Dynamic analysis

When we talk about dynamic binary analysis and include this phase in our methodology, we have to be more cautious than in any other step. By its very nature, dynamic analysis means running the binary and observing what it does, so a malicious sample gets to do everything it was written to do. This is why we're using virtual machines and why we'll take extra precautions to make sure that, while we're dynamically analyzing a binary, we don't infect ourselves. If we followed along exactly as guided in Chapter 1, Setting Up the Lab, we'll also have fresh snapshots of our virtual machines to roll back to, whether we intentionally infect a virtual machine to understand a binary better or some other malicious result arises from our dynamic analysis. One extra precaution we can take is to disconnect the virtual network adapter in the hypervisor, or to disable the Ethernet adapter inside the guest operating system itself. That way, if any binary we analyze attempts to connect to a remote host, it will fail. Disconnecting at the hypervisor level is the stronger of the two, because code running as root inside the guest can simply bring a disabled interface back up. This is also a good time to double-check that we aren't mounting any host operating system directories in our virtual machine guest as shared folders: a shared folder is a writable path straight back to the host.
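The two checks described above (no live network interface, no shared folders) are easy to forget once a session is underway, so it is worth scripting them. The following pre-flight check is an added example and not part of the book; it reads the guest's /proc/mounts and the output of `ip -o link show`, and the list of shared-folder filesystem types it looks for is an assumption covering the usual hypervisors (extend it for yours). The sample mount and interface lines used in the test are constructed, not captured from a real system.

```shell
#!/bin/sh
# vm_preflight.sh - refuse to start dynamic analysis while the VM can still
# reach the host or the network. Added example, not code from the book.
# Exit status 0 means no obvious leak path was found; 1 means fix the VM first.

# shared_mounts FILE
#   Print "mountpoint fstype" for every shared-folder mount listed in FILE
#   (FILE is /proc/mounts on a live guest). Filesystem types (assumption):
#   vboxsf = VirtualBox, vmhgfs / fuse.vmhgfs-fuse = VMware, prl_fs = Parallels,
#   9p / virtiofs = QEMU/KVM virtfs and virtio-fs.
shared_mounts() {
    awk '$3 ~ /^(vboxsf|vmhgfs|fuse\.vmhgfs-fuse|prl_fs|9p|virtiofs)$/ { print $2, $3 }' "$1"
}

# active_links FILE
#   Print the names of non-loopback interfaces whose flags contain UP, i.e. that
#   are administratively enabled. FILE holds the output of `ip -o link show`
#   (one interface per line: "2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> ...").
#   The flag list is matched with [<,]UP[,>] so that LOWER_UP and "state UP"
#   further along the line do not count as a match.
active_links() {
    awk -F': ' '{ name = $2; sub(/@.*/, "", name) }
                name != "lo" && $3 ~ /[<,]UP[,>]/ { print name }' "$1"
}

# check_isolation MOUNTS_FILE LINKS_FILE
#   Report every problem found and return 1 if there was at least one.
check_isolation() {
    rc=0
    shares=$(shared_mounts "$1")
    if [ -n "$shares" ]; then
        echo "shared folders are mounted (unmount them before running the sample):"
        echo "$shares" | sed 's/^/  /'
        rc=1
    fi
    links=$(active_links "$2")
    if [ -n "$links" ]; then
        echo "network interfaces are up (disconnect them in the hypervisor):"
        echo "$links" | sed 's/^/  /'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "isolation check passed"
    return "$rc"
}

# live_check
#   Gather the real interface list and run the checks against the live guest.
live_check() {
    links_file=$(mktemp) || return 1
    if command -v ip >/dev/null 2>&1; then
        ip -o link show > "$links_file"
    else
        : > "$links_file"   # no iproute2: the interface check is skipped
    fi
    check_isolation /proc/mounts "$links_file"
    rc=$?
    rm -f "$links_file"
    return "$rc"
}

# Only run the live check when executed as a script, not when the file is
# sourced to reuse the functions elsewhere.
case "$0" in
    */vm_preflight.sh|vm_preflight.sh) live_check ;;
esac
```

Run it as `sh vm_preflight.sh` inside the analysis guest before every session, and again after reverting to a snapshot, since the snapshot may have been taken with the adapter still connected.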

In this recipe, we'll learn about the dynamic analysis phase in our methodology and the tools we have at our disposal. Working through this step of the methodology will reinforce what we learned in the previous chapter about IA32 and IA64 (32- and 64-bit x86), how a program makes system calls on Linux, and the details of the ELF specification. While dynamic analysis gives us great insight into how a binary interacts with our system while it's running, the tools we'll use have some shortcomings that are important to understand. First, we will rely heavily on debuggers such as GDB and EDB. This means the information we gather is only as complete as our understanding of the tool's features, and any anti-debugging functionality built into the binary (a ptrace check, a timing check, or a deliberate crash when a debugger is attached) makes our analysis more challenging. Second, dynamic analysis only shows us the code paths that actually execute: if some of the binary's functionality is never triggered during our session, because it depends on a command-line argument, a network response, or a date we never supplied, we'll miss out on understanding exactly what that functionality does. This is why dynamic analysis complements, rather than replaces, the static analysis steps earlier in the methodology.

For this phase of the methodology, we want to gather as much information as we can about the binary's behavior while it's running. To do that, we'll rely heavily on debugging the application using GDB or EDB, or on writing our own debugger when the situation calls for it. We want to watch for any system calls the binary makes, any socket connections, any filesystem interaction, and so on. We'll use the debugger to interrogate each register and the stack as we step through each instruction while analyzing the binary.
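A concrete way to get the system-call, socket and filesystem visibility described above is to drive GDB in batch mode with a syscall catchpoint and dump the argument registers and the top of the stack at every hit. The script below is an added example, not code from the book: it generates a GDB command file and runs the target under it. It assumes a Linux x86-64 target (System V argument registers rdi, rsi, rdx, r10, r8, r9); on an IA32 binary the arguments are in ebx, ecx, edx, esi, edi instead and `socketcall` replaces the individual socket syscalls. The list of traced syscalls is an assumption you should tune per sample.

```shell
#!/bin/sh
# gdb_syscall_trace.sh - run a binary under GDB with a syscall catchpoint and
# log registers and stack at each system call. Added example, not from the book.
#
# GDB stops twice per catchpoint: on entry, when $rax holds the syscall number
# and rdi/rsi/rdx/r10/r8/r9 hold its arguments, and on return, when $rax holds
# the result. Both stops are logged, so each call appears as a pair of lines.

# Syscalls worth catching during a first pass (assumption: tune per sample).
# ptrace is included because a PTRACE_TRACEME call from the target is the
# classic anti-debugging check; seeing it tells us why a later run misbehaves.
TRACED_SYSCALLS="execve fork vfork clone ptrace openat open unlink rename \
socket connect bind listen accept sendto recvfrom sendmsg recvmsg"

# build_gdb_script
#   Print the GDB command file to stdout. The heredoc is unquoted so that
#   $TRACED_SYSCALLS expands, which is why GDB's own $registers are escaped.
build_gdb_script() {
    cat <<EOF
set pagination off
set confirm off
set disable-randomization on
catch syscall ${TRACED_SYSCALLS}
commands
  silent
  printf "[syscall] rax=%ld rdi=0x%lx rsi=0x%lx rdx=0x%lx r10=0x%lx r8=0x%lx r9=0x%lx rip=0x%lx\n", \$rax, \$rdi, \$rsi, \$rdx, \$r10, \$r8, \$r9, \$rip
  x/4gx \$rsp
  continue
end
run
quit
EOF
}

# trace_binary TARGET [ARGS...]
#   Run TARGET under GDB with the generated command file. Returns 2 when the
#   target is not an executable file, otherwise GDB's exit status.
trace_binary() {
    target=$1
    shift
    if [ ! -x "$target" ]; then
        echo "trace_binary: not an executable file: $target" >&2
        return 2
    fi
    script=$(mktemp) || return 2
    build_gdb_script > "$script"
    # -q suppresses the banner; -batch exits when the command file is exhausted,
    # so an abnormal exit of the target still terminates the run.
    gdb -q -batch -x "$script" --args "$target" "$@"
    rc=$?
    rm -f "$script"
    return "$rc"
}
```

Usage from the analysis guest: `trace_binary ./sample arg1 2>&1 | tee sample.trace`, then grep the trace for the `connect`/`sendto` entry stops to recover the socket arguments, and for `ptrace` with rdi=0 (PTRACE_TRACEME) as the sign that the sample is checking for a debugger. When a sample forks, add `set follow-fork-mode child` or `set detach-on-fork off` to the command file; which one you want depends on whether the interesting work happens in the parent or the child.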
