Reverse Engineering Malware Progress #1
I am writing this blog post as a series to help others who are learning to reverse engineer malware on their own journey as well.
There is an upcoming AlienVault blog post, which I will link here and in the current update when it goes live, that explains my background and how I arrived at learning to reverse engineer malware.
The TL;DR is that I have been in Information Security since 2010 and have had various Blue Team assignments. I started in policy, specifically assembling accreditation packages for a defense contractor. From there I moved to audit, then to UNIX administration, then to Information Security Engineer. I started transitioning into the technical side as an auditor and then boosted my knowledge as a UNIX admin.
This enabled me to oversee security (spoken: I was the only security professional on the entire government contract) for a government contract. By virtue of happenstance, personalit(y/ies), and work ethic, I also picked up some Windows system administration skills when others slacked, were out of the office, or did not know how.
I was also exposed to administering the Intrusion Detection System, SIEM, Vulnerability Management program, network tap, and antivirus. All of this on top of writing policy to meet NIST SP 800-53R4 requirements (spoken: boring).
As my time was winding down at this position, I needed a change. The corporate culture was changing for the worse. A toxic supervisor was making things worse and taking a toll on my mental and physical health. Enter Sword & Shield.
More Background (but going somewhere)
I have been with Sword & Shield about 7 months now. In this time, I have been accepted, empowered, valued, and challenged. These are things I sought in my previous role but came up short on. I have worked with policy, Incident Response, Phishing, and other technical things.
After hitting the speaking circuit, I started giving an Open Source Intelligence (OSINT) and Social Engineering talk. While the talk is still good and relevant, I also push myself to learn more. When pairing with a mentee for a talk, I asked Caroline what she wanted to learn. She was open to anything (she works in Risk).
Collectively, we came up with a Wayne’s World themed Data Carvey (Data or File Carving) talk and gave it at BSides Cincy. It went very well. While learning carving, I stumbled upon the ability to carve files out of packet captures. This began my journey.
Learning to Reverse
I spoke with Maddie Stone, someone I met at BSides Charm. She is a beast at Reversing. She provided me with a laundry list of things to do to learn. I am still working through the list, but I also fork off and try things ahead of my time to get a more gratifying analysis experience than the training alone provides. Furthermore, I am still taking the other training.
I have also started taking an Exploit Development and Reverse Engineering class through Udemy. Thus far, it has focused less on Assembly (x86) and more on the exploitation side. No qualms here. It provides me insight into the other side of the proverbial coin.
So far, I am about 10% through C for Dummies. I have started reading and taking notes from Practical Reverse Engineering during my lunch break at work. I am still working through the Open Security Training Intro to x86 course and Udemy’s Reverse Engineering and Exploit Development course. I even created a Facebook group for it.
Things That I’ve Learned
In x86 (32-bit IA-32 assembly):
- Eight 32-bit general-purpose registers (bits 0-31):
- EAX (Accumulator for operands and results)
- EBX (Pointer to data in the DS data segment)
- ECX (Counter for string and loop operations)
- EDX (I/O pointer, also holds the high half of a MUL/DIV result)
- ESI (Source Index for string operations)
- EDI (Destination Index for string operations)
- ESP (Stack Pointer, top of the stack)
- EBP (Base Pointer, usually the current stack frame)
- 32-bit Instruction Pointer (EIP), the address of the next instruction
- 32-bit EFLAGS register for status flags (ZF, CF, SF, OF, etc.), control flags, and system flags
- Eight 16-bit registers (bits 0-15 of the 32-bit register with the same name): AX, BX, CX, DX, SI, DI, SP, BP
- Eight 8-bit registers, which exist only for the low 16 bits of EAX, EBX, ECX, and EDX:
- Bits 0-7 (low byte): AL, BL, CL, DL
- Bits 8-15 (high byte): AH, BH, CH, DH
- Writing a smaller register changes only that slice of the larger one; the other bits of EAX are untouched when you write AL or AH.
Common instructions (not an exhaustive list)
- PUSH – Push a value onto the stack (decrements ESP by 4, then stores)
- POP – Pop a value off the stack (loads, then increments ESP by 4)
- MOV – Move (copy) a value between registers, memory, and immediates
- ADD – Add
- SUB – Subtract
- DIV – Unsigned Divide
- IMUL – Signed Multiply
- CALL – Call (pushes the return address, then jumps to the target)
- CMP – Compare (subtracts the operands and sets EFLAGS without storing the result)
- JNZ – Jump if Not Zero (taken when ZF = 0; same instruction as JNE)
- XOR – Exclusive OR (XORing a register with itself is the common idiom for zeroing it)
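To make the register aliasing and the CMP/JNZ relationship above concrete, here is a small Python model I wrote for this post; it is an added example and not code from the original post, from any of the courses mentioned, or from a real emulator. It models only the eight general-purpose registers and their 16-bit and 8-bit slices, EIP as an index into a program list, the zero flag (the rest of EFLAGS is omitted), and a stack that grows downward from a constructed starting ESP of 0x1000. The tuple encoding of instructions is my own convention.

```python
MASK32 = 0xFFFFFFFF

# Sub-register name -> (parent 32-bit register, bit offset, width in bits).
SUBREGS = {}
for r in "abcd":
    SUBREGS[r + "x"] = ("e" + r + "x", 0, 16)   # ax, bx, cx, dx
    SUBREGS[r + "l"] = ("e" + r + "x", 0, 8)    # al, bl, cl, dl
    SUBREGS[r + "h"] = ("e" + r + "x", 8, 8)    # ah, bh, ch, dh
for r in ("si", "di", "sp", "bp"):
    SUBREGS[r] = ("e" + r, 0, 16)               # no 8-bit slices for these

class Cpu:   # eight 32-bit GPRs, EIP, a zero flag, and a downward-growing stack
    def __init__(self):
        self.regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx", "esi", "edi", "esp", "ebp")}
        self.regs["esp"] = 0x1000   # constructed initial stack top (assumption)
        self.stack = {}             # address -> 32-bit value
        self.zf = 0                 # only EFLAGS.ZF is modelled
        self.eip = 0                # index into the program list

    def get(self, name):
        if name in self.regs:
            return self.regs[name]
        full, off, width = SUBREGS[name]
        return (self.regs[full] >> off) & ((1 << width) - 1)

    def set(self, name, value):
        if name in self.regs:
            self.regs[name] = value & MASK32
            return
        full, off, width = SUBREGS[name]
        field = ((1 << width) - 1) << off
        # Writing AL/AH/AX changes only that slice of EAX; the rest is untouched.
        self.regs[full] = (self.regs[full] & ~field) | ((value << off) & field)

    def _val(self, operand):
        return operand if isinstance(operand, int) else self.get(operand)

    def _alu(self, dst, result):
        self.set(dst, result)
        self.zf = int(self.get(dst) == 0)   # ZF reflects the width-truncated result

    def run(self, program, max_steps=10_000):
        """Execute a list of (mnemonic, *operands) tuples; running off the end ends it."""
        labels = {op[1]: i for i, op in enumerate(program) if op[0] == "label"}
        for _ in range(max_steps):
            if self.eip >= len(program):
                return self
            op = program[self.eip]
            self.eip += 1
            m = op[0]
            if m == "label":
                continue
            if m == "mov":
                self.set(op[1], self._val(op[2]))
            elif m == "add":
                self._alu(op[1], self.get(op[1]) + self._val(op[2]))
            elif m == "sub":
                self._alu(op[1], self.get(op[1]) - self._val(op[2]))
            elif m == "xor":
                self._alu(op[1], self.get(op[1]) ^ self._val(op[2]))
            elif m == "cmp":    # SUB that only updates flags; truncate to operand width
                w = 32 if op[1] in self.regs else SUBREGS[op[1]][2]
                self.zf = int(((self.get(op[1]) - self._val(op[2])) & ((1 << w) - 1)) == 0)
            elif m == "jnz":    # taken when ZF == 0
                if not self.zf:
                    self.eip = labels[op[1]]
            elif m == "push":   # ESP -= 4, then store
                self.set("esp", self.get("esp") - 4)
                self.stack[self.get("esp")] = self._val(op[1])
            elif m == "pop":    # load, then ESP += 4
                self.set(op[1], self.stack.pop(self.get("esp")))
                self.set("esp", self.get("esp") + 4)
            else:
                raise ValueError(f"unsupported instruction: {m}")
        raise RuntimeError("step limit reached; runaway loop?")

def aliasing_demo():
    """AL, AH and AX are windows onto EAX: returns (EAX, AX, AH) after writing AL."""
    cpu = Cpu()
    cpu.set("eax", 0x11223344)
    cpu.set("al", 0xFF)
    return cpu.get("eax"), cpu.get("ax"), cpu.get("ah")

def countdown_demo():
    """Sum 5+4+3+2+1 with ECX as the counter; SUB sets ZF and JNZ loops until it is set."""
    program = [
        ("xor", "eax", "eax"),   # the usual idiom for zeroing a register
        ("mov", "ecx", 5),
        ("label", "top"),
        ("add", "eax", "ecx"),
        ("sub", "ecx", 1),       # ZF=1 once ECX hits 0
        ("jnz", "top"),
        ("push", "eax"),         # save the sum on the stack
        ("mov", "eax", 0),
        ("pop", "ebx"),          # and get it back into EBX
    ]
    cpu = Cpu().run(program)
    return cpu.get("eax"), cpu.get("ebx"), cpu.get("ecx"), cpu.get("esp")
```

Running `aliasing_demo()` shows EAX becoming 0x112233FF after the write to AL, with AX reading 0x33FF and AH still 0x33; `countdown_demo()` ends with EBX holding 15, ECX at 0, and ESP back at its starting value because the PUSH and POP balance. The same loop shape (counter in ECX, SUB or DEC, then a conditional jump back) is one of the first patterns you will recognize in a disassembler.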
I have also gotten better at binary, hex, and decimal conversions.
To keep this short and sweet, I am going to stop here. Next time, I will provide less background and more information about the reversing process. I plan on discussing C in better detail as well as talk about REMnux and other resources for assessment and analysis.