Some learning resources that might come in handy with these tools: RE Wiki, Malware Analysis - CSCI 4976 and of course the legendary Lena.
kirby
(07-04-2016, 12:36 AM)venam Wrote: You are obviously giving the overview as a newcomer into the reverse engineering field and that's totally fine (as in you are not looking for very complex situations like memory injections and the likes).

Yeah, it's early days for me. Hopefully I can update this post in the near future with some more complex features.

(07-04-2016, 12:36 AM)venam Wrote: Sadly I love OllyDBG and I keep running it on Linux to debug windows binaries.
There is no equivalent on Unix.

(08-04-2016, 10:06 AM)io86 Wrote: Olly is a must have on Windows, I guess.

Yeah, I've been using more and more of it and it's a very nice tool. Massive shame Linux doesn't have it.

(08-04-2016, 10:06 AM)io86 Wrote: There is also the almighty IDA for Linux too.

Am I correct in thinking you have to pay for the Linux version? That's what it seemed like at a first glance to me. I installed the demo version on Windows last night and it's a great tool, very important to have and produced the 'nicest' assembly output of anything I tried.

EDIT: Didn't see that page and thought they'd specifically ported the IDA interface to Linux exactly as it appears in Windows. I can see why they went for console but it's a little disappointing.

EDIT EDIT: Looks like I'm wrong again, as of 6.0 IDA Linux does have a proper interface.

(08-04-2016, 10:06 AM)io86 Wrote: Some learning resources that might come in handy with these tools: RE Wiki, Malware Analysis - CSCI 4976 and of course the legendary Lena.

These look great, thanks a lot!
rain1
Yeah I love the idea behind qira: each instruction run is like a git commit. It uses qemu to record all the information and then you can search through it.
The rr debugger works on the same sort of idea: http://rr-project.org/
The qira presentation he gave was great fun: https://www.youtube.com/watch?v=eGl6kpSajag

For a while I had been frustrated with gdb (crashing and/or the UI mangling itself) and started thinking about a scriptable debugger - it turns out plan9 has one http://plan9.bell-labs.com/sys/doc/acidpaper.html
I still think this idea could be really profitable (especially compared to piping your commands into gdb..) but it's a lot of effort working with ptrace to actually implement one.
venam
Just bumping this thread with this tool:

https://panopticon.re/
kirby
(10-05-2016, 02:22 AM)venam Wrote: Just bumping this thread with this tool:

https://panopticon.re/

That looks pretty good. Never dealt with Rust before so I'll have to see how easy it is to build. Their webpage isn't hugely descriptive mind.

If anyone is looking for OllyDBG and anything else Windows offers, I've found you can just download one of these IE test VMs, set up an environment, and snapshot it. Seems to work pretty well so far for me? I'll update in the future if this backfires on me.
josuah
It is a nice collection you have there! I'm adding one, but I do not know if it can work well: I never did reverse engineering.

http://rr-project.org/