Practical Binary Analysis

Practical Binary Analysis

Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly
by Dennis Andriesse
December 2018, 456 pp.

Download Chapter 5: Basic Binary Analysis In Linux
Download code samples and virtual machine.

As malware increasingly obfuscates itself and applies anti-analysis techniques to thwart our analysis, we need more sophisticated methods that allow us to raise that dark curtain designed to keep us out—binary analysis can help. The goal of all binary analysis is to determine (and possibly modify) the true properties of binary programs to understand what they really do, rather than what we think they should do. While reverse engineering and disassembly are critical first steps in many forms of binary analysis, there is much more to be learned.

This hands-on guide teaches you how to tackle the fascinating but challenging topics of binary analysis and instrumentation and helps you become proficient in an area typically only mastered by a small group of expert hackers. It will take you from basic concepts to state-of-the-art methods as you dig into topics like code injection, disassembly, dynamic taint analysis, and binary instrumentation. Written for security engineers, hackers, and those with a basic working knowledge of C/C++ and x86-64, Practical Binary Analysis will teach you in-depth how binary programs work and help you acquire the tools and techniques needed to gain more control and insight into binary programs.

Once you’ve completed an introduction to basic binary formats, you’ll learn how to analyze binaries using techniques like the GNU/Linux binary analysis toolchain, disassembly, and code injection. You’ll then go on to implement profiling tools with Pin and learn how to build your own dynamic taint analysis tools with libdft and symbolic execution tools using Triton. You’ll learn how to:

  • Parse ELF and PE binaries and build a binary loader with libbfd
  • Use data-flow analysis techniques like program tracing, slicing, and reaching definitions analysis to reason about runtime flow of your programs
  • Modify ELF binaries with techniques like parasitic code injection and hex editing
  • Build custom disassembly tools with Capstone
  • Use binary instrumentation to circumvent anti-analysis tricks commonly used by malware
  • Apply taint analysis to detect control hijacking and data leak attacks
  • Use symbolic execution to build automatic exploitation tools

With exercises at the end of each chapter to help solidify your skills, you’ll go from understanding basic assembly to performing some of the most sophisticated binary analysis and instrumentation. Practical Binary Analysis gives you what you need to work effectively with binary programs and transform your knowledge from basic understanding to expert-level proficiency.

Author Bio 

Dennis Andriesse has a Ph.D. in system and network security and uses binary analysis daily in his research. He is one of the main contributors to PathArmor, a Control-Flow Integrity system that defends against control-flow hijacking attacks such as ROP. Andriesse was also one of the attack developers involved in the takedown of the GameOver Zeus P2P botnet.

Table of contents 


Part I: Binary Formats

Chapter 1: Anatomy of a Binary
Chapter 2: The ELF Format
Chapter 3: The PE Format: A Brief Introduction
Chapter 4: Building a Binary Loader Using libbfd

Part II: Binary Analysis Fundamentals

Chapter 5: Basic Binary Analysis In Linux
Chapter 6: Disassembly and Binary Analysis Fundamentals
Chapter 7: Simple Code Injection Techniques for ELF

Part III: Advanced Binary Analysis

Chapter 8: Customizing Disassembly
Chapter 9: Binary Instrumentation
Chapter 10: Principles of Dynamic Taint Analysis
Chapter 11: Practical Dynamic Taint Analysis with libdft
Chapter 12: Principles of Symbolic Execution
Chapter 13: Practical Symbolic Execution with Triton

Part IV: Appendices

Appendix A: A Crash Course on x86 Assembly
Appendix B: Implementing PT_NOTE Overwriting Using libelf
Appendix C: List of Binary Analysis Tools
Appendix D: Further Reading

View the detailed Table of Contents
View the Index


"Dennis Andriesse has put together a book that combines the necessary knowledge and tools enabling the reader to grasp not only the fundamentals of binary analysis, but also to put the newfound knowledge to the test in practical and illustrative examples of binary analysis."
Sven Dietrich, Cipher: the newsletter of the IEEE Computer Society's Technical Committee on Security and Privacy

"This book that deserves the title of deep dive. There is no waste anywhere—just lean, mean, information."
Full Circle Magazine

"If you want to reverse engineer some code, learn to be a white hat hacker or a black hat hacker then it's well worth reading."
I Programmer

"Explains the subject in a straightforward and concise way! The author is a very knowledgeable security researcher and his work is state of the art!"
—Nucu Labs

“This book reads like a workshop that teaches readers what tools exist for both Linux and Windows and how to string them together to write tools for reverse engineering binaries . . . if you are well versed in programming, this book will still teach you a good approach at tackling many problems with binary analysis.”
—John Skandalakis, Software Engineer, Tripwire

Extra Stuff 

Featured in Tripwire VERT.

Featured on Greg Laden's Blog and Nucu Labs.


Please see for a list of errata and updates.

Community Contributions

CTF Walkthroughs
Chapter 5 CTF walkthrough @ Nucu Labs | lvl2
Chapter 5 CTF walkthrough @ Cool|Byte | lvl1-lvl4 lvl5
Chapter 5 CTF walkthrough @ Matteo Malvica | lvl6 lvl7
Chapter 5 CTF walkthrough @ Miles Mulet | lvl8

Exercise Solutions
0xe1a00000's examples and solutions to selected exercises | Github
Fare9's solutions to the Ch12 exercises | Pastebin

Code and Tools
Fare9's custom versions of the PBA tools | Github