Posted by: Dan O'Connor
I have been doing some basic things with ‘atack’. One of the first things I do with a sample is run ‘strings’ against it. I find this a great way to try to see what the binary is going to do before you start running it in your test environment. I have a few suspicions about it; one of them is I think it may have the ability to do file system operations like copy.
Another excellent tool you can use is IDA Pro Free. If you like IDA Pro Free, the good news is you can buy the retail version. The only feature that I think is worth mentioning in the non-free version is that it has the ability to transform your dump into pseudocode. But other than that, the free version will more than suffice for what we are doing.
The good news is, my initial feeling that ‘atack’ had the ability to copy files seems to be correct.
Now we can check our strings again and see if there is anything in what we have mentioned that looks like a file path. There are a few that I think are worth following.
strings atack | egrep "/\S+\/" | less