Reverse Engineering

Intro

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

Follow

  1. https://twitter.com/wrongbaud

  2. https://twitter.com/voidstarsec

Get better

  1. https://hshrzd.wordpress.com/

Prerequisites

Read

  1. https://en.wikipedia.org/wiki/Reverse_engineering

  2. https://www.learn-c.org/

  3. https://www.intel.com/content/www/us/en/resources-documentation/developer.html

  4. https://www.intel.com/content/dam/develop/external/us/en/documents/introduction-to-x64-assembly-181178.pdf

  5. https://www.cs.uaf.edu/2017/fall/cs301/reference/x86_64.html

  6. https://cs.lmu.edu/~ray/notes/x86overview/

  7. http://www.cs.cornell.edu/courses/cs412/2000SP/resources/Intel%20Architecture%20Vol.%201.PDF

  8. https://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-vol-2a-manual.html

  9. https://godbolt.org/

  10. https://en.wikipedia.org/wiki/Assembly_language

  11. https://en.wikipedia.org/wiki/Low-level_programming_language

  12. Academy of reverse engineering

  13. https://learn.microsoft.com/en-us/sysinternals/

  14. https://linker.iecc.com/

  15. https://a.co/d/dqk8thB

  16. https://en.wikipedia.org/wiki/X86_assembly_language

  17. https://www.malwaretech.com/2018/03/best-programming-languages-to-learn-for-malware-analysis.html

  18. https://www.malwarebytes.com/blog/news/2015/12/malware-crypters-the-deceptive-first-layer

  19. Analysis of Virtualization-based Obfuscation

    1. writeup: https://synthesis.to/2021/10/21/vm_based_obfuscation.html

    2. slides: https://synthesis.to/presentations/r2con2021-deobfuscation.pdf

    3. video: https://www.youtube.com/watch?v=b6udPT79itk

    4. code: https://github.com/mrphrazer/r2con2021_deobfuscation

    5. https://www.youtube.com/watch?v=PAG3M7mWT2c&t=13229s – a talk on reversing VMProtect

    6. VMProtect 2 – Detailed Analysis of the Virtual Machine Architecture

    7. VMProtect 2 – Part Two, Complete Static Analysis

    8. A solution to VMProtect challenge from UIUCTF 2021 – SpeakEasy: https://medium.com/@acheron2302/speakeasy-writeup-3af3375ab63

    9. “Tickling VMProtect with LLVM”: [1][2][3] (more on LLVM here)

  20. https://www.mandiant.com/resources/blog/flare-on-8-challenge-solutions

  21. https://github.com/stephenfewer/ReflectiveDLLInjection

  22. https://web.archive.org/web/20170719052516/https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

  23. https://github.com/hasherezade/demos

  24. https://www.youtube.com/watch?v=xewv122qxnk

  25. https://www.youtube.com/watch?v=Fpb4eL3vMgk

  26. https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf

  27. https://github.com/odzhan/injection

  28. https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10#file-injection_demos-md

  29. https://github.com/hasherezade/pe-sieve

  30. https://github.com/hasherezade/hollows_hunter

  31. https://github.com/hasherezade/pe-sieve/wiki/4.1.-Detect-shellcodes-(shellc)

  32. https://www.youtube.com/watch?v=rDQmh1yFWGU

  33. https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html

  34. https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html

  35. https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++

  36. https://raw.githubusercontent.com/hasherezade/malware_training_vol1/main/slides/module2/Module2_2_hooking.pdf

  37. https://www.malwarebytes.com/blog/news/2016/12/simple-userland-rootkit-a-case-study

  38. https://github.com/hasherezade/pe-sieve

  39. https://github.com/hasherezade/hollows_hunter

  40. https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches

  41. https://github.com/hasherezade/pe-sieve/wiki/4.7.-Scan-for-IAT-Hooks-(iat)

  42. https://github.com/hasherezade/hollows_hunter/wiki#hollows-hunter-vs-pe-sieve

  43. https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/

  44. https://leanpub.com/windowskernelprogramming

  45. https://leanpub.com/u/zodiacon

  46. https://github.com/zodiacon/windowskernelprogrammingbook

  47. https://posts.specterops.io/methodology-for-static-reverse-engineering-of-windows-kernel-drivers-3115b2efed83

  48. https://voidsec.com/windows-drivers-reverse-engineering-methodology/

  49. https://raw.githubusercontent.com/jack8daniels2/threat-INTel/master/2016/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

  50. https://resources.infosecinstitute.com/topic/hooking-idt/

  51. https://www.adlice.com/kernelmode-rootkits-part-1-ssdt-hooks/

  52. https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/

  53. https://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/

  54. https://www.malwarebytes.com/blog/news/2016/04/petya-ransomware

  55. https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

  56. https://toddcullumresearch.com/2018/01/21/become-remain-malware-researcher/

  57. http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/

  58. https://www.reversinghero.com/

  59. https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware

Video

  1. Introduction to Assembly

  2. Introduction to C

  3. Reversing Tutorial For Newbies

  4. Reverse Engineering for Beginners

  5. Introduction to Reverse Engineering

  6. Reverse Engineering

  7. Ghidra Reversing

  8. Windows Internals

  9. Malware Analysis

  10. Technical Analysis of NullMixer Malware

  11. Analyzing OneNote Malware

  12. Reverse Engineering Binaries

  13. Reverse Engineering Q&A Session

  14. IDA Pro Reverse Engineering

  15. TiGa’s course on IDA Pro

  16. Introduction to Windbg

  17. https://www.youtube.com/watch?v=75gBFiFtAb8

  18. https://www.youtube.com/watch?v=wLXIWKUWpSs

  19. https://www.youtube.com/watch?v=qCQRKLaz2nQ

  20. CS6038

  21. https://www.youtube.com/c/MalwareAnalysisForHedgehogs

  22. https://www.youtube.com/c/oalabs

  23. https://www.youtube.com/channel/UCND1KVdVt8A580SjdaS4cZg

  24. https://www.youtube.com/c/DuMpGuYTrIcKsTeR

  25. https://www.youtube.com/c/hasherezade

  26. https://www.youtube.com/watch?v=tbcrV1rNgMo

Environment

  1. Malware and the tools for its analysis

  2. Malware Analysis Virtual Machine

  3. Creating a Simple Free Malware Analysis Environment

  4. Reviews of various tools for reverse engineering

Code

  1. x86 Assembler

    1. https://web.archive.org/web/20171110201344/http://win32assembly.programminghorizon.com/tutorials.html

    2. https://drive.google.com/file/d/1QMqqXraqtbUimsJMqqy2ABl58dOKI2qh/view

  2. C++

    1. https://www.amazon.com/Programming-Language-2nd-Brian-Kernighan/dp/0131103628

    2. https://www.amazon.com/C-Programming-Language-4th/dp/0321563840

    3. https://www.amazon.com/Linux-Programming-Example-Kurt-Wall/dp/0789722151

    4. https://www.amazon.com/Programming-Paperback-Addison-Wesley-Microsoft-Technology/dp/0134382250

Study

  1. https://www.begin.re/

  2. https://malwareunicorn.org/workshops/re101#0

  3. https://malwareunicorn.org/workshops/re102#0

  4. https://legend.octopuslabs.io/sample-page.html

  5. https://opensecuritytraining.info/Training.html

  6. https://samsclass.info/126/126_S17.shtml

  7. https://0xpat.github.io/

  8. https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/

  9. https://github.com/hasherezade/malware_training_vol1

Books

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

  1. Reverse Engineering for Beginners

  2. https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting-ebook/dp/B007ED2XDS

  3. https://www.amazon.com/SZOR-VIRUS-DEFENSE-Symantec-Press-ebook/dp/B003DQ4WLQ/

  4. https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf

  5. https://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/

  6. https://www.amazon.com/Hacker-Disassembling-Uncovered-Kris-Kaspersky/dp/1931769648/

  7. https://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X

  8. https://nostarch.com/rootkits

  9. https://www.amazon.com/Programming-Paperback-Addison-Wesley-Microsoft-Technology/dp/0134382250

  10. https://nostarch.com/ghpython.htm

Read

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

  1. https://hackaday.io/course/172292-introduction-to-reverse-engineering-with-ghidra

  2. http://bitblaze.cs.berkeley.edu/bitblaze-pub.html

  3. https://a.co/d/d399HpW

  4. https://courses.cs.washington.edu/courses/csep505/06sp/

  5. https://a.co/d/5zpnNb1

  6. https://a.co/d/8H1l6KI

  7. https://a.co/d/deTwIYW

  8. https://a.co/d/dC6IyTQ

  9. https://a.co/d/cVv5jHv

  10. http://spritesmods.com/

  11. https://www.mandiant.com/resources/blog/defining-cobalt-strike-components

  12. https://drive.google.com/file/d/1Sjm7xo4AwBxoLVo7X0Wx4u-tlHERevE-/view

  13. https://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt1.htm

  14. https://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt2.htm

  15. https://learn.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)?redirectedfrom=MSDN

  16. https://raw.githubusercontent.com/corkami/pics/master/binary/PE101.png

  17. https://raw.githubusercontent.com/corkami/pics/master/binary/PE102.png

  18. https://raw.githubusercontent.com/hasherezade/malware_training_vol1/main/slides/module1/Module1_2_pe.pdf

  19. https://hshrzd.wordpress.com/pe-bear/

Video

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

YouTube

  1. https://www.youtube.com/playlist?list=PL_tws4AXg7auglkFo6ZRoWGXnWL0FHAEi

  2. https://www.youtube.com/watch?v=d4Pgi5XML8E

  3. https://www.youtube.com/watch?v=uyWVztMHWtk

  4. https://www.youtube.com/watch?v=RFG5FuqY0CE

  5. https://www.youtube.com/watch?v=5QBXNF7FKxM

  6. https://www.youtube.com/watch?v=K0g-twyhmQ4

  7. https://www.youtube.com/watch?v=aoEEH2EJdVY

  8. https://www.youtube.com/watch?v=t-bjhu2z9wE

  9. https://www.youtube.com/watch?v=RvvRO_gWYIg

  10. https://www.youtube.com/watch?v=8ymVjHCIciQ

  11. https://www.youtube.com/watch?v=nm7EeFGWpFU

  12. https://www.youtube.com/watch?v=z8GrAPKTQ_k

  13. https://www.youtube.com/watch?v=ZGfOfonUuaY

  14. https://www.youtube.com/watch?v=iRSkpQ4ijrE

  15. https://www.youtube.com/watch?v=znyA9GSvn80

  16. https://www.youtube.com/watch?v=mxwPde9t8E8

  17. https://forum.tuts4you.com/

Tools & Documentation

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum

Disassemblers

  1. IDA

  2. JAD

  3. Ghidra

Debugger

  1. x64dbg

  2. Edb-Debugger

  3. windbg

  4. ollydbg

  5. W32Dasm

  6. GDB GNU Debugger

Editors

  1. cff explorer

  2. Woodmans Reverse Engineering Tools

  3. 101

Practice

Malware families

CTF Platforms

  1. https://ocaml.org/docs

  2. https://hackingthexbox.com/

  3. https://www.root-me.org

  4. https://crackmes.one/

Sourcecode

  1. https://github.com/Visgean/Zeus

  2. https://github.com/nyx0/Tinba

  3. https://github.com/NextSecurity/Gozi-MBR-rootkit

  4. https://github.com/nyx0/Pony

  5. https://github.com/nyx0/Alina

  6. https://github.com/nyx0/Carberp

  7. https://github.com/vxunderground/MalwareSourceCode

Sandbox. Detonate malware

  1. 1

Malware samples

  1. https://malwarebreakdown.wordpress.com/

  2. https://www.malware-traffic-analysis.net/

  3. https://www.vx-underground.org/samples.html

  4. https://www.malshare.com/

  5. https://virusshare.com/

  6. https://bazaar.abuse.ch/

  7. https://thezoo.morirt.com/

  8. https://beta.virusbay.io/

Trackers

  1. http://benkow.cc/

  2. http://vxvault.net/ViriList.php

  3. http://cybercrime-tracker.net/

Hands-on

  1. https://www.malwaretech.com/challenges/windows-reversing

  2. https://www.malwarebytes.com/blog/news/2017/11/how-to-solve-the-malwarebytes-crackme-a-step-by-step-tutorial

  3. https://www.malwarebytes.com/blog/news/2018/04/malwarebytes-crackme-2-another-challenge

    1. https://www.malwarebytes.com/blog/news/2018/05/malwarebytes-crackme-2-contest-summary

  4. https://www.malwarebytes.com/blog/threat-intelligence/2021/10/the-return-of-the-malwarebytes-crackme

    1. https://www.malwarebytes.com/blog/threat-intelligence/2021/11/malwarebytes-crackme-contest-summary

  5. https://guyinatuxedo.github.io/index.html

  6. https://www.mandiant.com/resources/blog/2017-flare-on-challenge-solutions

  7. https://hshrzd.wordpress.com/tag/flareon/

  8. https://github.com/mytechnotalent/Reverse-Engineering

  9. https://cdrdv2-public.intel.com/774494/325462-sdm-vol-1-2abcd-3abcd.pdf

Last updated