What to bring:
Students must bring their own Windows® 2000/XP Laptop with Adobe® Acrobat Reader®, an unzip utility and a full version (standard or advanced) of Ida Pro 4.7 or greater installed.
Failure to do so will make participation impossible. Students attempting to use the demo version of Ida available from DataRescue will be unable to complete many of the hands on portions of the course.
Students wishing to compile Ida plugins should also have either Microsoft® Visual C++® 6.0, Visual Studio® .NET, or a cygwin (recommended) environment that includes gcc, g++, and make.
The need for reverse engineering binary software components arises in more and more contexts every day. Common cases include analysis of malicious software such as viruses, worms, trojans and rootkits, analyzing binary drivers in order to develop open source drivers for alternate platforms, analyzing closed source software for security flaws, and source code recovery in legacy systems. The first step in such an analysis is generally the acquisition of a high quality disassembly of the binary component. Ida Pro is touted as the premier disassembler available today. Ida Pro is capable of disassembling machine languages for a large number of microprocessors and microcontrollers and is particularly strong when used on Windows and Linux® executables. This course will cover essential background material for effective reverse engineering before diving into the features of Ida Pro that set it apart from other disassemblers.
This is a two-day course that combines lectures with increasingly difficult hands-on exercises designed to familiarize the student with the capabilities of Ida Pro and its uses in analyzing various types of binary files.
What You Will Learn
The course will provide an overview of disassembler theory followed by a review of the structure of compiler-generated code. Armed with that background information, students will be introduced to the features of Ida Pro that set it apart from other disassemblers and learn how it can assist them in determining the behavior of various binary files. The course will cover the basics of the Ida Pro interface including the many informational displays it contains. Students will be introduced to the scripting capabilities of Ida Pro as well as its plugin architecture. Finally, students will be presented with techniques for dealing with statically linked, stripped, and obfuscated binaries.
How It Will Work
Each student will be provided with many example binaries that will be used throughout the course to demonstrate Ida Pro’s many features. The binaries run the range from simple demonstrations to real world examples of obfuscated malicious code. These binaries will be used in both instructor-led discussions and individual exercises to reinforce disassembly concepts and familiarize the student with a wide range of Ida Pro capabilities. In addition to sample binaries, students will be provided with valuable reverse engineering reference material including many Ida Pro sample scripts and plugins.
Who Should Attend?
Information security officers, anti-virus vendors, vulnerability researchers, security consultants, software developers and other nice people will all benefit from the techniques presented in this class. Remember that this course is practical and of an extremely technical nature, so a basic understanding of assembly language (preferably x86), C/C++ programming, networking, and security is a course prerequisite.
Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 20+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, CodeCon, and Shmoocon and is a co-author of the book "Gray Hat Hacking". In his spare time he is the Dean of Hacking for the Sk3wl of r00t, past and future champions of the capture the flag competition at Defcon.