Practical Binary Analysis
Author: Dennis Andriesse
What is binary analysis? Dividing things into two parts? No.
Binary analysis is what might once have been called disassembly or reverse engineering. It is basically about taking a machine binary and finding out how it works, with an eye to discovering hidden malware, but there are plenty of other reasons for doing it.
However, there are also some good reasons not to read this book. Don't think that it is going to teach you assembler or the basic principles of hardware. It is fairly easy to read and well written, but it does expect you to understand the hardware and, most definitely, the software at a low level. The book is also mostly about Linux ELF format binaries and it uses x86 assembler throughout. You already need to know x86 assembly language and the way in which the assembler converts it to binary. You also need to be familiar with the general idea of how the binary file becomes an executable program: how it is loaded into the machine and executed. There is a crash course in x86 assembler in Appendix A, but this isn't really enough on its own - it's a good refresher and will help if you already know another assembly language.
Notice also that this is about "binary" analysis, not bytecode analysis or anything more sophisticated. This means it won't help if you are looking to reverse engineer Java or a similar language that is interpreted or compiled to a VM.
This is not for the beginner, which is fine, as there are lots of books for the beginner but very few for the more advanced reader.
The book starts off with a general overview of binary analysis and it explains its conventions using Intel assembly syntax, which is good and my preferred option. After this short introduction we encounter the first of three major parts and some appendices.
Part I - Binary Formats. Chapter 1 goes over the basics of compiling a C program and how the binary file is constructed. It explains that binary files aren't all binary, because they often include symbol information for debuggers and the like. Chapter 2 continues this with a detailed look at the ELF format used for binaries by Linux. Chapter 3 does the same for the PE format used by Windows - although from this point on PE format files aren't mentioned much. Both of these chapters are detailed, very detailed. The final chapter in this part is about building a binary loader with the help of libbfd. This isn't an essential part of binary analysis, but it does give you hands-on experience of what it means to load a binary.
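As an added illustration of the point about symbol information (this is example code written for this review page, not code from the book or its repository): a small Python parser that reads the ELF64 header and section header table and reports whether a .symtab section is present, which is the same thing `file` reports as "stripped" or "not stripped". The sample image is constructed inside the block rather than produced by a compiler, and the builder function `build_minimal_elf64` is an assumption made only so that the example runs offline; every offset read from the file is bounds-checked, because a hostile binary can point its section or string table anywhere.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
EHDR_FMT = "HHIQQQIHHHHHH"   # Elf64_Ehdr fields after the 16-byte e_ident (48 bytes)
SHDR_FMT = "IIQQQQIIQQ"      # Elf64_Shdr (64 bytes)


def parse_elf64_sections(data: bytes) -> dict:
    """Return {name: {"type", "offset", "size"}} for every section of an ELF64 image.

    Raises ValueError on non-ELF input or on a section/string table that
    points outside the file, instead of trusting the header blindly.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 (EI_CLASS == 2) is handled here")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (_type, _machine, _ver, _entry, _phoff, shoff, _flags, _ehsize, _phentsize,
     _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(endian + EHDR_FMT, data, 16)
    if shoff == 0 or shnum == 0:
        return {}                                  # no section table at all
    if shentsize != 64 or shoff + shnum * 64 > len(data):
        raise ValueError("section header table is malformed or truncated")
    shdrs = [struct.unpack_from(endian + SHDR_FMT, data, shoff + i * 64) for i in range(shnum)]
    if shstrndx >= shnum:
        raise ValueError("e_shstrndx out of range")
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    if str_off + str_size > len(data):
        raise ValueError("section name table runs past end of file")
    names = data[str_off:str_off + str_size]

    sections = {}
    for sh_name, sh_type, _flags, _addr, sh_off, sh_size, *_rest in shdrs:
        end = names.find(b"\0", sh_name)
        if sh_name >= len(names) or end < 0:
            raise ValueError("unterminated section name")
        name = names[sh_name:end].decode("ascii", "replace")
        sections[name] = {"type": sh_type, "offset": sh_off, "size": sh_size}
    return sections


def has_symbol_table(data: bytes) -> bool:
    """True when a .symtab (SHT_SYMTAB) section survives, i.e. the binary is not stripped."""
    return any(s["type"] == SHT_SYMTAB for s in parse_elf64_sections(data).values())


def build_minimal_elf64(sections) -> bytes:
    """Constructed sample input (assumption for this example, not compiler output):
    an ELF64 image holding the given (name, sh_type, content) sections plus the
    mandatory null section and a .shstrtab for the names."""
    table, name_off = b"\0", {}
    for name, _, _ in sections:
        name_off[name] = len(table)
        table += name.encode() + b"\0"
    name_off[".shstrtab"] = len(table)
    table += b".shstrtab\0"
    all_secs = list(sections) + [(".shstrtab", SHT_STRTAB, table)]

    body, placed, cursor = b"", [], 64             # contents follow the 64-byte header
    for name, typ, content in all_secs:
        placed.append((name_off[name], typ, cursor, len(content)))
        body += content
        cursor += len(content)
    shoff, shnum = cursor, len(all_secs) + 1       # +1 for the SHN_UNDEF entry
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LSB, version 1, SysV ABI
    ehdr = e_ident + struct.pack("<" + EHDR_FMT, 2, 0x3E, 1, 0, 0, shoff, 0,
                                 64, 56, 0, 64, shnum, shnum - 1)
    shdrs = b"\0" * 64                             # null section header
    for n_off, typ, off, size in placed:
        shdrs += struct.pack("<" + SHDR_FMT, n_off, typ, 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + body + shdrs


if __name__ == "__main__":
    samples = {
        "unstripped": [(".text", SHT_PROGBITS, b"\xc3"), (".symtab", SHT_SYMTAB, b"\0" * 24)],
        "stripped": [(".text", SHT_PROGBITS, b"\xc3")],
    }
    for label, secs in samples.items():
        img = build_minimal_elf64(secs)
        print(label, sorted(parse_elf64_sections(img)), "symbols:", has_symbol_table(img))
```

Run it against a real binary by replacing the constructed image with `open(path, "rb").read()`; the absence of .symtab is what makes a stripped binary harder to analyse, and the bounds checks are the difference between a parser and a crash when the input is adversarial.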
Part II - Binary Analysis Fundamentals introduces the key ideas and techniques - mostly different approaches to disassembly, followed up by techniques for making disassembly difficult. Chapter 5 is about examining Linux binaries to find dependencies and using gdb, the GNU debugger. Chapter 6 tells you everything you could possibly need to know about disassembly, including what can go wrong. Chapter 7 explains simple code injection techniques for ELF - ways of getting your own code into an existing binary, such as hijacking the entry point.
Part III - Advanced Binary Analysis is even more advanced. It covers custom disassembly using Capstone, binary instrumentation and so on. Chapters 10 and 11 are about taint analysis, which I have to admit I'd heard of but knew nothing about beforehand. If you are into this sort of advanced analysis these two chapters are invaluable. The final two chapters are about symbolic execution, an area where there is still much research to do. The idea is that the code is run not by a real machine but by a symbolic interpreter, which treats inputs as symbols rather than concrete values and so can extract much more information about the code, such as which inputs reach a given path. It is still a practical account and you get to use Triton to analyze some code.
This book isn't for everyone, but if you want to reverse engineer some code, or learn to be a white hat hacker or a black hat hacker, then it's well worth reading. It isn't an easy read, you will have to study the examples and do at least some of the practicals, but it is written in an easy-to-read and friendly style. I can't imagine it would be possible to make the material any more user-friendly - don't wait for a "dummies guide to binary analysis" because there is never going to be one. This subject isn't for dummies, but this book does try to make it all seem reasonable.
If this is your area and you understand the technology enough, then just go and buy a copy. You might not read it all in one sitting but whatever you do read will help.
Last Updated (Tuesday, 28 May 2019)