Reverse Engineering, CS 166, Armen Boursalian, 30 Apr 2018 (slide deck)


  1. Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018

  2. Reverse Engineering
  ● Take a product, understand how it works
  ● Usually limited to certain aspects, not full systems
  ● Need to know a little bit about a lot of topics to gain understanding
  ● Need to know a lot about a lot of topics to make significant changes
  ● Often learning on the job

  3. Capture the Flag (CTF)
  ● Hacking competitions
  ● Challenges presented; covers many topics
  ● https://ctftime.org/
    ○ Register teams for leaderboard (not required)
    ○ Check calendar for upcoming CTFs
  ● http://overthewire.org/wargames/
    ○ Similar, but not live/timed events
  ● See Resources at the end for more

  4. Concepts
  ● Learn what type of object you are reverse engineering. Is it a(n)…
    ○ Windows EXE?
    ○ Office document?
    ○ Script?
    ○ Encoded/encrypted blob?
  ● Let the malware (or object/code/whatever is in front of you) do the work
  ● Google EVERYTHING
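A small triage script in the spirit of slide 4, added here as an example (it is not part of the original slides): it labels an unknown blob from well-known magic bytes for the object types the slide lists and, when no header matches, uses byte entropy to flag a likely encoded/encrypted blob. The sample inputs are constructed, and the labels and the 7.0 entropy threshold are the example's own choices.

```python
import math
import struct

# Well-known magic bytes for the object types named on the slide: (label, offset, bytes).
SIGNATURES = [
    ("Windows EXE (PE/MZ)", 0, b"MZ"),
    ("ELF binary", 0, b"\x7fELF"),
    ("Office document (legacy OLE2 .doc/.xls/.ppt)", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("Office document (OOXML zip container)", 0, b"PK\x03\x04"),
    ("Script (shebang)", 0, b"#!"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for repetitive data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def identify(data: bytes) -> str:
    """Return a coarse object-type label for an unknown blob (first triage step)."""
    for label, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] != magic:
            continue
        if magic == b"MZ" and len(data) >= 0x40:
            # A PE file stores the offset of its "PE\0\0" signature in e_lfanew at 0x3c.
            e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
            if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
                return "DOS MZ executable (no PE header)"
        return label
    # No recognised header: high entropy suggests packed, compressed or encrypted data.
    entropy = shannon_entropy(data)
    if entropy > 7.0:
        return "Encoded/encrypted or compressed blob (entropy %.2f)" % entropy
    return "Unknown (entropy %.2f)" % entropy

def constructed_pe() -> bytes:
    """Constructed minimal MZ+PE header for testing; not a runnable executable."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3c, 0x40)  # e_lfanew points just past the DOS header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20
```

Feeding `identify()` the constructed PE, a `#!/bin/sh` script and `bytes(range(256)) * 4` (every byte value equally often, so entropy 8.0) yields the PE, script and high-entropy labels respectively.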

  5. What we’ll be going over today...
  ● A mix of FLARE-On + LabyREnth challenges
  ● Real life malware
  ● Introduction to tools used to reverse engineer
  ● What to look for
  ● Live demos from here on…
  ● Please ask questions!

  6. Resources - Debuggers
  ● gdb
    ○ Linux, command line-based
  ● IDA Pro (not the freeware version)
  ● OllyDbg
    ○ Windows only
    ○ http://www.ollydbg.de/
    ○ Becoming outdated, but tried, tested, and trusted
  ● WinDbg
    ○ Windows, command line-based
  ● lldb
    ○ OSX, command line-based
  ● edb-debugger
    ○ Linux, mainly
    ○ OllyDbg clone
    ○ https://github.com/eteran/edb-debugger
  ● x64dbg
    ○ Windows, GUI
    ○ https://x64dbg.com/
  ● radare2
    ○ Multiplatform, command line-based (vim-like)
    ○ Significant learning curve, but very powerful!
    ○ https://github.com/radare/radare2/

  7. Resources - Disassemblers
  ● All of the tools listed in Debuggers are also disassemblers
  ● Capstone
    ○ For scripting; useful in Python
    ○ https://github.com/aquynh/capstone/
  ● objdump (Linux)
    ○ CLI tool for dumping code and other artifacts out of ELF (Linux executable format) binaries
  ● otool (objdump for OSX)
    ○ Also useful for parsing out the Mach-O executable file format for OSX binaries

  8. Resources - Dynamic Execution (Sandboxing)
  ● Process Hacker 2
    ○ Advanced Task Manager for Windows, allows manipulating running processes, injecting code, etc.
  ● procmon
    ○ Process monitor for Windows, allows viewing events generated by processes, e.g. files opened, processes executed, etc.
  ● FakeNet
    ○ Intercept and, optionally, manipulate network traffic
    ○ Extensible with plugins so that you can write a fake command and control server to communicate with malware

  9. Resources - Reading Material
  ● Practical Malware Analysis, by Michael Sikorski
    ○ Excellent malware analysis introduction with labs/questions and answers to guide you
    ○ Good for reverse engineering in general, not just malware
  ● Reverse Engineering, by Bruce Dang
  ● The Art of Memory Forensics, by Michael Hale Ligh
  ● Follow people/organizations on Twitter
    ○ @TheHackerNews
      ■ Random security news
    ○ @patrickwardle
      ■ Former NSA; active in exploit research and writes many free tools for OSX defense
    ○ @virustotal - online sandbox
    ○ @cyb3rops - Florian Roth (detections, malware/actor tracking)

  10. Resources - CTFs
  ● FLARE-On Challenge ( http://flare-on.com/ )
    ○ Past challenges can be downloaded in bulk; no need to solve in sequence
    ○ Search online for people’s writeups if you need help (Reddit, etc.)
    ○ Check back (or check Reddit/Twitter) in June/July for news on this year’s challenge
  ● LabyREnth Challenge ( https://labyrenth.com )
    ○ Past challenges may or may not be available; check it out
    ○ Check back (or check Reddit/Twitter) in June/July for news on this year’s challenge
  ● Check CTF Time for upcoming events
    ○ https://ctftime.org/
    ○ 2 CTFs this weekend!
  ● http://overthewire.org/wargames/
    ○ Similar, but not live/timed events

  11. Resources - Conferences
  ● DEFCON
    ○ Inexpensive
    ○ Presentations are often people’s pet projects
    ○ Various competitions and amusements
    ○ During late summers
  ● BlackHat
    ○ Expensive
    ○ Geared toward training sessions
    ○ During late summers
  ● RSA
    ○ Enterprise security products
    ○ Mid-spring (just passed 2 weeks ago)
  ● Check around Twitter/Reddit/community for other conferences
