New to CAPEC? Start Here
Home > CAPEC List > CAPEC-190: Reverse Engineer an Executable to Expose Assumed Hidden Functionality (Version 3.9)  

CAPEC-190: Reverse Engineer an Executable to Expose Assumed Hidden Functionality

Attack Pattern ID: 190
Abstraction: Detailed
View customized information:
+ Description
An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable. Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications.
+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.167White Box Reverse Engineering
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Resources Required
Access to the target file such that it can be analyzed with the appropriate tools. A range of tools suitable for analyzing an executable or its operations
+ Notes


White box analysis techniques include file or binary analysis, debugging, disassembly, and decompilation, and generally fall into categories referred to as 'static' and 'dynamic' analysis. Static analysis encompasses methods which analyze the binary, or extract its source code or object code without executing the program. Dynamic analysis involves analyzing the program during execution.

Some forms of file analysis tools allow the executable itself to be analyzed, the most basic of which can analyze features of the binary. More sophisticated forms of static analysis analyze the binary file and extract assembly code, and possibly source code representations, from analyzing the structure of the file itself. Dynamic analysis tools execute the binary file and monitor its in memory footprint, revealing its execution flow, memory usage, register values, and machine instructions. This type of analysis is most effective for analyzing the execution of binary files whose content has been obfuscated or encrypted in its native executable form.

Debuggers allow the program's execution to be monitored, and depending upon the debugger's sophistication may show relevant source code for each step in execution, or may display and allow interactions with memory, variables, or values generated by the program during run-time operations. Disassemblers operate in reverse of assemblers, allowing assembly code to be extracted from a program as it executes machine code instructions. Disassemblers allow low-level interactions with the program as it executes, such as manipulating the program's run time operations. Decompilers can be utilized to analyze a binary file and extract source code from the compiled executable. Collectively, the tools and methods described are those commonly applied to a binary executable file and provide means for reverse engineering the file by revealing the hidden functions of its operation or composition.

+ References
[REF-51] "Wikipedia". Decompiler. The Wikimedia Foundation, Inc. <>.
[REF-52] "Wikipedia". Debugger. The Wikimedia Foundation, Inc. <>.
[REF-53] "Wikipedia". Disassembler. The Wikimedia Foundation, Inc. <>.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Other_Notes, Related_Attack_Patterns
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Notes, Related_Weaknesses
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
Previous Entry Names
Change DatePrevious Entry Name
(Version 3.1)
Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content
More information is available — Please select a different filter.
Page Last Updated or Reviewed: April 04, 2019