Reverse Engineering

What is Reverse Engineering?

Reverse engineering is the process of taking something apart and figuring out how it works. In the context of cyber security, reverse engineering can be used to figure out how a piece of malware works, or to find vulnerabilities in a piece of software. Reverse engineering is an important tool for security researchers, as it allows them to better understand how systems work and identify potential weaknesses.

Free Video Course

If you’re looking to get into reverse engineering, this is the course for you! MCSI’s videos will give you the foundation you need to get started in this exciting and important field. You’ll learn about the tools and techniques used by reverse engineers, and how to apply them in real-world scenarios.

Chapter 1: Introduction

Welcome to the world of malware reverse engineering! If you’re here, you likely already have a strong interest in understanding how malicious programs work and how to analyze them. In this course, we will explore the fundamentals of malware reverse engineering, including techniques to identify, analyze, and respond to threats. We’ll learn common tools and strategies used by security professionals to detect and defeat the latest malicious code. Get ready to expand your knowledge and take your security skills to the next level!

• Introduction to Reverse Engineering

• Why do we reverse engineer software?

• What knowledge do I need to have to be a reverse engineer?

• How does malware work?

• What are the main categories of tools we use for SRE?

• What is Software Packing and Code Obfuscation?

• What is Systematic Approach to Malware Analysis (SAMA)?

• Setting up a lab for Malware Reverse Engineering

• Protocol for safely handling and sharing malware samples

• Common IOCs to retrieve from Malware Reverse Engineering

Chapter 2: File Analysis

File analysis is an important step in malware reverse engineering. It involves the examination of a malicious executable file to determine the purpose of the file and how it works. This analysis typically involves looking at the file’s structure, the code and data contained in the file, and any strings that may be present. The analysis may also include looking at the functionality of the file and any other files or processes that it may interact with.

• Understanding file formats and magic numbers

• Executable File Types in Windows and Linux

• Lab Setup for Analyzing Malicious Files and Executables

• How to create a good collection of malware samples

• How to investigate malicious Office documents

• How to investigate a malicious disk image file

• How to investigate a malicious batch script

• How to investigate a malicious DLL

• Use Resource Hacker to retrieve a malware’s resources

Chapter 3: Classification Analysis

Classification analysis is an essential technique used in Malware Reverse Engineering for categorizing malware samples based on their structural and content-related characteristics. This process involves examining the properties and features of the file without executing it or disassembling its code.

• Use the Linux ‘file’ utility to recover file types

• Use PEStudio to analyze malware

• Use file hashes to identify and classify malware samples

• Use YARA to identify and classify malware samples

Chapter 4: Dynamic Analysis

Dynamic analysis is a crucial technique used in Malware Reverse Engineering for examining the behavior of malware samples in a controlled environment. Unlike static analysis, which involves examining the properties of a file without executing it, dynamic analysis involves executing the sample in a sandboxed environment to observe its behavior and interactions with the system.

• Introduction to Dynamic Analysis

• Automated malware analysis with Cuckoo Sandbox

• Analyzing malware samples with ProcMon

• Use Sysmon to analyze a malware sample

Chapter 5: Static Analysis

In this section of the video course, you will learn about the various tools and techniques used for static analysis, such as disassemblers, decompilers, and hex editors. We will also discuss how to analyze different aspects of a file, including its file header, strings, and code segments. By the end of this section, you will have a strong understanding of how to perform static analysis on malware samples and identify potential threats to the system.

• Extracting and analyzing strings from a malware sample

• Decompiling .NET code using ILSpy

Chapter 6: Windows Internals

In this section, we delve into Windows Internals from the perspective of reverse engineering. Gain a deep understanding of the internal mechanisms and structures of the Windows operating system, focusing specifically on how they can be leveraged for reverse engineering purposes. Explore key concepts such as process and thread management, memory allocation, DLL injection, hooking, and more. By uncovering the inner workings of Windows, you’ll develop the knowledge and skills necessary to analyze and manipulate software at a low-level, opening up a whole new world of possibilities for reverse engineering and vulnerability research.

• Kernel mode vs. user mode

• Windows Processes

• Windows Threads

• Windows Services

• Access Control Lists

• Users and Groups

• Shared Memory

• Drivers

• Virtual Memory

• Jobs

• Objects and Handles

• Registry

• Elevation

• Access Tokens

• Remote Procedure Calls

• Windows APIs and System Calls

Chapter 7: Windows Programming

In this section of the course, we’ll delve into Low-Level Windows Programming, focusing on Win32 APIs. This will help you understand the basics of how Windows works and how to interact with it using these programming tools. It’s a foundational step if you’re interested in exploring the intricacies of Windows programming.

• What are Windows APIs?

• Categories of Windows APIs

• Writing a C program that interacts with Windows APIs

• Writing a Python program that interacts with Windows APIs

Articles

Reverse engineering techniques can be applied to any system, but are commonly used on software and hardware. There are a variety of reverse engineering techniques, each with its own strengths and weaknesses.

Analyzing Portable Executable (PE) Files

The Portable Executable Format is a file format used for executables, object code, and DLLs. This format is used for 32-bit and 64-bit versions of Windows. The format is also known as PE32 (for 32-bit) and PE32+ (for 64-bit). The format is designed for use in Windows, and can be used by other operating systems.

• Reverse Engineering Portable Executables (PE) - Part 1

• Reverse Engineering Portable Executables (PE) - Part 2

• Fuzzy Hashing, Import Hashing and Section Hashing

• Don’t be Fooled by Malware in Disguise - Identifying Obfuscated Malware

• Analyzing malicious code without reverse engineering the assembly

Dynamic Analysis Techniques

Dynamic analysis is the process of reverse engineering a software program by observing its behavior at runtime. This can be done by running the program in a debugger and observing its execution, or by instrumenting the program to log its behavior. Dynamic analysis can be used to understand how a program works, to find bugs, or to perform security analysis.

• Introduction to Behavior Analysis Techniques

• Fileless Malware: a New Type of Malware That Doesn’t Rely on Executable Files

• Identifying Malware Persistance

Static Analysis Techniques

Static analysis techniques are used in reverse engineering in order to understand the structure and function of a given system. By analyzing the code and data of a given system, reverse engineers can better understand how the system works and identify potential security vulnerabilities. Static analysis techniques can be used to reverse engineer any type of system, including software, hardware, and firmware.

• Reverse Engineer Malware Without the Risk of Infection

Malware Injection Techniques

Malware Injection Techniques are used by attackers to insert malicious code into a legitimate process or file. This allows them to gain control of the system and perform various tasks, such as stealing data, launching denial of service attacks, or creating a backdoor. There are several ways to inject malware, including buffer overflows, process injection, and DLL injection. Attackers often use these techniques to exploit vulnerabilities in software and gain access to systems.

• Malware Injection Techniques: Introduction

• Malware Injection Techniques: Process Hollowing

• Malware Injection Techniques: Thread Execution Hijacking and SetWindowsHookEx

• Malware Injection Techniques: APC injection

• Malware Injection Techniques: AtomBombing, EWMI, NtTestAlert

• Malware Injection Techniques: API hooking techniques

Tools

There are a number of different tools that can be used for reverse engineering. These tools can be used to decompile code, to extract information from binaries, and to analyze data. Reverse engineering tools can be used to understand how a system works, to find vulnerabilities, and to create new programs that work with the system.

• Tools to get you Started in Malware Analysis

• Introduction to Debuggers and Disassemblers

• The Working Environment of Popular Debuggers and Disassemblers

• Know Your Malware: Classification is Key to Understanding Purpose and Function

YARA

YARA is a powerful tool for reverse engineering malware. It can be used to identify and classify malware, and to find and extract specific features from malware samples. YARA can also be used to create signatures that can be used to detect and block malware.

• YARA: A powerful Malware Analysis Tool for Detecting IOC’s - Part 1

• YARA: A powerful Malware Analysis Tool for Detecting IOC’s - Part 2

Workflow

What is a workflow?

A workflow is a series of steps that are followed in order to complete an engagement. In penetration testing, a workflow is important in order to ensure that all steps are followed in order to complete the testing process. By following a workflow, penetration testers can ensure that they are thorough in their testing and that they do not miss any important steps.

The image below proposes a workflow you can use to learn malware analysis: