Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?

#1
A friend of mine downloaded some malware from Facebook, and I'm curious to see what it does without infecting myself. I know that you can't really decompile an .exe, but can I at least view it in Assembly or attach a debugger?

Edit to say it is not a .NET executable, no CLI header.
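
The CLI header check mentioned in the edit above can be done without running the file. The following is an added example, not part of the original posts: a static header read that reports the architecture, PE32 versus PE32+, and whether data directory 14 (the pointer to the CLI header) is populated. `inspect_pe` and `build_sample` are names chosen here, and the two sample images are constructed header-only byte strings, not real programs.

```python
import struct

CLR_DIR = 14  # data directory slot that points at the CLI (.NET) header
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
FORMATS = {0x10B: ("PE32", 96), 0x20B: ("PE32+", 112)}  # magic -> name, directory offset

def inspect_pe(data: bytes) -> dict:
    """Parse PE headers from raw bytes. Nothing is loaded or executed."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ signature")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
        opt = pe_off + 24  # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in FORMATS:
            raise ValueError(f"unknown optional header magic {magic:#x}")
        fmt, dirs = FORMATS[magic]
        (count,) = struct.unpack_from("<I", data, opt + dirs - 4)  # NumberOfRvaAndSizes
        rva = size = 0
        if count > CLR_DIR and dirs + 8 * (CLR_DIR + 1) <= opt_size:
            rva, size = struct.unpack_from("<II", data, opt + dirs + 8 * CLR_DIR)
    except struct.error as exc:  # truncated or malformed sample
        raise ValueError(f"truncated header: {exc}") from None
    return {"machine": MACHINES.get(machine, hex(machine)), "format": fmt,
            "dotnet": rva != 0 and size != 0}

def build_sample(magic: int, clr=(0, 0)) -> bytes:
    """Constructed header-only image for the demo; not a real program."""
    dirs = FORMATS[magic][1]
    opt = bytearray(dirs + 16 * 8)  # 16 data directories of 8 bytes each
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 8 * CLR_DIR, *clr)
    machine = 0x014C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(inspect_pe(build_sample(0x10B)))                  # native 32-bit
    print(inspect_pe(build_sample(0x20B, (0x2008, 0x48))))  # managed 64-bit
```
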

#2
You may get some information viewing it in assembly, but I think the easiest thing to do is fire up a virtual machine and see what it does. Make sure you have no open shares or anything like that that it can jump through though ;)

#3
Sure, have a look at IDA Pro. They offer an eval version so you can try it out.

#4
Any decent debugger can do this. Try OllyDbg. (edit: which has a great disassembler that even decodes the parameters to WinAPI calls!)

#5
If you are just trying to figure out what a malware does, it might be much easier to run it under something like the free tool Process Monitor, which will report whenever it tries to access the filesystem, registry, ports, etc.

Also, using a virtual machine like the free VMware Server is very helpful for this kind of work. You can make a "clean" image, and then just go back to that every time you run the malware.

#6
Good news. IDA Pro is actually free for its older versions now:
