
Static Analysis

Static analysis examines the binary without running it.
This is where you gather initial intelligence about the sample to understand its capabilities, structure, and potential behaviors before ever executing it.

Initial Triage

# File type identification
file suspicious.exe              # PE32, ELF, Mach-O
file firmware.bin                # Often raw binary

# Hash and lookup
md5sum suspicious.exe
sha256sum suspicious.exe
# Search hash on VirusTotal

# String extraction
strings suspicious.exe
strings -el suspicious.exe       # 16-bit little-endian (UTF-16LE) strings, common in Windows binaries
strings -n 8 suspicious.exe     # Only strings 8+ chars

# Entropy analysis (packing detection)
ent suspicious.exe
# Packed files typically have entropy > 7.5
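The entropy rule of thumb above is easy to apply per region rather than per file, which is what localises a packed or encrypted payload. The script below is an added example (not from the original page or any named tool): it computes chunked Shannon entropy over a constructed sample (a repetitive header followed by a seeded random blob standing in for packed data) or over a file path given on the command line. The window size matters: 256-byte windows of truly random data score only about 7.2 bits, below the 7.5 threshold, so the example uses 1024-byte chunks.

```python
"""Chunked Shannon-entropy triage for a binary (added example, not from the page)."""
import math
import random
import sys
from collections import Counter

PACKED_THRESHOLD = 7.5   # rule of thumb quoted in the triage notes above
CHUNK_SIZE = 1024        # small windows understate entropy; 256 random bytes score ~7.2

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform over all 256 values)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[tuple[int, float]]:
    """(offset, entropy) per fixed-size chunk, so a packed region can be localised."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]

def high_entropy_offsets(data: bytes, chunk_size: int = CHUNK_SIZE,
                         threshold: float = PACKED_THRESHOLD) -> list[int]:
    """Offsets of chunks above the threshold: candidates for packed/encrypted payloads."""
    return [off for off, h in entropy_profile(data, chunk_size) if h > threshold]

def build_sample() -> bytes:
    """Constructed stand-in for a file: a repetitive 'header' followed by a random blob."""
    header = b"MZ\x90\x00" * 256               # 1024 bytes over 4 symbols -> entropy 2.0
    blob = random.Random(1).randbytes(2048)     # seeded, so the result is reproducible
    return header + blob

if __name__ == "__main__":
    # Usage: python entropy_triage.py [path]; without a path the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(f"overall entropy: {shannon_entropy(data):.3f}")
    for off, h in entropy_profile(data):
        flag = "  <-- above threshold" if h > PACKED_THRESHOLD else ""
        print(f"0x{off:08x}  {h:.3f}{flag}")
```

A whole-file score can hide a small packed stub inside a large, mostly plain binary; the per-chunk offsets are what you compare against the section headers later.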

PE File Analysis (Windows)

# PEInfo/Binary info
readpe suspicious.exe             # Read PE header
pecheck suspicious.exe            # Comprehensive PE analysis

# Exports and imports
pe -e suspicious.exe              # Exported functions
pe -i suspicious.exe              # Imported DLLs and functions

# Section analysis
pe -s suspicious.exe              # Section headers (.text, .data, .rdata, .rsrc)

ELF File Analysis (Linux)

# ELF Header
readelf -h suspicious.elf         # Header information
readelf -S suspicious.elf         # Section headers
readelf -l suspicious.elf         # Program headers (segments)

# Symbols
nm suspicious.elf                 # Symbol table
objdump -t suspicious.elf         # All symbols

# Dependencies
ldd suspicious.elf                # Dynamic libraries
readelf -d suspicious.elf         # Dynamic section

Disassembly

# objdump
objdump -d suspicious.elf         # Disassemble all sections
objdump -M intel -d binary        # Intel syntax (preferred)

# radare2
r2 -A suspicious.elf              # Analyze all
aaa                                # Auto-analysis
afl                                # List functions
pdf @main                          # Print disassembly of function
VV                                 # Control flow graph

# Ghidra (GUI, or headless for batch work; see Decompilation below)
# Headless import with auto-analysis:
analyzeHeadless /path/to/projects ghidraProject -import /path/to/binary

Decompilation

# Ghidra - Best-in-class decompiler
ghidraRun                         # GUI mode
# Headless analysis:
analyzeHeadless /path ghidraProject -import binary.exe

# IDA Pro (commercial)
idat64 binary                      # Text-only IDA
ida64 binary                       # GUI IDA

# Snowman decompiler (radare2 plugin)
# Integrated into r2 with `e asm.decompiler = snow`

Signature Detection

# YARA rules
yara -s rule.yara suspicious.exe

# Find common patterns
r2 -q -c "/x 5589e5" binary       # Search for function prologue
r2 -q -c "/x 90909090" binary     # Search for NOP sleds (hex pattern; /v would search a numeric value)

Structure Analysis

  • Identify function boundaries (prologues/epilogues)
  • Recover local variable allocation
  • Detect switch statements (jump tables)
  • Find string references to code
  • Map control flow graphs