2. Abhijit Mohanta
► Co-Founder and CTO, Intelliroot
► Author of the books
“Malware Analysis and Detection Engineering” (Apress/Springer)
and “Preventing Ransomware” (PacktPub)
► Security Researcher at McAfee, Uptycs, Symantec and Juniper
► 15+ years in malware research and development of malware
detection technologies: antivirus, sandboxes and EDR
► 6 patents on malware detection
► Has spoken at SANS and the Data Security Council of India, and
provided training at NASSCOM and at training organized by DRDO
3. Malware Analysis and Detection Engineering
A Comprehensive Approach to Detect and Analyze Modern Malware
Foreword by Pedram Amini
4. What is Reverse Engineering
Deriving pseudo code (not the original code) from compiled software
Note: the original source code is never recovered exactly
Applied to closed-source programs
Applications:
Malware Analysis
Find out how the malware has been programmed – crypto algorithms, etc.
Useful while developing and improving antivirus and EDR products
Vulnerability analysis
Pinpoint bugs in software
7. Compiled Code
[Figure: source → compiler → machine code (bit pattern) → executable with PE header → disassembler]
The compiler generates machine code
On Windows the machine code is encapsulated in an executable (PE file format), which starts with the PE header
To understand how a PE file stores the machine code and how it gets executed, learn the PE file format and Windows internals
To learn what the machine code does, learn assembly (ASM) and computer architecture
8. A little deeper
PE file format (layout, from the start of the file):
MZ (DOS header)
PE header
.text section header
.data section header
.text section (code)
.data section (data)
Entry point (RVA inside .text where execution starts)
More stuff -> import, export…
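A worked example of walking exactly these headers, added by the editor (it is not code from the slides or from the book): it constructs a tiny PE32 image in memory (hand-made, structurally valid, not a runnable program) and parses MZ → e_lfanew → PE signature → COFF header → optional header → data directories → section table, maps the entry-point RVA to a file offset through the section table, and reads the three fields that later slides rely on to tell EXE from DLL from SYS and native from .NET (Characteristics, Subsystem, CLR data directory). The constants are the standard PE values; the function names are this example's own.

```python
import struct

# Standard PE constants (IMAGE_FILE_MACHINE_*, IMAGE_FILE_DLL, subsystem, directory indices)
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000                    # Characteristics bit: image is a DLL
IMAGE_SUBSYSTEM_NATIVE = 1                 # no Win32 subsystem: kernel drivers (.sys) use this
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR header: non-zero RVA means a .NET image


def build_sample_pe32(dll=False, dotnet=False):
    """Constructed sample: a minimal x86 PE32 with .text and .data. Not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)   # e_lfanew lives at offset 0x3C
    dos += b"\0" * (0x80 - len(dos))                      # DOS stub padding up to the PE header
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, chars)
    # Optional header, standard fields: Magic=PE32, linker ver, sizes, AddressOfEntryPoint=0x1000
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000)
    # Windows-specific fields: ImageBase, alignments, versions, SizeOfImage, SizeOfHeaders,
    # CheckSum, Subsystem=3 (console), DllCharacteristics, stack/heap, LoaderFlags, 16 dirs
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x3000, 0x200, 0, 3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x2000, 0x28)           # import table sits in .data
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2100, 0x48)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    hdr = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    text = b"\x55\x8B\xEC\x5D\xC3".ljust(0x200, b"\xCC")      # push ebp; mov ebp,esp; pop ebp; ret
    return hdr + text + b"\0" * 0x200


def parse_pe(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    plus = magic == 0x20B                                   # PE32+ (64-bit) field layout
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint (an RVA)
    image_base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if plus else 92))[0]
    dir_base = opt + (112 if plus else 96)
    dirs = [struct.unpack_from("<II", data, dir_base + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):                                   # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize})

    def directory(idx):
        return dirs[idx] if idx < len(dirs) else (0, 0)

    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        module = "SYS"      # native subsystem: typical of kernel drivers (also native user apps)
    elif chars & IMAGE_FILE_DLL:
        module = "DLL"
    else:
        module = "EXE"
    return {
        "arch": MACHINES.get(machine, "unknown(0x%04x)" % machine),
        "pe32plus": plus, "image_base": image_base, "entry_point": entry, "module": module,
        "runtime": ".NET" if directory(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0] else "native",
        "import_dir": directory(IMAGE_DIRECTORY_ENTRY_IMPORT),
        "sections": sections,
    }


def rva_to_offset(sections, rva):
    """Map an RVA (entry point, import table, ...) to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def entry_bytes(data, n=5):
    """First n bytes of machine code at the entry point: what a disassembler starts on."""
    info = parse_pe(data)
    return data[rva_to_offset(info["sections"], info["entry_point"]):][:n]


if __name__ == "__main__":
    sample = build_sample_pe32()
    print(parse_pe(sample))
    print("entry point bytes:", entry_bytes(sample).hex())
```

Pointing `parse_pe` at a real file (`parse_pe(open(path, "rb").read())`) gives the same dictionary; the RVA-to-offset step is the one analysts most often get wrong, since an RVA is only meaningful after the loader maps each section at its VirtualAddress.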
9. Why do we reverse engineer?
Malware authors write code and compile it
Obviously they do not share the source code
They distribute the compiled code, which we reverse engineer
Reverse engineering is required to learn the internal workings of malware:
Algorithms used
Evasive techniques used
Reverse engineering can help to improve detection technologies,
write signatures, etc.
10. Before starting RE…
Profile the sample properly
PE / Non-PE
Platform – OS / architecture
Thorough dynamic analysis
Dynamic:
Memory strings
Possible API calls, using Rohitab API Monitor
11. Programming languages and approach
[Diagram]
C, C++ → compiler → machine code
Java, VB → compiler → bytecode → interpreter (runtime) → machine code
JavaScript, VBA → interpreter
12. Languages and Tooling
Compiler based
C, C++ compiled to a native executable (PE, ELF)
The generated executable is executed directly by the processor
x86 / x64 debuggers and disassemblers work on it
Intermediate language based
Java, .NET, VB P-code compile to intermediate code
Intermediate code can be decompiled and debugged – dnSpy for .NET
Intermediate code is executed by an interpreter/runtime that translates it to machine code
Scripting languages – completely interpreter based
No compiled executable or intermediate code is generated
JavaScript: run by the JavaScript engine in the browser
PowerShell: run by the PowerShell host
VBA macros: run inside MS Office; debug with the VBA debugger
The attacker sends the source code itself to the victim
13. Code Protection for anti-Reversing
Executable / intermediate language
Packers and protectors are used
Native executable: attacker sends an EXE to the victim
Intermediate language: attacker sends an EXE (.NET or VB) or a .jar (Java) to the victim
Decompilers can almost recover the source code, so obfuscators are used
Scripting language
The source code itself does the final work.
No intermediate code or compiled executable is generated
The source code is obfuscated to make it unreadable
14. Importance of the following
Why PE?
Needed to understand program layout and execution. Malware uses techniques such as PE
infection
Why Windows internals?
Why assembly?
To understand the code, to unpack
Does a decompiler like Ghidra solve all problems?
No – malware is obfuscated
It definitely makes our life easier, though
16. Diversity of Compiled Code
[Diagram: Programming language (C/C++) × Operating system (Windows, Linux) × Architecture/ASM (x86, x64, ARM)]
The same C/C++ source built for Windows yields a different executable per architecture: x86 PE, x64 PE or ARM PE
17. FAQ’s
PE can execute on Windows, ELF can execute on Linux
Cross compilation
Code can be compiled on Linux to run on Windows, provided the executable follows the PE file
format
Similarly you can create a Linux executable on Windows
For an executable to execute, the following must match the host:
File format (PE, ELF),
Operating system (Windows, Linux),
Architecture (x86, ARM)
A PE file containing x86 code cannot execute on an ARM processor even
though
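An editor-added triage check for this FAQ and for the "profile the sample" step on slide 10 (not code from the slides): it reads only the magic bytes, bitness and machine field of PE and ELF headers to answer format, OS, architecture and bitness, then checks that answer against a host. The sample headers are constructed inline; `profile`, `can_run` and the stub builders are names chosen for this example. The compatibility rule is deliberately simple: 32-bit x86 on a 64-bit host of the same OS is the one cross-architecture case it allows, and it ignores emulation layers such as the x86 emulation in Windows on ARM or WSL on Windows.

```python
import struct

# Machine identifiers from the PE spec (IMAGE_FILE_MACHINE_*) and the ELF spec (EM_*)
PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {3: "x86", 62: "x64", 40: "ARM", 183: "ARM64"}


def profile(data):
    """Classify a blob by its own header as (format, os, arch, bits).
    Only the bytes a loader checks first are read; bits is 0 where it does not apply."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]   # COFF header: Machine
            magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]    # optional header: Magic
            bits = 64 if magic == 0x20B else 32                          # PE32+ vs PE32
            return ("PE", "Windows", PE_MACHINES.get(machine, "unknown"), bits)
        return ("MZ without PE header", "unknown", "unknown", 0)        # DOS-era MZ/NE/LE image
    if data[:4] == b"\x7fELF":
        bits = 64 if data[4] == 2 else 32                                # EI_CLASS
        endian = "<" if data[5] == 1 else ">"                            # EI_DATA picks byte order
        machine = struct.unpack_from(endian + "H", data, 0x12)[0]        # e_machine
        # ELF does not pin the OS (also *BSD etc.); the slides' Windows/Linux split is used here
        return ("ELF", "Linux", ELF_MACHINES.get(machine, "unknown"), bits)
    if data[:2] == b"#!" or (data and all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])):
        return ("script/source", "interpreter", "any", 0)                # attacker ships source
    return ("unknown", "unknown", "unknown", 0)


def can_run(prof, host_os, host_arch):
    """Will this sample run natively on the given host? (simplified rule, see lead-in)"""
    fmt, os_, arch, _ = prof
    if fmt == "script/source":
        return True                 # runs wherever the interpreter exists; not checked here
    if os_ != host_os:
        return False                # PE needs the Windows loader, ELF an ELF loader
    if arch == host_arch:
        return True
    return (arch, host_arch) == ("x86", "x64")   # 32-bit process on 64-bit OS (WoW64 / ia32 compat)


def make_pe_stub(machine, plus=False):
    """Constructed sample: just enough PE header for profile(); no sections, not loadable."""
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x0002)
    return hdr + struct.pack("<H", 0x20B if plus else 0x10B)             # optional header Magic


def make_elf_stub(machine, bits=64):
    """Constructed sample: the first 0x14 bytes of a little-endian ELF header."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\0" * 8
    return ident + struct.pack("<HH", 2, machine)                         # e_type=ET_EXEC, e_machine


if __name__ == "__main__":
    for blob in (make_pe_stub(0x014C), make_pe_stub(0xAA64, plus=True),
                 make_elf_stub(62), b"#!/bin/sh\necho hi\n"):
        p = profile(blob)
        print(p, "runs on Windows x64:", can_run(p, "Windows", "x64"))
```

Run `profile(open(path, "rb").read())` on a real sample before opening a debugger: the result tells you whether x86/x64 tooling applies at all, or whether you are looking at bytecode or a script that needs a different toolchain.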
18. Types of Windows Executable - Language
Native executables
Machine code generated from compilation, directly executed by
the processor
Languages
C/C++
Delphi
VB Native
Go
Tools used
IDA, OllyDbg, Ghidra
Interpreter based executables
Intermediate code or bytecode generated from compilation.
Bytecode executed by an interpreter
Languages
.NET
VB.NET
VB P-Code
Java
Tools used
A language-specific decompiler
For .NET: dnSpy
19. Types of Windows Executable - Module
EXE – runs independently
Debug using a user-mode debugger:
IDA, OllyDbg, x64dbg
DLL – library module
Debug using a user-mode debugger
OllyDbg has loaddll
SYS – kernel module
Use a kernel debugger: IDA Pro,
WinDbg
SCR – screensaver
OCX – ActiveX control
CPL – control panel extension
All of these are PE files; only the extension and the way Windows loads them differ
21. Challenges in RE
Diversity – already covered above
Encryption
Obfuscation
Anti-analysis techniques built into the malware