What to bring:
Students must bring their own Windows 2000/XP laptop with Adobe Acrobat Reader, an unzip utility and a full version (Standard or Advanced) of IDA Pro 4.7 or greater installed. Failure to do so will make participation impossible. Students attempting to use the demo version of IDA available from DataRescue will be unable to complete many of the hands-on portions of the course.
Black Hat offers discount pricing for this software to registered students. Software may be purchased at the same time as your registration.
The need for reverse engineering binary software components arises in more and more contexts every day. Common cases include analysis of malicious software such as viruses, worms, trojans and rootkits, analyzing binary drivers in order to develop open source drivers for alternate platforms, analyzing closed source software for security flaws, and source code recovery in legacy systems. The first step in such an analysis is generally the acquisition of a high quality disassembly of the binary component. IDA Pro is touted as the premier disassembler available today. IDA Pro is capable of disassembling a large number of instruction sets and is particularly strong when used on Windows and Linux executables. This course will cover essential background material for effective reverse engineering before diving into the features of IDA Pro that set it apart from other disassemblers.
Topics to be covered include:
- Key features of compiled code
  - Stack frames
  - Control flow constructs (branching, looping, functions)
- Binary file formats
- Basic disassembly theory
- IDA Pro basics
  - Available views
  - File navigation
  - Disassembly concepts
  - Improving the readability of your disassembly
  - Cross-referencing, flow-charting and graphing
  - Data structures
  - Library identification
  - Type libraries
- Advanced IDA features
  - Debugging Windows binaries
  - IDA scripting
  - IDA plug-ins
- Reverse engineering obfuscated code
Prerequisites:
- Knowledge of C/C++
- Working knowledge of assembly language (x86 helpful)
Students wishing to compile the plug-in examples will require a C/C++ compiler (Visual C++, or gcc for Windows).
A general knowledge of x86 assembly language as well as a good knowledge of C/C++ is recommended in order to better follow the course.
Several other tools will be provided on the CD (IDA plug-ins, IDA SDK, IDC scripts).
ISC2 CISSP/SSCP CPE Credits
Students are eligible to receive 16 Continuing Professional Education (CPE) credits upon completion of class. Black Hat will automatically forward your information to ISC2.
Course Length: 2 days
Cost: US $1800 by October 1, 2005 or US $2000 after October 1, 2005
All course materials, lunch and two coffee breaks will be provided. NOTE: A Certificate of Completion will be offered. You must provide your own laptop.
Because the class requires that a version of IDA Pro 4.7 or greater be installed on the participant's laptop, Black Hat is pleased to offer IDA Pro Standard and IDA Pro Advanced. In order to purchase the software, you must:
1) be a fully paid and registered student for this class
2) select the IDA Pro software on the registration page
Chris Eagle is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 18 years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering.