x86 Disassembly/Analysis Tools

From Wikibooks, the open-content textbooks collection


Debuggers

Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.

Advanced debuggers often contain at least a rudimentary disassembler, and frequently hex editing and reassembly features as well. Debuggers often allow the user to set "breakpoints" on instructions, function calls, and even memory locations.

A breakpoint is an instruction to the debugger that halts program execution when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution.

Windows Debuggers

OllyDbg
OllyDbg is a powerful Windows debugger with a built-in disassembly and assembly engine. It has numerous other features, including a $0 price tag. Very useful for patching, disassembling, and debugging.
http://www.ollydbg.de/
SoftICE 
A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006.
WinDBG
WinDBG is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDBG is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. It comes in 32- and 64-bit versions.
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
IDA Pro
The multi-processor, multi-OS, interactive disassembler, by DataRescue.
http://www.hex-rays.com/idapro/

Linux Debuggers

gdb 
The GNU debugger; it comes with any normal Linux install. It is quite powerful and even somewhat programmable, though the raw user interface is harsh.
emacs 
The GNU editor, which can be used as a front-end to gdb. It provides a powerful hex editor and allows full scripting in a LISP-like language.
ddd 
The Data Display Debugger, another front-end to gdb. It provides graphical representations of data structures; for example, a linked list will look just like a textbook illustration.
strace, ltrace, and xtrace 
These let you run a program while watching the actions it performs. With strace, you get a log of all the system calls being made. With ltrace, you get a log of all the library calls being made. With xtrace, you get a log of some of the function calls being made.
valgrind 
Executes a program under emulation, performing analysis according to whichever of its many plug-in modules is selected. You can also write your own plug-in module. Newer versions of valgrind also support OS X.
NLKD
A kernel debugger.
http://forge.novell.com/modules/xfmod/project/?nlkd
edb 
A fully featured plugin-based debugger inspired by the famous OllyDbg. Project page
KDbg 
A gdb front-end for KDE. http://kdbg.org
RR0D 
A Ring-0 Debugger for Linux. RR0D Project Page

Debuggers for Other Systems

dbx 
The standard Unix debugger on systems derived from AT&T Unix. It is often part of an optional development toolkit package which comes at an extra price. It uses an interactive command line interface.
ladebug 
An enhanced debugger on Tru64 Unix systems from HP (originally Digital Equipment Corporation) that handles advanced functionality like threads better than dbx.
DTrace 
An advanced tool on Solaris that provides functions like profiling and many others on the entire system, including the kernel.
mdb 
The Modular Debugger (MDB) is a new general purpose debugging tool for the Solaris™ Operating Environment. Its primary feature is its extensibility. The Solaris Modular Debugger Guide describes how to use MDB to debug complex software systems, with a particular emphasis on the facilities available for debugging the Solaris kernel and associated device drivers and modules. It also includes a complete reference for and discussion of the MDB language syntax, debugger features, and MDB Module Programming API.

Debugger Techniques

Setting Breakpoints

As previously mentioned in the section on disassemblers, a 6-line C program doing something as simple as outputting "Hello, World!" turns into massive amounts of assembly code. Most people don't want to sift through the entire mess to find the information they want; it can be time consuming even to FIND it just by looking through. As an alternative, one can set breakpoints to halt the program once it has reached a given point.

For instance, let's say that in your program, you consistently experience crashes at one particular section, immediately after closing a message box. You set a breakpoint on all calls to MessageBoxA. You run your program with the breakpoints, and it stops, ready to call MessageBoxA. Stepping line by line through the program and watching the stack, you see that a buffer overflow occurs shortly after.
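The mechanism behind that workflow, as an added example written for this page (it is not code from the wikibook, nor OllyDbg or gdb): a native debugger fires a breakpoint when a chosen function is entered and a condition holds, then lets you read the stack. Here Python's own tracing hook, sys.settrace, plays the debugger, and a small constructed script (show_message standing in for MessageBoxA, copy_into_buffer standing in for an unchecked copy into a fixed-size buffer) plays the target. A "halt" is modelled as taking a snapshot of the backtrace and the frame's arguments and then continuing, the way a gdb `commands ... continue` block would. All function names below are constructed for the illustration.

```python
"""Conditional breakpoints on a traced Python target (added illustration)."""
import sys
import traceback


class Debugger:
    """Register (function name, condition) breakpoints and run a target under them."""

    def __init__(self):
        self.breakpoints = []   # list of (func_name, condition(frame) -> bool)
        self.hits = []          # one snapshot per breakpoint hit, in order

    def add_breakpoint(self, func_name, condition=lambda frame: True):
        self.breakpoints.append((func_name, condition))

    def _trace(self, frame, event, arg):
        # The global trace function sees a 'call' event for every new Python
        # frame, which is the moment a "break on call to X" breakpoint fires.
        if event == "call":
            name = frame.f_code.co_name
            for func_name, condition in self.breakpoints:
                if name == func_name and condition(frame):
                    self.hits.append({
                        "function": name,
                        # Oldest frame first, i.e. gdb's `bt` read bottom-up.
                        "backtrace": [f.name for f in traceback.extract_stack(frame)],
                        "locals": dict(frame.f_locals),   # the call's arguments
                    })
        return None   # no line-level tracing needed inside the frame

    def run(self, target, *args):
        sys.settrace(self._trace)
        try:
            return target(*args)
        finally:
            sys.settrace(None)


# --- constructed "target program": a message box followed by a fixed-size copy ---
def show_message(text):
    return f"[message box] {text}"          # stands in for MessageBoxA


def copy_into_buffer(data, size=8):
    # Stand-in for an unchecked copy into a fixed-size buffer: the bytearray
    # simply grows past `size`, which is the defect the breakpoint helps locate.
    buf = bytearray(size)
    buf[:len(data)] = data
    return buf


def target_program(messages):
    results = []
    for m in messages:
        show_message(m)
        results.append(copy_into_buffer(m.encode()))
    return results


def demo():
    dbg = Debugger()
    # Break on every call, like setting a breakpoint on MessageBoxA...
    dbg.add_breakpoint("show_message")
    # ...and break on the copy only when the data would not fit the buffer.
    dbg.add_breakpoint("copy_into_buffer",
                       lambda f: len(f.f_locals["data"]) > f.f_locals["size"])
    dbg.run(target_program, ["hi", "this message is far too long"])
    return dbg.hits


if __name__ == "__main__":
    for hit in demo():
        print(hit["function"], "<-", " > ".join(hit["backtrace"]), hit["locals"])
```

The conditional breakpoint is the part worth noticing: the first breakpoint fires on both messages, but the second fires only on the call whose argument is too long for the buffer, so the snapshot you read is the one just before the overflow rather than every call on the way there.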

Hex Editors

Hex editors, while not a very popular tool for reversing, are useful in that they can directly view and edit the raw bytes of a binary file. Hex editors are also very useful when examining the structure of proprietary closed-format data files.

There are a great many hex editors in existence, so this page will attempt to pick out some of the best, most popular, or most powerful.

Windows Hex Editors

HxD (Freeware)
A fast and powerful free hex, disk and RAM editor.
http://mh-nexus.de/hxd/
Freeware Hex Editor XVI32
A freeware hex editor for Windows.
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
HHD Software Hex Editor Neo
Fast file, disk and memory editor with built-in disassembler and file structure viewer.
http://www.hhdsoftware.com/Family/hex-editor.html
Catch22 HexEdit
This is a powerful hex editor with a slew of features. Has an excellent data structure viewer.
http://www.catch22.net/software/hexedit.asp
BreakPoint Hex Workshop
An excellent and powerful hex editor; its usefulness is restricted by the fact that it is not free like some of the other options.
http://www.bpsoft.com/
Tiny Hexer
Free; does statistics.
http://www.mirkes.de/en/freeware/tinyhex.php
frhed - free hex editor
Free and open source, for Windows.
http://www.kibria.de/frhed.html
Cygnus Hex Editor FREE EDITION
A very fast and easy-to-use hex editor.
http://www.softcircuits.com/cygnus/fe/
Hexprobe Hex Editor
A professional hex editor designed with all the power needed to deal with hex data, particularly helpful for hex-byte editing and byte-pattern analysis.
http://www.hexprobe.com/hexprobe/index.htm
UltraEdit32
A hex editor/text editor; it won "Application of the Year" at the 2005 Shareware Industry Awards Conference.
http://www.ultraedit.com/
ICY Hexplorer
A small, lightweight free hex file editor with some nifty features, such as pixel view, structures, and disassembling.
http://www.elektroda.net/download/file1000.html
WinHex
A powerful hex file and disk editor with advanced abilities for computer forensics and data recovery (also used by governments and military).
http://www.x-ways.net/index-m.html
010 Editor
A very powerful and fast hex editor with extensive support for data structures and scripting. Can be used to edit drives and processes.
http://www.sweetscape.com/010editor/
A view of a small binary file in a 1Fh hex editor.
1Fh
A free binary/hex editor which is very fast even while working with large files. It's the only Windows hex editor that allows you to view files in byte code (all 256 characters).
http://www.4neurons.com/1Fh/
HexEdit
Powerful and easy to use binary file and disk editor. Free (source available) and shareware versions.
http://www.hexedit.com/
HexToolkit
A free hex viewer specifically designed for reverse engineering file formats. Allows data to be viewed in various formats and includes an expression evaluator as well as a binary file comparison tool.
http://adunk.ozehosting.com/software/HexView.html
FlexHex
Provides full support for NTFS files which are based on a more complex model than FAT32 files. Specifically, FlexHex supports Sparse files and Alternate data streams of files on any NTFS volume. Can be used to edit OLE compound files, flash cards, and other types of physical drives.
http://www.heaventools.com/flexhex-hex-editor.htm


Linux Hex Editors

bvi
A typical three-pane hex editor, with a vi-like interface.
emacs 
Along with everything else, emacs obviously includes a hex editor.
joe 
Joe's Own Editor now also supports hex editing.
bless 
A very capable GTK-based hex editor.
xxd and any text editor 
Produce a hex dump with xxd, freely edit it in your favorite text editor, and then convert it back to a binary file with your changes included.
GHex
Hex editor for GNOME.
http://directory.fsf.org/All_Packages_in_Directory/ghex.html
Okteta
The well-integrated hex editor from KDE since 4.1. Offers the traditional two-column layout, one with numeric values (binary, octal, decimal, hexadecimal) and one with characters (lots of charsets supported). Editing can be done in both columns, with unlimited undo/redo. Small set of tools (searching/replacing, strings, binary filter, and more).
http://utils.kde.org/projects/okteta
BIEW
A viewer of binary files with a built-in editor in binary, hexadecimal and disassembler modes. It uses native Intel syntax for disassembly. Highlights: AVR/Java/Athlon64/Pentium 4/K7-Athlon disassemblers, a Russian code page converter, full preview of the MZ, NE, PE, NLM, coff32 and elf formats and partial preview of a.out, LE, LX and PharLap, a code navigator, and more.
http://biew.sourceforge.net/en/biew.html
hview
A curses-based hex editor designed to work with large (600+ MB) files as quickly, and with as little overhead, as possible.
http://tdistortion.esmartdesign.com/Zips/hview.tgz
HT Editor
A file editor/viewer/analyzer for executables. Its goal is to combine the low-level functionality of a debugger and the usability of IDEs.
http://hte.sourceforge.net/
HexCurse
An ncurses-based hex editor written in C that currently supports hex and decimal address output, jumping to specified file locations, searching, ASCII and EBCDIC output, bolded modifications, an undo command, quick keyboard shortcuts etc.
http://www.jewfish.net/description.php?title=HexCurse
hexedit
View and edit files in hexadecimal or in ASCII.
http://www.geocities.com/SiliconValley/Horizon/8726/hexedit.html
Data Workshop
An editor to view and modify binary data; it provides different views which can be used to edit, analyze and export the binary data.
http://www.dataworkshop.de/index.html
VCHE
A hex editor which lets you see all 256 characters as found in video ROM, even control and extended ASCII; it uses the /dev/vcsa* devices to do it. It can also edit non-regular files, like hard disks, floppies, CD-ROMs, ZIPs, RAM, and almost any device. It comes with an ncurses and a raw version for people who work under X or remotely.
http://www.grigna.com/diego/linux/vche/
DHEX
DHEX is just another hex editor, with a diff mode, for ncurses. It makes heavy use of colors and is themeable.
http://www.dettus.net/dhex/


Hex Editors for Mac

HexEdit
A simple but reliable hex editor which lets you change highlight colours. There is also a port for Apple Classic users.
http://hexedit.sourceforge.net/
Hex Fiend
A very simple hex editor, but incredibly powerful nonetheless. It's only 346 KB to download and takes files as big as 116 GB.
http://ridiculousfish.com/hexfiend/

Other Tools for Windows

Resource Monitors

SysInternals Freeware
This page has a large number of excellent utilities, many of which are very useful to security experts, network administrators, and (most importantly to us) reversers. Specifically, check out Process Monitor, FileMon, TCPView, RegMon, and Process Explorer.
http://www.microsoft.com/technet/sysinternals/default.mspx

API Monitors

SpyStudio Freeware
The Spy Studio software is a tool to hook into Windows processes, log Windows API calls to DLLs, insert breakpoints and change parameters.
http://www.nektra.com/products/spystudio/

PE File Header dumpers

Dumpbin
Dumpbin is a program that used to ship with MS Visual Studio, but its functionality has since been incorporated into the Microsoft linker, link.exe. To access dumpbin, pass /dump as the first parameter to link.exe:
link.exe /dump [options]
It is frequently useful to simply create a batch file that handles this conversion:
::dumpbin.bat
link.exe /dump %*

All examples in this wikibook that use dumpbin will call it in this manner.

Here is a list of useful features of dumpbin [1]:
dumpbin /EXPORTS         displays a list of functions exported from a library
dumpbin /IMPORTS         displays a list of functions imported from other libraries
dumpbin /HEADERS         displays PE header information for the executable
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/_core_dumpbin_reference.asp
Depends
Dependency Walker is a GUI tool that lets you see the exports and imports of binaries. It ships with many Microsoft tools, including MS Visual Studio.
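What `dumpbin /HEADERS` is actually reading, as an added example written for this page (not code from the wikibook, from dumpbin, or from any library): a walk through the PE headers from the DOS header's e_lfanew pointer to the section table, followed by two triage checks a reverser normally does by eye on that output. The sample image, its section names and its addresses are constructed in code; nothing here is taken from a real binary.

```python
"""Minimal PE header walker with two triage checks (added example)."""
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Return file header, optional header basics and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):        # malformed e_lfanew is a classic parser trap
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                   # COFF file header, 20 bytes
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # optional header starts with Magic
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                    # PE32: 32-bit ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                  # PE32+: 64-bit ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    for i in range(nsections):            # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        (sec_chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_pointer": rawptr, "raw_size": rawsize,
                         "characteristics": sec_chars})
    return {"machine": MACHINE_NAMES.get(machine, f"0x{machine:x}"),
            "format": "PE32+" if magic == 0x20B else "PE32",
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "entry_point": entry, "image_base": image_base, "sections": sections}


def triage(pe: dict) -> list:
    """Flag writable+executable sections and an entry point outside executable code."""
    findings = []
    for s in pe["sections"]:
        f = s["characteristics"]
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    ep = pe["entry_point"]
    in_code = any(s["virtual_address"] <= ep < s["virtual_address"] + s["virtual_size"]
                  and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
                  for s in pe["sections"])
    if not in_code:
        findings.append(f"entry point 0x{ep:x} is not inside an executable section")
    return findings


def build_sample_pe(packed: bool = False, entry: int = None) -> bytes:
    """Constructed 64-bit image (headers only, no real code) with .text and .data.
    packed=True mimics a self-extracting layout: entry point in a W+X data section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> right after DOS header
    opt_size = 240                                          # standard PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)   # 0x20 = LARGE_ADDRESS_AWARE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    if entry is None:
        entry = 0x2000 if packed else 0x1000
    struct.pack_into("<I", opt, 16, entry)                 # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)           # ImageBase

    def section(name, va, size, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, rawptr, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, 0x200, 0x400,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if packed:
        data_flags |= IMAGE_SCN_MEM_EXECUTE
    data = section(b".data", 0x2000, 0x200, 0x600, data_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    for packed in (False, True):
        pe = parse_pe(build_sample_pe(packed))
        print(pe["format"], pe["machine"], hex(pe["entry_point"]), triage(pe))
```

The two checks in triage are deliberately cheap: a section that is both writable and executable, or an entry point that lands outside any executable section, is not proof of anything, but either one is a reason to look at the binary under a debugger rather than trusting the section names. Feed a real file in with `parse_pe(open(path, "rb").read())` and compare the section table against `dumpbin /HEADERS` on the same file.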

GNU Tools

The GNU packages have been ported to many platforms including Windows.

GNU BinUtils
The GNU BinUtils package contains several small utilities that are very useful in dealing with binary files. The most important programs in the list are the GNU objdump, readelf, GAS assembler, and the GNU linker, although the reverser might find more use in addr2line, c++filt, nm, and readelf.
http://www.gnu.org/software/binutils/
objdump 
Dumps out information about an executable, including symbols and assembly. It comes standard, and can be made to support non-native binary formats.
readelf 
Like objdump, but more specialized for ELF executables.
size 
Lists the sizes of the segments.
nm 
Lists the symbols in an ELF file.

Other GNU tools

strings 
lists the strings from
file 
Tells you what type of file it is.
fold 
Folds the output of strings into something pageable.
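A pure-Python counterpart of GNU strings, added here as an example written for this page (not code from the wikibook or from binutils). It reports printable ASCII runs with their offsets, as `strings -a -t x` does, and additionally UTF-16LE runs, which is how Windows binaries store most of their text and which plain ASCII scanning misses entirely; a small classify step then does the first pass of triage a reverser normally does on strings output. The sample blob, its offsets and the URL in it are constructed and are not from any real binary.

```python
"""Offset-annotated ASCII and UTF-16LE string extraction (added example)."""
import re

PRINTABLE = rb"[\x20-\x7e]"   # space through tilde, the range `strings` treats as printable


def extract_strings(data: bytes, min_len: int = 4):
    """Return a list of (offset, encoding, text) tuples, sorted by offset."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    # A UTF-16LE string of ASCII text is each printable byte followed by NUL.
    utf16_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def classify(text: str) -> str:
    """Cheap labels for the strings a reverser looks at first."""
    low = text.lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.endswith(".dll"):
        return "library"
    if "\\" in text or "/" in text:
        return "path"
    return "other"


def report(data: bytes, min_len: int = 4):
    """Lines in the spirit of `strings -t x`, with an encoding and a label column."""
    return [f"{off:7x} {enc:8} {classify(text):8} {text}"
            for off, enc, text in extract_strings(data, min_len)]


# Constructed sample: a fake header fragment, two NUL-terminated ASCII strings,
# a BOM plus a UTF-16LE URL, and a trailing run too short to report.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"                        # offset 0: only two printable bytes
    + b"kernel32.dll\x00\x00\x00\x00"            # offset 6
    + b"GetProcAddress\x00"                       # offset 22
    + b"\xff\xfe" + "https://updates.example.net/v2".encode("utf-16le")   # offset 39
    + b"\x00\x00ab\x00"                           # "ab" is below min_len
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Raising min_len is the usual first filter when a binary is large; the UTF-16 scan is the one to keep even then, since import names, URLs and file paths in a Windows executable are often only visible in that encoding.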

GNU Tools for dynamic reverse engineering

kill 
Can be used to halt a program, with the SIGSTOP signal.
gdb 
Can be used to attach to a running program.
strace 
Traces system calls and signals.

Other Tools for Linux

oprofile 
Can be used to find out what functions and data segments are used.
subterfugue
A tool for playing odd tricks on an executable as it runs. The tool is scriptable in Python. The user can write scripts to take action on events that occur, such as changing the arguments to system calls.
http://subterfugue.org/
lizard
Lets you run a program backwards.
http://lizard.sourceforge.net/index.html
dprobes 
Lets you work with both kernel and user code.
biew 
Both a hex editor and a disassembler.
ltrace 
Shows runtime library call information for dynamically linked executables.