Reverse Engineering

Intro

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

Follow

1. https://twitter.com/wrongbaud

2. https://twitter.com/voidstarsec

Get better

1. https://hshrzd.wordpress.com/

Prerequisites

Read

1. https://en.wikipedia.org/wiki/Reverse_engineering

2. https://www.learn-c.org/

3. https://www.intel.com/content/www/us/en/resources-documentation/developer.html

4. https://www.intel.com/content/dam/develop/external/us/en/documents/introduction-to-x64-assembly-181178.pdf

5. https://www.cs.uaf.edu/2017/fall/cs301/reference/x86_64.html

6. https://cs.lmu.edu/~ray/notes/x86overview/

7. http://www.cs.cornell.edu/courses/cs412/2000SP/resources/Intel%20Architecture%20Vol.%201.PDF

8. https://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-vol-2a-manual.html

9. https://godbolt.org/

10. https://en.wikipedia.org/wiki/Assembly_language

11. https://en.wikipedia.org/wiki/Low-level_programming_language

12. Academy of reverse engineering

13. https://learn.microsoft.com/en-us/sysinternals/

14. https://linker.iecc.com/

15. https://a.co/d/dqk8thB

16. https://en.wikipedia.org/wiki/X86_assembly_language

17. https://www.malwaretech.com/2018/03/best-programming-languages-to-learn-for-malware-analysis.html

18. https://www.malwarebytes.com/blog/news/2015/12/malware-crypters-the-deceptive-first-layer

19. Analysis of Virtualization-based Obfuscation

    1. writeup: https://synthesis.to/2021/10/21/vm_based_obfuscation.html

    2. slides: https://synthesis.to/presentations/r2con2021-deobfuscation.pdf

    3. video: https://www.youtube.com/watch?v=b6udPT79itk

    4. code: https://github.com/mrphrazer/r2con2021_deobfuscation

    5. https://www.youtube.com/watch?v=PAG3M7mWT2c&t=13229s – a talk on reversing VMProtect

    6. VMProtect 2 – Detailed Analysis of the Virtual Machine Architecture

    7. VMProtect 2 – Part Two, Complete Static Analysis

    8. A solution to VMProtect challenge from UIUCTF 2021 – SpeakEasy: https://medium.com/@acheron2302/speakeasy-writeup-3af3375ab63

    9. “Tickling VMProtect with LLVM”: [1][2][3] (more on LLVM here)

20. https://www.mandiant.com/resources/blog/flare-on-8-challenge-solutions

21. https://github.com/stephenfewer/ReflectiveDLLInjection

22. https://web.archive.org/web/20170719052516/https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

23. https://github.com/hasherezade/demos

24. https://www.youtube.com/watch?v=xewv122qxnk

25. https://www.youtube.com/watch?v=Fpb4eL3vMgk

26. https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf

27. https://github.com/odzhan/injection

28. https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10#file-injection_demos-md

29. https://github.com/hasherezade/pe-sieve

30. https://github.com/hasherezade/hollows_hunter

31. https://github.com/hasherezade/pe-sieve/wiki/4.1.-Detect-shellcodes-(shellc)

32. https://www.youtube.com/watch?v=rDQmh1yFWGU

33. https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html

34. https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html

35. https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++

36. https://raw.githubusercontent.com/hasherezade/malware_training_vol1/main/slides/module2/Module2_2_hooking.pdf

37. https://www.malwarebytes.com/blog/news/2016/12/simple-userland-rootkit-a-case-study

38. https://github.com/hasherezade/pe-sieve

39. https://github.com/hasherezade/hollows_hunter

40. https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches

41. https://github.com/hasherezade/pe-sieve/wiki/4.7.-Scan-for-IAT-Hooks-(iat)

42. https://github.com/hasherezade/hollows_hunter/wiki#hollows-hunter-vs-pe-sieve

43. https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/

44. https://leanpub.com/windowskernelprogramming

45. https://leanpub.com/u/zodiacon

46. https://github.com/zodiacon/windowskernelprogrammingbook

47. https://posts.specterops.io/methodology-for-static-reverse-engineering-of-windows-kernel-drivers-3115b2efed83

48. https://voidsec.com/windows-drivers-reverse-engineering-methodology/

49. https://raw.githubusercontent.com/jack8daniels2/threat-INTel/master/2016/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

50. https://resources.infosecinstitute.com/topic/hooking-idt/

51. https://www.adlice.com/kernelmode-rootkits-part-1-ssdt-hooks/

52. https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/

53. https://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/

54. https://www.malwarebytes.com/blog/news/2016/04/petya-ransomware

55. https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

56. https://toddcullumresearch.com/2018/01/21/become-remain-malware-researcher/

57. http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/

58. https://www.reversinghero.com/

59. https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware

Video

1. Introduction to Assembly

2. Introduction to C

3. Reversing Tutorial For Newbies

4. Reverse Engineering for Beginners

5. Introduction to Reverse Engineering

6. Reverse Engineering

7. Ghidra Reversing

8. Windows Internals

9. Malware Analysis

10. Technical Analysis of NullMixer Malware

11. Analyzing OneNote Malware

12. Reverse Engineering Binaries

13. Reverse Engineering Q&A Session

14. IDA Pro Reverse Engineering

15. TiGa’s course on IDA Pro

16. Introduction to Windbg

17. https://www.youtube.com/watch?v=75gBFiFtAb8

18. https://www.youtube.com/watch?v=wLXIWKUWpSs

19. https://www.youtube.com/watch?v=qCQRKLaz2nQ

20. CS6038

21. https://www.youtube.com/c/MalwareAnalysisForHedgehogs

22. https://www.youtube.com/c/oalabs

23. https://www.youtube.com/channel/UCND1KVdVt8A580SjdaS4cZg

24. https://www.youtube.com/c/DuMpGuYTrIcKsTeR

25. https://www.youtube.com/c/hasherezade

26. https://www.youtube.com/watch?v=tbcrV1rNgMo

Environment

1. Malware and the tools for its analysis

2. Malware Analysis Virtual Machine

3. Creating a Simple Free Malware Analysis Environment

4. Reviews of various tools for reverse engineering

Code

1. x86 Assembler

   1. https://web.archive.org/web/20171110201344/http://win32assembly.programminghorizon.com/tutorials.html

   2. https://drive.google.com/file/d/1QMqqXraqtbUimsJMqqy2ABl58dOKI2qh/view

2. C++

   1. https://www.amazon.com/Programming-Language-2nd-Brian-Kernighan/dp/0131103628

   2. https://www.amazon.com/C-Programming-Language-4th/dp/0321563840

   3. https://www.amazon.com/Linux-Programming-Example-Kurt-Wall/dp/0789722151

   4. https://www.amazon.com/Programming-Paperback-Addison-Wesley-Microsoft-Technology/dp/0134382250

Study

1. https://www.begin.re/

2. https://malwareunicorn.org/workshops/re101#0

3. https://malwareunicorn.org/workshops/re102#0

4. https://legend.octopuslabs.io/sample-page.html

5. https://opensecuritytraining.info/Training.html

6. https://samsclass.info/126/126_S17.shtml

7. https://0xpat.github.io/

8. https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/

9. https://github.com/hasherezade/malware_training_vol1

Books

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

1. Reverse Engineering for Beginners

2. https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting-ebook/dp/B007ED2XDS

3. https://www.amazon.com/SZOR-VIRUS-DEFENSE-Symantec-Press-ebook/dp/B003DQ4WLQ/

4. https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf

5. https://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/

6. https://www.amazon.com/Hacker-Disassembling-Uncovered-Kris-Kaspersky/dp/1931769648/

7. https://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X

8. https://nostarch.com/rootkits

9. https://www.amazon.com/Programming-Paperback-Addison-Wesley-Microsoft-Technology/dp/0134382250

10. https://nostarch.com/ghpython.htm

Read

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

1. https://hackaday.io/course/172292-introduction-to-reverse-engineering-with-ghidra

2. http://bitblaze.cs.berkeley.edu/bitblaze-pub.html

3. https://a.co/d/d399HpW

4. https://courses.cs.washington.edu/courses/csep505/06sp/

5. https://a.co/d/5zpnNb1

6. https://a.co/d/8H1l6KI

7. https://a.co/d/deTwIYW

8. https://a.co/d/dC6IyTQ

9. https://a.co/d/cVv5jHv

10. http://spritesmods.com/

11. https://www.mandiant.com/resources/blog/defining-cobalt-strike-components

12. https://drive.google.com/file/d/1Sjm7xo4AwBxoLVo7X0Wx4u-tlHERevE-/view

13. https://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt1.htm

14. https://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt2.htm

15. https://learn.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)?redirectedfrom=MSDN

16. https://raw.githubusercontent.com/corkami/pics/master/binary/PE101.png

17. https://raw.githubusercontent.com/corkami/pics/master/binary/PE102.png

18. https://raw.githubusercontent.com/hasherezade/malware_training_vol1/main/slides/module1/Module1_2_pe.pdf

19. https://hshrzd.wordpress.com/pe-bear/

Video

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

YouTube

1. https://www.youtube.com/playlist?list=PL_tws4AXg7auglkFo6ZRoWGXnWL0FHAEi

2. https://www.youtube.com/watch?v=d4Pgi5XML8E

3. https://www.youtube.com/watch?v=uyWVztMHWtk

4. https://www.youtube.com/watch?v=RFG5FuqY0CE

5. https://www.youtube.com/watch?v=5QBXNF7FKxM

6. https://www.youtube.com/watch?v=K0g-twyhmQ4

7. https://www.youtube.com/watch?v=aoEEH2EJdVY

8. https://www.youtube.com/watch?v=t-bjhu2z9wE

9. https://www.youtube.com/watch?v=RvvRO_gWYIg

10. https://www.youtube.com/watch?v=8ymVjHCIciQ

11. https://www.youtube.com/watch?v=nm7EeFGWpFU

12. https://www.youtube.com/watch?v=z8GrAPKTQ_k

13. https://www.youtube.com/watch?v=ZGfOfonUuaY

14. https://www.youtube.com/watch?v=iRSkpQ4ijrE

15. https://www.youtube.com/watch?v=znyA9GSvn80

16. https://www.youtube.com/watch?v=mxwPde9t8E8

17. https://forum.tuts4you.com/

Tools & Documentation

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

Disassemblers

1. IDA

2. JAD

3. Ghidra

Debugger

1. x64dbg

2. Edb-Debugger

3. windbg

4. ollydbg

5. W32Dasm

6. GDB GNU Debugger

Editors

1. cff explorer

2. Woodmans Reverse Engineering Tools

3. 101

Practice

Malware families

CTF Platforms

1. https://ocaml.org/docs
2. https://hackingthexbox.com/
3. https://www.root-me.org
4. https://crackmes.one/

Sourcecode

1. https://github.com/Visgean/Zeus
2. https://github.com/nyx0/Tinba
3. https://github.com/NextSecurity/Gozi-MBR-rootkit
4. https://github.com/nyx0/Pony
5. https://github.com/nyx0/Alina
6. https://github.com/nyx0/Carberp
7. https://github.com/vxunderground/MalwareSourceCode

Sandbox. Detonate malware

1. 1

Malware samples

1. https://malwarebreakdown.wordpress.com/
2. https://www.malware-traffic-analysis.net/
3. https://www.vx-underground.org/samples.html
4. https://www.malshare.com/
5. https://virusshare.com/
6. https://bazaar.abuse.ch/
7. https://thezoo.morirt.com/
8. https://beta.virusbay.io/

Trackers

1. http://benkow.cc/
2. http://vxvault.net/ViriList.php
3. http://cybercrime-tracker.net/

Hands-on

1. https://www.malwaretech.com/challenges/windows-reversing
2. https://www.malwarebytes.com/blog/news/2017/11/how-to-solve-the-malwarebytes-crackme-a-step-by-step-tutorial
3. https://www.malwarebytes.com/blog/news/2018/04/malwarebytes-crackme-2-another-challenge

   1. https://www.malwarebytes.com/blog/news/2018/05/malwarebytes-crackme-2-contest-summary
4. https://www.malwarebytes.com/blog/threat-intelligence/2021/10/the-return-of-the-malwarebytes-crackme

   1. https://www.malwarebytes.com/blog/threat-intelligence/2021/11/malwarebytes-crackme-contest-summary
5. https://guyinatuxedo.github.io/index.html
6. https://www.mandiant.com/resources/blog/2017-flare-on-challenge-solutions
7. https://hshrzd.wordpress.com/tag/flareon/
8. https://github.com/mytechnotalent/Reverse-Engineering
9. https://cdrdv2-public.intel.com/774494/325462-sdm-vol-1-2abcd-3abcd.pdf