Training Reversing

Training Reversing

From BruCON 2017

Jump to: navigation, search

Rapid Reverse Engineering by Russ Gideon

Course Description

This course combines deep understanding of reverse engineering with rapid triage techniques to provide students with a broad capability to analyze malicious artifacts uncovered during incident response. By tailoring the instruction to rapid assessment of binaries, we equip students with the skills required to keep up with modern malware and rapidly extract the most valuable and pertinent data to their investigations, including Indicators of Compromise (IOCs). Rapid RE includes considerable lab time utilizing replicated enterprise networks and attacks as observed in the wild. Students will leave with an understanding of:

  • How real world attacks are carried out
  • File triage processes and techniques
  • Intelligence extraction techniques from malware
  • How to deal with binary obfuscation techniques
  • How to get indicators from a file in a hurry

Course Outline

  • Rapid inspection of various file formats
    • Metadata extraction from PE, PDF, and Office docs
    • Finding buried artifacts in files
  • Assured Dynamic Analysis
    • Extracting Host IOCs from file formats with dynamic analysis
    • Working with DLLs
    • Splatter network IOC extraction and log file analysis
    • Memory Analysis
  • Process Tracing for Rapid File Assessments
    • Intro to Intel PIN
    • Code tracing with Pin
    • Shellcode analysis with Pin
  • IDA Efficiencies
    • Intro to IDA Scripting
    • x86 emulation
    • De-obfuscation techniques
  • Unpacking
    • Using IDA for unpacking assistance
    • Unpacking in-memory

Student Requirements

Student machines must be able to run at least 2 virtual machines utilizing VMware Workstation 8.0 and above (which can be obtained through a demo license). To run multiple machines usually means at least 4 gig’s of memory is needed. Student laptops must be running either OSX, Linux, or Windows and must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc. We encourage students to have a copy of IDA Pro version 6.0 or greater. Students are responsible for bringing a XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.

Students must have:

  • A concept of scripting languages such as Python/Perl/Ruby
  • A familiarity with Windows administration.
  • A concept of malware analysis and reverse engineering malware processes
  • Programming in C and previous knowledge of assembly will help students, but is not a must.

Trainer Biography

Russ Gideon has many years of experience in information security fulfilling many diverse roles from

being a core component of an Incident Response operation to managing an effective Red Team. Russ excels both at malware reverse engineering, which enables him to deeply understand how the attackers do what they do, as well as at high end Red Teaming where he has to penetrate sophisticated and well protected high value systems. Russ currently serves as the Director of Malware Research at Attack Research, LLC.

More information is available on carnal0wnage

300px-twitter-icon.jpg @attackresearch

Wed. 23 - Fri. 25 April (09:00 - 17:00)


Back to Training Overview