What are the advantages and disadvantages of static and dynamic disassembly?

Malware analysis is the process of examining malicious software to understand its behavior, origin, and purpose. One of the techniques that malware analysts use is disassembly, which is the conversion of binary code into human-readable assembly language. Disassembly can be performed in two ways: static or dynamic. In this article, we will explore the advantages and disadvantages of both methods, and how they can complement each other in malware analysis.

1 Static disassembly

Static disassembly is the analysis of binary code without executing it, and can be done using tools such as disassemblers or decompilers to extract assembly code or even high-level source code from binary files. This process has several advantages, such as being fast and providing a comprehensive overview of the code structure and logic, as well as being safe and not activating any malicious payloads. Additionally, it can reveal metadata like compiler information, function names, or debugging symbols to help identify the malware family or author. However, static disassembly can also be inaccurate or incomplete if the binary code is obfuscated, encrypted, or packed. It may be misleading or confusing if certain code sections are irrelevant, dead, or conditional depending on input or environment variables. Finally, it can be tedious and time-consuming for an analyst to manually examine and interpret a large amount of assembly code which can be complex and low-level.

Add your perspective

Skyler Curtis

Sr Software Engineer and Security Researcher
Report contribution
Other examples of misleading or confusing are: Misaligned addresses - jumping to the middle of an instruction will lead to new instructions that aren't shown in most static analysis tools. Overwritting code - this is less relevant in the days of widespread DEP/NX use, but if instructions are written over, then the instructions you analyze are not the ones that are run. You could potentially analyze what was written if it was stored in the binary, but if it is fetched from elsewhere then there's not much to be done. DLL hijacking techniques - calling benign functions in trusted DLLs, not accounting for the fact that the DLL you expected was overridden, and a new, unanalyzed function is actually run.

Like
M. Saad A.
Report contribution
Static disassembly helps determine the structure of the malware, which includes but is not limited to the techniques used to avoid or disable technologies such as antivirus, searching mechanisms, and the intelligence to determine a virtual host versus a physical host which could dictate whether or not the malware should trigger or remain dormant. It is the static analysis that helps in the development of detections within the intrusion detection system.

Like

2 Dynamic disassembly

Dynamic disassembly is the analysis of binary code by executing it in a controlled environment, such as a virtual machine or a debugger. This process can be done using tools like debuggers or emulators, which can monitor and manipulate the code execution and observe its behavior and effects. Dynamic disassembly has several advantages, including being accurate and complete, as it can reveal the actual code flow and logic, as well as runtime values of variables and registers. It is also informative and insightful, providing insight into the malware's interactions with the system, such as network connections, file operations, registry modifications, or process injections. Additionally, dynamic disassembly can bypass some anti-analysis techniques by capturing the code after it is unpacked, decrypted, or deobfuscated in memory. Despite these benefits, dynamic disassembly has some drawbacks as well. It is slow and can require a lot of resources and attention, plus it is risky and can expose the analyst or system to potential harm if the malware detects the analysis environment. Lastly, it may miss some code sections or features if they are not triggered by the given input or analysis conditions.

Add your perspective

Skyler Curtis

Sr Software Engineer and Security Researcher
Report contribution
Some malware implements anti-analysis techniques that can determine if a debugger or process trace is attached and react. Some malware will react by simply shutting down and preventing analysis, some by acting non malicious to "pass inspection" or fly under the radar, and some attempt to annoy, inhibit, or discourage the analyst or even actively attack analyst machines.

Like

3 Combining static and dynamic disassembly

Static and dynamic disassembly are not mutually exclusive, but rather complementary techniques that can benefit from each other. For example, static disassembly can help identify the entry point, the main functions, and the relevant code sections of the binary code, which can guide the dynamic disassembly process and save time and effort. On the other hand, dynamic disassembly can help validate, clarify, and enrich the static disassembly results, by providing concrete data and evidence of the code behavior and functionality. Therefore, malware analysts should use both methods in a flexible and iterative manner, depending on the malware sample and the analysis objective.

Add your perspective

4 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

What are the advantages and disadvantages of static and dynamic disassembly?

1

2

3

4

1 Static disassembly

2 Dynamic disassembly

3 Combining static and dynamic disassembly

4 Here’s what else to consider

Malware Analysis

Rate this article

Thanks for your feedback

More articles on Malware Analysis

More relevant reading