Reverse Engineering Crash Course
Filip Kafka ESET
Do you want to start with reverse engineering or malware analysis, and learn it from the ground up? Do you want to know how to examine closed source software to find bugs, or maybe even exploit it? Or do you just want to understand the low-level concepts, and dig deeper to learn how your source code is translated into the binary and then executed by the processor? Then this course is for you.
This course will start by a quick introduction to the assembly language from its basics. You will understand the low-level concepts and levels of abstraction in the computer and then move onto the reverse engineering on x86_32 architecture. You will see how the binary is compiled from the source code, and what is hidden inside. You will use your newly-gained skills to start reverse engineering real-world malware samples.
The training will cover the malware basics and frequently used malicious techniques, and will teach you how to use tools to analyze them. As a bonus, a gentle introduction to exploits and shellcode will be provided.
During the course, we will first grasp the assembly language, and then quickly move into reverse engineering fundamentals. We will work with practical hands-on labs and examples of real-world malware samples.
While the explanation of assembly and reverse engineering will be platform independent, the malicious samples we will examine will be specific to the Windows platform, on which we will work during the labs.
- Introduction to assembler, basic syntax, registers, variables, constants, arithmetic and logical instructions, conditions, loops, subroutines, stack, privileges levels, C-constructs in assembly language.
- Writing a small program in assembly.
- Introduction to reverse engineering; levels of abstraction; disassembly (IDA) and debugging (IDA debugger and OllyDbg).
- Memory management (segmentation, paging, real and virtual addresses).
- Windows internals:
- Process and thread, PE file format; alignments in PE file and in memory; libraries; linking and loading.
- Registry, security (security descriptors, tokens, integrity levels).
- Win API functions and system calls from RE view.
- Basic malicious techniques – persistence, process injection and function hooking, file stealing, techniques used by common malware types (downloaders, droppers, keyloggers, backdoors).
- Other useful RE tools – CFF explorer, PEview, SysInternals, IDA python and plugins, Resource Hacker, PEiD, Fakenet, Wireshark, FAR manager and more.
- Obfuscation – anti-debug, anti-disassembly and anti-vm techniques and how to beat them manually, using tools and with scripting.
- Exploiting bugs (basics): memory corruption, logical bugs; creating and analyzing shellcode.
Who Should Take This Course
The training is suitable for anyone working in computer security field who has has little to no prior experience in assembly language, reverse engineering, malware analysis and exploitation. Targeted audience includes future malware analysts, malware researchers, system administrators, security officers, penetration testers, incident responders, software developers and anyone who wants to learn more about computer security or about computers in-depth.
Students should have a knowledge of basic programming concepts, and should be familiar with at least one of the following programing languages: C, C++, Python, Pascal or assembly.
Hardware & Software Requirement
Computer with virtual machine (for example VMWare or VirtualBox is suitable). The virtual machine must have: installed Windows OS 7 or higher with administrator privileges, at least 20 GB free space and 2 GB RAM. IDA Pro licensed is recommended, but IDA Freeware will be enough for the purposes of this training.
Filip Kafka Malware Researcher, ESET
Filip Kafka is a malware researcher at ESET's Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. He is a regular speaker at security conferences including the Virus Bulletin conference, the AVAR conference, Caro Workshop and NorthSec conference. He has also been speaking at various events aimed at raising awareness about malware and computer security, presented for local universities. His teaching experience includes running reverse engineering and malware research workshops in London, Brno or Bratislava, and regularly lecturing a reverse engineering course at the Slovak University of Technology and the Comenius University.