Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?

debugging winapi assembly decompiling

A friend of mine downloaded some malware from Facebook, and I'm curious to see what it does without infecting myself. I know that you can't really decompile an .exe, but can I at least view it in Assembly or attach a debugger?

Edit to say it is not a .NET executable, no CLI header.

malware from facebook?? could you explain that

Sorry for the super late reply... but the way I think it happened was: she ran a piece of malware, which at some point spammed all of her contacts on FB (me) with a link to a "video" that requested you download a "new codec". I'm assuming it behaved like a worm in this sense.

13 revs, 5 users 47%

With a debugger you can step through the program assembly interactively.
With a disassembler, you can view the program assembly in more detail.
With a decompiler, you can turn a program back into partial source code, assuming you know what it was written in (which you can find out with free tools such as PEiD - if the program is packed, you'll have to unpack it first OR Detect-it-Easy if you can't find PEiD anywhere. DIE has a strong developer community on github currently).

Debuggers:

OllyDbg, free, a fine 32-bit debugger, for which you can find numerous user-made plugins and scripts to make it all the more useful.

WinDbg, free, a quite capable debugger by Microsoft. WinDbg is especially useful for looking at the Windows internals, since it knows more about the data structures than other debuggers.

SoftICE, SICE to friends. Commercial and development stopped in 2006. SoftICE is kind of a hardcore tool that runs beneath the operating system (and halts the whole system when invoked). SoftICE is still used by many professionals, although might be hard to obtain and might not work on some hardware (or software - namely, it will not work on Vista or NVIDIA gfx cards).

Disassemblers:

IDA Pro(commercial) - top of the line disassembler/debugger. Used by most professionals, like malware analysts etc. Costs quite a few bucks though (there exists free version, but it is quite quite limited)

W32Dasm(free) - a bit dated but gets the job done. I believe W32Dasm is abandonware these days, and there are numerous user-created hacks to add some very useful functionality. You'll have to look around to find the best version.

Decompilers:

Visual Basic: VB Decompiler, commercial, produces somewhat identifiable bytecode.

Delphi: DeDe, free, produces good quality source code.

C: HexRays, commercial, a plugin for IDA Pro by the same company. Produces great results but costs a big buck, and won't be sold to just anyone (or so I hear).

.NET(C#): dotPeek, free, decompiles .NET 1.0-4.5 assemblies to C#. Support for .dll, .exe, .zip, .vsix, .nupkg, and .winmd files.

Some related tools that might come handy in whatever it is you're doing are resource editors such as ResourceHacker (free) and a good hex editor such as Hex Workshop (commercial).

Additionally, if you are doing malware analysis (or use SICE), I wholeheartedly suggest running everything inside a virtual machine, namely VMware Workstation. In the case of SICE, it will protect your actual system from BSODs, and in the case of malware, it will protect your actual system from the target program. You can read about malware analysis with VMware here.

Personally, I roll with Olly, WinDbg & W32Dasm, and some smaller utility tools.

Also, remember that disassembling or even debugging other people's software is usually against the EULA in the very least :)

I appreciate the last paragraph in its generality, good advice, but it is amusing in the context of the question: I doubt a virus comes with an EULA! ;-)

Actually, some malware and even trojans of late have had EULAs in them (oh, those russians..) Of course, they can be (and are) ignored by researches, because it can be assumed that nobody will come forward to sue them... Also, they're usually too badly written to mean anything in court in any case.

Note that IDA Pro's previous version is free for non-commercial use.

Note that most malware these days (at least compiled malware) can easily detect if it is running in VMWare, Virtual PC, WINE, VirtualBox, etc.

All I can see is X86 type of coding like push mov. I want to decompile the exe but don't know the source code language. At loading I have selected portable executable and meta pc.I see the start function but it is in assembly language type. Can some one help me to view actual code like C or C++?

Jason L

psoul's excellent post answers to your question so I won't replicate his good work, but I feel it'd help to explain why this is at once a perfectly valid but also terribly silly question. After all, this is a place to learn, right?

Modern computer programs are produced through a series of conversions, starting with the input of a human-readable body of text instructions (called "source code") and ending with a computer-readable body of instructions (called alternatively "binary" or "machine code").

The way that a computer runs a set of machine code instructions is ultimately very simple. Each action a processor can take (e.g., read from memory, add two values) is represented by a numeric code. If I told you that the number 1 meant scream and the number 2 meant giggle, and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly, I would be using what is essentially the same system a computer uses to operate.

A binary file is just a set of those codes (usually call "op codes") and the information ("arguments") that the op codes act on.

Now, assembly language is a computer language where each command word in the language represents exactly one op-code on the processor. There is a direct 1:1 translation between an assembly language command and a processor op-code. This is why coding assembly for an x386 processor is different than coding assembly for an ARM processor.

Disassembly is simply this: a program reads through the binary (the machine code), replacing the op-codes with their equivalent assembly language commands, and outputs the result as a text file. It's important to understand this; if your computer can read the binary, then you can read the binary too, either manually with an op-code table in your hand (ick) or through a disassembler.

Disassemblers have some new tricks and all, but it's important to understand that a disassembler is ultimately a search and replace mechanism. Which is why any EULA which forbids it is ultimately blowing hot air. You can't at once permit the computer reading the program data and also forbid the computer reading the program data.

(Don't get me wrong, there have been attempts to do so. They work as well as DRM on song files.)

However, there are caveats to the disassembly approach. Variable names are non-existent; such a thing doesn't exist to your CPU. Library calls are confusing as hell and often require disassembling further binaries. And assembly is hard as hell to read in the best of conditions.

Most professional programmers can't sit and read assembly language without getting a headache. For an amateur it's just not going to happen.

Anyway, this is a somewhat glossed-over explanation, but I hope it helps. Everyone can feel free to correct any misstatements on my part; it's been a while. ;)

This elaborates on disassembly, but I'd love to hear an elaboration on decompiling. Is it likely to be just as fruitless? What are the caveats of it?

@has: Decompiling native code is a pretty tough challenge, often right-out impossible. Optimizers are exceedingly aggressive, frequently translating source code into nothing at all. You cannot decompile nothing.

And assembly is hard as hell to read in the best of conditions. - well, I wouldn't go that far. The best of conditions is well-commented hand-written assembly, when the reader knows asm as well as they know C. Then it's no bad at all. e.g. codereview.SE Checking if a number is prime in NASM Win64 Assembly, or with more complexity glibc's AVX2 strlen (code.woboq.org/userspace/glibc/sysdeps/x86_64/multiarch/…). Of course you're talking about uncommented disassembly, but "the best of times" is simple C compiler ouput.

Matthew

Good news. IDA Pro is actually free for its older versions now: http://www.hex-rays.com/idapro/idadownfreeware.htm

BullyWiiPlaza

x64dbg is a good and open source debugger that is actively maintained.

utku_karatas

Any decent debugger can do this. Try OllyDbg. (edit: which has a great disassembler that even decodes the parameters to WinAPI calls!)

joeld

If you are just trying to figure out what a malware does, it might be much easier to run it under something like the free tool Process Monitor which will report whenever it tries to access the filesystem, registry, ports, etc...

Also, using a virtual machine like the free VMWare server is very helpful for this kind of work. You can make a "clean" image, and then just go back to that every time you run the malware.

Dylan McNamee

I'd say in 2019 (and even more so in 2022), Ghidra (https://ghidra-sre.org/) is worth checking out. It's open source (and free), and has phenomenal code analysis capabilities, including the ability to decompile all the way back to fairly readable C code.

Douglas Mayle

Sure, have a look at IDA Pro. They offer an eval version so you can try it out.

Rob Prouse

You may get some information viewing it in assembly, but I think the easiest thing to do is fire up a virtual machine and see what it does. Make sure you have no open shares or anything like that that it can jump through though ;)

Yeah, I thought about that, but I'd rather not go through the hassle of setting up a VM just to kill it :)

True, it is a hassle for this one case, but I always find it is useful to keep a VM around for testing new software or stuff like this. I can then do what I please and just choose not to save state at the end and go back to the clean VM for the next run.

Andru Luvisi

Boomerang may also be worth checking out.

Not really. it crashes and burns for anything more complicated than the most trivial executables.

jyz

I can't believe nobody said nothing about Immunity Debugger, yet.

Immunity Debugger is a powerful tool to write exploits, analyze malware, and reverse engineer binary files. It was initially based on Ollydbg 1.0 source code, but with names resoution bug fixed. It has a well supported Python API for easy extensibility, so you can write your python scripts to help you out on the analysis.

Also, there's a good one Peter from Corelan team wrote called mona.py, excelent tool btw.

Joel Lucsy

If you want to run the program to see what it does without infecting your computer, use with a virtual machine like VMWare or Microsoft VPC, or a program that can sandbox the program like SandboxIE

James Graham

You can use dotPeek, very good for decompile exe file. It is free.

https://www.jetbrains.com/decompiler/

Why dotpeek giving my exe not supported?

@Sarveshwar probably not a .Net exe?

Alexander Schmidt

What you want is a type of software called a "Disassembler".

Quick google yields this: Link

You didn't explain this

plan9assembler

If you have no time, submit the malware to cwsandbox:

http://www.cwsandbox.org/

http://jon.oberheide.org/blog/2008/01/15/detecting-and-evading-cwsandbox/

HTH

3 revs, 3 users 40%

The explorer suite can do what you want.

Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?

Follow WeChat

Want to stay one step ahead of the latest teleworks?

相似问题

Platform

Support

Contact US