Reverse engineering is often used to investigate viruses and find practical solutions to counter them. Experts use many tools to reverse engineer malicious code. Here are some of the most important ones:
- Disassemblers (e.g., IDA Pro). A disassembler translates a program's machine code back into assembly. Decompilers go one step further and reconstruct source-like code from the binary, although they are not available for all architectures;
- Debuggers. Reverse engineers use debuggers to control the execution of a program and get an idea of what actions it performs when it runs. They also allow the engineer to inspect and change certain aspects of the program while it is running, such as the contents of its memory. This gives a better understanding of the program's actions and their impact on the system or network;
- PE viewers (CFF Explorer, PE Explorer). PE viewers (for the Windows Portable Executable file format) extract the important structures from an executable, such as headers, sections and the import table, so that you can see its dependencies;
- Network analyzers. Network analyzers show the engineer how a program communicates with other machines, including what connections the program is making and what data it is trying to send.
Applications for reverse engineering:
- IDA is an interactive disassembler that has a built-in command language (IDC) and supports a number of executable file formats for different processors and operating systems;
- CFF Explorer is a set of tools for editing portable executable files (PEs);
- Detect It Easy is designed to identify file types by analyzing their binary signatures. It provides an open architecture for adding your own file type detection algorithms, making it a versatile tool for identifying different file formats;
- ImHex is a hex editor that provides a rich set of features and development tools for Windows;
- Scylla can be used to create a dump of the program’s running process and restore the PE import table. With its help, you can get a recovered PE file that can be run by the operating system;
- Relocation Section Editor is a program used to edit relocation tables in PE files. Its main purpose is to adjust the relocation table after relocatable code fragments have been patched. However, it is often used to delete the relocation table when recovering a protected file;
- dnSpy is a reverse engineering tool for any .NET binary: a decompiler, debugger and assembly editor in one.
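The PE viewers above and Scylla both work with the same structure: the import directory that tells the Windows loader which DLLs and functions a binary depends on. As an added example (not code from any of the tools listed), the following Python script builds a constructed, code-free PE32 file in memory with a two-DLL import table and then parses it the way a PE viewer does, walking DOS header, PE signature, optional header and section table to map RVAs to file offsets. The parser goes a little beyond the sample it is fed: it also handles PE32+ (64-bit) thunks, imports by ordinal, and the case where a packer has zeroed OriginalFirstThunk so that only the IAT can be walked. The layout constants and sample import names are assumptions chosen for the demo.

```python
import struct

SECTION_RVA = 0x1000         # where the single section is mapped in memory
SECTION_FILE_OFFSET = 0x200  # where its raw bytes live in the file (FileAlignment)
IMPORT_DIR_INDEX = 1         # IMAGE_DIRECTORY_ENTRY_IMPORT

# Constructed sample: the DLLs and functions the fake binary will "import".
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileW", "WriteFile"],
    "ADVAPI32.dll": ["RegSetValueExW"],
}


def build_sample_pe(imports):
    """Assemble a minimal PE32 file whose only content is an import directory.
    Constructed purely to give the parser something to read; it has no code."""
    body = bytearray()

    def rva():
        return SECTION_RVA + len(body)

    body += b"\0" * (20 * (len(imports) + 1))       # descriptor table, filled in last
    descriptors = []
    for dll, funcs in imports.items():
        name_rvas = []
        for func in funcs:                           # IMAGE_IMPORT_BY_NAME: hint + name
            name_rvas.append(rva())
            body += struct.pack("<H", 0) + func.encode() + b"\0"
            body += b"\0" * (len(body) % 2)          # keep entries 2-byte aligned
        dll_rva = rva()
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)             # 4-byte align the thunk arrays
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        ilt_rva = rva()
        body += thunks                               # Import Lookup Table
        iat_rva = rva()
        body += thunks                               # Import Address Table (same on disk)
        descriptors.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    table = b"".join(descriptors) + b"\0" * 20       # null descriptor ends the list
    body[: len(table)] = table

    raw_size = -(-len(body) // 0x200) * 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header follows DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, SECTION_RVA + raw_size, SECTION_FILE_OFFSET)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, SECTION_RVA, len(table))
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SECTION_RVA, raw_size,
                       SECTION_FILE_OFFSET, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos + b"PE\0\0" + file_hdr + opt + sect)
    return headers.ljust(SECTION_FILE_OFFSET, b"\0") + bytes(body).ljust(raw_size, b"\0")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll: [symbol, ...]} for a PE file on disk, resolving RVAs through
    the section table as a PE viewer does. Handles PE32, PE32+ and ordinals."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories start at +96, 4-byte thunks
        dir_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: ImageBase is 8 bytes wider, 8-byte thunks
        dir_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva = struct.unpack_from("<I", data, opt + dir_off + 8 * IMPORT_DIR_INDEX)[0]
    if import_rva == 0:
        return {}  # no import directory at all (statically linked, or stripped by a packer)

    sections = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    imports, off, thunk_size = {}, rva_to_off(import_rva), struct.calcsize(thunk_fmt)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        dll = _cstr(data, rva_to_off(name_rva))
        thunk_off = rva_to_off(ilt or iat)  # some packers zero the ILT; fall back to the IAT
        names = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                names.append("#%d" % (entry & 0xFFFF))                             # by ordinal
            else:
                names.append(_cstr(data, rva_to_off(entry & 0x7FFFFFFF) + 2))      # skip hint
            thunk_off += thunk_size
        imports[dll] = names
        off += 20
    return imports


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample_pe(SAMPLE_IMPORTS)).items():
        print(dll, "->", ", ".join(funcs))
```

The RVA-to-file-offset step is the part that matters for the Scylla use case: a dumped process image has its sections at their virtual addresses rather than their raw offsets, so a dump parsed with the raw-offset mapping above will appear to have a broken import table until the section table (and the IAT it points to) has been rebuilt.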
Problems of malware reverse engineering
As malware becomes more complex, the likelihood increases that the disassembler will fail to do its job for some reason, or the decompiler will create confusing code. Thus, reverse engineers need more time to understand the disassembled or decompiled code. During this time, malware can cause damage to the network. Because of this, more attention is being paid to dynamic malware analysis. Dynamic malware analysis involves using a closed system (sandbox) to run malware in a secure environment and observe what it does.
However, aside from the benefits, there are also challenges to using a sandbox for dynamic analysis. For example, many sophisticated malware programs use bypass techniques and can detect that they are in a sandbox. Once such an environment is detected, the malware will not show its true nature. Advanced malware has a set of tricks it can use to outsmart sandboxes and avoid detection: it can pause its malicious actions, acting only when the user is active, thus keeping the malicious code from being observed, along with a host of other evasive techniques.
This means that those involved in reverse engineering cannot rely on dynamic methods alone. At the same time, manually reverse engineering every new malware threat is unrealistic.
How to optimize the reverse engineering process?
By using automated dynamic malware analysis whenever possible, cybersecurity professionals can fight malware faster and more effectively, freeing up their time for more complex work, such as learning and analyzing new encryption schemes, feedback protocols, or attribution work. The more sophisticated the automated solution, the more likely it is that the reverser will not have to return to the initial (and time-consuming) phase of the process, which involves unpacking, deobfuscating, and understanding the basic behavior of the malware.
The best option for cybersecurity teams would be to take a two-pronged approach, where sandboxing technologies automatically analyze the vast majority of threats, while reverse engineers devote their time to surgically analyzing the guts of the most complex ones when more information about the threat is needed.
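The two-pronged approach needs a concrete routing rule: which sandbox results can be trusted as-is, and which show the signs of evasion described above (a sample that mostly sleeps, waits for user activity, or simply does nothing observable) and therefore need a reverse engineer. As an added example, not from the original text or any specific sandbox product, the following Python script applies such a triage rule to a few constructed sandbox report summaries. The report fields, the API names used as user-activity probes, and the thresholds are assumptions chosen for the demo.

```python
# Constructed sandbox report summaries in a simplified shape; the field names
# are assumptions for this demo, not any real sandbox's schema.
SAMPLE_REPORTS = [
    {"id": "sample-A", "runtime_s": 120, "sleep_s": 2,
     "api_calls": ["CreateFileW", "WriteFile", "RegSetValueExW", "InternetOpenA"],
     "network": ["203.0.113.7:443"], "signatures": ["writes_to_startup", "http_beacon"]},
    {"id": "sample-B", "runtime_s": 120, "sleep_s": 115,
     "api_calls": ["Sleep", "GetTickCount", "GetLastInputInfo"],
     "network": [], "signatures": []},
    {"id": "sample-C", "runtime_s": 120, "sleep_s": 0,
     "api_calls": ["GetSystemInfo"], "network": [], "signatures": []},
]

# APIs that typically indicate the sample is waiting for a human at the keyboard
# (the "act only when the user is active" pattern). Assumed list for the demo.
USER_ACTIVITY_PROBES = {"GetLastInputInfo", "GetCursorPos"}
SLEEP_RATIO_LIMIT = 0.5   # more than half the run asleep is suspicious
MIN_API_CALLS = 5         # fewer calls than this with no signatures = dormant


def triage(report):
    """Return ("automated", []) when the sandbox verdict can stand on its own,
    or ("escalate", reasons) when the run shows signs of sandbox evasion and a
    reverse engineer should look at the sample statically."""
    reasons = []
    sleep_ratio = report["sleep_s"] / max(report["runtime_s"], 1)
    if sleep_ratio > SLEEP_RATIO_LIMIT:
        reasons.append("spent %.0f%% of the run sleeping" % (100 * sleep_ratio))
    probes = USER_ACTIVITY_PROBES & set(report["api_calls"])
    if probes:
        reasons.append("probes for user activity via " + ", ".join(sorted(probes)))
    observed = len(report["signatures"]) + len(report["network"])
    if observed == 0 and len(report["api_calls"]) < MIN_API_CALLS:
        reasons.append("no observable behaviour during the run")
    return ("escalate", reasons) if reasons else ("automated", [])


def route(reports):
    """Split a batch of reports into the two queues of the two-pronged approach."""
    queues = {"automated": [], "escalate": []}
    for report in reports:
        verdict, reasons = triage(report)
        queues[verdict].append((report["id"], reasons))
    return queues


if __name__ == "__main__":
    for queue, items in route(SAMPLE_REPORTS).items():
        for sample_id, reasons in items:
            print("%-10s %s %s" % (queue, sample_id, "; ".join(reasons)))
```

The point of the "no observable behaviour" rule is that a silent sandbox run is not evidence of a benign file: a dormant sample and a harmless one look identical to the sandbox, so silence is exactly the case that should be handed to a human rather than auto-closed.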
Reverse engineering has many legitimate uses in IT. It can be a legal or ethical approach to resolving compatibility issues, recreating outdated components, assessing security, improving an existing product, or making it cheaper. The steps involved can be complex and vary depending on what is being redesigned. For example, QA professionals who want to solve user problems with software products may reverse engineer the object of persistent complaints to find the cause. Identifying the root causes of user problems is difficult, but reverse engineering techniques eliminate some of the guesswork.