Binary analysis is the process of examining compiled executable files to understand their behavior, functionality, and potential security vulnerabilities without requiring access to the original source code.
The two main types are static binary analysis (examining binaries without executing them) and dynamic binary analysis (observing binaries during execution).
Common tools include IDA Pro, Ghidra, Radare2, Binary Ninja, objdump, strace, and ltrace.
Disassemblers convert machine code back into assembly language, helping analysts understand the executable’s control flow and logic.
Reverse engineering involves reconstructing a program’s structure, logic, and behavior from compiled binaries to study its functionality or identify vulnerabilities.
Static analysis examines binaries without running them, focusing on code structure and control flow, while dynamic analysis monitors execution behavior in real time.
A symbol table stores function names, variable names, and addresses, assisting debuggers and disassemblers in mapping code references.
ELF (Executable and Linkable Format) is used in Unix/Linux systems, while PE (Portable Executable) is used in Windows. Both define how code, data, and resources are structured in a binary.
Debuggers like GDB or WinDbg allow step-by-step execution of a binary, monitoring registers, memory, and variable changes during runtime.
Goals include vulnerability discovery, malware analysis, software verification, performance optimization, and intellectual property protection.
Analysts inspect suspicious binaries using disassemblers and sandbox tools to detect malicious patterns like network callbacks, system modifications, or obfuscated code.
Code obfuscation intentionally makes binaries difficult to analyze by hiding control flow, encrypting strings, or renaming symbols to prevent reverse engineering.
Ghidra is a free open-source reverse engineering suite developed by the NSA. It provides disassembly, decompilation, and scripting capabilities for binary analysis.
Function signature analysis helps identify known library functions in binaries by comparing them against signature databases like FLIRT or Lumina.
Dynamic instrumentation injects code into a running process to collect data such as memory usage, function calls, or branch coverage for runtime analysis.
Symbolic execution uses symbolic inputs instead of concrete data to explore all possible execution paths, helping identify logic flaws and vulnerabilities automatically.
Firmware analysis involves examining embedded software binaries from devices like routers or IoT gadgets to find backdoors or insecure configurations.
By analyzing memory access patterns, stack structures, and unsafe functions like strcpy() or gets() during static or dynamic analysis.
Relocation adjusts addresses when loading a binary into memory, and linking combines multiple object files into a single executable during compilation.
Both tools are professional disassemblers and decompilers used for in-depth binary analysis, vulnerability discovery, and malware reverse engineering.