More Related Content
What's hot
What's hot (20)
Similar to Reverse engineering & immunity debugger
Similar to Reverse engineering & immunity debugger (20)
Recently uploaded
Recently uploaded (20)
Reverse engineering & immunity debugger
- 1. Reverse Engineering & Immunity Debugger Mahakant Sharma M.Tech First year 2nd Sem RSU2008018/20031100821012
- 2. AGENDA Reverse Engineering & Immunity Debugger • What is a Reverse Engineering • Anatomy of a Windows PE C program • X86 Assembly Language • Typical Attack Flow • Reverse Engineering (RE) Tools & Immunity Debugger 20XX 2
- 3. What is Reverse Engineering??? Presentation title 20XX 3
- 4. INTRODUCTION Reverse Engineering & Immunity Debugger Reversing Engineering is the process of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information 20XX 4
- 5. What does it mean to be a reverse engineer Reverse Engineering & Immunity Debugger •Take things apart to figure out how it works •Love puzzle solving •Develop experiments and tools •Think outside the box •Constantly learn new things •Determine what are the goals •Get to just what you need, or •Know enough to recreate it •Use reconnaissance and triage skills to determine a target starting point •Work step by step to get to your goals •Record your findings through the analysis 20XX 5
- 6. Flow for Malware Analysis Reverse Engineering & Immunity Debugger • Setup a baseline analysis environment • Triage to determine a starting point •Static Analysis - Get a sense of where everything is before debugging •Dynamic Analysis - Determine behaviours that can't be understood by static analysis •Manual Debugging - Stepping through the program to navigate to your goals 20XX 6
- 7. Anatomy of Windows PE C Program Typical windows programs are in the Portable Executable (PE) Format. It's portable because it contains information, resources, and references to dynamic-linked libraries (DLL) that allows windows to load and execute the machine code. Presentation title 20XX 7
- 8. Flow Chart of PE C Program Reverse Engineering & Immunity Debugger 20XX 8
- 9. Flow Chart of PE C Program Reverse Engineering & Immunity Debugger 20XX 9 User-mode vs. Kernel Mode •In user-mode, an application starts a user-mode process which comes with its own private virtual address space and handle table •In kernel mode, applications share virtual address space. This diagram shows the relationship of application components for user-mode and kernel-mode
- 10. PE Header Reverse Engineering & Immunity Debugger 20XX 10 • The PE header provides information to operating system on how to map the file into memory. The executable code has designated regions that require a different memory protection (RWX) • Read • Write • Execute
- 11. Memory Layout Reverse Engineering & Immunity Debugger 20XX 11 •Stack - region of memory is added or removed using "last-in-first-out" (LIFO) procedure •Heap - region for dynamic memory allocation •Program Image - The PE executable code placed into memory •DLLs - Loaded DLL images that are referenced by the PE •TEB - Thread Environment Block stores information about the current running thread(s) •PEB - Process Environment Block stores information about loaded modules and processes.
- 12. Flow Chart of PE C Program Reverse Engineering & Immunity Debugger 20XX 12 The Stack •Data is either pushed onto or popped off of the stack data structure •EBP - Base Pointer is the register that used to store the references in the stack frame
- 13. X86 Assembly Language Reverse Engineering & Immunity Debugger 20XX 13
- 14. X86 Assembly Language Reverse Engineering & Immunity Debugger The C programming is a high level language interpreted by the compiler that converts code into machine instructions called assembly language. By using a disassembler tool we can get the assembly language of a compiled C program. The Intel 8086 and 8088 were the first CPUs to have an instruction set that is now commonly referred to as x86. Intel Architecture 32-bit (IA-32) sometimes also called i386 is the 32-bit version of the x86 instruction set architecture. The x86 architecture is little-endian, meaning that multi-byte values are written least significant byte first. 20XX 14
- 15. OpCodes & Instructions Reverse Engineering & Immunity Debugger Each Instruction represents opcodes (hex code) that tell the machine what to do next. Three categories of instructions: •Data Movement/Access •Arithmetic / Logic •Control-Flow Common Instructions •mov, lea (data movement, data access) •add, sub (arithmetic) •or, and, xor (Logic) •shr, shl (Logic) •ror, rol (Logic) •jmp, jne, jnz, jnb (Control Flow) •push, pop, call, leave, enter, ret (Control Flow) 20XX 15
- 16. Registers Reverse Engineering & Immunity Debugger General-Purpose Registers: Register EAX EBX ECX EDX ESI EDI Description Accumulator Register Base Register Counter Register Data Register Source Index Destination Index 20XX 16
- 17. Registers Reverse Engineering & Immunity Debugger Segment Registers: Register SS CS DS ES FS GS Description Stack Segment, Pointer to the stack Code Segment, Pointer to the code Data Segment, Pointer to the data Extra Segment, Pointer to extra data F Segment, Pointer to more extra data G Segment, Pointer to still more extra data 20XX 17
- 18. Typical Attack Flow Reverse Engineering & Immunity Debugger • What is a Reverse Engineering • Anatomy of a Windows PE C program • X86 Assembly Language • Typical Attack Flow • Reverse Engineering (RE) Tools & Immunity 20XX 18
- 19. Malware Classes Reverse Engineering & Immunity Debugger Class Description Virus Code that propagates (replicates) across systems with user intervention Worm Code that self- propagates/replicates across systems without requiring user intervention Bot Automated process that interacts with other network services Trojan Malware that is often disguised as legitimate software Ransomware Malware that holds the victim's data hostage by cryptography or other means 20XX 19
- 20. Malware Techniques Reverse Engineering & Immunity Debugger • Compression • Obfuscation • Persistence 20XX 20
- 21. Malware Techniques Presentation title Compression Combining the compressed data with decompression code into a single executable •Runtime packers •Self extractive archives 20XX 21
- 22. Malware Techniques Presentation title Obfuscation: •Deliberate act of creating obfuscated code that is difficult for humans to understand •Plain text strings will appear as base64 or Xor •Malicious behavior will include junk functions or routines that do nothing to throw off the reverser. •Control-Flow Flattening 20XX 22
- 23. Malware Techniques Presentation title Persistence: •Once malware gains access to a system, it often looks to be there for a long time. •If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware. 20XX 23
- 24. Reverse Engineering tools and Immunity DBg. Presentation title 20XX 24
- 25. What is Immunity Presentation title Immunity Debugger is a powerful new way to write exploits, analyse malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. 20XX 25
- 26. Immunity Overview Presentation title •A debugger with functionality designed specifically for the security industry •Cuts exploit development time by 50% •Simple, understandable interfaces •Robust and powerful scripting language for automating intelligent debugging •Lightweight and fast debugging to prevent corruption during complex analysis •Connectivity to fuzzers and exploit development tools 20XX 26
- 27. The way to get started is to quit talking and begin doing. Walt Disney Presentation title 20XX 27
- 28. Thank you Mahakant Sharma MTech 1st year 2nd Sem RSU2008018/ 20031100821 012 Presentation title 20XX 28
- 29. Team Mahakant Sharma Presentation title 20XX 29