Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content
Attack Pattern ID: 190 (Standard Attack Pattern Completeness: Complete)Typical Severity: LowStatus: Draft
+ Description


An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable.

Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, interprocess communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications.

White box analysis techniques include file or binary analysis, debugging, disassembly, and decompilation, and generally fall into categories referred to as 'static' and 'dynamic' analysis. Static analysis encompasses methods which analyze the binary, or extract its source code or object code without executing the program. Dynamic analysis involves analyzing the program during execution.

Some forms of file analysis tools allow the executable itself to be analyzed, the most basic of which can analyze features of the binary, such as the strings contained within the file. More sophisticated forms of static analysis analyze the binary file and extract assembly code, and possibly source code representations, from analyzing the structure of the file itself. Dynamic analysis tools execute the binary file and monitor its in memory footprint, revealing its execution flow, memory usage, register values, and machine instructions. This type of analysis is most effective for analyzing the execution of binary files whose content has been obfuscated or encrypted in its native executable form.

Debuggers allow the program's execution to be monitored, and depending upon the debugger's sophistication may show relevant source code for each step in execution, or may display and allow interactions with memory, variables, or values generated by the program during run-time operations. Disassemblers operate in reverse of assemblers, allowing assembly code to be extracted from a program as it executes machine code instructions. Disassemblers allow low-level interactions with the program as it executes, such as manipulating the program's run time operations. Decompilers can be utilized to analyze a binary file and extract source code from the compiled executable. Collectively, the tools and methods described are those commonly applied to a binary executable file and provide means for reverse engineering the file by revealing the hidden functions of its operation or composition.

+ Resources Required

Access to the target file such that it can be analyzed with the appropriate tools. A range of tools suitable for analyzing an executable or its operations

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
798Use of Hard-coded CredentialsTargeted
259Use of Hard-coded PasswordSecondary
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern175Code Inclusion 
Mechanism of Attack (primary)1000
ChildOfAttack PatternAttack Pattern189Software Reverse Engineering 
Mechanism of Attack1000
ParentOfAttack PatternAttack Pattern191Read Sensitive Stings Within an Executable 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern252PHP Local File Inclusion 
Mechanism of Attack (primary)1000
+ References