Info
Tactic: Reconnaissance
Parent Technique: Reverse Engineering
Binary Disassembly
Binary disassembly is a crucial reconnaissance technique in which attackers convert compiled machine code back into readable assembly language to understand program functionality without access to the original source code. During the reconnaissance phase, adversaries employ tools like IDA Pro, Ghidra, or Radare2 to analyze binary files (executables, libraries, firmware) to identify security vulnerabilities, authentication mechanisms, cryptographic implementations, and proprietary algorithms.
Through static analysis of the disassembled code, attackers can map program control flow, locate input validation routines, identify memory management weaknesses, and discover undocumented functionality that might be leveraged in subsequent attack phases. This technique enables threat actors to develop targeted exploits by discovering memory corruption vulnerabilities, hardcoded credentials, and other implementation flaws that would remain hidden without examining the application's low-level implementation details.
Mitigation
- Implement Code Obfuscation: Without the original symbol names and structure, reverse engineering cannot reliably recover human-readable logic, because variable names, control structure, and the relationships between components are lost during compilation. Obfuscation increases the time and effort needed to reverse engineer the code, making analysis significantly more difficult for attackers.
- Implement a Client-Side RASP Solution: Commercial or in-house RASP solutions should provide anti-tampering and protection against dynamic instrumentation by monitoring and blocking suspicious behaviors at runtime, preventing attackers from injecting or modifying code during execution. These solutions offer real-time protection against reverse engineering attempts and code manipulation.
Examples in the Wild
Notable Binary Disassembly Attacks:
SolarWinds SUNBURST (C0024) The SolarWinds Compromise involved extensive binary analysis of the Orion platform components. Attackers performed disassembly of the SolarWinds.Orion.Core.BusinessLayer.dll to understand its integration points and identify how to inject malicious code that would be distributed through the trusted update mechanism. This required detailed understanding of the binary's internal structure and execution flow.
Attack Mechanism
Binary Analysis Process:
- Binary Acquisition
  - Obtaining target executables, libraries, or firmware
  - Extracting binaries from container images or packages
  - Accessing publicly available software distributions
- Disassembly Execution
  - Converting machine code to assembly language
  - Analyzing program structure and control flow
  - Identifying function boundaries and call relationships
- Vulnerability Discovery
  - Locating memory management flaws
  - Finding hardcoded credentials or secrets
  - Identifying input validation weaknesses
  - Discovering cryptographic implementation errors
- Exploit Development
  - Creating targeted exploits based on discovered flaws
  - Developing proof-of-concept attacks
  - Planning subsequent attack phases
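The first thing a disassembler does in the Disassembly Execution stage is locate the code sections and recover function names and boundaries from the symbol table; the obfuscation mitigation above works precisely because a stripped or obfuscated binary leaves it nothing to recover. The following Python example, added here and not part of this page or of any of the tools it names, makes that concrete: it constructs a tiny ELF64 image in memory (no real binary is read), parses the ELF, section and symbol headers with the standard struct module, and reports whether a symbol table is present. The same routine serves as a release check on the defensive side, confirming that a production build has actually been stripped before it ships. The sample image, its two function names (main, helper) and their addresses are constructed for the example.

```python
import struct

# ELF64 little-endian layouts (constants from the ELF specification)
ELF_MAGIC = b"\x7fELF"
EHDR_FMT, EHDR_SIZE = "<16sHHIQQQIHHHHHH", 64
SHDR_FMT, SHDR_SIZE = "<IIQQQQIIQQ", 64
SYM_FMT, SYM_SIZE = "<IBBHQQ", 24
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
STB_LOCAL, STB_GLOBAL, STT_FUNC = 0, 1, 2


def build_sample_elf(stripped=False):
    """Construct a minimal ELF64 image in memory (a constructed stand-in for a real binary).

    .text holds two functions: 'main' (global, 6 bytes) and 'helper' (local, 3 bytes).
    With stripped=True the .symtab/.strtab pair is left out, as `strip` would do.
    """
    text = b"\x55\x48\x89\xe5\x5d\xc3" + b"\x31\xc0\xc3"   # push rbp; mov rbp,rsp; pop rbp; ret | xor eax,eax; ret
    strtab = b"\x00main\x00helper\x00"                     # name offsets: main=1, helper=6
    symtab = b"".join([
        struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0),                                      # mandatory null symbol
        struct.pack(SYM_FMT, 6, (STB_LOCAL << 4) | STT_FUNC, 0, 1, 0x401006, 3),    # helper, section 1 (.text)
        struct.pack(SYM_FMT, 1, (STB_GLOBAL << 4) | STT_FUNC, 0, 1, 0x401000, 6),   # main, section 1 (.text)
    ])
    shstrtab = b"\x00.text\x00.symtab\x00.strtab\x00.shstrtab\x00"

    # (name, type, payload, sh_link, sh_info, sh_entsize). For .symtab, sh_link is the index
    # of .strtab (3 when present) and sh_info the index of the first non-local symbol.
    specs = [(".text", SHT_PROGBITS, text, 0, 0, 0)]
    if not stripped:
        specs += [(".symtab", SHT_SYMTAB, symtab, 3, 2, SYM_SIZE),
                  (".strtab", SHT_STRTAB, strtab, 0, 0, 0)]
    specs.append((".shstrtab", SHT_STRTAB, shstrtab, 0, 0, 0))

    body = b""
    shdrs = [struct.pack(SHDR_FMT, 0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)]   # index 0 is always SHT_NULL
    for name, stype, payload, link, info, entsize in specs:
        offset = EHDR_SIZE + len(body)
        shdrs.append(struct.pack(SHDR_FMT, shstrtab.index(name.encode() + b"\x00"),
                                 stype, 0, 0, offset, len(payload), link, info, 1, entsize))
        body += payload
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, SYSV ABI
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x401000, 0, EHDR_SIZE + len(body),
                       0, EHDR_SIZE, 0, 0, SHDR_SIZE, len(shdrs), len(shdrs) - 1)
    return ehdr + body + b"".join(shdrs)


def _cstr(table, offset):
    """Read a NUL-terminated string out of a string table."""
    end = table.find(b"\x00", offset)
    if end < 0:
        raise ValueError("unterminated string in string table")
    return table[offset:end].decode("ascii", "replace")


def parse_elf(data):
    """Return section names, function symbols and strip status of an ELF64 LE image.

    Every offset taken from the headers is bounds-checked before use: binaries with
    malformed headers are exactly what a triage tool gets fed.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles only 64-bit little-endian ELF")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if e_shentsize != SHDR_SIZE or e_shoff + e_shnum * SHDR_SIZE > len(data) or e_shstrndx >= e_shnum:
        raise ValueError("section header table is malformed or truncated")
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * SHDR_SIZE) for i in range(e_shnum)]

    def payload(sh):
        off, size = sh[4], sh[5]
        if off + size > len(data):
            raise ValueError("section extends past end of file")
        return data[off:off + size]

    shstrtab = payload(raw[e_shstrndx])
    sections = [{"name": _cstr(shstrtab, sh[0]), "type": sh[1], "link": sh[6], "raw": sh} for sh in raw]

    symtab = next((s for s in sections if s["type"] == SHT_SYMTAB), None)
    functions = []
    if symtab is not None:
        if symtab["link"] >= len(sections):
            raise ValueError(".symtab links to a non-existent string table")
        strtab = payload(sections[symtab["link"]]["raw"])
        syms = payload(symtab["raw"])
        for i in range(len(syms) // SYM_SIZE):
            st_name, st_info, _other, _shndx, st_value, st_size = struct.unpack_from(SYM_FMT, syms, i * SYM_SIZE)
            if st_info & 0xF == STT_FUNC:   # this is where a disassembler gets its function list
                functions.append({"name": _cstr(strtab, st_name), "addr": st_value, "size": st_size,
                                  "binding": "global" if st_info >> 4 == STB_GLOBAL else "local"})
    return {"sections": [s["name"] for s in sections], "functions": functions, "stripped": symtab is None}


if __name__ == "__main__":
    for label, image in (("debug build", build_sample_elf()), ("stripped build", build_sample_elf(stripped=True))):
        info = parse_elf(image)
        print(f"{label}: sections={info['sections']} stripped={info['stripped']}")
        for fn in info["functions"]:
            print(f"  {fn['name']:<8} {fn['addr']:#x} size={fn['size']} ({fn['binding']})")
```

Running the block prints both function names with their addresses for the unstripped image and nothing but the section list for the stripped one, which is the difference an analyst sees in IDA Pro or Ghidra when the symbol table is gone. In a build pipeline the `stripped` flag is the value to gate a release on; a stripped binary still has to be disassembled, but function boundaries and names must then be inferred rather than read.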
Common Tools & Techniques
Professional Disassemblers:
IDA Pro
- Features: Advanced analysis, debugging, scripting capabilities
- Platforms: Windows, Linux, macOS
- Target formats: PE, ELF, Mach-O binaries
Ghidra
- Features: Free NSA tool, built-in decompiler, collaboration support
- Platforms: Cross-platform Java application
- Languages: C/C++, Java, Python scripting support
Radare2
- Features: Command-line interface, extensive scripting, forensics tools
- Platforms: Unix-like systems
- Output: Assembly code, control flow graphs, hex dumps
Common Analysis Targets:
- Executables: Applications, system binaries
- Libraries: .dll, .so, .dylib files
- Firmware: Embedded systems, IoT devices
- Mobile Apps: APK, IPA files