Assembly Analysis¶

Delving into the depths of application security often requires analyzing the application at the binary level through decompilation and examination. This process allows us to uncover potential vulnerabilities and assess the overall security posture of the application. Here's a systematic approach to conducting assembly analysis for security assessment:

Decompilation and Code Readability¶

When decompiling the application, the readability of the code serves as an initial indicator of whether the code is obfuscated or not. Obfuscated code can pose significant security risks as it makes it harder to understand and analyze the application's behavior.

Sensitive Information Extraction¶

Upon obtaining the source code from memory pages, it's crucial to search for sensitive hardcoded information that could lead to security breaches. This includes passwords, encryption keys, API secrets, or any other critical information embedded within the code.

Binary Protection Assessment¶

Using `Get-PESecurity`¶

The Get-PESecurity tool is invaluable for checking the binary's protection mechanisms. Below are key elements to evaluate:

ASLR (Address Space Layout Randomization): Prevents memory corruption vulnerabilities by randomizing the memory layout.
DEP (Data Execution Prevention): Marks certain memory pages as non-executable, preventing code execution from these regions.
SafeSEH (Safe Structured Exception Handlers): Enhances exception handling in Windows binaries to prevent exploitation.
StrongNaming: Signing the assembly with a key to ensure its integrity and prevent conflicts.
Authenticode: Verifies the authenticity and integrity of signed software, preventing tampering.
ControlFlowGuard (CFG): Mitigates memory corruption vulnerabilities by validating the integrity of the control flow.
HighEntropyVA: Supports high-entropy 64-bit ASLR for enhanced security.

Additional Checks¶

Code Signing: Use signcheck.exe from Sysinternals tools to verify if the application is signed, ensuring authenticity and integrity.