Reversing : The Hacker's Guide to Reverse Engineering


introduces the specific tools that will be used throughout this book. Let’s take
a brief look at the different types of tools you will be dealing with.


System-Monitoring Tools


System-level reversing requires a variety of tools that sniff, monitor, explore, and otherwise expose the program being reversed. Most of these tools display information gathered by the operating system about the application and its environment. Because almost all communications between a program and the outside world go through the operating system, the operating system can usually be leveraged to extract such information. System-monitoring tools can monitor networking activity, file accesses, registry access, and so on. There are also tools that expose a program's use of operating system objects such as mutexes, pipes, events, and so forth. Many of these tools will be discussed in Chapter 4 and throughout this book.


Disassemblers


As I described earlier, disassemblers are programs that take a program's executable binary as input and generate textual files that contain the assembly language code for the entire program or parts of it. This is a relatively simple process considering that assembly language code is simply the textual mapping of the object code. Disassembly is a processor-specific process, but some disassemblers support multiple CPU architectures. A high-quality disassembler is a key component in a reverser's toolkit, yet some reversers prefer to just use the built-in disassemblers that are embedded in certain low-level debuggers (described next).
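The "textual mapping of the object code" can be made concrete with a toy linear-sweep disassembler for a handful of 32-bit x86 opcodes; this is an added example, not code from the book, and it assumes a load address of 0x401000 and a hand-assembled sample buffer. It shows the table-driven opcode lookup, variable instruction lengths, branch-target arithmetic, and ends on the one-byte int3 that debuggers (described next) plant to implement software breakpoints.

```python
import struct

# Added example, not code from the book: a toy linear-sweep disassembler for a
# handful of 32-bit x86 opcodes, showing disassembly as a table-driven mapping.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SIMPLE = {0x90: "nop", 0xC3: "ret", 0xCC: "int3"}  # one-byte, no operands
# ModRM opcodes: mnemonic and whether operands print as "r/m, reg" (True) or "reg, r/m"
MODRM_OPS = {0x89: ("mov", True), 0x8B: ("mov", False), 0x31: ("xor", True), 0x39: ("cmp", True)}
# Relative branches: mnemonic and displacement width in bytes
BRANCHES = {0xE8: ("call", 4), 0xE9: ("jmp", 4), 0xEB: ("jmp", 1), 0x74: ("je", 1), 0x75: ("jne", 1)}

def decode_one(code, off, base):
    """Decode the instruction at code[off]; return (length, text). Raises on unknown/truncated input."""
    op, addr = code[off], base + off
    if op in SIMPLE:
        return 1, SIMPLE[op]
    if 0x50 <= op <= 0x5F:  # push/pop r32: register number lives in the low 3 opcode bits
        return 1, f"{'push' if op < 0x58 else 'pop'} {REGS32[op & 7]}"
    if 0xB8 <= op <= 0xBF:  # mov r32, imm32
        return 5, f"mov {REGS32[op & 7]}, 0x{struct.unpack_from('<I', code, off + 1)[0]:x}"
    if op in MODRM_OPS:  # register-direct forms only (mod == 3); memory operands are out of scope
        mnem, rm_first = MODRM_OPS[op]
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:
            raise ValueError(f"memory operand at 0x{addr:x} not handled by this toy decoder")
        a, b = (REGS32[rm], REGS32[reg]) if rm_first else (REGS32[reg], REGS32[rm])
        return 2, f"{mnem} {a}, {b}"
    if op in BRANCHES:  # target = address of the following instruction + signed displacement
        mnem, width = BRANCHES[op]
        disp = struct.unpack_from("<i" if width == 4 else "<b", code, off + 1)[0]
        return 1 + width, f"{mnem} 0x{addr + 1 + width + disp:x}"
    raise ValueError(f"unknown opcode 0x{op:02x} at 0x{addr:x}")

def disassemble(code, base=0x401000):
    """Linear sweep over a byte string; returns [(address, hex bytes, text), ...]."""
    out, off = [], 0
    while off < len(code):
        length, text = decode_one(code, off, base)
        out.append((base + off, code[off:off + length].hex(), text))
        off += length
    return out

# Constructed sample, hand-assembled for this example (not from any real binary):
# push ebp; mov ebp,esp; xor eax,eax; mov eax,0x2a; call +5; pop ebp; ret; int3
SAMPLE = bytes.fromhex("55 89e5 31c0 b82a000000 e805000000 5d c3 cc")

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE):
        print(f"{addr:08x}  {raw:<12}{text}")
```

A real disassembler differs mainly in breadth (full ModRM/SIB memory forms, prefixes, and every opcode table) and in following control flow instead of sweeping linearly, but the core lookup-and-format loop is the same.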


Debuggers


If you've ever attempted even the simplest software development, you've most likely used a debugger. The basic idea behind a debugger is that programmers can't really envision everything their program can do. Programs are usually just too complex for a human to really predict every single potential outcome. A debugger is a program that allows software developers to observe their program while it is running. The two most basic features in a debugger are the ability to set breakpoints and the ability to trace through code. Breakpoints allow users to select a certain function or code line anywhere in the program and instruct the debugger to pause program execution once that line is reached. When the program reaches the breakpoint, the debugger stops (breaks) and displays the current state of the program. At that point, it is possible to either release the debugger and the program will continue running or to start tracing through the program.


Foundations 15