PE Executable Debugger/Disassembler (i386/amd64)?

Maelstorm

Well-Known Member

Thanks: 106
Messages: 282

#1
I am looking for a debugger or disassembler for Windows PE format executables, something similar to objdump. I'm taking a class in computer forensics and the research project that my team is working on is reverse engineering malware. We have the malware (it's not hard to find). For obvious reasons, I do not want to do this on a Windows machine.

Any suggestions?

tingo

Daemon

Thanks: 320
Messages: 1,815

#3
I haven't used it, but semblance is a disassembler that also supports PE files. If you search for "portable executable" on Github there are lots of tools to extract information from PE files.
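Since the thread is about inspecting PE files from a non-Windows box, here is a minimal header reader in Python, added as an example (it is not a tool from the thread nor from any project mentioned in it). It follows the DOS header to e_lfanew, validates the PE signature, reads the COFF file header and the PE32/PE32+ optional header magic, lists the section table, and flags sections that are both writable and executable or an entry point that does not land in an executable section, the kind of quick static triage you would do before loading a sample in a disassembler. The image it parses is constructed inline with struct (not a real binary), so the script runs offline on any OS; swap build_sample_pe() for open(path, "rb").read() to read a real file.

```python
import struct

# Constants from the PE/COFF specification (only the subset used here).
MACHINE_NAMES = {0x014C: "i386", 0x8664: "amd64"}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, PE signature, COFF file header, optional header
    magic and the section table; return a plain dict summary."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")

    # IMAGE_FILE_HEADER: 20 bytes directly after the 4-byte signature.
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)

    # IMAGE_OPTIONAL_HEADER: the Magic field selects the PE32 / PE32+ layout.
    opt_off = e_lfanew + 24
    if opt_size < 32 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint (RVA)
    if magic == 0x10B:    # PE32: BaseOfData at +24, 32-bit ImageBase at +28
        bits, image_base = 32, struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24
        bits, image_base = 64, struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    # Section table: one 40-byte IMAGE_SECTION_HEADER per section.
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsections):
        off = sec_off + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_offset": rawptr, "raw_size": rawsize, "flags": flags})

    return {"machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"), "bits": bits,
            "characteristics": characteristics, "entry_point": entry,
            "image_base": image_base, "sections": sections}


def section_for_rva(info: dict, rva: int):
    """Return the section whose virtual range contains rva, or None."""
    for s in info["sections"]:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + size:
            return s
    return None


def triage(info: dict) -> list:
    """Cheap static red flags worth a closer look in the disassembler.
    These are hints, not a verdict: packers and some compilers produce them too."""
    findings = []
    for s in info["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    ep = section_for_rva(info, info["entry_point"])
    if ep is None:
        findings.append("entry point lies outside every section")
    elif not ep["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep['name']}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed sample (not a real program): a minimal PE32+ image with a
    normal .text section and a writable+executable section named .packd."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    opt = bytearray(240)                              # SizeOfOptionalHeader for PE32+
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)      # ImageBase
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)  # amd64, 2 sections

    def sec(name, vaddr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, flags)

    sections = (sec(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
                + sec(b".packd", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                      | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"{info['machine']} PE{info['bits']} base=0x{info['image_base']:x} entry=0x{info['entry_point']:x}")
    for s in info["sections"]:
        perms = "".join(p if s["flags"] & f else "-" for p, f in
                        (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE), ("x", IMAGE_SCN_MEM_EXECUTE)))
        print(f"  {s['name']:<8} rva=0x{s['virtual_address']:06x} vsize=0x{s['virtual_size']:x} {perms}")
    for f in triage(info):
        print("  !", f)
```

The output is deliberately objdump -h style: machine, image base, entry point, then one line per section with its RVA, size and r/w/x bits. A W+X section or an entry point outside .text is a common first hint that a sample is packed, which tells you where to set the first breakpoint once you open it in a debugger.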

kpedersen

Daemon

Thanks: 299
Messages: 1,112

#4
Check out OllyDbg (http://www.ollydbg.de/). It is not open-source but other than IDA Pro (which is expensive and far too complex for me :p) is the de facto standard for security analysis of binaries. Not to mention that it has a built-in patching tool making it extremely convenient to crack software.

I do a few guest lectures in the cyber-security department at Bournemouth University about patching out DRM and OllyDbg is so nice to use that it actually enables me to do live demos.

Other than that, check out radare2 (https://rada.re/r/) (I used to be the FreeBSD port maintainer but I kinda got too busy if you would perhaps like to take it over? :)). This works on Windows and is particularly good at scripting (perhaps not great for live demos) and creating automated workflows and repetitive tasks.

(As an aside: this book is fantastic, though a little bit dated now I guess: https://www.amazon.co.uk/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817. It uses OllyDbg for many of the examples so might be a very good tutorial on how to use the tool.)