Index
Title Page
Copyright and Credits
Mastering Reverse Engineering
Packt Upsell
Why subscribe?
Packt.com
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Preparing to Reverse
Reverse engineering
Technical requirements
Reverse engineering as a process
Seeking approval
Static analysis
Dynamic analysis
Low-level analysis
Reporting
Tools
Binary analysis tools
Disassemblers
Debuggers
Monitoring tools
Decompilers
Malware handling
Basic analysis lab setup
Our setup
Samples
Summary
Identification and Extraction of Hidden Components
Technical requirements
The operating system environment
The filesystem
Memory
The registry system
Typical malware behavior
Persistence
Run keys
Load and Run values
Startup values
The Image File Execution Options key
Malware delivery
Email
Instant messenger
The computer network
Media storage
Exploits and compromised websites
Software piracy
Malware file properties
Payload – the evil within
Tools
Autoruns
The Process explorer
Summary
Further reading
The Low-Level Language
Technical requirements
Binary numbers
Bases
Converting between bases
Binary arithmetic
Signed numbers
x86
Registers
Memory addressing
Endianness
Basic instructions
Opcode bytes
Copying data
MOV and LEA
Arithmetic operations
Addition and subtraction
Increment and decrement instructions
Multiplication and division instructions
Other signed operations
Bitwise algebra
Control flow
Stack manipulation
Tools – builder and debugger
Popular assemblers
MASM
NASM
FASM
x86 Debuggers
WinDbg
Ollydebug
x64dbg
Hello World
Installation of FASM
It works!
Dealing with common errors when building
Dissecting the program
After Hello
Calling APIs
Common Windows API libraries
Short list of common API functions
Debugging
Summary
Further reading
Static and Dynamic Reversing
Assessment and static analysis
Static analysis
File types and header analysis
Extracting useful information from file
PEid and TrID
python-magic
file
MASTIFF
Other information
PE executables
Deadlisting
IDA (Interactive Disassembler)
Decompilers
ILSpy – C# Decompiler
Dynamic analysis
Memory regions and the mapping of a process
Process and thread monitoring
Network traffic
Monitoring system changes
Post-execution differences
Debugging
Try it yourself
Summary
References
Tools of the Trade
Analysis environments
Virtual machines
Windows
Linux
Information gathering tools
File type information
Hash identifying
Strings
Monitoring tools
Default command-line tools
Disassemblers
Debuggers
Decompilers
Network tools
Editing tools
Attack tools
Automation tools
Software forensic tools
Automated dynamic analysis
Online service sites
Summary
RE in Linux Platforms
Setup
Linux executable – hello world
dlroW olleH
What have we gathered so far?
Dynamic analysis
Going further with debugging
A better debugger
Setup
Hello World in Radare2
What is the password?
Network traffic analysis
Summary
Further reading
RE for Windows Platforms
Technical requirements
Hello World
Learning about the APIs
Keylogger
regenum
processlist
Encrypting and decrypting a file
The server
What is the password?
Static analysis
A quick run
Deadlisting
Dynamic analysis with debugging
Decompilers
Summary
Further reading
Sandboxing - Virtualization as a Component for RE
Emulation
Emulation of Windows and Linux under an x86 host
Emulators
Analysis in unfamiliar environments
Linux ARM guest in QEMU
MBR debugging with Bochs
Summary
Further Reading
Binary Obfuscation Techniques
Data assembly on the stack
Code assembly
Encrypted data identification
Loop codes
Simple arithmetic
Simple XOR decryption
Assembly of data in other memory regions
Decrypting with x86dbg
Other obfuscation techniques
Control flow flattening obfuscation
Garbage code insertion
Code obfuscation with a metamorphic engine
Dynamic library loading
Use of PEB information
Summary
Packing and Encryption
A quick review on how native executables are loaded by the OS
Packers, crypters, obfuscators, protectors and SFX
Packers or compressors
Crypters
Obfuscators
Protectors
SFX Self-extracting archives
Unpacking
The UPX tool
Debugging through the packer
Dumping processes from memory
Memory dumping with VirtualBox
Extracting the process to a file using Volatility
How about an executable in its unpacked state?
Other file-types
Summary
Anti-analysis Tricks
Anti-debugging tricks
IsDebuggerPresent
Debug flags in the PEB
Debugger information from NtQueryInformationProcess
Timing tricks
Passing code execution via SEH
Causing exceptions
A typical SEH setup
Anti-VM tricks
VM running process names
Existence of VM files and directories
Default MAC address
Registry entries made by VMs
VM devices
CPUID results
Anti-emulation tricks
Anti-dumping tricks
Summary
Practical Reverse Engineering of a Windows Executable
Things to prepare
Initial static analysis
Initial file information
Deadlisting
Debugging
The unknown image
Analysis summary
Summary
Further Reading
Reversing Various File Types
Analysis of HTML scripts
MS Office macro analysis
PDF file analysis
SWF file analysis
SWFTools
FLASM
Flare
XXXSWF
JPEXS SWF decompiler
Summary
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think