Forensics
Investigating Hacker Tools
Program Analysis
Program Compilation: Compiler, Assembler, Linker.
UPX (upx.sourceforge.net): compresses source code (achieves ratios of 20% - 40%).
Static compilation needs more memory.
Static Analysis:
Symbol Extraction:
Disassembler:
IDA-Pro
ILDasm (Microsoft .Net IL disassembler)
Debuggers
Kernel-mode:
Component that sits alongside the system's kernel.
Allows for stopping and observing the entire system.
User-mode:
Attach to a process.
Take full control of process.
Tools:
OllyDbg
WinDbg (MS tool)
IDA-Pro
Numega-SoftIce (no longer available in isolation)
Decompilers
Filemon
TCPView
RegMon
PortMon
WinObj
Process Explorer
Executable-Dumping
Dumpbin (MS)
PEView
PEBrowse Professional
Using disassembly:
Names of functions
Data strings
Function Calls:
Dedicated machine.
Not connected to the internet.
Or: Virtual machine.
Strace, systrace:
open
read
write
unlink
lstat
socket
close
Use regmon
Use ListDlls
Use psList
Intercept communication of program.
IDA-Pro
OllyDbg
SoftIce
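As an added example (not part of the slides), a small Python parser that reads strace output for the system calls listed above and summarizes file, deletion and network activity from an isolated-machine run; the strace lines below are constructed, not captured from a real sample.

```python
import re
from collections import Counter

# Constructed strace output, not from a real tool run.
SAMPLE_STRACE = """\
open("/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\\n"..., 4096) = 1024
close(3) = 0
lstat("/tmp/.hidden", {st_mode=S_IFREG|0644, st_size=512, ...}) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
write(4, "GET / HTTP/1.0\\r\\n", 16) = 16
unlink("/var/log/auth.log") = 0
close(4) = 0
"""

# The syscalls named on the slide, grouped by what they tell the analyst.
WATCH = {
    "file": {"open", "read", "write", "lstat", "close"},
    "delete": {"unlink"},
    "network": {"socket"},
}

# name(args) = retval, with an optional "[pid N]" prefix from strace -f.
LINE_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+|\?)')


def parse_strace(text):
    """Return (syscall, first_argument, return_value) for each parseable line."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unfinished/resumed lines and signal notices are skipped
        name, args, ret = m.groups()
        first = args.split(",", 1)[0].strip().strip('"')
        calls.append((name, first, ret))
    return calls


def summarize(calls):
    """Count watched syscalls per category and list paths the program deleted."""
    counts = Counter()
    deleted = []
    for name, first, ret in calls:
        for category, names in WATCH.items():
            if name in names:
                counts[category] += 1
        if name == "unlink" and ret == "0":
            deleted.append(first)  # evidence of log or trace removal
    return {"counts": dict(counts), "deleted": deleted}


if __name__ == "__main__":
    print(summarize(parse_strace(SAMPLE_STRACE)))
```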
Antidebugger Methods: