SlideShare ist ein Scribd-Unternehmen logo

Reversing & Malware Analysis Training Part 5 - Reverse Engineering Tools Basics

Als PPTX, PDF herunterladen
securityxploded
securityxploded

This presentation is part of our Reverse Engineering & Malware Analysis Training program. For more details refer our Security Training page http://securityxploded.com/security-training.php

Technologie
1 von 19
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the Trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I Swapnil Pathak  Member SecurityXploded  Security Researcher  RE, Malware Analysis, Network Security  Email: swapnilpathak101@gmail.com www.SecurityXploded.com
Presentation Outline  PE Tools  PE Editor  Disassemblers  IDA Pro  Debuggers  OllyDbg  Other Useful Tools www.SecurityXploded.com
PE Tools  Portable Executable Editor  Allow user to view, edit data structures present in PE file format  Some Common Use Cases:  Change entry point of the executable  View Import/Export/Sections within EXE  Change characteristics of a file i.e. Dll to Exe  Fix anomalies of PE files  PE editors  Hiew, PE Editor, CFF Explorer, StudPE, LordPE etc www.SecurityXploded.com
PE Editor www.SecurityXploded.com
IDA Pro  Popular commercial software used for Reverse Engineering.  Disassembler and Debugger in one tool  Supports variety of executable formats for different processors and OS  Provides both Text & Graphical view of the code flow.  View strings, Imports, Exports referenced in the executable  Support Plugins  Some of the useful plugins  X86 emulator  IDAPython  IDARub  IDA Scripts  Windbg www.SecurityXploded.com
IDA Pro Functions  IDA Windows & purpose – IDA View, Hex View, Imports, Strings, Functions windows etc.  Graphs & Text view (use “space” to switch between views)  Xref To & Xref From – powerful feature  Jump & Search  Edit function names (N), Add comments (;) www.SecurityXploded.com
IDA Pro in Action www.SecurityXploded.com
Ollydbg  Most Popular Ring 3 Debugger used in Reversing  Provides the below mentioned functionalities  Debugging program step by step (Single Stepping)  Software, Hardware and Memory based Breakpoints  Examine the current state of the program wrt variables, memory etc.  Change the flow or state of Program by directly editing Instructions, Registers or Memory.  Support Plugins, Here are popular ones,  OllyDump  OllyAdvanced  OllyScript www.SecurityXploded.com
Ollydbg Cont.  Different Windows – CPU, Registers, Dump, Stack screens  Trace Into, Trace Over, Exceptions  Integrate windows API help file in ollydbg  Shortcuts (imp. Only)  F7 – Step into [call]  F8 – Single step [execute call]  F9 – Run  F2 – Breakpoint www.SecurityXploded.com
Ollydbg in Action www.SecurityXploded.com
UPX Unpacking Ollyscript Here is example for Unpacking UPX based Malwares using OllyScript in OllyDbg var hwdBP // Local variable to store hardware breakpoint var softBP // Local variable to strore software breakpoint sti // Step into F7 command findop eip, #61# // find next POPAD mov hwdBP, $RESULT // Store $RESULT to hardware breakpoint local variable bphws hwdBP, "x“ // Set hardware breakpoint (execute) on the next POPAD run // Run F9 command findop eip, #E9????????# // Find the next JMP mov softBP, $RESULT // Store $RESULT to software breakpoint local variable bp softBP run // Run to JMP instruction sti // Step into the OEP cmt eip, "<<>>" msg "OEP found, you can dump the file starting from this address" ret Source : http://x9090.blogspot.in/2009/07/ollyscript-tutorial-unpack-upx.html www.SecurityXploded.com
Useful Tools  Packer Identifier Tools  RDG packer detector  PEID  ExeScan www.SecurityXploded.com
PEiD – PE Packer Identifier Tool www.SecurityXploded.com
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! www.SecurityXploded.com

Empfohlen

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 

Empfohlen

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
securityxploded
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
securityxploded
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
securityxploded
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
securityxploded
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
securityxploded
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
securityxploded
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
securityxploded
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
securityxploded
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
securityxploded
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
securityxploded
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
securityxploded
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
securityxploded
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
securityxploded
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
securityxploded
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
securityxploded
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
securityxploded
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
securityxploded
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
securityxploded
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Antenna Manufacturer Coco
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
 

Weitere ähnliche Inhalte

Mehr von securityxploded

Mehr von securityxploded (20)

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Kürzlich hochgeladen (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Reversing & Malware Analysis Training Part 5 - Reverse Engineering Tools Basics

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the Trainers who have devoted their precious time and countless hours to make it happen. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I Swapnil Pathak  Member SecurityXploded  Security Researcher  RE, Malware Analysis, Network Security  Email: swapnilpathak101@gmail.com www.SecurityXploded.com
  • 6. Presentation Outline  PE Tools  PE Editor  Disassemblers  IDA Pro  Debuggers  OllyDbg  Other Useful Tools www.SecurityXploded.com
  • 7. PE Tools  Portable Executable Editor  Allow user to view, edit data structures present in PE file format  Some Common Use Cases:  Change entry point of the executable  View Import/Export/Sections within EXE  Change characteristics of a file i.e. Dll to Exe  Fix anomalies of PE files  PE editors  Hiew, PE Editor, CFF Explorer, StudPE, LordPE etc www.SecurityXploded.com
  • 8. PE Editor www.SecurityXploded.com
  • 9. IDA Pro  Popular commercial software used for Reverse Engineering.  Disassembler and Debugger in one tool  Supports variety of executable formats for different processors and OS  Provides both Text & Graphical view of the code flow.  View strings, Imports, Exports referenced in the executable  Support Plugins  Some of the useful plugins  X86 emulator  IDAPython  IDARub  IDA Scripts  Windbg www.SecurityXploded.com
  • 10. IDA Pro Functions  IDA Windows & purpose – IDA View, Hex View, Imports, Strings, Functions windows etc.  Graphs & Text view (use “space” to switch between views)  Xref To & Xref From – powerful feature  Jump & Search  Edit function names (N), Add comments (;) www.SecurityXploded.com
  • 11. IDA Pro in Action www.SecurityXploded.com
  • 12. Ollydbg  Most Popular Ring 3 Debugger used in Reversing  Provides the below mentioned functionalities  Debugging program step by step (Single Stepping)  Software, Hardware and Memory based Breakpoints  Examine the current state of the program wrt variables, memory etc.  Change the flow or state of Program by directly editing Instructions, Registers or Memory.  Support Plugins, Here are popular ones,  OllyDump  OllyAdvanced  OllyScript www.SecurityXploded.com
  • 13. Ollydbg Cont.  Different Windows – CPU, Registers, Dump, Stack screens  Trace Into, Trace Over, Exceptions  Integrate windows API help file in ollydbg  Shortcuts (imp. Only)  F7 – Step into [call]  F8 – Single step [execute call]  F9 – Run  F2 – Breakpoint www.SecurityXploded.com
  • 14. Ollydbg in Action www.SecurityXploded.com
  • 15. UPX Unpacking Ollyscript Here is example for Unpacking UPX based Malwares using OllyScript in OllyDbg var hwdBP // Local variable to store hardware breakpoint var softBP // Local variable to strore software breakpoint sti // Step into F7 command findop eip, #61# // find next POPAD mov hwdBP, $RESULT // Store $RESULT to hardware breakpoint local variable bphws hwdBP, "x“ // Set hardware breakpoint (execute) on the next POPAD run // Run F9 command findop eip, #E9????????# // Find the next JMP mov softBP, $RESULT // Store $RESULT to software breakpoint local variable bp softBP run // Run to JMP instruction sti // Step into the OEP cmt eip, "<<>>" msg "OEP found, you can dump the file starting from this address" ret Source : http://x9090.blogspot.in/2009/07/ollyscript-tutorial-unpack-upx.html www.SecurityXploded.com
  • 16. Useful Tools  Packer Identifier Tools  RDG packer detector  PEID  ExeScan www.SecurityXploded.com
  • 17. PEiD – PE Packer Identifier Tool www.SecurityXploded.com
  • 18. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com