What I want to know is whether there is any similarity, or maybe a difference, between the instructions of a binary and the execution instructions of that binary. In other words, in the area of malware analysis a binary can be examined with both static and dynamic analysis. In static analysis its instructions are extracted without executing it, while in dynamic analysis the instructions are extracted during execution of the binary. Are there any similarities between these two instruction outputs?
- I'm not sure if I understand your question, but static analysis output may be different from dynamic analysis output. In fact, for malware it will often be different: malware payload code is frequently "packed" (encoded) and gets decoded and run on the fly. Malware can also employ tricks to prevent static analysis tools from following jumps, even doing things like jumping into the middle of a multi-byte binary instruction (see http://reverseengineering.stackexchange.com/questions/1531/what-is-overlapping-instructions-obfuscation). Is this what you wanted to know? – PeterK Oct 01 '14 at 05:12
- Thanks for your answer. What I want to know, for example, is: if I have a binary (not malware and without any packer or encoder, just a very simple binary), are there any similarities between the execution trace of this binary and the instructions that a disassembler generates? – Alex Oct 01 '14 at 20:24
- Sure, assuming the disassembly fully succeeds, the instructions produced by the disassembler will be the very same as those executed at runtime. – PeterK Oct 02 '14 at 06:18
- Thanks for your answer. So can we compare them together? My general idea is to compare these two output instructions, but I do not know how exactly it is possible. – Alex Oct 02 '14 at 12:14
- Frankly, I don't have the answer for that and I'm not really sure even what you'll try to compare with what. There's a StackExchange site http://reverseengineering.stackexchange.com/ which specializes in topics like this, you may have more luck there. – PeterK Oct 02 '14 at 13:25
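As an added example (not part of the original thread), the comparison Alex asks about, run over a constructed static listing and a constructed execution trace: each traced address is checked against the listing, so that code the static pass never saw (for instance unpacked at runtime) and trace entries landing in the middle of a statically decoded instruction (the overlapping-instruction trick PeterK links to) stand out from ordinary coverage. The addresses and instructions are invented for the example.

```python
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    addr: int      # address of the first byte
    length: int    # encoded size in bytes
    text: str      # mnemonic and operands as the disassembler printed them


# Constructed static listing, as a linear-sweep disassembler might emit it.
STATIC = [
    Insn(0x1000, 5, "mov eax, 1"),
    Insn(0x1005, 2, "jmp 0x100a"),
    Insn(0x1007, 3, "add eax, 0x10"),      # statically unreachable
    Insn(0x100a, 5, "mov ecx, 0x12345678"),
    Insn(0x100f, 1, "ret"),
]

# Constructed trace of instruction-start addresses in execution order.
TRACE = [0x1000, 0x1005, 0x100a, 0x100c, 0x100f, 0x2000]


def classify(static, trace):
    """Bucket every traced address against the static listing."""
    insns = sorted(static, key=lambda i: i.addr)
    starts = [i.addr for i in insns]
    by_start = {i.addr: i for i in insns}
    hit = set()
    mid_insn, outside = [], []
    for pc in trace:
        if pc in by_start:
            hit.add(pc)
            continue
        # Find the static instruction whose byte range would contain pc.
        k = bisect_right(starts, pc) - 1
        if k >= 0 and pc < insns[k].addr + insns[k].length:
            mid_insn.append(pc)   # execution entered a decoded insn mid-way
        else:
            outside.append(pc)    # code the static pass never saw
    return {
        "executed": sorted(hit),
        "never_executed": [a for a in starts if a not in hit],
        "mid_instruction": mid_insn,
        "outside_listing": outside,
    }


if __name__ == "__main__":
    for bucket, addrs in classify(STATIC, TRACE).items():
        print(f"{bucket:16} {[hex(a) for a in addrs]}")
```

For a simple, unpacked binary the last two buckets stay empty and the comparison reduces to coverage; a non-empty `mid_instruction` or `outside_listing` bucket is where the static and dynamic views disagree.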