Be able to:
- analyze standard malwares or userland applications;
- improve its debugging skills and more generally its static/dynamic analysis techniques;
- use tools like IDA to perform static analysis and script them.
Methodology is at the heart of the training to maximize the autonomy of attendees once the training is completed.
This training is dedicated to analysts who want to learn key concepts and methodologies and better understand or analyze faster, in a blackbox way, any code that can be found in the wild (malwares, applications, libraries, an exploit…). The training is focused on methodological aspects with all technical concepts that are needed to learn how to reverse a binary from a static and dynamic point of view. Practical exercises own an important place in this training.
People who want to start with binary analysis on Intel platforms (e.g. malware analysts or application pentesters at large) Target OS are Linux and Windows but knowledge can easily be applied on any platform running on Intel IA-32 architecture.
Reverse engineering is hard to learn when fully beginning from scratch, some knowledge is needed as prerequisites to let the training focus on analysis methodology.
Some key skills that are needed:
- Python for basic scripting;
- C language basic/intermediate knowledge (pointers handling, standard C library usage);
- Basic knowledge of x86 assembly (base instructions, stack, shellcode, hello world debugging…).
The whole training in divided into theoretical courses and practices (more than 50%), proportionally distributed inside each training day.
Exercises will be adapted according attendees group reverse engineering level which can vary from various reasons.
Some practical exercises:
- Various algorithm analysis, some crackmes resolving;
- Malware analysis;
- Bypass anti-debug / anti-analysis tricks;
- IDA scripting (e.g: automated string deciphering in a obfuscated binary);
- Tooling with frida and some debuggers.
- Focus on x86/x86-64 assembly language
- Assembly reminders (mnemonics, stacks and main concepts)
- Common structures recognition
- First steps with IDA and static analysis
- Binary file format (PE / ELF)
- How a program is loaded in memory?
- What’s inside process address space?
- Analysis methodologies (static and dynamic)
- Dynamic analysis with debuggers (OS specific)
- Analysis automation, “build your own tools” using frida and hooking techniques
- Scripting analysis with tools
- Protected binary analysis
- Bypassing anti-debugs, anti-vm and basic obfuscations
- More on tools scripting (IDA and debuggers)
Day 5The last day is dedicated to an optional module depending on the topic to focus on:
Option 1 (native malware analysis): - Deal with common tricks used in malwares - Malware code injection techniques - Dealing with malwares using cryptography - Focus on a malware analysis on Windows
Option 2 (.net reverse engineering): - Introduction to .net specific analysis tool and methodology - Ransomware analysis (written in .net) as practical work - First steps with protected .net binaries
Option 3 (Deobfuscation / protected binaries analysis): - Binaries/functions rebuilding - Understand and bypass common obfuscation techniques - First steps with virtual machines