Reverse Engineering Deep Dive

Name: Reverse Engineering Deep Dive
Rating: 4.2 (16 reviews)

Deobfuscations, disassembly, shellcode analysis and beyond

Created byCristina Gheorghisan

Last updated 10/2020

English

What you'll learn

Writing Python deobfuscation tools for AutoIt scripts.
Crafting efficient regular expressions to reduce tens of thousands of lines of obfuscated code down to manageable hundreds.
Basic functional programming concepts, to help us write elegant and cleaner code.
In-depth shellcode analysis, including extracting and reproducing find-by-hash function resolution algorithms.
Multiple in-the-wild techniques for bypassing anti-viruses.
Discovering a cryptanalysis flaw, and use it to recover an encrypted payload.
Basic steganography tricks.
Reverse engineering a couple of process injection techniques, known and unknown ones.
In-depth Metasploit shellcode deobfuscation and reversing.

Course content

8 sections • 36 lectures • 5h 47m total length

Introduction5:48
Course introduction, topics and learning goals.
Environment setup3:47
Virtual environment configuration and tools of the trade.

AutoIt Encryption/Decryption11:27
Extract and explore an AutoIt implementation of symmetric encryption.
AutoIt Symmetric Encryption
Steganography10:33
Identify and explore an image-base simple steganography technique.
Image Based Steganography
Cryptanalysis7:00
Identify an encryption flaw in the key-generation malware code.
Shellcode Decryption and DLL Loading in AutoIt
Payload Extraction9:41
Extract and decrypt the next stage payload.

MSF Downloader Overview9:52
Generate a downloader payload using MSFvenom and perfom high-level static analysis on it.
Code Obfuscations9:58
Identify and reverse assembly level code obfuscations: junk code, code flow obfuscations, function calling tricks.
Find-By-Hash (Dynamic)12:21
Dynamic function resolution by hash (Debugging)
Find-By-Hash (Static)11:01
Dynamic function resolution by hash (Static analysis)
Debugging With IDA Pro13:30
Learn how breakpoints work under the hood.
Dealing With Exceptions8:11
Understand and work with exceptions in IDA Pro and x64dbg.
Downloader Payload Overview12:39
Metasploit downloader payload - code analysis and functionality wrap up.
Bypass Defender AV9:38
Simple tricks to wrap your shellcode and bypass Defender Antivirus.
Bypass Defender AV
Payload Binder10:40

RunPE13:03
RunPE process injection technique - AutoIt implementation and testing.
RunPE AV Bypass10:24
Run arbitrary GUI applications using RunPE implementation and bypass AVs.
Window Events Process Hollowing11:09
A different implementation of process hallowing technique, with an interesting twist.
Window Events Process Hollowing AV Bypass12:02
Bypass Defender AV with window events, process hollowing and payload encryption.
Process Hollowing Detection7:31
How to detect injected processes using 3rd party tools and libraries.

Shellcode Extraction8:20
Extract the shellcode responsible to kickstart the process hollowing.
Shellcode Testing - Part 18:59
Prepare a wrapper for dynamic analysis of extracted shellcode.
Shellcode Analysis
Shellcode Testing - Part 211:20
Fix memory permissions errors in shellcode testing wrapper.
Shellcode Testing - Part 39:44
Shellcode Overview11:59
High-level analysis of the injector shellcode.
Find-By-Hash Algorithm - Python Implementation8:06
Port the dynamic function resolution algorithm from assembly to Python and generate C header files.
Find-By-Hash Algorithm - Functional Programming Implementation8:21
Functional programming implementation of the Find-by-hash function resolution algorithm.
Find-By-Hash Algorithm - C Port to DLL10:13
Shellcode Analysis - Wrap-up7:33
Wrap-up the shellcode analysis and clarify all the code thoroughly.
Shellcode Debugging11:05
Tricks to debug the process injector shellcode.

Requirements

Windows 8.1 virtual machine
Install all the analysis tools
The will to learn

Description

This course is logically designed to guide students gradually through some of the complicated parts of static and dynamic analysis of real-world malware. Instead of covering the topic broadly on the surface, we will take all the ramifications presented to us by the sample and use them as opportunities to deep dive and learn.

During our investigations we will cover a lot of adjacent topics. We will write Python deobfuscation scripts, embed assembly algorithms into C++ libraries, analyse steganography tricks and encryption flaws and many many more.

The course is very practical and exercises have been designed and tested for an updated Windows 8.1 operating system. There are no pre-requisites for this class other that a Windows virtual machine and the will to learn. All the 3rd party tools discussed are freely available online. Familiarity with Python and C/C++ is beneficial because these two are heavily used throughout the modules.

Assessments:

To get the most out of this course, I recommend doing all the assignments.
All the 6 practical assignments can be solved using information from the course.
There are no solutions provided, because I believe we learn best by doing.
I'm asking each student to send in their solutions to all the exercises at the end of the course.
If you stumble or have any questions, I'm more than happy to help anytime. Reach out directly or via the Q&A section.
Feel free to discuss the assignments with other students in the Q&A section, but please don't post the solutions or answers online.

Who this course is for:

Security testers
Malware analysts
Forensics investigators
System administrators
Information security students
rested in information security in general and reverse engineering in particular

Reverse Engineering Deep Dive

What you'll learn

Explore related topics

Course content

Introduction2 lectures • 10min

Dynamic Analysis2 lectures • 23min

Deobfuscation2 lectures • 21min

Payload Extraction4 lectures • 39min

Metasploit Payload Analysis9 lectures • 1hr 38min

Process Injection and AV Bypass Techniques5 lectures • 54min

Shellcode10 lectures • 1hr 36min

Wrap Up2 lectures • 9min

Requirements

Description

Who this course is for: