Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?


Question

A friend of mine downloaded some malware from Facebook, and I'm curious to see what it does without infecting myself. I know that you can't really decompile an .exe, but can I at least view it in Assembly or attach a debugger?

Edit to say it is not a .NET executable, no CLI header.

Recommended answer

With a debugger you can step through the program assembly interactively.
With a disassembler, you can view the program assembly in more detail.
With a decompiler, you can turn a program back into partial source code, assuming you know what it was written in (which you can find out with free tools such as PEiD - if the program is packed, you'll have to unpack it first).

  • OllyDbg, free, a fine debugger, for which you can find numerous user-made plugins and scripts to make it all the more useful.
  • WinDbg, free, a quite capable debugger by Microsoft. WinDbg is especially useful for looking at the Windows internals, since it knows more about the data structures than other debuggers.
  • SoftICE, SICE to friends. Commercial and development stopped in 2006. SoftICE is kind of a hardcore tool that runs beneath the operating system (and halts the whole system when invoked). SoftICE is still used by many professionals, although might be hard to obtain and might not work on some hardware (or software - namely, it will not work on Vista or NVIDIA gfx cards).

  • IDA Pro (commercial) - top of the line disassembler/debugger. Used by most professionals, like malware analysts etc. Costs quite a few bucks though (there is a free version, but it is quite limited).
  • W32Dasm (free) - a bit dated but gets the job done. I believe W32Dasm is abandonware these days, and there are numerous user-created hacks to add some very useful functionality. You'll have to look around to find the best version.

  • Visual Basic: VB Decompiler, commercial, produces somewhat identifiable bytecode.
  • Delphi: DeDe, free, produces good quality source code.
  • C: HexRays, commercial, a plugin for IDA Pro by the same company. Produces great results but costs a big buck, and won't be sold to just anyone (or so I hear).
  • .NET (C#): dotPeek, free, decompiles .NET 1.0-4.5 assemblies to C#. Supports .dll, .exe, .zip, .vsix, .nupkg, and .winmd files.

Some related tools that might come handy in whatever it is you're doing are resource editors such as ResourceHacker (free) and a good hex editor such as Hex Workshop (commercial).

Additionally, if you are doing malware analysis (or use SICE), I wholeheartedly suggest running everything inside a virtual machine, namely VMware Workstation. In the case of SICE, it will protect your actual system from BSODs, and in the case of malware, it will protect your actual system from the target program. You can read about malware analysis with VMware here.

Personally, I roll with Olly, WinDbg & W32Dasm, and some smaller utility tools.

Also, remember that disassembling or even debugging other people's software is usually against the EULA in the very least :)
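The asker's edit rules out .NET by noting the sample has no CLI header, and the answer says the first step is finding out what the program was written in. The check behind that statement is a plain PE header parse, shown below as an added example (not code from the question, the answer or any of the tools named): it reads the data directory slot for the CLR header and reports whether the image is managed. The function names, the constructed header-only sample bytes and the `0x2008`/`0x48` values are my own; a real file would be read with `open(path, "rb").read()`.

```python
import struct

# Data-directory slot of the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR).
COM_DESCRIPTOR_INDEX = 14

def clr_directory(data: bytes):
    """Return (rva, size) of the CLR header entry, or None if the image has no such slot.
    Raises ValueError when the input is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    count = struct.unpack_from("<I", data, count_off)[0]
    entry = dirs_off + 8 * COM_DESCRIPTOR_INDEX
    if count <= COM_DESCRIPTOR_INDEX or entry + 8 > opt + size_of_opt:
        return None         # too few directories to hold a CLR entry at all
    return struct.unpack_from("<II", data, entry)

def is_dotnet(data: bytes) -> bool:
    """A managed (.NET) image has a non-empty CLR header entry; a native one does not."""
    entry = clr_directory(data)
    return entry is not None and entry[0] != 0 and entry[1] != 0

def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed sample: header-only PE bytes (not loadable), enough to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    magic, fixed = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = struct.pack("<H", magic) + b"\0" * (fixed - 6) + struct.pack("<I", 16)
    dirs = b"".join(struct.pack("<II", 0x2008, 0x48) if (i == COM_DESCRIPTOR_INDEX and dotnet)
                    else struct.pack("<II", 0, 0) for i in range(16))
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt) + len(dirs), 0x102)
    return dos + b"PE\0\0" + coff + opt + dirs

if __name__ == "__main__":
    for label, sample in (("native", build_minimal_pe(False)), ("managed", build_minimal_pe(True))):
        print(label, "-> .NET" if is_dotnet(sample) else "-> not .NET")
```

An empty CLR slot only tells you the outer image is native: a packer or native loader stub can wrap a managed payload, which is why the answer's advice to unpack first (after checking with PEiD) still applies before picking a decompiler.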
