Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?

Views: 40

Question

A friend of mine downloaded some malware from Facebook, and I'm curious to see what it does without infecting myself. I know that you can't really decompile an .exe, but can I at least view it in Assembly or attach a debugger?

Edit to say it is not a .NET executable, no CLI header.

Recommended answer

With a debugger you can step through the program assembly interactively.
With a disassembler, you can view the program assembly in more detail.
With a decompiler, you can turn a program back into partial source code, assuming you know what it was written in (which you can find out with free tools such as PEiD - if the program is packed, you'll have to unpack it first OR Detect-it-Easy if you can't find PEiD anywhere. DIE has a strong developer community on github currently).

  • OllyDbg, free, a fine 32-bit debugger, for which you can find numerous user-made plugins and scripts to make it all the more useful.
  • WinDbg, free, a quite capable debugger by Microsoft. WinDbg is especially useful for looking at the Windows internals, since it knows more about the data structures than other debuggers.
  • SoftICE, SICE to friends. Commercial, and development stopped in 2006. SoftICE is kind of a hardcore tool that runs beneath the operating system (and halts the whole system when invoked). SoftICE is still used by many professionals, although it might be hard to obtain and might not work on some hardware (or software - namely, it will not work on Vista or NVIDIA gfx cards).

  • IDA Pro (commercial) - top of the line disassembler/debugger. Used by most professionals, like malware analysts etc. Costs quite a few bucks though (there exists a free version, but it is quite, quite limited).
  • W32Dasm (free) - a bit dated but gets the job done. I believe W32Dasm is abandonware these days, and there are numerous user-created hacks to add some very useful functionality. You'll have to look around to find the best version.

  • Visual Basic: VB Decompiler, commercial, produces somewhat identifiable bytecode.
  • Delphi: DeDe, free, produces good quality source code.
  • C: HexRays, commercial, a plugin for IDA Pro by the same company. Produces great results but costs a big buck, and won't be sold to just anyone (or so I hear).
  • .NET (C#): dotPeek, free, decompiles .NET 1.0-4.5 assemblies to C#. Support for .dll, .exe, .zip, .vsix, .nupkg, and .winmd files.

Some related tools that might come handy in whatever it is you're doing are resource editors such as ResourceHacker (free) and a good hex editor such as Hex Workshop (commercial).

Additionally, if you are doing malware analysis (or use SICE), I wholeheartedly suggest running everything inside a virtual machine, namely VMware Workstation. In the case of SICE, it will protect your actual system from BSODs, and in the case of malware, it will protect your actual system from the target program. You can read about malware analysis with VMware here.

Personally, I roll with Olly, WinDbg & W32Dasm, and some smaller utility tools.

Also, remember that disassembling or even debugging other people's software is usually against the EULA in the very least :)
