Reversing malware analysis training part5 reverse engineering tools basics

download Reversing malware analysis training part5 reverse engineering tools basics

of 18

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Reversing malware analysis training part5 reverse engineering tools basics

Application Virtualization

Part 5 Reverse Engineering Tools BasicsSwapnil PathakReverse Engineering & Malware Analysis Training



The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainers only and nothing to do with the company or the organization in which the trainer is currently working.

However in no circumstances neither the trainer nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.



Special thanks to null & Garage4Hackers community for their extended support and cooperation.

Thanks to all the Trainers who have devoted their precious time and countless hours to make it happen.


Reversing & Malware Analysis Training

This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet for FREE of cost.


Who am I Swapnil PathakMember SecurityXplodedSecurity ResearcherRE, Malware Analysis, Network SecurityEmail:


PE ToolsPE EditorDisassemblersIDA ProDebuggersOllyDbgOther Useful Tools

Presentation Outline

Portable Executable EditorAllow user to view, edit data structures present in PE file formatSome Common Use Cases:Change entry point of the executableView Import/Export/Sections within EXEChange characteristics of a file i.e. Dll to ExeFix anomalies of PE filesPE editorsHiew, PE Editor, CFF Explorer, StudPE, LordPE etcPE Tools

PE Editor

Popular commercial software used for Reverse Engineering.Disassembler and Debugger in one toolSupports variety of executable formats for different processors and OSProvides both Text & Graphical view of the code flow.View strings, Imports, Exports referenced in the executableSupport PluginsSome of the useful pluginsX86 emulatorIDAPythonIDARubIDA ScriptsWindbgIDA Pro

IDA Windows & purpose IDA View, Hex View, Imports, Strings, Functions windows etc.Graphs & Text view (use space to switch between views)Xref To & Xref From powerful featureJump & Search Edit function names (N), Add comments (;)IDA Pro Functions

IDA Pro in Action

Most Popular Ring 3 Debugger used in ReversingProvides the below mentioned functionalitiesDebugging program step by step (Single Stepping)Software, Hardware and Memory based BreakpointsExamine the current state of the program wrt variables, memory etc.Change the flow or state of Program by directly editing Instructions, Registers or Memory.Support Plugins, Here are popular ones,OllyDumpOllyAdvancedOllyScriptOllydbg

Different Windows CPU, Registers, Dump, Stack screensTrace Into, Trace Over, ExceptionsIntegrate windows API help file in ollydbgShortcuts (imp. Only)F7 Step into [call]F8 Single step [execute call]F9 RunF2 Breakpoint

Ollydbg Cont.

Ollydbg in Action

var hwdBP // Local variable to store hardware breakpointvar softBP // Local variable to strore software breakpointsti // Step into F7 commandfindop eip, #61# // find next POPADmov hwdBP, $RESULT // Store $RESULT to hardware breakpoint local variablebphws hwdBP, "x // Set hardware breakpoint (execute) on the next POPADrun // Run F9 commandfindop eip, #E9????????# // Find the next JMPmov softBP, $RESULT // Store $RESULT to software breakpoint local variablebp softBPrun // Run to JMP instructionsti // Step into the OEPcmt eip, ""msg "OEP found, you can dump the file starting from this address"ret

Source :

UPX Unpacking OllyscriptHere is example for Unpacking UPX based Malwares using OllyScript in OllyDbg

Packer Identifier ToolsRDG packer detectorPEIDExeScanUseful Tools

PEiD PE Packer Identifier Tool

Thank You !