Reverse Engineering

Learning Resources

Learn more by checking out these great sites.

Assembly for Reverse Engineering (RE)

This module is part of the CLARK Undergraduate Reverse Engineering course. Before you can begin analyzing native code, you need to be familiar with assembly. Assembly is a human-readable representation of machine code; it lets you make sense of all of those 1s and 0s. In this module you will learn the basics of assembly syntax and the core components of CPU architecture, and begin tracing program functionality. Learning outcomes: use assembly knowledge to analyze a program in IDA Pro, interpret stack usage to determine a function's purpose, describe the use of the stack during function execution, define the structure of the 32-bit registers in modern CPU architecture, and identify conditional statements, loops and arrays. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

File Formats

This module is part of the CLARK Undergraduate Reverse Engineering course. File formats define how binary content is organized. In the case of Windows executables (EXE) and shared libraries (DLL), the format allows the operating system to parse the binary content and load it into memory for execution. In this module you will learn the basics of the PE file format, what information can be gleaned from analyzing it, and how a disassembly tool such as IDA Pro finds executable code to disassemble. Learning outcomes: differentiate between PE parsing utilities to select the correct one for the desired analysis objective, interpret output from PE parsing utilities to understand program behavior, and demonstrate working knowledge of the PE file format. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.
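The last point of that description, how a disassembler gets from the first byte of a file to the code it should start disassembling, is the part worth seeing in code. The parser below is an added example written for this page; it is not code from the CLARK module, and the image it parses is constructed inline (a hand-packed PE32 with a .text and a .data section, not a real program). It walks the DOS header to e_lfanew, checks the PE signature, reads the file header and optional header, then maps AddressOfEntryPoint, which is an RVA, through the section table to a file offset. Field offsets follow the Microsoft PE/COFF specification.

```python
"""Walk a PE32 image's headers to the entry point, the way a disassembler does.

Added example for this page; it is not code from the CLARK module. The
image built by build_sample_pe() is constructed here for illustration and
is not a real executable.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Return machine, image base, section table and where the entry point lives."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")

    # IMAGE_FILE_HEADER: 20 bytes directly after the 4-byte signature
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)

    # IMAGE_OPTIONAL_HEADER: AddressOfEntryPoint is at +16 for both PE32 and PE32+;
    # ImageBase is at +28 (4 bytes) for PE32 and at +24 (8 bytes) for PE32+
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]

    # Section table: 40-byte IMAGE_SECTION_HEADER entries right after the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "flags": flags})

    # An RVA maps to a file offset through the section that contains it.
    # An entry point outside every section (seen in packed samples) maps to None.
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    entry_off = entry_sec["raw_ptr"] + (entry_rva - entry_sec["va"]) if entry_sec else None
    return {
        "machine": machine, "magic": magic, "image_base": image_base,
        "sections": sections, "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
        "entry_section": entry_sec["name"] if entry_sec else None,
        "entry_offset": entry_off,
        "entry_executable": bool(entry_sec and entry_sec["flags"] & IMAGE_SCN_MEM_EXECUTE),
    }


def build_sample_pe() -> bytes:
    """Constructed 32-bit image: .text and .data, entry at RVA 0x1010 (not a real program)."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = 0x58
    struct.pack_into("<HBBIIIIIII", img, opt, PE32_MAGIC, 14, 0,
                     0x200, 0x200, 0, 0x1010, 0x1000, 0x2000, 0x400000)   # ... entry, ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)                 # section/file alignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x400)                 # SizeOfImage, SizeOfHeaders
    sec = opt + 0xE0
    for i, (name, va, raw_ptr, flags) in enumerate([
            (b".text", 0x1000, 0x400, 0x60000020),    # CODE | EXECUTE | READ
            (b".data", 0x2000, 0x600, 0xC0000040)]):  # INITIALIZED_DATA | READ | WRITE
        struct.pack_into("<8sIIIIIIHHI", img, sec + 40 * i,
                         name, 0x40, va, 0x200, raw_ptr, 0, 0, 0, 0, flags)
    img[0x410:0x413] = b"\x55\x8b\xec"      # push ebp; mov ebp, esp at the entry point
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"entry RVA {info['entry_rva']:#x} -> VA {info['entry_va']:#x} in "
          f"{info['entry_section']} at file offset {info['entry_offset']:#x}")
```

Two checks a practitioner adds on top of this: whether the entry point's section is actually marked executable (a non-executable or oddly named entry section is a quick packer tell), and whether the RVA falls inside any section at all, which the parser reports as an entry offset of None rather than guessing.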

Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration

Building upon the Introductory Intel x86 class, this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work. Example applications include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.

Introduction To Reverse Engineering Software

Throughout the history of invention, curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch or improving an engine, these people have broken their goods down into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day, whether to recreate outdated and incompatible software, understand malicious code, or exploit weaknesses in software. In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.

Introduction to ARM

ARM processors are becoming ubiquitous in mobile devices today with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor.

Introduction to IDA Pro

This module is part of the CLARK Undergraduate Reverse Engineering course. The ability to reverse engineer native code is a key skill for any malware analyst, reverse engineer or computer scientist. In this module, you will learn the basics of the disassembly process and gain familiarity with IDA Pro, a leading disassembler. Learning outcomes: use effective techniques for performing static analysis with IDA Pro, discuss the process IDA Pro uses to load and analyze a binary file, demonstrate the ability to load a binary file in IDA Pro, and demonstrate effective use of the IDA Pro interface. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration

Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis.

Network Protocols for Reverse Engineers

This module is part of the CLARK Undergraduate Reverse Engineering course. When performing reverse engineering activities, it is often necessary to view network communication to gain a better understanding of your target software. This module focuses on analyzing application-layer protocols from PCAP files. Learning outcomes: interpret the results of network traffic analysis to support your analysis of the target, and demonstrate the use of Wireshark to analyze common application protocols. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

Number Systems

This module is part of the CLARK Undergraduate Reverse Engineering course. The ability to efficiently convert between the base 10, base 2 and base 16 number systems is important for any reverse engineer, cyber security analyst or computer scientist. In this course, students will learn the base 10, base 16 and base 2 number systems and how to convert numeric values between them. At the end of the course is a hands-on lab that allows students to apply what they have learned. Learning outcomes: examine how negative values are stored and interpreted in computing systems, and differentiate between the number systems used by computing systems. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.
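The two skills this module lists, converting between bases and reading negative values, come up together whenever a disassembler shows an operand such as 0FFFFFFF8h: the same 32-bit pattern is 4294967288 as an unsigned value and -8 as a two's-complement value, and only the operand width and the instruction decide which reading applies. The following is an added example written for this page, not code from the CLARK module; it implements base conversion by repeated division rather than calling Python's built-in formatting, so the algorithm the module teaches is visible, and it adds sign extension, which is what MOVSX does when a byte is widened to a dword.

```python
"""Base conversion and two's-complement interpretation of fixed-width values.

Added example for this page, not code from the CLARK module. A disassembler
prints immediates and displacements as unsigned hex; whether 0xFFFFFFF0 is
4294967280 or -16 depends on the operand width and on how the instruction
uses the value, which is what the functions below make explicit.
"""

DIGITS = "0123456789ABCDEF"


def to_base(n: int, base: int) -> str:
    """Non-negative integer to a digit string by repeated division (base 2..16)."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    if n < 0:
        raise ValueError("encode negative values with to_unsigned() first")
    if n == 0:
        return "0"
    digits = []
    while n:
        n, remainder = divmod(n, base)   # least significant digit comes out first
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))


def from_base(text: str, base: int) -> int:
    """Digit string to integer; rejects digits that are not valid in `base`."""
    value = 0
    for ch in text.upper():
        digit = DIGITS.index(ch)          # ValueError for characters that are not digits
        if digit >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        value = value * base + digit
    return value


def to_signed(value: int, bits: int) -> int:
    """Read a `bits`-wide two's-complement encoding as a signed integer."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def to_unsigned(value: int, bits: int) -> int:
    """Encode a signed integer in `bits` bits of two's complement (wraps, like the CPU)."""
    return value & ((1 << bits) - 1)


def sign_extend(value: int, from_bits: int, to_bits: int) -> int:
    """Widen an encoding while preserving its sign, as MOVSX does (MOVZX would zero-fill)."""
    return to_unsigned(to_signed(value, from_bits), to_bits)


def describe(value: int, bits: int) -> dict:
    """Every reading of one encoded value, as you would want it beside a disassembly line."""
    encoded = to_unsigned(value, bits)
    return {
        "hex": "0x" + to_base(encoded, 16).rjust(bits // 4, "0"),
        "binary": to_base(encoded, 2).rjust(bits, "0"),
        "unsigned": encoded,
        "signed": to_signed(encoded, bits),
    }


if __name__ == "__main__":
    # lea eax, [ebp+0FFFFFFF8h] is the same encoding as lea eax, [ebp-8]
    print(describe(0xFFFFFFF8, 32))
```

The width argument is the point to keep in mind: 0xFFFFFFF0 is -16 as a 32-bit operand but a large positive number as a 64-bit one, which is why a displacement that looks negative in a 32-bit listing may not be once the same constant is used in a 64-bit register.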

Processes and Virtual Memory

This module is part of the CLARK Undergraduate Reverse Engineering course. Processes form the core structure that contains executable code within an operating system. In this course, you will learn what a process is, what it is composed of, and the key elements needed to aid in reverse engineering activities. Learning outcomes: operate tools such as Process Hacker 2 to analyze a program's use of virtual memory, interpret program memory allocations to assess program functionality, and define the differences between a process and a program. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

Reverse Engineering 101

This workshop provides the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. You will be introduced to RE terms and processes, followed by creating a basic x86 assembly program and reviewing RE tools and malware techniques. The course concludes with participants performing hands-on malware analysis consisting of triage, static and dynamic analysis. Topics covered include: setting up a safe virtual malware analysis environment; operating system and assembly concepts; typical attack flows, malware classes and techniques; disassemblers, debuggers and information gathering.

Reverse Engineering 102

This workshop builds on the fundamentals from RE101 for reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. The purpose of this workshop is to get you familiar with anti-reverse-engineering, encryption, VM evasion and packing techniques. The course concludes with participants performing hands-on malware analysis consisting of triage, static and dynamic analysis. Topics covered include: understanding how Delphi application binaries are structured; evasion techniques (anti-RE, anti-automation, anti-VM); identifying encryption algorithms; the Unicorn Engine; identifying custom packing techniques; deeper analysis of the program to understand hidden functionality.

Reverse Engineering Malware

An email arrives in your inbox: "You have to check out this picture!" It came from your friend's address, which you know and trust. It beckons you to open it. Maybe you weren't fooled this time, but it's likely at least one of the 50 other recipients couldn't resist. As we store more of our confidential information on our computers, from bank account credentials to company secrets, the reward-to-risk ratio for attackers increases, as has the number of malware (malicious software) threats. While anti-virus and intrusion detection systems have improved over the years, nothing can substitute for a skilled malware analyst when a business needs to understand and mitigate a network intrusion. This class picks up where the Introduction to Reverse Engineering Software course left off, exploring how static reverse engineering techniques can be used to understand what a piece of malware does and how it can be removed.

Reversing C++

This module is part of the CLARK Undergraduate Reverse Engineering course. Reversing C++ poses unique challenges because of its use of objects, which are essentially an extension of C structures. In this module you will learn how to identify C++ objects while reversing, trace polymorphic behavior through virtual functions and virtual function tables, and identify member functions through the this pointer. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.
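Tracing polymorphic behavior, as that module describes it, is a two-pointer dereference: the first dword of the object is its vtable pointer, and a virtual call is mov eax, [ecx] followed by call [eax+N*4], with ecx holding this. The following is an added example written for this page, not code from the CLARK module; it models that dereference over a constructed 32-bit memory image (the addresses, vtables, class names and objects below are made up for the example and come from no real binary) so that the steps you perform by hand in IDA are explicit: identify the object's class from its vptr, resolve a virtual call to its target, walk a vtable, and read a member at an offset from this.

```python
"""Resolve C++ virtual calls from a memory image, the way you do it by hand in IDA.

Added example for this page, not code from the CLARK module. The 32-bit
memory layout, addresses and symbol names below are constructed for the
example; they do not come from any real binary.
"""
import struct

PTR = 4   # 32-bit process


class Memory:
    """A few (base_address, bytes) regions standing in for a process memory dump."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr: int, size: int) -> bytes:
        for base, blob in self.regions:
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        raise ValueError(f"unmapped address {addr:#010x}")

    def read_ptr(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, PTR))[0]


# Constructed layout: code in .text, vtables in .rdata, two objects on the heap.
TEXT_BASE, TEXT_END = 0x00401000, 0x00402000
SYMBOLS = {0x00401000: "Base::~Base", 0x00401020: "Base::speak",
           0x00401040: "Derived::~Derived", 0x00401060: "Derived::speak",
           0x00401080: "Derived::extra"}
VTABLES = {0x00402010: "Base", 0x00402020: "Derived"}   # vtable address -> class


def build_memory() -> Memory:
    rdata = bytearray(0x40)
    struct.pack_into("<II", rdata, 0x10, 0x00401000, 0x00401020)                # Base vtable
    struct.pack_into("<III", rdata, 0x20, 0x00401040, 0x00401060, 0x00401080)  # Derived vtable
    heap = bytearray(0x40)
    struct.pack_into("<Iii", heap, 0x00, 0x00402020, 42, -1)  # Derived object: vptr, two int members
    struct.pack_into("<Ii", heap, 0x20, 0x00402010, 7)        # Base object: vptr, one int member
    return Memory([(0x00402000, bytes(rdata)), (0x00530000, bytes(heap))])


def identify_object(mem: Memory, this: int) -> str:
    """Class of an object, from the vtable pointer stored in its first dword."""
    return VTABLES.get(mem.read_ptr(this), "<unknown vtable>")


def resolve_virtual_call(mem: Memory, this: int, slot: int) -> int:
    """Target of   mov eax, [ecx] ; call [eax+slot*4]   when ecx holds `this`."""
    vptr = mem.read_ptr(this)
    return mem.read_ptr(vptr + slot * PTR)


def dump_vtable(mem: Memory, vptr: int, max_slots: int = 64) -> list:
    """Read slots until an entry is not a code address (or the table runs off mapped memory)."""
    entries = []
    for slot in range(max_slots):
        try:
            target = mem.read_ptr(vptr + slot * PTR)
        except ValueError:
            break
        if not TEXT_BASE <= target < TEXT_END:
            break
        entries.append(SYMBOLS.get(target, f"sub_{target:X}"))
    return entries


def read_member(mem: Memory, this: int, offset: int) -> int:
    """Signed 32-bit field at this+offset, i.e. what   mov eax, [ecx+offset]   loads."""
    return struct.unpack("<i", mem.read(this + offset, 4))[0]


if __name__ == "__main__":
    mem = build_memory()
    obj = 0x00530000
    print(identify_object(mem, obj), SYMBOLS[resolve_virtual_call(mem, obj, 1)],
          read_member(mem, obj, 4))
```

Two caveats for real binaries: the dump_vtable stop rule (stop at the first non-code entry) is only a heuristic, since adjacent vtables in .rdata abut and a walk can run into the next class's table, so also stop at any address that another object's constructor references; and the same slot index gives different targets for Base and Derived objects, which is exactly why a call [eax+4] cannot be resolved without knowing which vtable ecx points at.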

Structures and Calling Conventions

This module is part of the CLARK Undergraduate Reverse Engineering course. When reverse engineering native code, the ability to properly identify calling conventions and structure usage greatly enhances your ability to determine program behavior. In this module, you will learn how to identify structure usage in IDA Pro and how to identify function calling conventions. Learning outcomes: use the structure features of IDA Pro to create a custom structure and apply it to an IDA database, recognize the use of a structure while performing program analysis in IDA Pro (or another disassembler), differentiate between calling conventions to correctly recognize function arguments, and interpret disassembly output to identify the calling conventions used by a program. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

The Life of Binaries

Topics include: Scanning and tokenizing source code; parsing a grammar; different targets for x86 assembly object files generation; linking object files together to create a well-formed binary; detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats; how an OS loads a binary into memory and links it on the fly before executing it.

The Windows API

This module is part of the CLARK Undergraduate Reverse Engineering course. The Windows API allows developers to create applications that run within the Windows operating system and take advantage of the features Windows has to offer. For the reverse engineer, analyzing Windows binaries (malicious or benign) begins with understanding how the Windows API is used and how program behavior can be inferred from the APIs a program calls. In this module, you will learn about the Windows API, how programs use it and where to find information about it. Learning outcomes: use Dependency Walker to identify the imports and Windows API usage of a sample program, identify commonly used libraries and APIs, and demonstrate the ability to evaluate the use of the Windows API to assess potential program functionality. This module by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

Undergraduate Reverse Engineering Course

"UG: Reverse Engineering" by Josh Stroschein of Dakota State University includes the following modules:

Number Systems
Introduction to IDA Pro
Assembly for Reverse Engineering (RE)
File Formats
Structures and Calling Conventions
Reversing C++
The Windows API
Processes and Virtual Memory
Network Protocols for Reverse Engineers

"UG: Reverse Engineering" by Josh Stroschein, NSA Funded Curriculum, is licensed under CC BY-NC-SA 4.0.

Video Playlist: Intermediate Intel x86

A YouTube playlist of the OpenSecurityTraining.info 'Intermediate Intel x86' course being delivered. Building upon the Introductory Intel x86 class, this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work. Example applications include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.

Video Playlist: Introduction To Reverse Engineering Software

A YouTube playlist of the OpenSecurityTraining.info 'Introduction To Reverse Engineering Software' course being delivered. Throughout the history of invention, curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch or improving an engine, these people have broken their goods down into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day, whether to recreate outdated and incompatible software, understand malicious code, or exploit weaknesses in software. In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.

Video Playlist: Introduction to ARM

A YouTube playlist of the OpenSecurityTraining.info 'Introduction to ARM' course being delivered. ARM processors are becoming ubiquitous in mobile devices today with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor.

Video Playlist: Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration

A YouTube playlist of the OpenSecurityTraining.info 'Introductory Intel x86' course being delivered. Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis.

Video Playlist: Reverse Engineering Malware

A YouTube playlist of the OpenSecurityTraining.info 'Reverse Engineering Malware' course being delivered. This class picks up where the Introduction to Reverse Engineering Software course left off, exploring how static reverse engineering techniques can be used to understand what a piece of malware does and how it can be removed.

Video Playlist: The Life of Binaries

A YouTube playlist of the OpenSecurityTraining.info 'The Life of Binaries' course being delivered. Topics include: Scanning and tokenizing source code; parsing a grammar; different targets for x86 assembly object files generation; linking object files together to create a well-formed binary; detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats; how an OS loads a binary into memory and links it on the fly before executing it.