Q about reverse engineering tools people use


I'm curious about what sorts of tools people use to automate the process of reverse engineering malware binaries. I'm reasonably familiar with disassemblers (for static analysis), and emulators/VMs and debuggers (for dynamic analysis). The obvious problem is that static analyses are susceptible to various sorts of binary obfuscations, while dynamic analyses would seem to be susceptible to various sorts of anti-monitoring defenses, time bombs, logic bombs, etc.

Do people go and manually work around these defenses, e.g., manually identify and eliminate anti-VM defenses, time bombs, logic bombs, etc. and then run the code again? Are there any existing tools that could automate some or all of this process?

Once a disassembly is obtained, are there any tools to map that back to something approaching C, or is that done by hand as well?

[I've looked in the literature but found very little mention of any sort of tools beyond disassemblers (IDA Pro + plugins) and debuggers (OllyDbg), but am wondering whether maybe I missed anything.]