Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
What You Will Learn
This course was designed for students who have an introductory or basic understanding of x86 assembly and reverse engineering, as well as more advanced students wishing to refresh their skills and learn new approaches to familiar problems. The course will cover the basics of x86 assembly and pattern recognition, Windows process memory layout, tools of the trade (such as IDA Pro and OllyDbg), the PE file format, and the basic exploitation methodologies abused by worms to penetrate a target system (stack/heap overflows). As this course is focused on malicious code analysis, students will be given real-world virus samples to reverse engineer. The details of executable packing, obfuscation methods, anti-debugging and anti-disassembling will be revealed and reinforced with hands-on exercises.
Toward the end of the course, more advanced reverse engineering techniques with applications to malicious code analysis will be taught, including:
Various approaches to automation
Applications of binary matching/diffing