x86 Disassembly/Analysis Tools
Debuggers
[edit | edit source]Debuggers are programs that allow the user to execute a compiled program one step at a time. You can see what instructions are executed in which order, and which sections of the program are treated as code and which are treated as data. Debuggers allow you to analyze the program while it is running, to help you get a better picture of what it is doing.
Advanced debuggers often contain at least a rudimentary disassembler, often times hex editing and reassembly features. Debuggers often allow the user to set breakpoints on instructions, function calls, and even memory locations.
A breakpoint is an instruction to the debugger that allows program execution to be halted when a certain condition is met. For instance, when a program accesses a certain variable, or calls a certain API function, the debugger can pause program execution.
Windows Debuggers
[edit | edit source]- SoftICE
- A de facto standard for Windows debugging. SoftICE can be used for local kernel debugging, which is a feature that is very rare, and very valuable. SoftICE was taken off the market in April 2006.
- WinDbg
- WinDbg is a free piece of software from Microsoft that can be used for local user-mode debugging, or even remote kernel-mode debugging. WinDbg is not the same as the better-known Visual Studio Debugger, but comes with a nifty GUI nonetheless. Available in 32 and 64-bit versions.
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
- IDA Pro
- The multi-processor, multi-OS, interactive disassembler by DataRescue.
- http://www.hex-rays.com/idapro/
- OllyDbg
- OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging.
- http://www.ollydbg.de/
- x64dbg
- A set of 32 and 64 bit x86 debuggers. x64dbg is the spiritual successor to the discontinued OllyDbg.
- Immunity Debugger
- Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.
- http://immunityinc.com/products/debugger/index.html
Linux Debuggers
[edit | edit source]Many of the open source debuggers on Linux, again, are cross-platform. They may be available on some other Unix(-like) systems, or even Windows. Some of the debuggers may give you better experience than the old and native ones on your system.
- gdb
- The GNU debugger, comes with any normal Linux install. It is quite powerful and even somewhat programmable, though the raw user interface is harsh.
- lldb
- LLVM's debugger.
- emacs
- The GNU editor, can be used as a front-end to gdb. This provides a powerful hex editor and allows full scripting in a LISP-like language.
- ddd
- The Data Display Debugger. It's another front-end to gdb. This provides graphical representations of data structures. For example, a linked list will look just like a textbook illustration.
- strace, ltrace, and xtrace
- Lets you run a program while watching the actions it performs. With strace, you get a log of all the system calls being made. With ltrace, you get a log of all the library calls being made. With xtrace, you get a log of some of the function calls being made.
- valgrind
- Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired. Newer versions of valgrind also support OS X.
- NLKD
- A kernel debugger.
- http://forge.novell.com/modules/xfmod/project/?nlkd
- edb
- A fully featured plugin-based debugger inspired by the famous OllyDbg. Project page
- KDbg
- A gdb front-end for KDE. http://kdbg.org
- RR0D
- A Ring-0 Debugger for Linux. RR0D Project Page
- Radare2
- A debugger and reversing framework.
- Winedbg
- Wine's debugger. Debugs Windows executables using wine.
Debuggers for Other Systems
[edit | edit source]- dbx
- The standard Unix debugger on systems derived from AT&T Unix. It is often part of an optional development toolkit package which comes at an extra price. It uses an interactive command line interface.
- ladebug
- An enhanced debugger on Tru64 Unix systems from HP (originally Digital Equipment Corporation) that handles advanced functionality like threads better than dbx.
- DTrace
- An advanced tool on Solaris that provides functions like profiling and many others on the entire system, including the kernel.
- mdb
- The Modular Debugger (MDB) is a new general purpose debugging tool for the Solaris Operating Environment. Its primary feature is its extensibility. The Solaris Modular Debugger Guide describes how to use MDB to debug complex software systems, with a particular emphasis on the facilities available for debugging the Solaris kernel and associated device drivers and modules. It also includes a complete reference for and discussion of the MDB language syntax, debugger features, and MDB Module Programming API.
Debugger Techniques
[edit | edit source]Setting Breakpoints
[edit | edit source]As previously mentioned in the section on disassemblers, a 6-line C program doing something as simple as outputting "Hello, World!" turns into massive amounts of assembly code. Most people don't want to sift through the entire mess to find out the information they want. It can be time consuming just to find the information one desires by just looking through the code. As an alternative, one can choose to set breakpoints to halt the program once it has reached a given point within the program's code.
For instance, let's say that in your program you consistantly experience crashes after one particular event: immediately after closing a message box. You set breakpoints on all calls to MessageBoxA. You run your program with the breakpoints set, and it stops, ready to call MessageBoxA. Executing each line one-by-one thereafter (referred to as stepping) through the code, and watching the program stack, you see that a buffer overflow occurs soon after the call.
Hex Editors
[edit | edit source]Hex editors are able to directly view and edit the binary of a source file, and are very useful for investigating the structure of proprietary closed-format data files. There are many hex editors in existence. This section will attempt to list some of the best, some of the most popular, or some of the most powerful.
- HxD (Freeware)
- For Windows. A fast and powerful free hex, disk and RAM editor
- http://mh-nexus.de/hxd/
- Freeware Hex Editor XVI32
- For Windows. A freeware hex editor.
- http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
- wxHexEditor (Beta, For Windows and Linux, Free & Open Source)
- A fast hex editor specially for HUGE files and disk devices, allows up to hexabyte, allow size changes (inject and deletes) without creating temp file, could view files with multiple panes, has built-in disassembler, supports tags for (reverse) engineering big binaries or file systems, could view files thrug XOR encryption.
- http://wxhexeditor.sourceforge.net/
- HHD Software Hex Editor Neo
- For Windows. A fast file, disk, and memory editor with built-in disassembler and file structure viewer.
- http://www.hhdsoftware.com/Family/hex-editor.html
- Catch22 HexEdit
- For Windows. his is a powerful hex editor with a slew of features. Has an excellent data structure viewer.
- http://www.catch22.net/software/hexedit.asp
- BreakPoint Hex Workshop
- For Windows. An excellent and powerful hex-editor, its usefulness is restricted by the fact that it is not free like some of the other options.
- http://www.bpsoft.com/
- Tiny Hexer
- Free and does statistics. For Windows.
- http://www.mirkes.de/files/
- frhed - free hex editor
- For Windows. Free and opensource.
- http://www.kibria.de/frhed.html
- Cygnus Hex Editor
- For Windows. A very fast and easy-to-use hex editor, available in a 'Free Edition'.
- http://www.softcircuits.com/cygnus/fe/
- Hexprobe Hex Editor
- For Windows. A professional hex editor designed to include all the power to deal with hex data, particularly helpful in the areas of hex-byte editing and byte-pattern analysis.
- http://www.hexprobe.com/hexprobe/index.htm
- UltraEdit32
- For Windows. A hex editor/text editor, won "Application of the Year" at 2005 Shareware Industry Awards Conference.
- http://www.ultraedit.com/
- Hexinator (For Windows and Linux)
- lets you edit files of unlimited size (overwrite, insert, delete), displays text with dozens of text encodings, shows variables in little and big endian byte order.
- https://hexinator.com
- ICY Hexplorer
- For Windows. A lightweight free and open source hex file editor with some nifty features, such as pixel view, structures, and disassembling.
- http://hexplorer.sourceforge.net/
- WinHex
- For Windows. A powerful hex file and disk editor with advanced abilities for computer forensics and data recovery (used by governments and military).
- http://www.x-ways.net/index-m.html
- 010 Editor
- For Windows. A very powerful and fast hex editor with extensive support for data structures and scripting. Can be used to edit drives and processes.
- http://www.sweetscape.com/010editor/
- 1Fh
- For Windows. A free binary/hex editor which is very fast, even while working with large files. It's the only Windows hex editor that allows you to view files in byte code (all 256-characters).
- http://www.4neurons.com/1Fh/
- HexEdit
- For Windows (Open source) and shareware versions. Powerful and easy to use binary file and disk editor.
- http://www.hexedit.com/
- HexToolkit
- For Windows. A free hex viewer specifically designed for reverse engineering file formats. Allows data to be viewed in various formats and includes an expression evaluator as well as a binary file comparison tool.
- http://www.binaryearth.net/HexToolkit
- FlexHex
- For Windows. It Provides full support for NTFS files which are based on a more complex model than FAT32 files. Specifically, FlexHex supports Sparse files and Alternate data streams of files on any NTFS volume. Can be used to edit OLE compound files, flash cards, and other types of physical drives.
- http://www.heaventools.com/flexhex-hex-editor.htm
- HT Editor
- For Windows. A file editor/viewer/analyzer for executables. Its goal is to combine the low-level functionality of a debugger and the usability of IDEs.
- http://hte.sourceforge.net/
- HexEdit
- For MacOS. A simple but reliable hex editor wher you to change highlight colours. There is also a port for Apple Classic users.
- http://hexedit.sourceforge.net/
- Hex Fiend
- For MacOS. A very simple hex editor, but incredibly powerful nonetheless. It's only 346 KB to download and takes files as big as 116 GB.
- http://ridiculousfish.com/hexfiend/
- ImHex
- For Windows, MacOS and Linux. Displays, decodes and analyzes binary data (+ printable ASCII chars) and allow edition of bytes. Includes data inspector with various decoding (integers, floats, char/wchar, Unicode, dates, RGBA/RGB565 color...), search by hex bytes and string, hex diff, pattern matching, yara rules (for malware pattern detection), hash computations, graphical data statistics, disassemblers, and various extra tools from a "content store". Free and open-source, licensed under GPLv2.
- https://imhex.werwolv.net/
Linux Hex Editors only
[edit | edit source]- bvi
- A typical three-pane hex editor, with a vi-like interface.
- emacs
- Along with everything else, emacs also includes a hex editor.
- joe
- Joe's own editor now also supports hex editing.
- bless
- A very capable gtk based hex editor.
- xxd and any text editor
- Produce a hex dump with xxd, freely edit it in your favorite text editor, and then convert it back to a binary file with your changes included.
- GHex
- Hex editor for GNOME.
- http://directory.fsf.org/All_Packages_in_Directory/ghex.html
- Okteta
- The well-integrated hexeditor from KDE since 4.1. Offers the traditional two-columns layout, one with numeric values (binary, octal, decicmal, hexdecimal) and one with characters (lots of charsets supported). Editing can be done in both columns, with unlimited undo/redo. Small set of tools (searching/replacing, strings, binary filter, and more).
- http://utils.kde.org/projects/okteta
- BEYE
- A viewer of binary files with built-in editor in binary, hexadecimal and disassembler modes. It uses native Intel syntax for disassembly. Highlight AVR/Java/Athlon64/Pentium 4/K7-Athlon disassembler, Russian codepages converter, full preview of formats - MZ, NE, PE, NLM, coff32, elf partial - a.out, LE, LX, PharLap; code navigator and more over. (
- http://beye.sourceforge.net/en/beye.html
- BIEW
- A viewer of binary files with built-in editor in binary, hexadecimal and disassembler modes. It uses native Intel syntax for disassembly. Highlight AVR/Java/Athlon64/Pentium 4/K7-Athlon disassembler, Russian codepages converter, full preview of formats - MZ, NE, PE, NLM, coff32, elf partial - a.out, LE, LX, PharLap; code navigator and more over. (PROJECT RENAMED, see BEYE)
- http://biew.sourceforge.net/en/biew.html
- hview
- A curses based hex editor designed to work with large (600+MB) files with as quickly, and with little overhead, as possible.
- http://web.archive.org/web/20010306001713/http://tdistortion.esmartdesign.com/Zips/hview.tgz
- HexCurse
- An ncurses-based hex editor written in C that currently supports hex and decimal address output, jumping to specified file locations, searching, ASCII and EBCDIC output, bolded modifications, an undo command, quick keyboard shortcuts, etc.
- http://www.jewfish.net/description.php?title=HexCurse
- hexedit
- View and edit files in hexadecimal or in ASCII.
- http://rigaux.org/hexedit.html
- Data Workshop
- An editor to view and modify binary data; provides different views which can be used to edit, analyze and export the binary data.
- http://www.dataworkshop.de/
- VCHE
- A hex editor which lets you see all 256 characters as found in video ROM, even control and extended ASCII, it uses the /dev/vcsa* devices to do it. It also could edit non-regular files, like hard disks, floppies, CDROMs, ZIPs, RAM, and almost any device. It comes with a ncurses and a raw version for people who work under X or remotely.
- http://www.grigna.com/diego/linux/vche/
- DHEX
- DHEX is just another Hexeditor with a Diff-mode for ncurses. It makes heavy use of colors and is themeable.
- http://www.dettus.net/dhex/
Other Tools for Windows
[edit | edit source]Resource Monitors
[edit | edit source]- SysInternals Freeware
- This page has a large number of excellent utilities, many of which are very useful to security experts, network administrators, and (most importantly to us) reversers. Specifically, check out Process Monitor, FileMon, RegMon, TCPView, and Process Explorer.
- https://docs.microsoft.com/en-us/sysinternals/
API Monitors
[edit | edit source]- SpyStudio Freeware
- The Spy Studio software is a tool to hook into windows processes, log windows API call to DLLs, insert breakpoints and change parameters.
- http://www.nektra.com/products/spystudio/
- rohitab.com API Monitor
- API Monitor is a free software that lets you monitor and control API calls made by applications and services. Features include detailed parameter information, structures, unions, enumerated/flag data types, call stack, call tree, breakpoints, custom DLLs, memory editor, call filtering, COM monitoring, 64-bit. Includes definitions for over 13,000 APIs and 1,300+ COM interfaces.
- http://www.rohitab.com/apimonitor
PE File Header dumpers
[edit | edit source]- Dumpbin
- Dumpbin is a program that previously used to be shipped with MS Visual Studio, but recently the functionality of Dumpbin has been incorporated into the Microsoft Linker, link.exe. to access dumpbin, pass /dump as the first parameter to link.exe:
link.exe /dump [options]
- It is frequently useful to simply create a batch file that handles this conversion:
::dumpbin.bat link.exe /dump %*
All examples in this wikibook that use dumpbin will call it in this manner.
- Here is a list of useful features of dumpbin [1]:
dumpbin /EXPORTS displays a list of functions exported from a library dumpbin /IMPORTS displays a list of functions imported from other libraries dumpbin /HEADERS displays PE header information for the executable
- Depends
- Dependency Walker is a GUI tool which will allow you to see exports and imports of binaries. It ships with many Microsoft tools including MS Visual Studio.
GNU Tools
[edit | edit source]The GNU packages have been ported to many platforms including Windows.
- GNU BinUtils
- The GNU BinUtils package contains several small utilities that are very useful in dealing with binary files. The most important programs in the list are the GNU objdump, readelf, GAS assembler, and the GNU linker, although the reverser might find more use in addr2line, c++filt, nm, and readelf.
- http://www.gnu.org/software/binutils/
- objdump
- Dumps out information about an executable including symbols and assembly. It comes standard. It can be made to support non-native binary formats.
objdump -p displays a list of functions imported from other libraries, exported to and miscellaneous file header information
It's useful to check dll dependencies from command line
- readelf
- Like objdump but more specialized for ELF executables.
- size
- Lists the sizes of the segments.
- nm
- Lists the symbols in an ELF file.
- strings
- Prints the strings from a file.
- file
- Tells you what type of file it is.
- fold
- Folds the results of strings into something pageable.
- kill
- Can be used to halt a program with the sig_stop signal.
- strace
- Trace system calls and signals.
Other Tools for Linux
[edit | edit source]- oprofile
- Can be used the find out what functions and data segments are used
- subterfugue
- A tool for playing odd tricks on an executable as it runs. The tool is scriptable in python. The user can write scripts to take action on events that occur, such as changing the arguments to system calls.
- http://subterfugue.org/
- lizard
- Lets you run a program backwards.
- http://lizard.sourceforge.net/
- dprobes
- Lets you work with both kernel and user code.
- biew
- Both a hex editor and a disassembler.
- ltrace
- Displays runtime library call information for dynamically linked executables.
- asmDIFF
- Searches for functions, instructions and memory pointers in different versions of same binary by using code metrics. Supports x86, x86_64 code in PE and ELF files.
- http://duschkumpane.org/index.php/asmdiff
XCode Tools
[edit | edit source]XCode contains some extra tools to be used under OS X with the Mach-O format. You can see more of them under /Applications/Xcode.app/Contents/Developer/usr/bin/
.
- lipo
- Manages fat binaries with multiple architectures.
- otool
- Object file displaying tool, works somehow like objdump and readelf.
XCode also packs a lot of Unix tools, with many of them sharing the names (and functions) of the GNU tools. Other tools like nasm/ndisasm, lldb and GNU as can also be found.