Analysis of a piece of code by letting it run (fully or step-by-step) on a real system or in a virtualized environment, as opposed to static analysis.
Dynamic analysis code means letting it run, unconstrained or stepping through it, on a real system or in a virtualized environment. This is in contrast to the related static-analysis.
Tools commonly used in dynamic analysis include debuggers of all kinds. GDB or WinDbg would be pure debuggers allowing for this. IDA Pro is somewhat of a swiss army knife for the reverse code engineer when it comes to dynamic-analysis as it allows one to use various kinds of debugger back ends, but also Bochs to emulate through bits and pieces of code ad hoc (the virtualized environment mentioned above).
Debugging subject code using the VMware workstation plugin in Eclipse or Visual Studio would be another example of using dynamic-analysis inside a virtualized environment.
Advantages
- allows to analyze malware in-vitro, such as when analyzing a malware involving kernel mode code with
livekdand WinDbg. - allows runtime encryptors or packers to unpack and see the unpacked code.
- it allows to see actual values arriving at points of interest, something that cannot be achieved in static-analysis.
Disadvantages
- the subject code could escape, which is particularly bad when analyzing malware.
- anti-debugging tricks can make the code behave differently from how it would usually behave.
- the code may have certain requirements to run which cannot be fulfilled under a debugger, dooming this approach to failure from the very start.
