Task, program, process, executable: what's the difference? Microsoft uses these specific terms to refer to the individual parts of an application.
Every Windows executable must follow a very strict file structure, known as the PE format (Portable Executable format). This format tells Windows the size of the file, which resources it contains (for example, icons, bitmaps, or cursors) and, most importantly from the point of view of reverse engineering, something called the import table. The import table is a list of all the operating system functions the executable uses; for example, to put a message box on screen, the import table includes the Windows function MessageBoxA. By analysing the functions listed in the import table, it can quickly be determined whether a program communicates over the Internet, writes files to the hard disk, or monitors Web pages as they load and may therefore be spyware.
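The following is an added example, not code from the original article: a small import-table walker that follows the PE structure described above (MZ header, PE signature, optional header, data directory, import descriptors, thunks) and then groups the imported functions by the capability they hint at. It handles both PE32 and PE32+ images, which the paragraph does not distinguish. The sample image it parses is constructed in `build_sample_pe()` and is not a real program; the `CAPABILITY_HINTS` table is an analyst's heuristic chosen for this example, not anything the article specifies.

```python
import struct

# Constants from the PE/COFF specification.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import directory in the data directory

def _section_table(data, coff_off, nsec, opt_size):
    """Return (name, VirtualAddress, size, PointerToRawData) for each section header."""
    base = coff_off + 20 + opt_size  # section headers follow the optional header
    secs = []
    for i in range(nsec):
        off = base + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, va, max(vsize, rawsize), rawptr))
    return secs

def rva_to_offset(rva, sections):
    """Translate an in-memory RVA to a file offset via the section that contains it."""
    for _, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Walk MZ -> PE signature -> optional header -> import directory -> thunks.
    Returns {dll_name: [function name or 'ordinal#N', ...]} for PE32 and PE32+ files."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_off, thunk_fmt = 96, "<I"    # data directory at +96, 32-bit thunks
    elif magic == PE32PLUS_MAGIC:
        dd_off, thunk_fmt = 112, "<Q"   # 64-bit images: data directory at +112, 64-bit thunks
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}
    imp_rva, _ = struct.unpack_from("<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return {}   # no import directory at all; unusual, and itself worth noting
    sections = _section_table(data, coff, nsec, opt_size)
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (thunk_size * 8 - 1)   # top bit set: import by ordinal, not by name
    imports, desc_off = {}, rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break   # an all-zero descriptor terminates the list
        dll = _cstring(data, rva_to_offset(name_rva, sections))
        thunk_off = rva_to_offset(oft or ft, sections)   # some linkers leave OriginalFirstThunk zero
        funcs = []
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if thunk == 0:
                break
            if thunk & ordinal_flag:
                funcs.append(f"ordinal#{thunk & 0xFFFF}")
            else:   # IMAGE_IMPORT_BY_NAME: a WORD hint, then the NUL-terminated function name
                funcs.append(_cstring(data, rva_to_offset(thunk, sections) + 2))
            thunk_off += thunk_size
        imports[dll] = funcs
        desc_off += 20
    return imports

# Analyst's capability heuristics (constructed for this example; a triage hint, not a verdict).
CAPABILITY_HINTS = {
    "network":    {"WININET.DLL": ("Internet",), "WS2_32.DLL": ("send", "recv", "connect", "WSA")},
    "file-write": {"KERNEL32.DLL": ("WriteFile", "CreateFile", "CopyFile", "MoveFile")},
    "hooking":    {"USER32.DLL": ("SetWindowsHookEx",)},
    "ui":         {"USER32.DLL": ("MessageBox", "CreateWindow")},
}

def triage(imports):
    """Group imports by hinted capability, e.g. {'network': ['WININET.dll!InternetOpenUrlA']}."""
    hits = {}
    for dll, funcs in imports.items():
        for cap, rules in CAPABILITY_HINTS.items():
            prefixes = rules.get(dll.upper(), ())
            for f in funcs:
                if f.startswith(prefixes):
                    hits.setdefault(cap, []).append(f"{dll}!{f}")
    return hits

def build_sample_pe():
    """Constructed minimal PE32 image with a two-DLL import table (test data, not a real program)."""
    SEC_RVA, SEC_RAW, SEC_SIZE = 0x1000, 0x200, 0x200
    sec = bytearray(SEC_SIZE)
    rva = lambda off: SEC_RVA + off
    def put(off, blob): sec[off:off + len(blob)] = blob
    put(0x00, struct.pack("<IIIII", rva(0x40), 0, 0, rva(0x70), rva(0x50)))   # USER32 descriptor
    put(0x14, struct.pack("<IIIII", rva(0x60), 0, 0, rva(0xD0), rva(0x68)))   # WININET descriptor
    put(0x40, struct.pack("<III", rva(0x80), rva(0x90), 0))    # USER32 name table (INT)
    put(0x50, struct.pack("<III", rva(0x80), rva(0x90), 0))    # USER32 address table (IAT, on disk)
    put(0x60, struct.pack("<II", rva(0xB0), 0))                # WININET INT
    put(0x68, struct.pack("<II", rva(0xB0), 0))                # WININET IAT
    put(0x70, b"USER32.dll\0")
    put(0x80, struct.pack("<H", 0) + b"MessageBoxA\0")
    put(0x90, struct.pack("<H", 0) + b"CreateWindowExA\0")
    put(0xB0, struct.pack("<H", 0) + b"InternetOpenUrlA\0")
    put(0xD0, b"WININET.dll\0")
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew: PE header at 0x40
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, rva(0), 0x3C)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)   # i386, one section, EXE
    sec_hdr = b".idata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(SEC_RAW, b"\0")) + bytes(sec)
```

Running `triage(parse_imports(build_sample_pe()))` reports the constructed sample's USER32 imports under "ui" and its WININET import under "network", which is exactly the kind of first-pass answer the paragraph describes: the binary has code paths that talk to the Internet, before a single instruction has been disassembled. On a real file the same two calls can be run over `open(path, "rb").read()`; imports resolved at run time through LoadLibrary/GetProcAddress, or hidden by a packer, will not appear here, which is why the import table is a starting point rather than a complete inventory.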
Next, strings can be extracted from the executable to search for interesting text. If the spyware target writes URLs to the hosts file, the URLs will usually be clearly visible inside the executable file. An excellent string extraction tool is AnalogX TextScan, shown below.
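As an added example (not part of the original article, and not AnalogX TextScan), the string-extraction step above can be reproduced in a few lines. The one practitioner's refinement it adds is that Windows binaries hold many strings, URLs included, as UTF-16LE "wide" text, which a plain ASCII scan misses entirely. The sample bytes and the `.invalid` hostnames are constructed for this example.

```python
import re

def extract_strings(data, min_len=6):
    """Return (encoding, text) for every printable run of at least min_len characters.
    Both plain ASCII and UTF-16LE ("wide") runs are reported, because Windows binaries
    store many user-visible strings, URLs among them, as wide characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found

# URLs, plus "address hostname" pairs in the layout the hosts file uses.
INDICATOR_RE = re.compile(r"https?://[^\s\"'<>]+|(?:\d{1,3}\.){3}\d{1,3}\s+[\w.-]+")

def find_indicators(strings):
    """Keep only the strings that look like network indicators worth a closer look."""
    return [(enc, s) for enc, s in strings if INDICATOR_RE.search(s)]

# Constructed sample: header noise, an ASCII URL, a wide hosts-file line and a DLL name.
# The .invalid top-level domain is reserved, so these are not real hosts.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"http://example.invalid/update.cgi\x00"
          + b"\x00\x7f\x01" * 5
          + "127.0.0.1 www.example.invalid".encode("utf-16-le") + b"\x00\x00"
          + b"kernel32.dll\x00")

if __name__ == "__main__":
    for enc, s in extract_strings(SAMPLE):
        print(f"{enc:9} {s}")
    print("indicators:", find_indicators(extract_strings(SAMPLE)))
```

The ASCII pass alone would report the URL and `kernel32.dll` but never the hosts-file line, since every other byte of a wide string is a NUL. Strings that are built at run time, or that sit inside packed or encrypted sections, do not show up either; an executable with almost no readable strings is itself a signal that the next step, disassembly, is needed.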
After all of the background information has been gathered, the spyware target can be reverse engineered: using a disassembler such as Neuron PE Disassembler or Proview Disassembler, the executable is converted into assembly language source code. With a live debugger such as OllyDbg and that assembly source, known as the dead listing, the logic of the program can be followed and an understanding of exactly how it works developed.
Antivirus companies such as Symantec and Network Associates use these same techniques to reverse engineer viruses and produce antivirus software.