Tools and Frameworks for Binary Analysis
There are several tools and frameworks designed for binary analysis, which are key for cyber-security work (e.g, malware analysis).
And, lend themselves to a whole host of areas such as reverse engineering, vulnerability discovery and and exploitation.
The following are some of the most popular ones and worth investigating further.
- IDA (Interactive Disassembler) which is a disassembler and debugger and considered the gold standard for binary analysis. There is both a free and commercial version.
- Ghidra which is a software reverse engineering (SRE) suite of tools developed by the NSA’s Research Directorate. It’s open-source and offers similar functionality to IDA.
- Binary Ninja which is quite new compared to the others, but it also includes a decompiler, supports scripting and is more affordable than IDA.
- Radare2 which is an open-source framework that provides a set of tools for reverse engineering, binary analysis and exploitation; and, known for its command-line interface and ability to analyze binaries of various processor architectures.
- Hopper which is a binary disassembler, decompiler, and debugger for macOS and Linux; and, popular for working on Mac and iOS applications.
You can also integrate binary analysis into your own code, and develop your own tools. The best way to do this is via an existing framework. The following are some libraries and frameworks worth investigating.
- Capstone which is an open-source, multi-architecture, multi-platform disassembly framework. It supports a variety of instruction sets and can be used from Python through its bindings.
- angr is a powerful Python framework for analyzing binaries. It includes capabilities for binary loading, disassembly, symbolic execution, and various forms of static and dynamic analysis.
- Keystone is a lightweight multi-platform, multi-architecture assembler framework; and, can be used from Python and is useful for generating machine code.
Besides using dedicated software and frameworks for binary analysis, there are several other approaches that you can use – depending on your specific goals.
- Manual Analysis which involves directly examining the binary in a disassembler or a hex editor. It requires a strong understanding of assembly language and the architecture of the processor.
- Dynamic Analysis which involves running the binary in a controlled environment (like a sandbox or a virtual machine) and observing its behavior.
- Static Analysis which is examining the binary without executing it.
- Machine Learning which applies machine learning algorithms to binary analysis; and helpful for pattern recognition and anomaly detection.
- Reverse Engineering Protocols or File Formats which is important if the binary interacts with specific protocols or file formats. This will involve network traffic analysis or examining how a binary reads or writes specific file types.
- Fuzzing where you provide random or malformed data as input to the binary and observing its behavior for crashes or other anomalies.