Reverse Engineering and Malware Analysis
Reverse Engineering and Malware Analysis I (REMA) is a hands-on training course through which the student develops the competences required to identify and analyse malware in order to respond to security incidents and perform in-depth computer forensics investigations. REMA I provides the student with a hands-on environment in which to use disassemblers and debuggers and to learn the different techniques used to reverse engineer software and perform malware analysis. The course takes the student through the analysis of different operating system structures and complete source code reconstruction methodologies, teaching how to modify low-level software to patch vulnerabilities in legacy systems and how to identify malicious behaviour.
“This is the reverse engineering course for those who want to learn by doing”
Who Should Attend
This course is ideally suited for:
- Incident handlers
- Penetration testers
- Computer forensics analysts
- Security professionals wanting to gain practical knowledge and competences in the domain of reverse engineering and malware analysis as well as the use of tools and techniques
“The class will benefit anyone who wants to gain practical knowledge in the domain of reverse engineering and malware analysis”
Prerequisites
The course is “hands-on”, technically focused and aimed at individuals who have a good understanding of the Windows and Linux operating systems. Prior high-level programming experience is not required, but it will be beneficial.
“This course will benefit anyone who wants to learn how software works behind the fancy user interfaces”
Duration: 5 days
About the course
REMA I is a fully hands-on course developed around a set of real-life incident handling and malware analysis scenarios. Specifically, the course will address the following scenarios:
- The Reverse Engineering approach to Software Engineering
- Patching vulnerable legacy applications
- Inspection of software applications to assess whether they are malicious or benign
- Analysis of malicious software and understanding its behaviour
Laptop Requirements
A laptop is required to work through all the practical hands-on workshops. Failure to meet the requirements below may result in the delegate not being able to carry out one or more of the practical workshops and thus not taking full benefit from the course. The minimum laptop requirements are:
- x86-compatible 1.5 GHz CPU or faster
- DVD drive
- 1 GB RAM or more
- 10 GB of available hard drive space
- The system must be capable of booting from a CD
- VMware Player or VMware Workstation
REMA I Toolkit
The content of the REMA I Toolkit is:
- CD-ROM with all the required hacking tools
Course Outline
| Day | Details |
| --- | --- |
| 1 | The course begins by understanding how processors work: their internal control registers and general registers, how memory is organised by operating systems, how the stack and procedural linking information are used, and how data and variables are represented and referenced in memory. We cover the methodologies used by debuggers, the structure of executable files, and anti-reverse-engineering techniques. |
| 2 | We proceed by working on a hands-on reverse engineering scenario: backwards tracing and identifying functions, altering low-level code to maintain legacy software, and addressing and bypassing the constraints that come up in real-life scenarios. |
| 3 | Using the backwards tracing methods and low-level code alterations, we introduce the student to the reverse-engineering-driven vulnerability discovery methodology and the techniques used to repair vulnerable software. Additionally, we identify the key issues and techniques used in source code reconstruction with a variety of hands-on examples. |
| 4 | We continue with the methodologies used to recover the network and file system protocols that applications use when communicating over the network or storing information on the hard drive. Additionally, we identify the constraints imposed by encryption algorithms and the techniques that can be used to bypass them. |
| 5 | Using the knowledge acquired up to this point, students engage in malware forensics and analysis to identify and profile malicious software. |
Course Breakdown
Day 1
Module 1: CPU Architectures, Memory Models and Low Level Code
1.1: Preface to Reverse Engineering
1.2: Arithmetic Representations
1.3: CPU Architectures
1.4: Memory Models
1.5: Stack and Procedural Linking Information
1.6: Data Representations
Module 2: Working With Debuggers and Decompilers
2.1: Debuggers and Decompilers
2.2: Analysis Types
2.3: Breakpoints
Module 3: Executable File Formats
3.1: Portable Executable Formats (PE)
3.2: Executable and Linking Format (ELF)
3.3: How Operating Systems Load Executables into Memory
Module 4: Understanding the Compilation Process
4.1: Compiler Front End
4.2: Compiler Back End
4.3: Detecting Compilers
Module 5: Anti-Reverse Engineering Techniques
5.1: Detecting Debuggers
5.2: Eliminating Symbolic Information
5.3: Binary Code Obfuscation
Day 2
Module 6: Maintaining Black Box Software
6.1: Locating Points of Interest in Low Level Code
6.2: Patching or Altering Low Level Code
6.3: Creating Space for your Code
Day 3
Module 7: Black Box Software Testing and Evaluation
7.1: Detecting Programming Vulnerabilities
7.2: Hardening Applications
7.3: Repairing Software Vulnerabilities
Module 8: Black Box Source Code Recovery
8.1: Conventional Tools for Fast Recovery
8.2: Low Level Analysis
Day 4
Module 9: Recovering Protocol and Design Specifications
9.1: Conventional Tools for Fast Recovery
9.2: Low Level Analysis
9.3: Bypassing Encryption Mechanisms
Day 5
Module 10: Malware Reverse Engineering
10.1: The Lifecycle of Malware
10.2: Windows Malware Detection
10.3: Linux Malware Detection
10.4: Malware Profiling
10.5: Conventional Tools
10.6: Malware Binary Analysis
10.7: Reporting Malware Analysis Findings
Why us?
"Our trainers are security consultants with many years of experience, highly dedicated to teach and share their knowledge."
"REMA is about acquiring practical skills and competence - not just theory."
"We focus on competence and low level understanding through hands-on exercises and real life scenarios"
Dr. Almerindo Graziano
CEO
Silensec

