Reverse Engineering Malware on Linux with IDA Pro
July 31st, 2008 by Kristian Erik Hermansen
The brief method. If I get good response to this post, I will put up a more detailed and in-depth look at malware reversing on Linux.
Steps:
* Download IDA Pro (freeware)
* Install wine
* Install IDA Pro
* Start reversing
Download IDA Pro (freeware):
$ cd /tmp
$ wget http://85.17.201.4/files/idafree49.exe
Install wine:
$ sudo aptitude install wine
Install IDA Pro:
$ wine /tmp/idafree49.exe
Start reversing:
$ wine "~/.wine/drive_c/Program Files/IDA Free/idag.exe"
-> Now open the malware binary and select the option for ELF executables
This post is a stub for a future longer version if anyone shows interest. I don't even know how many Linux Journal readers actually reverse malware on Linux...
__________________________
Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist. Track Me.
Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Delicious
Digg
StumbleUpon
Reddit
Facebook
Post to TwitterSubscribe now!
The Latest
Newsletter
Tech Tip Videos
Recently Popular
From the Magazine
July 2009, #183
News Flash: Linux Kernel 3.0 to include an on-the-go Expresso machine interface! Ok, maybe not, but Linux is definitely going mobile, from phones to e-readers. Find out more inside about Android, the Kindle 2, the Western Digital MyBook II, The Bug, and Indamixx (a portable recording studio). And if you've gone mobile and you been wanting more Emacs in your life then check out Conkeror.
To compliment the mobile we've got the stationary: parsing command line options with getopt, checking your Ruby code with metric_fu, and building a secure Squid proxy. How is this stationary you ask? What can we say? It's not. We just wanted to see if anybody actually read this part of the page :) .
All this and more, and all you have to do is get your hot sweaty hands on the latest copy of Linux Journal.
+1
On August 9th, 2008 slowpoison (not verified) says:
I need to see more!
I need it too!
On August 7th, 2008 Kamal Wickramanayake (not verified) says:
Count me in.
I want to see a more
On July 31st, 2008 Gullit (not verified) says:
I want to see a more detailed and in-depth look at malware reversing on Linux too!
Thanks in advance!
Count me in(terested)
On July 31st, 2008 EdT. (not verified) says:
I am definitely interested in the in-depth version!
~EdT.
the linux part is irrelevant
On July 31st, 2008 b0ne (not verified) says:
Reverse engineering malware with IDA is the same regardless of which platform you use, especially if you are using WINE and IDA v4.9 free. There is a linux native version of IDA, except that it is commercial only.
Either way, you are still going to need a virtualbox/vmware/etc virtualization image of Windows XP SP2 or newer in order to effectively unpack most malware using a debugger.
I dont see why you think a
On July 31st, 2008 Kristian Erik Hermansen says:
I dont see why you think a windows installation is necessary to unpack linux ELF obfuscated binaries :-)
__________________________Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist. Track Me.
Post new comment