Reverse Engineering

What is Reverse Engineering?

Reverse engineering is the process of taking something apart and figuring out how it works. In the context of cyber security, reverse engineering can be used to figure out how a piece of malware works, or to find vulnerabilities in a piece of software. Reverse engineering is an important tool for security researchers, as it allows them to better understand how systems work and identify potential weaknesses.

Free Video Course

If you’re looking to get into reverse engineering, this is the course for you! MCSI’s videos will give you the foundation you need to get started in this exciting and important field. You’ll learn about the tools and techniques used by reverse engineers, and how to apply them in real-world scenarios.

Chapter 1: Introduction to Reverse Engineering

• Understanding file formats and magic numbers

• Executable File Types in Windows and Linux

• Lab Setup for Analyzing Malicious Files and Executables

• What is Software Packing and Code Obfuscation?

Chapter 2: File Analysis

• How to create a good collection of malware samples

• How to investigate malicious Office documents

• How to investigate a malicious disk image file

• How to investigate a malicious batch script

• How to investigate a malicious DLL

Articles

Reverse engineering techniques can be applied to any system, but are commonly used on software and hardware. There are a variety of reverse engineering techniques, each with its own strengths and weaknesses.

Analyzing Portable Executable (PE) Files

The Portable Executable Format is a file format used for executables, object code, and DLLs. This format is used for 32-bit and 64-bit versions of Windows. The format is also known as PE32 (for 32-bit) and PE32+ (for 64-bit). The format is designed for use in Windows, and can be used by other operating systems.

• Reverse Engineering Portable Executables (PE) - Part 1

• Reverse Engineering Portable Executables (PE) - Part 2

• Fuzzy Hashing, Import Hashing and Section Hashing

• Don’t be Fooled by Malware in Disguise - Identifying Obfuscated Malware

• Analyzing malicious code without reverse engineering the assembly

Dynamic Analysis Techniques

Dynamic analysis is the process of reverse engineering a software program by observing its behavior at runtime. This can be done by running the program in a debugger and observing its execution, or by instrumenting the program to log its behavior. Dynamic analysis can be used to understand how a program works, to find bugs, or to perform security analysis.

• Introduction to Behavior Analysis Techniques

• Fileless Malware: a New Type of Malware That Doesn’t Rely on Executable Files

• Identifying Malware Persistance

Static Analysis Techniques

Static analysis techniques are used in reverse engineering in order to understand the structure and function of a given system. By analyzing the code and data of a given system, reverse engineers can better understand how the system works and identify potential security vulnerabilities. Static analysis techniques can be used to reverse engineer any type of system, including software, hardware, and firmware.

• Reverse Engineer Malware Without the Risk of Infection

Malware Injection Techniques

Malware Injection Techniques are used by attackers to insert malicious code into a legitimate process or file. This allows them to gain control of the system and perform various tasks, such as stealing data, launching denial of service attacks, or creating a backdoor. There are several ways to inject malware, including buffer overflows, process injection, and DLL injection. Attackers often use these techniques to exploit vulnerabilities in software and gain access to systems.

• Malware Injection Techniques: Introduction

• Malware Injection Techniques: Process Hollowing

• Malware Injection Techniques: Thread Execution Hijacking and SetWindowsHookEx

• Malware Injection Techniques: APC injection

• Malware Injection Techniques: AtomBombing, EWMI, NtTestAlert

• Malware Injection Techniques: API hooking techniques

Tools

There are a number of different tools that can be used for reverse engineering. These tools can be used to decompile code, to extract information from binaries, and to analyze data. Reverse engineering tools can be used to understand how a system works, to find vulnerabilities, and to create new programs that work with the system.

• Tools to get you Started in Malware Analysis

• Introduction to Debuggers and Disassemblers

• The Working Environment of Popular Debuggers and Disassemblers

• Know Your Malware: Classification is Key to Understanding Purpose and Function

YARA

YARA is a powerful tool for reverse engineering malware. It can be used to identify and classify malware, and to find and extract specific features from malware samples. YARA can also be used to create signatures that can be used to detect and block malware.

• YARA: A powerful Malware Analysis Tool for Detecting IOC’s - Part 1

• YARA: A powerful Malware Analysis Tool for Detecting IOC’s - Part 2

Workflow

What is a workflow?

A workflow is a series of steps that are followed in order to complete an engagement. In penetration testing, a workflow is important in order to ensure that all steps are followed in order to complete the testing process. By following a workflow, penetration testers can ensure that they are thorough in their testing and that they do not miss any important steps.

The image below proposes a workflow you can use to learn malware analysis: