Intro to Reverse Engineering
Abhijit Mohanta
Abhijit Mohanta
► Co-Founder and CTO, Intelliroot
► Author of the books “Malware Analysis and Detection Engineering” (Apress/Springer) and “Preventing Ransomware” (Packt)
► Security researcher at McAfee, Uptycs, Symantec and Juniper
► 15+ years in malware research and in the development of malware detection technologies: antivirus, sandboxes and EDR
► 6 patents on malware detection
► Has spoken at SANS and the Data Security Council of India, and has delivered training at NASSCOM and training organized by DRDO
Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware (foreword by Pedram Amini)
What is Reverse Engineering
• Deriving pseudo code (not the same code) from compiled software
• Note: the original source code is never recovered exactly
• Applied to closed-source programs
Applications:
• Malware analysis
  - Find out how the malware has been programmed: crypto algorithms, etc.
  - Useful while developing and improving antivirus and EDR products
• Vulnerability analysis
  - Pinpoint bugs in software
Let’s understand Forward Engineering
TCC compilation (demo)
• http://download.savannah.gnu.org/releases/tinycc/
• Compile the program on Windows; a .exe is created
Compiled Code
(Illustration on the slide: a stream of machine-code bits, 010101111 111111111 …)
• The compiler generates machine code
• On Windows the machine code is encapsulated in an executable (PE file format), which starts with a PE header
• To understand how a PE file stores the machine code and how it gets executed, learn the PE file format and Windows internals
• To learn what the machine code does, learn assembly (ASM) and computer architecture
(Diagram on the slide: executable → disassembler (disasm) → assembly listing)
Little deeper: PE file format
(Diagram of the PE layout on the slide, top to bottom:)
• MZ (DOS header)
• PE header
• .text section header
• .data section header
• .text section
• .data section
• Entry point
• More stuff: import table, export table, …
Why do we reverse engineer?
• Malware authors write code and compile it
• Obviously they do not share the source code
• They ship the compiled code, which is what we reverse engineer
• Reverse engineering is required to know the internal workings of malware:
  - Algorithms used
  - Evasive techniques used
• Reverse engineering helps improve detection technologies, write signatures, etc.
Before starting RE…
• Profile the sample properly
  - PE / non-PE
  - Platform: OS / architecture
• Thorough dynamic analysis
  - Memory strings
  - Possible API calls, using Rohitab API Monitor
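The PE layout sketched above and the first profiling step (PE / non-PE, then OS and architecture) can be done by hand in a hex editor, but it helps to see which header fields are actually read. The Python below is an added example for this page, not code from the slides: it constructs a header-only PE image in memory (a constructed sample, so it runs offline without a real binary) and then walks it the way the diagram describes: MZ header, e_lfanew, the "PE\0\0" signature, the COFF header (Machine, Characteristics), the optional header (Magic, AddressOfEntryPoint, Subsystem) and the section table. Offsets and constants are from the PE/COFF specification; the function names build_sample_pe and profile are this example's own.

```python
import struct

# COFF Machine values and flags from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000           # Characteristics bit: image is a DLL
IMAGE_SUBSYSTEM_NATIVE = 1        # Subsystem used by kernel drivers (.sys)
COFF_FMT, SECTION_FMT = "<HHIIIHH", "<8sIIIIIIHHI"   # 20-byte and 40-byte headers


def build_sample_pe(machine=0x014C, characteristics=0x0102, subsystem=2,
                    entry_rva=0x1000, section_names=(b".text", b".data")):
    """Constructed sample: a header-only PE image (not a runnable program).
    Layout follows the slide: MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header
    -> optional header -> section headers."""
    e_lfanew = 0x40                                   # PE signature right after the DOS header
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if machine in (0x8664, 0xAA64) else 0x10B   # PE32+ vs PE32
    opt_size = 240 if magic == 0x20B else 224
    coff = struct.pack(COFF_FMT, machine, len(section_names), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, subsystem)        # Subsystem (same offset in PE32 and PE32+)
    sections = b""
    for i, name in enumerate(section_names):
        flags = 0x60000020 if name == b".text" else 0xC0000040   # code+exec+read / data+read+write
        sections += struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), 0x1000, 0x1000 * (i + 1),
                                0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + sections


def profile(data):
    """Triage a file image: non-PE, or PE with machine, module type, section names and
    the section holding the entry point. Every header-derived offset is bounds-checked
    so a malformed sample cannot crash the triage tool."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"format": "non-PE"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"format": "non-PE"}
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    sec_off = opt_off + opt_size
    if opt_size < 70 or sec_off + 40 * nsections > len(data):
        return {"format": "malformed-PE"}
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize,
                         "executable": bool(flags & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE
    if chars & IMAGE_FILE_DLL:
        module = "DLL"
    elif subsystem == IMAGE_SUBSYSTEM_NATIVE:
        module = "SYS"
    else:
        module = "EXE"
    # An entry point outside every section, or inside a non-executable one, is a
    # common triage anomaly worth flagging before any deeper analysis.
    holder = next((s for s in sections
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown-magic-{magic:#x}"),
        "machine": MACHINE_NAMES.get(machine, f"unknown-{machine:#06x}"),
        "module": module,
        "entry_point": entry,
        "entry_section": holder["name"] if holder else None,
        "entry_in_code": bool(holder and holder["executable"]),
        "sections": [s["name"] for s in sections],
    }


if __name__ == "__main__":
    for label, blob in (("sample exe", build_sample_pe()),
                        ("sample x64 dll", build_sample_pe(machine=0x8664, characteristics=0x2022)),
                        ("not a PE", b"\x7fELF" + b"\x00" * 60)):
        print(label, profile(blob))
```

The Machine field is what answers the x86/x64/ARM question raised in the FAQ slide later on, and the IMAGE_FILE_DLL bit together with the native subsystem value separates EXE, DLL and SYS modules; point profile() at the bytes of a real file (`profile(open(path, "rb").read())`) to get the same dictionary for a sample under triage.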
Programming languages and approach
(Diagram on the slide, reconstructed:)
• C, C++ → compiler → machine code
• Java, VB → compiler → bytecode → bytecode interpreter → machine code
• Javascript, VBA → interpreter → machine code
Languages and Tooling
• Compiler based
  - C, C++ are compiled to an executable (PE, ELF)
  - The generated executable is executed directly by the processor
  - x86 / x64 debuggers and disassemblers work on it
• Intermediate language based
  - Java, .NET and VB P-code compile to an intermediate representation
  - The intermediate code is decompiled and debugged with language-specific tools, e.g. dnSpy for .NET
  - The intermediate code is executed by an interpreter that translates it to machine code
• Scripting languages: completely interpreter based
  - No compiled executable or intermediate code is generated
  - Javascript runs in the browser's Javascript engine
  - PowerShell runs in the PowerShell host
  - VBA macros run inside MS Office; debug them with the VBA debugger
  - The attacker sends the source code itself to the victim
Code Protection for anti-Reversing
• Executable / intermediate language
  - Packers and protectors are used
  - The attacker sends an EXE (native, .NET or VB) or a .jar (Java) to the victim
• Intermediate language
  - Decompilers can almost derive the source code, so obfuscators are used
• Scripting language
  - The source code itself does the final work
  - No intermediate code or compiled executable is generated
  - The source code is obfuscated to make it unreadable
Importance of the following
• Why PE: needed to understand program layout and execution; malware uses PE-infection techniques
• Why Windows internals
• Why assembly: to understand the code and to unpack
• Does a decompiler like Ghidra solve all problems? No, malware is obfuscated. It definitely makes our life easier, though
Diversity
Diversity of Compiled Code
(Diagram on the slide, reconstructed:)
• Architecture / ASM: x86, x64, ARM
• Operating system: Windows, Linux
• Programming language: C/C++
• Example: the same C/C++ source can be built into an x86 PE, an x64 PE or an ARM PE executable
FAQ’s
• PE can execute on Windows, ELF can execute on Linux
• Cross compilation: code can be compiled on Linux to run on Windows, provided the exe follows the PE file format. Similarly, you can create a Linux executable on Windows
• For an executable to execute, the following should all be appropriate:
  - File format (PE, ELF)
  - Operating system (Windows, Linux)
  - Architecture (x86, ARM)
• A PE file containing x86 code cannot execute on an ARM processor even though
Types of Windows Executable - Language
• Native executables
  - Machine code generated from compilation is executed directly by the processor
  - Languages: C/C++, Delphi, VB Native, Go
  - Tools used: IDA, OllyDbg, Ghidra
• Interpreter based executables
  - Intermediate code or bytecode is generated from compilation; the bytecode is executed by an interpreter
  - Languages: .NET, VB.NET, VB P-Code, Java
  - Tools used: a language-specific decompiler, e.g. dnSpy for .NET
Types of Windows Executable - Module
• EXE: runs independently; debug using a user-mode debugger (IDA, OllyDbg, x64dbg)
• DLL: library module; debug using a user-mode debugger (OllyDbg has loaddll)
• SYS: kernel module; use a kernel debugger (IDA Pro, WinDbg)
• SCR: screensaver
• OCX: ActiveX control
• CPL: control panel extension
Challenges in RE
• Diversity (already covered)
• Encryption
• Obfuscation
• Anti-analysis techniques in malware
Obfuscation example
• Plain code: A + B
• After obfuscation: A + E – X – E + X + B
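The obfuscated form on the slide computes exactly the same value as A + B: the inserted E and X terms cancel in pairs. An analyst (or an optimising decompiler pass) recovers the plain form by algebraic simplification and then checks that nothing was lost by evaluating both forms on random inputs. The Python below is an added example, not code from the slides; parse_terms, simplify, evaluate and equivalent are names chosen here, and it generalises the slide's case to any chain of +/- terms, including repeated symbols and integer literals.

```python
import random
import re
from collections import Counter

# One signed term: optional +/- followed by an identifier or an integer literal.
TERM_RE = re.compile(r"\s*([+-]?)\s*([A-Za-z_]\w*|\d+)")


def parse_terms(expr):
    """Split 'A + E - X - E + X + B' into signed terms [(+1,'A'), (+1,'E'), (-1,'X'), ...].
    The slide writes minus as an en dash, so normalise that first."""
    expr = expr.replace("\u2013", "-").strip()
    terms, pos = [], 0
    while pos < len(expr):
        m = TERM_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        terms.append((-1 if m.group(1) == "-" else 1, m.group(2)))
        pos = m.end()
    return terms


def simplify(expr):
    """Algebraic cleanup pass: sum the coefficient of every symbol and drop the ones that
    net to zero (+E and -E cancel, as do -X and +X). Symbols keep their first-seen order
    so the output reads like the original expression."""
    coef = Counter()
    order = []
    for sign, name in parse_terms(expr):
        if name not in coef:
            order.append(name)
        coef[name] += sign
    parts = []
    for name in order:
        c = coef[name]
        if c == 0:
            continue                      # junk term cancelled out completely
        body = name if abs(c) == 1 else f"{abs(c)}*{name}"
        if not parts:
            parts.append(body if c > 0 else "-" + body)
        else:
            parts.append(("+ " if c > 0 else "- ") + body)
    return " ".join(parts) if parts else "0"


def evaluate(expr, env):
    """Evaluate a +/- chain with integer values for each symbol taken from env."""
    return sum(sign * (int(name) if name.isdigit() else env[name])
               for sign, name in parse_terms(expr))


def equivalent(expr_a, expr_b, trials=200, seed=7):
    """Differential check that the simplified form still computes what the obfuscated one
    did: evaluate both on random inputs and compare. One mismatch proves the cleanup changed
    semantics; agreement on many inputs is strong (not absolute) evidence it did not."""
    rng = random.Random(seed)
    names = {n for _, n in parse_terms(expr_a) + parse_terms(expr_b) if not n.isdigit()}
    for _ in range(trials):
        env = {n: rng.randint(-10**6, 10**6) for n in names}
        if evaluate(expr_a, env) != evaluate(expr_b, env):
            return False
    return True


if __name__ == "__main__":
    obfuscated = "A + E \u2013 X \u2013 E + X + B"   # the slide's obfuscated form
    cleaned = simplify(obfuscated)
    print(cleaned, "| equivalent:", equivalent(obfuscated, cleaned))
```

The cancellation is only valid because integer addition is associative and commutative; real obfuscators mix in operations where that no longer holds (bitwise mixed with arithmetic, modular wraparound), which is why the differential check is kept separate from the simplifier rather than trusting the rewrite on its own.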
