COURSE OUTLINE

Session 1

Introduction to the main reverse engineering concepts and terms

Setting up the needed software and a safe analysis environment. Processor architectures, CISC vs RISC, data types, endianness, general-purpose hardware registers, virtual memory and memory addressing, the stack and stack frames.

Session 2

Introduction to x86 and x64 Architecture and Assembly

Function prologue and epilogue. Calling conventions. Register set and instruction set. Recognizing C code constructs in assembly. Practice: Assembly hands-on and exercises.

Session 3

Windows OS Architecture and Static Analysis

Windows architecture overview. Kernel mode vs user mode. Portable Executable (PE) file format. Compiler, assembler and linker. Practice: Working with PE files, determining the compiler, quick static malware analysis. Reverse engineering C and C++ code using HIEW and IDA Pro.

Session 4

Dynamic Analysis and Debugging

Monitoring Windows APIs. Using system monitoring utilities to capture file system, registry and network activity. Debugging Windows applications using x64dbg and WinDbg. Practice: Dynamic malware analysis and debugging exercises. Determining sample functionality.

Session 5

Malware Behaviour

Advanced dynamic analysis. Windows malware techniques. Anti-analysis: obfuscation, anti-debugging, anti-emulation. Packers, crypters and protectors. Practice: Bypassing malware anti-analysis techniques. Static and dynamic unpacking.

Session 6

Non-Windows Malware

Overview session on mobile, Unix and Mac OS malware: statistics, risks, attack vectors, high-profile cases (banking malware, ransomware, IoT attacks).

Session 7

Non-Windows Malware - Linux

Linux architecture overview, SELinux, executable object types: scripts, binary file types. Static analysis: ELF file format, reversing files with HIEW and IDA. Dynamic analysis: strace, GDB, remote debugging. Setting up the analysis environment.

Practice: Determine file functionality.

Session 8

Non-Windows Malware - Mac OS

Mac OS architecture overview, microkernel, auto start, KEXT modules. Static file analysis: installation package types, package contents, unpacking, Mach-O file format, reversing files with otool, HIEW and IDA. Dynamic file analysis: ptrace, remote debugging with GDB and IDA. Setting up the analysis environment.

Practice: Determine file functionality.

Session 9

Non-Windows Malware - Android

Android architecture overview, permissions, Activities and Receivers, the operating system sandbox, APK file format and contents, DEX file reversing techniques, introducing JEB, setting up the environment, Android emulator vs physical phone.

Practice: Determine file functionality.

Session 10

Non-Windows Malware - Advanced Topics

Android: building your own Android, patching sources. Dumping encrypted DEX files.
Linux: unpacking some widespread packers, building your own honeypot.
Mac OS: determining file behavior using DTrace, writing DTrace scripts.
Practice: Dump a DEX file using your own sandbox, build your own honeypot and collect files, trace a simple application using DTrace.

Session 11

Byte-code Based and Scripting Programming Languages

Native code vs byte-code. Virtual machines, binary translation, code emulation, JIT. Main analysis techniques and tools. Practice: Reverse engineering and deobfuscation of C#.

Session 12

Software Vulnerabilities and Exploits

Classification. Types and causes of binary vulnerabilities. Common exploitation techniques. Modern operating system security features. Bypassing OS exploit preventions and mitigations. Practice: Shellcode analysis.

Session 13

Exploit Analysis

MS Office exploits. Local privilege escalation exploits. Browser exploits. Java and Flash exploit analysis. Linux kernel exploit analysis. Practice: Hands-on exploit analysis.

Session 14

Advanced Reverse Engineering

Writing IDA Pro and WinDbg scripts and plugins. Automating reverse engineering tasks with Python. SAT/SMT solvers. Dynamic binary instrumentation.

Session 15

Final Exam