Collecting and reverse engineering custom essay.

Title : Malware Collecting and Reverse Engineering

The paper needs to cover these points in detail:

  • Introduction to Malware Collecting and Reverse Engineering (no more than one page)
  • Implementing the malware collecting phases: Malware Sample Gathering Phase, Investigation Phase and Reporting Phase.


  • Show in detail the download link for each tool, how to use each tool, and examples of a malware sample examined with each tool (show pictures of the examination if available).


| Name | Type | Description |
|------|------|-------------|
| BCEL – Apache Commons | Java bytecode engineering library | Apache Commons BCEL, also known as the Byte Code Engineering Library, is intended to give users a convenient way to analyze, create and manipulate Java bytecode. |
| ASM | Java bytecode engineering library | ASM is an all-round Java bytecode analysis and manipulation framework. It can be used to modify existing classes or to generate classes dynamically, directly in binary form. |
| Boomerang | Decompiler – machine code | The Boomerang project is an attempt to create a free native code decompiler for cases where the source code of an application has been lost. |
| CafeBabe | Editor – Java bytecode | CafeBabe is a graphical disassembler and editor for Java bytecode. Manual editing of the bytecode is limited to the constant pool section. |
| FernFlower | Decompiler – Java bytecode | FernFlower is the first analytical Java decompiler. It decompiles jar files and class files to human-readable Java code and will also deobfuscate the source if requested to do so. |
| Frida | Machine code analysis and instrumentation | Frida is a dynamic code instrumentation toolkit. It allows the user to inject JavaScript snippets into native applications on Mac, Linux, Windows, iOS and Android. |
| FrontEnd Plus | Decompiler – Java bytecode | FrontEnd Plus is a graphical workbench that acts as a front-end interface to the Jad Java decompiler. FrontEnd does not consistently compile Java code, so the tool therefore requires manual |
| IDA Pro | Machine code interactive disassembler and debugger | IDA Pro is an interactive disassembler and debugger for applications compiled to native code, for instance C/C++ binaries. It contains numerous algorithms for generating execution maps and graphs of native code, assisting the analyst in recovering pseudo-code and the design of an application. |
| ILSpy | .NET Intermediate Language browser and decompiler | ILSpy is an open-source .NET decompiler and assembly browser. |
| Jad | Decompiler – Java bytecode | Jad takes Java class files as input and tries to produce functionally equivalent Java source code. Where the Java bytecode has not been obfuscated to hinder reverse engineering, the produced Java source code fairly closely resembles what the original programmer wrote. |
| Jclasslib Bytecode Viewer | Java bytecode viewer with editing library | Jclasslib Bytecode Viewer visualizes all aspects of compiled Java class files and the bytecode they contain. Additionally, Jclasslib includes a library that allows developers to read, write and modify class files and bytecode. |
| PEBrowse Professional Interactive | Machine code interactive debugger and disassembler | PEBrowse Professional Interactive is an on-line (user mode) interactive disassembler and debugger for Windows applications that works at the lowest level possible, the Intel x86 instruction level. It can be used for static (off-line) analysis of Windows programs or system DLLs, or for dynamic (on-line) analysis of applications as they run. |
| ProGuard | Obfuscator – Java bytecode | ProGuard is a free Java class file shrinker, optimizer, pre-verifier and obfuscator. It detects and removes unused classes, methods, fields and attributes, removes unused instructions and optimizes bytecode. It then renames the remaining classes, methods and fields using short, meaningless names. Lastly, it pre-verifies the processed code for Java Micro Edition or for Java 6. |
| Reverse Engineering Compiler (REC) | Decompiler – machine code | REC is a portable reverse engineering compiler (decompiler). It reads an executable file and tries to produce a C-like representation of the code and data used to build it. REC is portable because it has been designed to read files produced for several different targets, and it has been compiled and tested on several host systems. REC Studio provides a modern user interface to the tool's interactive mode. |
| Threat Expert | Threat report generator and malware scanner | Threat Expert is an automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, Trojans, adware, spyware and other security-related risks. The tool is fully automated. |


  • What are the advantages and disadvantages of a research department having its own malware database and its own reverse engineering methods for research purposes? For example, one of the disadvantages is a malware sample leaking from the database, which could damage the current system. To prevent this from happening, the research department could encrypt the stored samples so that the malware cannot be accidentally activated. (Please give a solution or a recommendation for each disadvantage.)
