[unisog] Decompiling virus binaries

Andy Polyakov appro at fy.chalmers.se
Tue Jul 22 10:27:54 GMT 2003

> We received what we believed to be a recent/(new to us) virus
> attachment, and short of running `strings` against the binary, what
> other methods/tools have y'all used to determine the contents of a virus
> binary?

There is only one:-) IDA of www.datarescue.com. Note that there is a
freeware version at at www.simtel.com (it's limited to TUI, text user
interface, and apparently fails to load ELF, binary object format used
by Linux), but I can say that the real version was worth every dime we
paid for it. Yes, it's Windows app, but it can manage multiple binary
object formats [yes, including ELF], not to mention multiple CPU
architectures. They used to have academic discounts, do ask for one [if
you'll consider purchasing one that is].

>  I guess what I'm really asking is, do you know of any good
> de-compilers (hopefully for x86 Linux, GCC 3) that would be useful in
> this instance, or can I use an existing compiler to break the virus down
> to its source code?

You can't use compiler to disassemble the binary code, that's what
disassemblers are for. Yet note that disassemblers don't spit out the
original C source code, but assembler mnemonics. So that you still have
to understand the machine code and reconstruct what programmer (intruder
in this case) wanted to achieve yourself. You can get taste of it by
running 'objdump -d' to disassemble Linux binaries and 'dumpbin /disasm'
- Windows binaries. These two we'll leave you a lot of manual work to
do, at the very least to map calls to library functions to their names.
IDA will do this, as well as a lot of other things for you. A.

More information about the unisog mailing list