Reverse Engineering Malware on Linux with IDA Pro
July 31st, 2008 by Kristian Erik Hermansen
The brief method. If I get good response to this post, I will put up a more detailed and in-depth look at malware reversing on Linux.
Steps:
* Download IDA Pro (freeware)
* Install wine
* Install IDA Pro
* Start reversing
Download IDA Pro (freeware):
$ cd /tmp
$ wget http://85.17.201.4/files/idafree49.exe
Install wine:
$ sudo aptitude install wine
Install IDA Pro:
$ wine /tmp/idafree49.exe
Start reversing:
$ wine "~/.wine/drive_c/Program Files/IDA Free/idag.exe"
-> Now open the malware binary and select the option for ELF executables
This post is a stub for a future longer version if anyone shows interest. I don't even know how many Linux Journal readers actually reverse malware on Linux...
__________________________
Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist. Track Me.
Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Delicious
Digg
StumbleUpon
Reddit
Facebook
Post to TwitterSubscribe now!
The Latest
Newsletter
Tech Tip Videos
Recently Popular
From the Magazine
December 2009, #188
If last month's Infrastrucuture issue was too "big" for you then try on this month's Embedded issue. Find out how to use Player for programming mobile robots, build a humidity controller for your root cellar, find out how to reduce the boot time of your embedded system, and if you're new to embedded systems find out the basics that go into one. You can also read about the Beagle Board, the Mesh Potato and a spate of other interestingly named items. And along with our regular columns don't miss our new monthly column: Economy Size Geek.
+1
On August 9th, 2008 slowpoison (not verified) says:
I need to see more!
I need it too!
On August 7th, 2008 Kamal Wickramanayake (not verified) says:
Count me in.
I want to see a more
On July 31st, 2008 Gullit (not verified) says:
I want to see a more detailed and in-depth look at malware reversing on Linux too!
Thanks in advance!
Count me in(terested)
On July 31st, 2008 EdT. (not verified) says:
I am definitely interested in the in-depth version!
~EdT.
the linux part is irrelevant
On July 31st, 2008 b0ne (not verified) says:
Reverse engineering malware with IDA is the same regardless of which platform you use, especially if you are using WINE and IDA v4.9 free. There is a linux native version of IDA, except that it is commercial only.
Either way, you are still going to need a virtualbox/vmware/etc virtualization image of Windows XP SP2 or newer in order to effectively unpack most malware using a debugger.
I dont see why you think a
On July 31st, 2008 Kristian Erik Hermansen says:
I dont see why you think a windows installation is necessary to unpack linux ELF obfuscated binaries :-)
__________________________Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist. Track Me.
Post new comment