A set for hacking programs. Choosing reverse tools

[Демитрий]

A set for hacking programs. Choosing reverse tools


Each reverse engineer, viral analyst, and simply researcher eventually has an established set of utilities that he constantly uses for analysis, unpacking, or cracking. In this review, I will share my version. This will be useful to everyone who has not yet acquired their kit and is just starting to study this topic. However, an experienced reverser should be curious what colleagues in the shop use.

WARNING
All information is provided for informational purposes only. Neither the editors nor the author are liable for any possible harm caused by the materials in this article.

Debuggers
Debugging an application is an integral part of the research process, a tool that is always at your fingertips. In the modern world, the debugger must support both Intel architectures - x64 and x86, from which we will proceed.

We should also be able to debug code that runs in kernel mode. Such a need arises periodically, especially if you intend to look for zeroday vulnerabilities in the OS kernel or reverse virus drivers. There are two main applicants: x64dbg and WinDbg. The first debugger works in user mode, the second can debug code in kernel mode.

x64dbg
x64dbg.com

This modern debugger with a very nice interface is a worthy successor to OllyDbg. It supports both architectures - x64 and x86, has a lot of useful plugins.

Yes, of course, it is not without flaws - it still has some unpleasant bugs. However, it is actively supported and developed. Of course, because the debugger works in user mode, it remains vulnerable to many debugging detection techniques. But this minus is partially offset by a variety of plugins to hide the debugger.

X64dbg has a built-in decompiler, it supports the display of code in the form of a graph, you can make breakpoints for reading, writing, executing and accessing, there is a built-in utility for import reconstruction (both x64 and x86). In general, what to say - this debugger was used in narrow circles in order to defeat the notorious Denuvo game defense, and successfully copes with this task!

Why not OllyDbg
OllyDbg debugger didn’t get into the selection - for the reason that it is already seriously outdated. It does not support modern OSes or x64 architecture. The official website of the application announced a 64-bit version and even reported progress in its development, but the site itself was updated for the last time in 2014. Of course, a whole era is associated with OllyDbg, but, apparently, it has passed. And kernel mode debuggers were also reduced - the developers abandoned Syser Kernel Debugger, and he was once the successor to SoftICE.

Windbg
Official page

If you need to debug the kernel or driver, then WinDbg is second to none. This debugger is supported by Microsoft itself, and it is part of the Windows Driver Kit (WDK). At the moment, this is the most relevant and powerful tool for debugging kernel code. There is no such pleasant interface as in x64dbg, but we also have a little choice - other debuggers do not work in kernel mode.

WinDbg supports remote debugging and can download debugging symbols directly from Microsoft servers. To quickly configure it to debug the OS kernel inside virtual machines, there is a VirtualKD add-in. Of course, starting a reverse path with WinDbg is strictly contraindicated, but when you gain experience and start trying various interesting things, it becomes a necessity.

It is in WinDbg that you can easily see how one or another system structure looks, and it is easy to disassemble NTAPI functions. Of course, they can debug "normal" applications, but personally, I prefer to unpack such a powerful tool only when absolutely necessary!

Disassemblers
It is difficult to imagine a reverse without static code analysis tools. To date, things are a little better with disassemblers than with debuggers, but you can still pick out the favorites in this area. The recognized standard for antivirus labs is the IDA Pro disassembler. The second place in demand is taken by the Radare2 reverse engineering framework (although many believe that Radare2 is not inferior to IDA).

IDA Disassembler
hex-rays.com/products/ida

There are two versions of IDA - paid (Pro) and free (Starter). The free version is truncated by the number of supported architectures - it understands only x86, in addition, it does not support plugins. The paid version has no such restrictions: it supports an impressive number of processor architectures and allows you to connect extensions.

The IDA has a built-in debugger, very simple in terms of its set of functions, but you will have to adapt to its original interface. Also, the IDA can be equipped with the Hex-Rays add-on - a decompiler of the application source code into C code. This is a very useful add-on that significantly speeds up the analysis of the program.

In general, the IDA is a powerful and beautifully polished tool that has been developing for many years. It is only a pity that the professional version costs around 500-1000 dollars, depending on the type of license and is not sold to anyone. Anyone who gets as a result gets out as best he can.

Radare2
rada.re

Radare2 was originally conceived as a regular hex editor, but today it is a whole framework that will help debug and disassemble a wide variety of code, including device firmware, viruses and crack.

Radare2 is a set of console utilities that include a debugger, a disassembler, a decompiler, a hex editor, a custom compiler, a binary comparison tool, and much more. To work in the GUI, there is a separate add-in called Cutter. It greatly improves the look and feel of the Radare framework and usability.

The framework supports a large number of processors and platforms, so it can compete even with products such as IDA Pro. A huge plus is that the source code is open, the product is completely free and supported by the community.

Utility Utilities
We examined the basic tools, but it is difficult to imagine a reverse without packer analyzers, network monitors, hex editors, and even a host of auxiliary utilities. Let's look at the main ones in more detail.

Detect it Easy (DiE)
ntinfo.biz

This is an excellent program for identifying packers, which has a very wide range of useful functions. For example, it allows you to view the entropy of file sections, which helps to visually determine the presence of encryption.

It also has a resource viewer with the ability to dump to disk. You can easily view the import table; there is support for extensions and scripts. There are also settings for signature scanning methods, a file header viewer, and full support for the PE and PE + formats.

There is only one minus - the program is rarely updated, but it cannot be said that it was abandoned - a new version has just been released!

Exeinfope
exeinfo-pe.en.uptodown.com

This is another detector for packers and protectors. It has a rather peculiar interface that not everyone will like. But the program is often updated, it is full of interesting functions and there are friendly tips for unpacking.

All in all, I would recommend ExeInfoPE to newbies. It has a database of automatic unpackers, and the program itself will tell you which tool to remove the hinged protection.

And of course, there is a whole standard set of features: a file header viewer, section viewer, a hex viewer, and even a number of small built-in utilities such as TerminateProcess and more. Plus there is support for plugins.

Hxd
Often there is a need to access a hard drive, memory or application in binary mode. Hexadecimal editors come to the rescue, the bright representative of which is the HxD program. It is free, constantly updated, supports popular formats, is well-searched and has a nice interface. There are other successful features, for example, the ability to reliably delete files (i.e., overwriting with zeros). HxD also has a portable version to make it convenient to keep on a flash drive.

Hew
hiew.ru

Hex editor with a long history, but still supported by developers. He has a paid and free version ($ 20 without the possibility of updates, $ 200 with lifelong updates). The interface in the style of Norton Commander can scare young people a little, but you quickly get used to it. Separately pleased with the ability to work only with the keyboard, calling all the functions of the hot keys.

Pestudio
winitor.com

This is a useful program tailored for the analysis of malvari. It automatically scans the downloaded sample file for VirusTotal, interestingly displays the functions of the import table used in the experimental application, shows the virus signs of the application, the libraries used, and the header information of the PE file. Here you can work with resources. In other words, it is a multifunctional antivirus processor for initial sample analysis.

Pe bear
PE-bear developer blog page

Another interesting viewer and editor for PE and PE + files. It contains an analyzer for packers and protectors, displays information about file headers, resources and sections. If desired, you can look at the hex representation of these sections and disassemble them into regular assembler mnemonics.

PE-bear has a nice interface and a nice utility for comparing files. The only drawback is that the program is rarely updated, although it is open source. So, if you find a bug in it, you can always fix it yourself.

Fakenet-ng
GitHub repository

This program is necessary in order to emulate working with a network. When studying malvari samples, you often need to look at all network accesses: monitor DNS and HTTP requests, sniff traffic and determine the IP addresses of control servers (if it is, for example, a ransomware bot). For obvious reasons, the virtual machine should be disconnected from the network, and if the virus notices this, it will not do everything that it usually does.

Fakenet-NG is constantly updated and maintained, so this utility can be used on the most modern OS.

Processexplorer
Official page

Sysinternals programs that monitor file system and process access would be difficult to do without. ProcessExplorer will show all processes in the system in the form of a hierarchical tree so that you can easily see in which order they are generated. In addition, you can find out which dynamic libraries are loaded into processes, priorities, digital signatures, processor usage, and much more.

Regshot
SourceForge Repository

A convenient program for monitoring changes in the registry. RegShot takes pictures before and after the application you are interested in, and then shows where the changes were.

TCPView
Official page

A small program for monitoring network activity of applications. You can see which ports the application opens (local and remote), as well as protocols, process identifiers, and packet forwarding counters. In general, one of the most useful tools in any hacker kit!

Resource hacker
angusj.com/resourcehacker

A popular resource editing program. Allows you to edit the manifest, icons, text dialog lines, cursor information, and more. Editing application resources is not necessary so often, but if you nevertheless have such a need, it is nice to have the right tool on hand.

Total
We examined the basic set of utilities that are used to solve most problems associated with reverse. I think that at the beginning these applications will be enough for a novice reverser. And with your experience, your own list will grow.

Many reversers gradually come to the point that they create the necessary highly specialized programs, plugins and scripts themselves. Not all tasks have ready-made tools that make life easier. If you know about such developments or want to share links to other useful programs - write in the comments!

Source: hackep.ru

 

[Матушкин Андрей Николаевич]