Info

Tactic: Reconnaissance
Parent Technique: Reverse Engineering

Binary Disassembly

Binary disassembly is a crucial reconnaissance technique in which attackers convert compiled machine code back into readable assembly language to understand program functionality without access to the original source code. During the reconnaissance phase, adversaries employ tools like IDA Pro, Ghidra, or Radare2 to analyze binary files (executables, libraries, firmware) to identify security vulnerabilities, authentication mechanisms, cryptographic implementations, and proprietary algorithms.

Through static analysis of the disassembled code, attackers can map program control flow, locate input validation routines, identify memory management weaknesses, and discover undocumented functionality that might be leveraged in subsequent attack phases. This technique enables threat actors to develop targeted exploits by discovering memory corruption vulnerabilities, hardcoded credentials, and other implementation flaws that would remain hidden without examining the application's low-level implementation details.

Mitigation

  1. Implement Code Obfuscation: Variable names, logic structure, and the relationships between components are already lost during compilation; obfuscation removes the remaining mappings, so reverse-engineering techniques cannot reliably recover human-readable logic from the binary. This increases the time and effort needed to reverse engineer the code, making analysis significantly more difficult and time-consuming for attackers.

  2. Implement a Client-Side RASP Solution: Commercial or in-house RASP solutions should provide anti-tampering and dynamic instrumentation by monitoring and blocking suspicious behaviors at runtime, preventing attackers from injecting or modifying code during execution. These solutions offer real-time protection against reverse engineering attempts and code manipulation.
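Added example, not from the page: a release-pipeline check that parses the ELF64 section headers and lists any function names left in the static `.symtab`, since those names are what a disassembler recovers for free and stripping them is the cheapest part of the obfuscation mitigation above. The ELF layout follows the ELF specification; `build_test_elf` constructs a synthetic image for testing and is an assumption of this example, not a real binary.

```python
import struct

SHT_SYMTAB, SHT_STRTAB, STT_FUNC = 2, 3, 2   # constants from the ELF specification

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def leaked_function_names(data):
    """Return the function names still present in the static .symtab of a
    little-endian ELF64 image. These names are exactly what a disassembler
    recovers for free; an empty list means the table was stripped (or absent)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    shoff, = struct.unpack_from("<Q", data, 40)                  # e_shoff
    shentsize, shnum, _ = struct.unpack_from("<HHH", data, 58)   # e_shentsize, e_shnum, e_shstrndx
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
             for i in range(shnum)]
    names = []
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_SYMTAB:
            continue
        strtab_off = shdrs[sh_link][4]      # sh_link names the .strtab holding the symbol names
        for j in range(sh_size // sh_entsize):
            st_name, st_info = struct.unpack_from("<IB", data, sh_off + j * sh_entsize)
            if st_name and (st_info & 0xF) == STT_FUNC:
                names.append(read_cstr(data, strtab_off + st_name))
    return names

def build_test_elf(func_names):
    """Constructed test input (hypothetical, not a real binary): a minimal ELF64
    image containing only a .symtab, its .strtab and a .shstrtab, no code."""
    strtab, syms, off = b"\0", b"\0" * 24, 1          # index 0 is reserved in both tables
    for n in func_names:                              # st_info = STB_GLOBAL (1) << 4 | STT_FUNC
        syms += struct.pack("<IBBHQQ", off, (1 << 4) | STT_FUNC, 0, 1, 0x401000, 0x20)
        strtab += n.encode() + b"\0"
        off += len(n) + 1
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"
    symtab_off, strtab_off = 64, 64 + len(syms)       # sections follow the 64-byte ELF header
    shstr_off = strtab_off + len(strtab)
    shoff = shstr_off + len(shstrtab)
    def shdr(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0, 0) + shdr(1, SHT_SYMTAB, symtab_off, len(syms), 2, 24)
             + shdr(9, SHT_STRTAB, strtab_off, len(strtab), 0, 0)
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + syms + strtab + shstrtab + shdrs
```

Run `leaked_function_names` over a real release artifact (`open(path, "rb").read()`); any names it returns should fail the build until the binary is stripped.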

Examples in the Wild

Notable Binary Disassembly Attacks:

SolarWinds SUNBURST (C0024)

The SolarWinds Compromise involved extensive binary analysis of the Orion platform components. Attackers performed disassembly of the SolarWinds.Orion.Core.BusinessLayer.dll to understand its integration points and identify how to inject malicious code that would be distributed through the trusted update mechanism. This required detailed understanding of the binary's internal structure and execution flow.

Attack Mechanism

Binary Analysis Process:

  1. Binary Acquisition
     • Obtaining target executables, libraries, or firmware
     • Extracting binaries from container images or packages
     • Accessing publicly available software distributions

  2. Disassembly Execution
     • Converting machine code to assembly language
     • Analyzing program structure and control flow
     • Identifying function boundaries and call relationships

  3. Vulnerability Discovery
     • Locating memory management flaws
     • Finding hardcoded credentials or secrets
     • Identifying input validation weaknesses
     • Discovering cryptographic implementation errors

  4. Exploit Development
     • Creating targeted exploits based on discovered flaws
     • Developing proof-of-concept attacks
     • Planning subsequent attack phases

Common Tools & Techniques

Professional Disassemblers:

IDA Pro
  • Features: Advanced analysis, debugging, scripting capabilities
  • Platforms: Windows, Linux, macOS
  • Target formats: PE, ELF, Mach-O binaries

Ghidra
  • Features: Free NSA tool, built-in decompiler, collaboration support
  • Platforms: Cross-platform Java application
  • Languages: C/C++, Java, Python scripting support

Radare2
  • Features: Command-line interface, extensive scripting, forensics tools
  • Platforms: Unix-like systems
  • Output: Assembly code, control flow graphs, hex dumps

Common Analysis Targets:

  • Executables: Applications, system binaries
  • Libraries: .dll, .so, .dylib files
  • Firmware: Embedded systems, IoT devices
  • Mobile Apps: APK, IPA files