Chapter 4. A Crash Course in x86 Disassembly

As discussed in previous chapters, basic static and dynamic malware analysis methods are good for initial triage, but they do not provide enough information to analyze malware completely.

Basic static techniques are like looking at the outside of a body during an autopsy. You can use static analysis to draw some preliminary conclusions, but more in-depth analysis is required to get the whole story. For example, you might find that a particular function is imported, but you won’t know how it’s used or whether it’s used at all.

Basic dynamic techniques also have shortcomings. For example, basic dynamic analysis can tell you how your subject malware responds when it receives a specially designed packet, but you can learn the format of that packet only by digging deeper. That’s where disassembly comes in, as you’ll learn in this chapter.

Disassembly is a specialized skill that can be daunting to those new to programming. But don’t be discouraged; this chapter will give you a basic understanding of disassembly to get you off on the right foot.