Reverse engineering is an important discipline, since it allows people to understand how systems work. It matters in the case of malware analysis, vulnerability exploitation and breaking cipher systems. Following the workshop given at the last edition, this one is about giving you the basics and practice of how to reverse an application under Windows 10.
To be able to reverse any software, we must be able to understand how it is written; more precisely, to understand what the compiled software is supposed to do. This is where mastering different tools (IDA, Ghidra) to decompile and analyze software matters. In addition to reading the content of software, we are going to debug it so that we can manipulate it directly.
Malware uses cryptology for its own purposes. From ransomware, which aims to encrypt the full content of a disk, to communication systems, which aim to protect the messages exchanged by criminals, cryptography is everywhere. But cryptography is a complex science which requires rigour and good knowledge of the different implementation flaws. Therein lies the rub: when it is not correctly performed, it is possible to break the security and get access to the data encrypted by such tools. In the same way, malware can try to downgrade the cryptography used by secure software in order to get access to protected content.
This workshop covers two main lines. The first is reverse engineering and how the operating system works. The second is how to use cryptography in a secure way and how it is possible to exploit some flaws.
At a time when technology is, day after day, increasingly diverse and more and more complex, it matters to understand how systems work. If you are curious and have always believed that mysteries in computer science should not stay mysteries and that data protection is not magic, this workshop is made for you.
By the end of the workshop, participants will be able to:
Get an introduction to x86 and x64 assembly language.
Understand several key components of the Windows operating system.
Use IDA and Ghidra to perform static analysis (and more).
Use the WinDbg debugger to perform dynamic analysis (and more).
Practise on different, real examples from malware and the operating system.
Search for something in a program autonomously, by themselves.
The participants will get the following:
Several demo samples used for practice.
Slides from the presentation.
Other references to learn more about the topics covered in the workshop.
Practice, practice and practice…
Course Content:
(it can change, depending on attendee level and interactions during the workshop)
General introduction: How a program works under the operating system.
What is a program?
How does it interact with the operating system?
How to control them with simple techniques (Sysinternals tools).
What is reverse engineering about?
Laws around the world about reverse engineering.
Static and dynamic analysis.
Different tools for different purposes.
Demo & practice.
Operating system internals.
Presentation of the main components of Windows (both user and kernel land).
Processes and jobs.
Demo: Using and reversing the Windows Crypto API.
Practice: Do it yourself with IDA.
Dive into reverse engineering.
Pseudo-code reverse engineering.
Assembly reverse engineering.
Most important instructions.
Different calling conventions.
Operating system interactions and considerations (under Windows).
Practice: Debug with WinDbg Preview.
Practice: Reverse and break a crypto algorithm.
Windows Crypto API.
The main crypto API in userland.
What matters when implementing cryptography?
How can crypto be downgraded while software is running?
What are the main errors made when implementing cryptography?
Which errors have already been made by malware authors, and how to exploit them (from real examples, demo).
Practice: Analyzing weak crypto algorithms.
Practice: Challenge with a communication software using cryptography. Who will be able to break it?
A laptop with enough RAM and disk space to work efficiently.
An Intel or AMD processor (x86 or x64).
Software (ideally pre-installed):
Windows 10 operating system (Windows 7 in downgraded mode).
IDA (free version, or a commercial one for better use).
Visual Studio Community 2017 (or another edition).
WinDbg Preview (available from the Windows 10 Store).
There are no real requirements here; a basic level in computer science is enough, since we expect attendees to start from zero. Nonetheless, in case of doubt:
Basics in programming (mastering C would be perfect).
Basics in mathematics and algebra.
Who should attend:
Students in IT, and especially in security.
Security and software engineers.
Anyone curious about how operating systems work and about malware analysis is welcome.
What to expect:
Get good knowledge of how things work in Windows and, more generally, in the operating system world.
Get practice by reversing software.
Understand the purpose and the use of both static and dynamic analysis.
Understand the different cryptography solutions under Windows and how to use them.
Better understand how tedious bugs in software can lead to real and serious consequences.
Good stories and culture about Windows (history, code, architecture, security and internals).
Practice, practice and practice… This is the only way to progress in reverse engineering and in IT in general ;-).
What not to expect:
Disclosure of unpatched vulnerabilities, patents, or cracking the protection of commercial software. This is not legal, nor is it moral.
Reverse engineering of software written in C# or C++ (it is out of scope, even if tools to proceed would be presented if an attendee wishes to do it).
Being able to mathematically break AES, RSA, (…) algorithms. Our focus is on how crypto is implemented and used by software.
David Baptiste, PhD Student, (C+V)^O Laboratory, ESIEA
DAVID Baptiste is a PhD student at the (C+V)^O laboratory at ESIEA. His research is mainly focused on malware analysis, security under the Windows operating system, networks, kernel development and vulnerabilities. Sometimes math, physics or anything cool from that field is perfect for him to enhance everyday life. He also likes good food and good wine (we never change), but he is okay if you offer him beers. He has already presented at several conferences, including: iAwacs, Cocon, Ground Zero Summit, EICAR, ECCWS, Defcon.