x86 Disassembly/Analysis Tools

From Wikibooks, open books for an open world

Debuggers

Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.

Advanced debuggers often contain at least a rudimentary disassembler, and oftentimes hex editing and reassembly features as well. Debuggers often allow the user to set breakpoints on instructions, function calls, and even memory locations.

A breakpoint is an instruction to the debugger that allows program execution to be halted when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution.

Windows Debuggers

SoftICE
A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006.
WinDbg
WinDbg is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDbg is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. Available in 32 and 64-bit versions.
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
IDA Pro
The multi-processor, multi-OS, interactive disassembler by DataRescue.
http://www.hex-rays.com/idapro/
OllyDbg
OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging.
http://www.ollydbg.de/
x64dbg
A set of 32- and 64-bit x86 debuggers. x64dbg is the spiritual successor to the discontinued OllyDbg.
Immunity Debugger
Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.
http://immunityinc.com/products/debugger/index.html

Linux Debuggers

Many of the open source debuggers on Linux, again, are cross-platform. They may be available on some other Unix(-like) systems, or even Windows. Some of these debuggers may give you a better experience than the old native ones on your system.

gdb
The GNU debugger; it comes with any normal Linux install. It is quite powerful and even somewhat programmable, though the raw user interface is harsh.
lldb
LLVM's debugger.
emacs
The GNU editor; it can be used as a front-end to gdb. This provides a powerful hex editor and allows full scripting in a LISP-like language.
ddd
The Data Display Debugger. It's another front-end to gdb. This provides graphical representations of data structures. For example, a linked list will look just like a textbook illustration.
strace, ltrace, and xtrace
Let you run a program while watching the actions it performs. With strace, you get a log of all the system calls being made. With ltrace, you get a log of all the library calls being made. With xtrace, you get a log of some of the function calls being made.
valgrind
Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired. Newer versions of valgrind also support OS X.
NLKD
A kernel debugger.
http://forge.novell.com/modules/xfmod/project/?nlkd
edb
A fully featured plugin-based debugger inspired by the famous OllyDbg. Project page
KDbg
A gdb front-end for KDE. http://kdbg.org
RR0D
A Ring-0 Debugger for Linux. RR0D Project Page
Radare2
A debugger and reversing framework.
Winedbg
Wine's debugger. Debugs Windows executables using wine.

Debuggers for Other Systems

dbx
The standard Unix debugger on systems derived from AT&T Unix. It is often part of an optional development toolkit package which comes at an extra price. It uses an interactive command line interface.
ladebug
An enhanced debugger on Tru64 Unix systems from HP (originally Digital Equipment Corporation) that handles advanced functionality like threads better than dbx.
DTrace
An advanced tool on Solaris that provides functions like profiling and many others on the entire system, including the kernel.
mdb
The Modular Debugger (MDB) is a general-purpose debugging tool for the Solaris Operating Environment. Its primary feature is its extensibility. The Solaris Modular Debugger Guide describes how to use MDB to debug complex software systems, with a particular emphasis on the facilities available for debugging the Solaris kernel and associated device drivers and modules. It also includes a complete reference for and discussion of the MDB language syntax, debugger features, and MDB Module Programming API.

Debugger Techniques

Setting Breakpoints

As previously mentioned in the section on disassemblers, a 6-line C program doing something as simple as outputting "Hello, World!" turns into massive amounts of assembly code. Most people don't want to sift through the entire mess to find the information they want, and it can be time-consuming to find it by just reading through the code. As an alternative, one can set breakpoints to halt the program once it has reached a given point in its code.

For instance, let's say that in your program you consistently experience crashes after one particular event: immediately after closing a message box. You set breakpoints on all calls to MessageBoxA. You run your program with the breakpoints set, and it stops, ready to call MessageBoxA. Executing each instruction one by one thereafter (referred to as stepping) and watching the program stack, you see that a buffer overflow occurs soon after the call.

Hex Editors

Hex editors are able to directly view and edit the raw bytes of a file, and are very useful for investigating the structure of proprietary closed-format data files. There are many hex editors in existence. This section will attempt to list some of the best, some of the most popular, or some of the most powerful.

HxD (Freeware)
For Windows. A fast and powerful free hex, disk and RAM editor.
http://mh-nexus.de/hxd/
Freeware Hex Editor XVI32
For Windows. A freeware hex editor.
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
wxHexEditor (Beta, For Windows and Linux, Free & Open Source)
A fast hex editor made specially for huge files and disk devices. It supports files up to a hexabyte, allows size changes (inserts and deletes) without creating a temp file, can view files in multiple panes, has a built-in disassembler, supports tags for (reverse) engineering big binaries or file systems, and can view files through XOR encryption.
http://wxhexeditor.sourceforge.net/
HHD Software Hex Editor Neo
For Windows. A fast file, disk, and memory editor with built-in disassembler and file structure viewer.
http://www.hhdsoftware.com/Family/hex-editor.html
Catch22 HexEdit
For Windows. This is a powerful hex editor with a slew of features. Has an excellent data structure viewer.
http://www.catch22.net/software/hexedit.asp
BreakPoint Hex Workshop
For Windows. An excellent and powerful hex editor; its usefulness is restricted by the fact that it is not free like some of the other options.
http://www.bpsoft.com/
Tiny Hexer
Free and does statistics. For Windows.
http://www.mirkes.de/files/
frhed - free hex editor
For Windows. Free and opensource.
http://www.kibria.de/frhed.html
Cygnus Hex Editor
For Windows. A very fast and easy-to-use hex editor, available in a 'Free Edition'.
http://www.softcircuits.com/cygnus/fe/
Hexprobe Hex Editor
For Windows. A professional hex editor designed to include all the power to deal with hex data, particularly helpful in the areas of hex-byte editing and byte-pattern analysis.
http://www.hexprobe.com/hexprobe/index.htm
UltraEdit32
For Windows. A hex editor/text editor, won "Application of the Year" at 2005 Shareware Industry Awards Conference.
http://www.ultraedit.com/
Hexinator (For Windows and Linux)
Lets you edit files of unlimited size (overwrite, insert, delete), displays text in dozens of text encodings, and shows variables in little- and big-endian byte order.
https://hexinator.com
ICY Hexplorer
For Windows. A lightweight free and open source hex file editor with some nifty features, such as pixel view, structures, and disassembling.
http://hexplorer.sourceforge.net/
WinHex
For Windows. A powerful hex file and disk editor with advanced abilities for computer forensics and data recovery (used by governments and military).
http://www.x-ways.net/index-m.html
010 Editor
For Windows. A very powerful and fast hex editor with extensive support for data structures and scripting. Can be used to edit drives and processes.
http://www.sweetscape.com/010editor/
A view of a small binary file in a 1Fh hex editor.
1Fh
For Windows. A free binary/hex editor which is very fast, even while working with large files. It's the only Windows hex editor that allows you to view files in byte code (all 256 characters).
http://www.4neurons.com/1Fh/
HexEdit
For Windows (Open source) and shareware versions. Powerful and easy to use binary file and disk editor.
http://www.hexedit.com/
HexToolkit
For Windows. A free hex viewer specifically designed for reverse engineering file formats. Allows data to be viewed in various formats and includes an expression evaluator as well as a binary file comparison tool.
http://www.binaryearth.net/HexToolkit
FlexHex
For Windows. It provides full support for NTFS files, which are based on a more complex model than FAT32 files. Specifically, FlexHex supports sparse files and alternate data streams of files on any NTFS volume. Can be used to edit OLE compound files, flash cards, and other types of physical drives.
http://www.heaventools.com/flexhex-hex-editor.htm
HT Editor
For Windows. A file editor/viewer/analyzer for executables. Its goal is to combine the low-level functionality of a debugger and the usability of IDEs.
http://hte.sourceforge.net/
HexEdit
For MacOS. A simple but reliable hex editor where you can change highlight colours. There is also a port for Apple Classic users.
http://hexedit.sourceforge.net/
Hex Fiend
For MacOS. A very simple hex editor, but incredibly powerful nonetheless. It's only 346 KB to download and takes files as big as 116 GB.
http://ridiculousfish.com/hexfiend/
ImHex
For Windows, MacOS and Linux. Displays, decodes and analyzes binary data (plus printable ASCII characters) and allows editing of bytes. Includes a data inspector with various decodings (integers, floats, char/wchar, Unicode, dates, RGBA/RGB565 colour, ...), search by hex bytes and string, hex diff, pattern matching, YARA rules (for malware pattern detection), hash computations, graphical data statistics, disassemblers, and various extra tools from a "content store". Free and open-source, licensed under GPLv2.
https://imhex.werwolv.net/

Linux Hex Editors only

bvi
A typical three-pane hex editor, with a vi-like interface.
emacs
Along with everything else, emacs also includes a hex editor.
joe
Joe's own editor now also supports hex editing.
bless
A very capable gtk based hex editor.
xxd and any text editor
Produce a hex dump with xxd, freely edit it in your favorite text editor, and then convert it back to a binary file with your changes included.
GHex
Hex editor for GNOME.
http://directory.fsf.org/All_Packages_in_Directory/ghex.html
Okteta
The well-integrated hex editor from KDE since 4.1. Offers the traditional two-column layout, one with numeric values (binary, octal, decimal, hexadecimal) and one with characters (lots of charsets supported). Editing can be done in both columns, with unlimited undo/redo. Small set of tools (searching/replacing, strings, binary filter, and more).
http://utils.kde.org/projects/okteta
BEYE
A viewer of binary files with a built-in editor in binary, hexadecimal and disassembler modes. It uses native Intel syntax for disassembly. Highlights: AVR/Java/Athlon64/Pentium 4/K7-Athlon disassembler, Russian codepage converter, full preview of formats (MZ, NE, PE, NLM, coff32, elf; partial: a.out, LE, LX, PharLap), code navigator and more.
http://beye.sourceforge.net/en/beye.html
BIEW
A viewer of binary files with a built-in editor in binary, hexadecimal and disassembler modes. It uses native Intel syntax for disassembly. Highlights: AVR/Java/Athlon64/Pentium 4/K7-Athlon disassembler, Russian codepage converter, full preview of formats (MZ, NE, PE, NLM, coff32, elf; partial: a.out, LE, LX, PharLap), code navigator and more. (PROJECT RENAMED, see BEYE)
http://biew.sourceforge.net/en/biew.html
hview
A curses-based hex editor designed to work with large (600+ MB) files as quickly, and with as little overhead, as possible.
http://web.archive.org/web/20010306001713/http://tdistortion.esmartdesign.com/Zips/hview.tgz
HexCurse
An ncurses-based hex editor written in C that currently supports hex and decimal address output, jumping to specified file locations, searching, ASCII and EBCDIC output, bolded modifications, an undo command, quick keyboard shortcuts, etc.
http://www.jewfish.net/description.php?title=HexCurse
hexedit
View and edit files in hexadecimal or in ASCII.
http://rigaux.org/hexedit.html
Data Workshop
An editor to view and modify binary data; provides different views which can be used to edit, analyze and export the binary data.
http://www.dataworkshop.de/
VCHE
A hex editor which lets you see all 256 characters as found in video ROM, even control and extended ASCII; it uses the /dev/vcsa* devices to do it. It can also edit non-regular files, like hard disks, floppies, CD-ROMs, ZIPs, RAM, and almost any device. It comes with an ncurses and a raw version for people who work under X or remotely.
http://www.grigna.com/diego/linux/vche/
DHEX
DHEX is just another hex editor, with a diff mode, for ncurses. It makes heavy use of colors and is themeable.
http://www.dettus.net/dhex/


Other Tools for Windows

Resource Monitors

SysInternals Freeware
This page has a large number of excellent utilities, many of which are very useful to security experts, network administrators, and (most importantly to us) reversers. Specifically, check out Process Monitor, FileMon, RegMon, TCPView, and Process Explorer.
https://docs.microsoft.com/en-us/sysinternals/

API Monitors

SpyStudio Freeware
The Spy Studio software is a tool to hook into Windows processes, log Windows API calls to DLLs, insert breakpoints and change parameters.
http://www.nektra.com/products/spystudio/
rohitab.com API Monitor
API Monitor is a free software that lets you monitor and control API calls made by applications and services. Features include detailed parameter information, structures, unions, enumerated/flag data types, call stack, call tree, breakpoints, custom DLLs, memory editor, call filtering, COM monitoring, 64-bit. Includes definitions for over 13,000 APIs and 1,300+ COM interfaces.
http://www.rohitab.com/apimonitor

PE File Header dumpers

Dumpbin
Dumpbin is a program that used to ship with MS Visual Studio, but more recently the functionality of Dumpbin has been incorporated into the Microsoft Linker, link.exe. To access dumpbin, pass /dump as the first parameter to link.exe:
link.exe /dump [options]
It is frequently useful to simply create a batch file that handles this conversion:
::dumpbin.bat
link.exe /dump %*

All examples in this wikibook that use dumpbin will call it in this manner.

Here is a list of useful features of dumpbin [1]:
dumpbin /EXPORTS         displays a list of functions exported from a library
dumpbin /IMPORTS         displays a list of functions imported from other libraries
dumpbin /HEADERS         displays PE header information for the executable
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/_core_dumpbin_reference.asp
Depends
Dependency Walker is a GUI tool which will allow you to see exports and imports of binaries. It ships with many Microsoft tools including MS Visual Studio.
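As an added example (not from this wikibook, and not code from any of the tools above), the following Python script does by hand the core of what dumpbin /HEADERS and dumpbin /IMPORTS report: it walks the DOS and NT headers and the section table of a PE image, maps the import directory RVA to a file offset, and lists the DLLs named in the import descriptors. The PE image it parses is constructed inline and is not a real program; only the standard library is used.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # IMAGE_OPTIONAL_HEADER magic values


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (as the loader does)."""
    for _name, vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_pe(data):
    """Return (machine, [(name, vsize, va, rawsize, rawptr)], [imported DLLs])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory begins at +96 (PE32) or +112 (PE32+); entry 1 is the import table.
    imp_rva = struct.unpack_from("<I", data, opt + (96 if magic == PE32_MAGIC else 112) + 8)[0]
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rsize, raw))
    dlls = []
    off = rva_to_offset(sections, imp_rva) if imp_rva else None
    while off is not None:
        desc = struct.unpack_from("<IIIII", data, off)  # IMAGE_IMPORT_DESCRIPTOR, 20 bytes
        if not any(desc):
            break  # an all-zero descriptor terminates the list
        name_off = rva_to_offset(sections, desc[3])  # desc[3] = Name (RVA of DLL name)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return machine, sections, dlls


def sample_pe():
    """Constructed minimal PE32 (not a real program): one .idata section at RVA 0x1000,
    file offset 0x200, whose import directory names KERNEL32.dll and USER32.dll."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)       # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 96 + 8, 0x1000, 60)                      # import directory RVA, size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    idata = bytearray(0x200)
    for i, name_rva in enumerate((0x1040, 0x1050)):
        struct.pack_into("<IIIII", idata, 20 * i, 0, 0, 0, name_rva, 0)
    idata[0x40:0x4D] = b"KERNEL32.dll\0"
    idata[0x50:0x5B] = b"USER32.dll\0"
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(idata)
```

Running parse_pe on a real file read in binary mode gives the same three pieces of information; a file whose import RVA falls outside every section raises ValueError, which is itself a useful signal that the headers have been tampered with or the file is packed.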

GNU Tools

The GNU packages have been ported to many platforms including Windows.

GNU BinUtils
The GNU BinUtils package contains several small utilities that are very useful in dealing with binary files. The most important programs in the list are the GNU objdump, readelf, GAS assembler, and the GNU linker, although the reverser might find more use in addr2line, c++filt, nm, and readelf.
http://www.gnu.org/software/binutils/
objdump
Dumps out information about an executable including symbols and assembly. It comes standard. It can be made to support non-native binary formats.
objdump -p               displays the private headers: functions imported from other libraries, functions exported, and miscellaneous file header information

This is useful for checking DLL dependencies from the command line.

readelf
Like objdump but more specialized for ELF executables.
size
Lists the sizes of the segments.
nm
Lists the symbols in an ELF file.
strings
Prints the strings from a file.
file
Tells you what type of file it is.
fold
Folds the results of strings into something pageable.
kill
Can be used to halt a program with the SIGSTOP signal.
strace
Trace system calls and signals.

Other Tools for Linux

oprofile
Can be used to find out which functions and data segments are used.
subterfugue
A tool for playing odd tricks on an executable as it runs. The tool is scriptable in python. The user can write scripts to take action on events that occur, such as changing the arguments to system calls.
http://subterfugue.org/
lizard
Lets you run a program backwards.
http://lizard.sourceforge.net/
dprobes
Lets you work with both kernel and user code.
biew
Both a hex editor and a disassembler.
ltrace
Displays runtime library call information for dynamically linked executables.
asmDIFF
Searches for functions, instructions and memory pointers in different versions of the same binary by using code metrics. Supports x86 and x86_64 code in PE and ELF files.
http://duschkumpane.org/index.php/asmdiff

XCode Tools

XCode contains some extra tools to be used under OS X with the Mach-O format. You can see more of them under /Applications/Xcode.app/Contents/Developer/usr/bin/.

lipo
Manages fat binaries with multiple architectures.
otool
Object file displaying tool; works somewhat like objdump and readelf.

XCode also packs a lot of Unix tools, with many of them sharing the names (and functions) of the GNU tools. Other tools like nasm/ndisasm, lldb and GNU as can also be found.