Reverse Engineering with Ida Pro
Christopher S. Eagle
USA 2011 Weekend Training Session //July 30-31
USA 2011 Weekday Training Session //August 1-2
The need for reverse engineering binary software components arises in more and more contexts every day. Common cases include analysis of malicious software such as viruses, worms, trojans and rootkits, analyzing binary drivers in order to develop open source drivers for alternate platforms, analyzing closed source software for security flaws, and source code recovery in legacy systems. The first step in such an analysis is generally the acquisition of a high quality disassembly of the binary component. Ida Pro is touted as the premier disassembler available today. Ida Pro is capable of disassembling machine languages for a large number of microprocessors and microcontrollers and is particularly strong when used on Windows and Linux® executables. This course will cover essential background material for effective reverse engineering before diving into the features of Ida Pro that set it apart from other disassemblers.
This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to familiarize the student with the capabilities of Ida Pro and its uses in analyzing various types of binary files.
What You Will Learn:
The course will provide an overview of disassembler theory followed by a review of the structure of compiler-generated code. Armed with that background information, students will be introduced to the features of Ida Pro that set it apart from other disassemblers and learn how it can assist them in determining the behavior of various binary files. The course will cover the basics of the Ida Pro interface including the many informational displays it contains.
Students will be introduced to the scripting capabilities of Ida Pro, including the use of IdaPython as well as IDA's plugin architecture. The course concludes with coverage of IDA's debugger. Throughout the course students will be presented with techniques for dealing with statically linked, stripped, and obfuscated binaries.
How It Will Work:
Each student will be provided with many example binaries that will be used throughout the course to demonstrate Ida Pro's many features. The binaries run the range from simple demonstrations to real world examples of obfuscated malicious code. These binaries will be used in both instructor-led discussions and individual exercises to reinforce disassembly concepts and familiarize the student with a wide range of Ida Pro capabilities. In addition to sample binaries, students will be provided with valuable reverse engineering reference material including many Ida Pro sample scripts and plugins.
Who Should Attend:
Information security officers, anti-virus vendors, vulnerability researchers, security consultants, software developers and other nice people will all benefit from the techniques presented in this class. Remember that this course is practical and of an extremely technical nature, so a basic understanding of assembly language (preferably x86), C/C++ programming, networking, and security is a course prerequisite.
Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
The class requires that a version of IDA Pro 5.0 or greater be installed on the participant's laptop. Participants are responsible for purchasing their own copy of Ida Pro directly from Hex-Rays.
What to bring:
Students must furnish their own laptop with their own copy of Ida Pro installed. Laptops should be configured with software to read .pdf files and to handle .zip and .tgz archives. To make the most of the course, a full version (standard or advanced) of Ida Pro 5.0 (preferably 6.0) or greater should be installed. Ida 6.0 and later are available in GUI versions for Windows, Linux, and OS X.
Failure to properly configure your laptop will make participation difficult. Students attempting to use the freeware or demo versions of Ida available from Hex-Rays will be unable to complete many of the hands-on portions of the course.
Students using Microsoft Windows who wish to compile Ida plugins should also have either Microsoft Visual Studio (C++) 2008 or 2010 (Visual Studio Express is acceptable), or a MinGW environment that includes gcc, g++, and make.
Students using Linux or OS X should have g++ and make installed.
Students wishing to make use of IdaPython must have a working installation of 32-bit Python compatible with their version of Ida. For Ida 6.0, this is currently Python 2.6.
Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 25+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, Defcon, CodeCon, and Shmoocon and is the author of "The IDA Pro Book", the definitive guide to IDA Pro. In his spare time he is the Dean of Hacking for the Sk3wl of r00t, past champions of the Defcon Capture the Flag Competition.
Ends April 30
Ends Jun 15
Ends Jul 29