0Day Forums
Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - Printable Version




Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - catlinlsx - 07-24-2023

A friend of mine downloaded some malware from Facebook, and I'm curious to see what it does without infecting myself. I know that you can't really decompile an .exe, but can I at least view it in Assembly or attach a debugger?

Edit to say it is not a .NET executable, no CLI header.


RE: Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - ahis60976 - 07-24-2023

You may get some information viewing it in assembly, but I think the easiest thing to do is fire up a virtual machine and see what it does. Make sure you have no open shares or anything like that that it can jump through though ;)


RE: Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - unblenchinglyeceklfcan - 07-24-2023

Sure, have a look at IDA Pro. They offer an eval version so you can try it out.




RE: Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - wesleywlozxtrg - 07-24-2023

Any decent debugger can do this. Try OllyDbg. (edit: which has a great disassembler that even decodes the parameters to WinAPI calls!)




RE: Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - frigga583330 - 07-24-2023

If you are just trying to figure out what a malware does, it might be much easier to run it under something like the free tool Process Monitor which will report whenever it tries to access the filesystem, registry, ports, etc...

Also, using a virtual machine like the free VMware Server is very helpful for this kind of work. You can make a "clean" image, and then just go back to that every time you run the malware.




RE: Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - landrum449 - 07-24-2023

Good news. IDA Pro is actually free for its older versions now.