This list is far from a complete list of the tools available for reversing, but it gives you a chance to discover the ones you need and that fit your task.
Reverse engineering example from life
Now we'll see how to reverse engineer software using a small example. Let's say you have an executable file that looks suspicious. You want to find out what this program does and whether it is safe for users. Given that task, it would be a good idea not to run it on your work computer; use a virtual machine instead. Let's start the application.
[Screenshot: the process creates a service]
As we can see, this process creates a Windows service named TestDriver. The service has the kernel type, so we know it is a driver. But where does it get the driver file it runs? We can use FileMon from Sysinternals to find out. We open FileMon, set up the filters so that it shows only the process we need, and look at its log.
[Screenshot: FileMon log for the process]
Now we know that the file is created by the process we are reversing, which places it in the current user's temp directory. There is no need to go to the temp folder looking for the file, since we can see that the process deletes it right after use. So where does the process get it from? If it unpacks the file, we may try to find it in the process's resource section, since that is a common place to store such data. Let's try it. We will use another tool, Resource Hacker, to examine the resources. Let's run it.
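The "created in temp, then deleted right after use" pattern is easy to spot by eye in a short log, but on a busy system it is worth correlating mechanically. The following added example (not part of the original article and not FileMon's own output format) parses a constructed, tab-separated file-monitor log and reports every temp file that the suspect process created and later deleted successfully. The process name `suspect.exe`, the paths, and the field layout are all assumptions made for the example; a Process Monitor CSV export would need a different `parse_log`.

```python
from pathlib import PureWindowsPath

# Constructed sample log, not real FileMon output. Tab-separated fields:
# sequence number, process (name:pid), operation, path, result.
SAMPLE_LOG = """\
1\tsuspect.exe:1234\tCREATE\tC:\\Users\\bob\\AppData\\Local\\Temp\\drv1A2B.tmp\tSUCCESS
2\tsuspect.exe:1234\tWRITE\tC:\\Users\\bob\\AppData\\Local\\Temp\\drv1A2B.tmp\tSUCCESS
3\texplorer.exe:812\tOPEN\tC:\\Windows\\System32\\shell32.dll\tSUCCESS
4\tservices.exe:600\tOPEN\tC:\\Users\\bob\\AppData\\Local\\Temp\\drv1A2B.tmp\tSUCCESS
5\tsuspect.exe:1234\tDELETE\tC:\\Users\\bob\\AppData\\Local\\Temp\\drv1A2B.tmp\tSUCCESS
6\tsuspect.exe:1234\tCREATE\tC:\\Users\\bob\\AppData\\Local\\Temp\\settings.ini\tSUCCESS
7\tsuspect.exe:1234\tDELETE\tC:\\Users\\bob\\AppData\\Local\\Temp\\missing.tmp\tNOT FOUND
"""


def parse_log(text):
    """Yield (seq, process, op, path, result) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 5:
            seq, proc, op, path, result = parts
            yield int(seq), proc, op.upper(), path, result


def is_temp_path(path):
    """True if any directory component of the Windows path is named 'Temp' (case-insensitive)."""
    return any(part.lower() == "temp" for part in PureWindowsPath(path).parts)


def dropped_then_deleted(text, process):
    """Return [(path, create_seq, delete_seq)] for temp files the given process
    created and later deleted; only successful operations count."""
    pending = {}    # lower-cased path -> (original path, sequence number of CREATE)
    findings = []
    for seq, proc, op, path, result in parse_log(text):
        if not proc.startswith(process + ":") or result != "SUCCESS":
            continue
        key = path.lower()
        if op == "CREATE" and is_temp_path(path):
            pending[key] = (path, seq)
        elif op == "DELETE" and key in pending:
            orig_path, create_seq = pending.pop(key)
            findings.append((orig_path, create_seq, seq))
    return findings


if __name__ == "__main__":
    for path, created, deleted in dropped_then_deleted(SAMPLE_LOG, "suspect.exe"):
        print(f"{path}: created at #{created}, deleted at #{deleted}")
```

Only `drv1A2B.tmp` is reported: `settings.ini` is created but never deleted, and the failed delete of `missing.tmp` is ignored because it did not succeed. Note that FileMon itself has since been superseded by Process Monitor in the Sysinternals suite, which is what you would use today for the same step.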
[Screenshot: examining the resources with Resource Hacker]
Bingo! As we can see from the content of the resource we found, this is probably a Windows executable file, since it contains the string "This program cannot be run in DOS mode." Let's check whether it is our driver file. For that purpose, we extract the resource with Resource Hacker and open it in a disassembler.
[Screenshot: the extracted file in the disassembler]
As we know, DriverEntry is the entry point of kernel-mode drivers on Windows. It looks like we have found the right driver, so we can continue our research.
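The two checks above (the DOS-stub string that suggests an embedded executable, and the later confirmation that it is a driver) can both be done on the raw bytes before reaching for a disassembler. The following added example, which is not code from the article or from Resource Hacker, scans an arbitrary blob such as a dumped resource for embedded PE images by following the MZ header's `e_lfanew` pointer to the `PE\0\0` signature, and then reads the optional header's Subsystem field: kernel-mode drivers use `IMAGE_SUBSYSTEM_NATIVE` (1), so a native-subsystem image inside a resource is a strong hint that it is the dropped driver. It goes beyond the article's single case by also reporting the machine type and PE32/PE32+ format. The `build_fake_pe` helper produces constructed test data with a correct header layout only; it is not a real or runnable executable.

```python
import struct

# Marker text from the standard DOS stub that ships in almost every PE file.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."
IMAGE_SUBSYSTEM_NATIVE = 1  # Subsystem value used by kernel-mode drivers
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def find_embedded_pe(data: bytes) -> list:
    """Scan a byte blob (e.g. a dumped resource) for embedded PE images.

    A hit requires the full MZ -> e_lfanew -> PE\\0\\0 chain to be valid, which
    keeps random occurrences of the two bytes 'MZ' out of the results.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                       # room for the whole DOS header
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # Optional header starts at pe+24; Subsystem is at offset 68 in both
            # PE32 and PE32+ optional headers, so pe+24+70 bytes must exist.
            if e_lfanew >= 0x40 and pe + 94 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                (machine,) = struct.unpack_from("<H", data, pe + 4)
                (magic,) = struct.unpack_from("<H", data, pe + 24)
                (subsystem,) = struct.unpack_from("<H", data, pe + 24 + 68)
                hits.append({
                    "offset": pos,
                    "e_lfanew": e_lfanew,
                    "machine": MACHINE_NAMES.get(machine, hex(machine)),
                    "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
                    "subsystem": subsystem,
                    "dos_stub_message": DOS_STUB_MSG in data[pos:pe],
                    "likely_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE,
                })
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_fake_pe(subsystem: int) -> bytes:
    """Constructed test data: a minimal, non-runnable blob with a correct MZ/PE header layout."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew: PE signature at 0x80
    stub = (DOS_STUB_MSG + b"\r\n$").ljust(0x40, b"\0")     # fake DOS stub fills 0x40..0x80
    # IMAGE_FILE_HEADER: Machine=x64, 1 section, no symbols, SizeOfOptionalHeader=0xF0
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)               # Subsystem field
    return bytes(dos) + stub + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed carrier: padding, a decoy 'MZ' followed by garbage, then the fake driver image.
    carrier = (b"\x00" * 100 + b"MZ" + b"\xff" * 62
               + build_fake_pe(IMAGE_SUBSYSTEM_NATIVE) + b"\x00" * 16)
    for hit in find_embedded_pe(carrier):
        print(hit)
```

The decoy `MZ` is rejected because its `e_lfanew` points outside the buffer, and the real image is reported at offset 164 as a PE32+ x64 image with subsystem 1. On a real resource dump, a hit with `likely_driver` set is the candidate to extract and open in the disassembler, where `DriverEntry` should then be visible as the article shows.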
[Screenshot: how to reverse engineer a driver]