
Malware Analysis CIS-672

Lecture 05: Static code analysis


Dr. Muhammad Abid,
DCIS, PIEAS

Malware Analysis, PIEAS


The What of Disassembly

A disassembler is a program that translates machine code back to assembly code; it allows you to perform static code analysis.
A debugger is a program which also disassembles the code; apart from that, it allows you to execute the compiled binary in a controlled manner.
A decompiler is a program that translates the machine code into code in a high-level language (pseudocode).



The What of Disassembly

The compilation process is lossy.
At the machine language level there are no variable or function names, and variable type information can be determined only by how the data is used.
Compilation is a many-to-many operation: a source program can be translated to assembly language in many different ways, and machine language can be translated back to source in many different ways.
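The two slides above (what a disassembler does, and why the result is lossy) can be seen in a few dozen lines of code. The toy linear-sweep decoder below is an added example written for these notes; it is not IDA code and not part of the lecture. It handles only a handful of 32-bit x86 opcodes with register-direct operands, and the sample bytes, the load address 0x401000 and the two "zero eax" encodings are all constructed for the example.

```python
import struct

# Register names for the 3-bit register fields used by the opcodes below.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Opcode 0x83 selects the arithmetic operation with the "reg" field of its ModR/M byte.
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}


def _modrm(byte):
    """Split a ModR/M byte; this toy decoder only handles register-direct (mod == 3)."""
    mod, reg, rm = byte >> 6, (byte >> 3) & 7, byte & 7
    if mod != 3:
        raise ValueError("memory operands are not supported by this toy decoder")
    return reg, rm


def decode_one(code, off, base):
    """Decode the instruction at code[off]; return (length, text).
    Unknown bytes become a one-byte 'db', which is what a linear-sweep
    disassembler does when it cannot make sense of the stream."""
    op = code[off]
    ip = base + off  # address of this instruction
    if op == 0x90:
        return 1, "nop"
    if op == 0xCC:
        return 1, "int3"
    if op == 0xC3:
        return 1, "ret"
    if op == 0xC9:
        return 1, "leave"
    if 0x50 <= op <= 0x57:
        return 1, f"push {REGS32[op - 0x50]}"
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REGS32[op - 0x58]}"
    if op == 0x89:                      # mov r/m32, r32
        reg, rm = _modrm(code[off + 1])
        return 2, f"mov {REGS32[rm]}, {REGS32[reg]}"
    if op == 0x8B:                      # mov r32, r/m32
        reg, rm = _modrm(code[off + 1])
        return 2, f"mov {REGS32[reg]}, {REGS32[rm]}"
    if op == 0x31:                      # xor r/m32, r32
        reg, rm = _modrm(code[off + 1])
        return 2, f"xor {REGS32[rm]}, {REGS32[reg]}"
    if op == 0x83:                      # group 1 r/m32, imm8 (sign-extended)
        reg, rm = _modrm(code[off + 1])
        imm = struct.unpack_from("<b", code, off + 2)[0]
        return 3, f"{GROUP1[reg]} {REGS32[rm]}, {imm:#x}"
    if 0xB8 <= op <= 0xBF:              # mov r32, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"mov {REGS32[op - 0xB8]}, {imm:#x}"
    if op == 0xE8:                      # call rel32, relative to the next instruction
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, f"call {(ip + 5 + rel) & 0xFFFFFFFF:#x}"
    if op == 0xEB:                      # jmp short rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return 2, f"jmp {(ip + 2 + rel) & 0xFFFFFFFF:#x}"
    return 1, f"db {op:#04x}"


def disassemble(code, base=0x401000):
    """Linear sweep: decode from the first byte to the last, in order.
    Returns (address, hex bytes, text) per instruction. Note what is *not*
    there: no function or variable names and no types; 0x2a is just a number
    and the call target is just an address."""
    out, off = [], 0
    while off < len(code):
        length, text = decode_one(code, off, base)
        out.append((base + off, code[off:off + length].hex(" "), text))
        off += length
    return out


# Constructed sample: a hand-assembled 32-bit prologue/epilogue that calls a
# second routine placed right after it (not taken from any real binary).
SAMPLE = bytes.fromhex(
    "55"              # push ebp
    "89e5"            # mov ebp, esp
    "83ec10"          # sub esp, 0x10
    "31c0"            # xor eax, eax
    "b82a000000"      # mov eax, 0x2a
    "e806000000"      # call +6 -> the routine at offset 0x18
    "83c410"          # add esp, 0x10
    "c9c3cc"          # leave; ret; int3 (padding)
    "90c3"            # second routine: nop; ret
)

# Two encodings with the same effect (zeroing eax): the compiler picks one,
# and the disassembler can only report the bytes it sees (many-to-many).
ZERO_EAX_XOR = bytes.fromhex("31c0")
ZERO_EAX_MOV = bytes.fromhex("b800000000")

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE):
        print(f"{addr:08x}  {raw:<16} {text}")
```

Running it prints a listing in the same shape as a disassembler's text view: an address, the raw bytes, and the mnemonic. The call is recovered as "call 0x401018" because the decoder can compute the target from the relative displacement, but the name the programmer gave that function is gone, which is exactly the loss the slide describes.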



The What of Disassembly

Decompilers are very language and library dependent.
Processing a binary produced by a Delphi compiler with a decompiler designed to generate C code can yield very strange results.
Similarly, feeding a compiled Windows binary through a decompiler that has no knowledge of the Windows programming API may not yield anything useful.
A nearly perfect disassembly capability is needed in order to accurately decompile a binary.

The Why of Disassembly

Analysis of malware
Analysis of closed-source software for vulnerabilities
Analysis of closed-source software for interoperability
Analysis of compiler-generated code to validate compiler performance/correctness
Display of program instructions while debugging



Launching IDA Pro



IDA File Loading



Using the Binary File Loader

When to use it:
analysis of ROM images
exploit payloads that may have been extracted from network packet captures or log files
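The file-loading slides come down to one question: does the input carry a header that tells the loader the processor, the load address and the entry point, or is it a headerless blob (ROM image, carved payload) that needs the binary file loader? The script below is an added example for these notes, not IDA code: it checks for the PE and ELF signatures, pulls the fields a loader would use from them, and otherwise reports what the analyst will have to supply by hand. The PE and ELF headers and the raw payload are all constructed for the example.

```python
import struct


def identify_loader(blob):
    """Decide which kind of loader a blob needs. Returns a dict whose 'kind' is
    'pe', 'elf' or 'raw'; for 'raw' the analyst must supply what a file header
    would normally provide (processor type, load address, code start)."""
    # PE: 'MZ' DOS stub, e_lfanew at 0x3C points at the 'PE\0\0' signature.
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
            opt = e_lfanew + 24              # optional header follows the 20-byte COFF header
            magic = struct.unpack_from("<H", blob, opt)[0]
            entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
            if magic == 0x10B:               # PE32: 4-byte ImageBase at +28
                image_base = struct.unpack_from("<I", blob, opt + 28)[0]
            elif magic == 0x20B:             # PE32+: 8-byte ImageBase at +24
                image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
            else:
                raise ValueError(f"unknown optional header magic {magic:#x}")
            return {"kind": "pe", "machine": machine, "sections": nsections,
                    "image_base": image_base, "entry": image_base + entry_rva}
    # ELF: magic, then EI_CLASS (1 = 32-bit, 2 = 64-bit) and EI_DATA (1 = LE, 2 = BE).
    if blob[:4] == b"\x7fELF" and len(blob) >= 0x20:
        bits = 64 if blob[4] == 2 else 32
        endian = "<" if blob[5] == 1 else ">"
        e_machine = struct.unpack_from(endian + "H", blob, 18)[0]
        entry = struct.unpack_from(endian + ("Q" if bits == 64 else "I"), blob, 24)[0]
        return {"kind": "elf", "bits": bits, "machine": e_machine, "entry": entry}
    # Anything else: no header to trust, so it is the binary file loader's job.
    return {"kind": "raw", "size": len(blob),
            "needs": ["processor type", "load base address", "code start offset"]}


def build_sample_pe():
    """Constructed minimal PE32 header (not a real executable): DOS header with
    e_lfanew = 0x40, then PE signature, COFF header and the first 32 bytes of
    the optional header (entry RVA 0x1000, ImageBase 0x400000)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x400000)
    return bytes(dos) + coff + opt


def build_sample_elf64():
    """Constructed minimal ELF64 header (little-endian x86-64, entry 0x401000)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HHIQ", 2, 0x3E, 1, 0x401000)


# Constructed raw payload: a few bytes of code with no header at all, the kind
# of blob carved out of a packet capture that only the binary file loader takes.
RAW_PAYLOAD = bytes.fromhex("5589e531c0c9c3")

if __name__ == "__main__":
    for name, blob in [("pe", build_sample_pe()), ("elf", build_sample_elf64()),
                       ("raw", RAW_PAYLOAD)]:
        print(name, identify_loader(blob))
```

For the raw case the output lists exactly the three things IDA's binary loader dialog asks for, which is why analysing a carved payload starts with deciding the processor and base address before any disassembly makes sense.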



IDA Database Files



Introduction to the IDA Desktop

Toolbar
Nav. band
Data displays
Function window
Disassembly view
Output window



The Disassembly Window

The disassembly window is the primary tool for manipulating and analyzing binaries.
It offers a graph-based view and a text-oriented listing view.
In graph mode, IDA displays one function at a time.


