Reverse Engineering Malware Progress #1

Reverse Engineering Malware Progress #1

I am writing this blog post as a series to help others that are learning to reverse engineer malware in their journey as well.

There is an upcoming AlienVault Blog post that I will link here and in the current update when it goes live that explains my background and how I arrived at learning to reverse engineer malware.

Quick Background

The TL;DR is that I have been in Information Security since 2010 and have had various Blue Team assignments. I started in policy, most specifically assembling accreditation packages for a defense contractor. Then I moved from there to audit to UNIX administration to Information Security Engineer. I started transitioning into the technical side as an auditor then boosted my knowledge as a UNIX admin.

This enabled me to oversee (spoken: only security professional on the entire government contract) for a government contract. By virtue of happenstance, personalit(y/ies), and work ethic, I also picked up some Windows system administration skills when others slacked, were out of the office, or did not know how.

I was also exposed to administering the Intrusion Detection System, SIEM, Vulnerability Management program, network tap, and antivirus. All of this on top of writing policy to meet NIST SP 800-53R4 requirements (spoken: boring).

As my time was winding down at this position, I needed a change. The corporate culture was changing for the worse. A toxic supervisor was making things worse and taking a toll on my mental and physical health. Enter Sword & Shield.

More Background (but going somewhere)

I have been with Sword & Shield about 7 months now. In this time, I have been accepted, empowered, valued, and challenged. Things I sought in my previous role but came up short with. I have worked with policy, Incident Response, Phishing, and other technical things.

After hitting the speaking circuit, I started giving an Open Source Intelligence (OSINT) and Social Engineering talk. While the talk is still good and relevant, I also push myself to learn more. In pairing with a mentee for a talk. I asked Caroline what she wanted to learn. She was open to anything (she works in Risk).

Collectively, we came up with a Wayne’s World themed Data Carvey (Data or File Carving) talk and gave it at BSides Cincy. It went very well. While learning carving, I stumbled upon the ability to carve files out of packet captures. This began my journey.

Learning to Reverse

I spoke with Maddie Stone, someone I met at BSides Charm. She is a beast at Reversing. She provided me a laundry list of things to do to learn. I am still working through the stuff, but also fork off and try stuff ahead of my time to try and get a more gratifying analysis experience than those in training. Furthermore, I am still taking the other training.

I have also started taking an Exploit Development and Reverse Engineering class through Udemy. Thus far, it has focused less on Assembly (x86) and more on the exploitation side. No qualms here. It provides me insight into the other side of the proverbial coin.

Current Progress

So far, I am about 10% through C for Dummies. I have started reading and taking notes from Practical Reverse Engineering during my lunch break at work. I am still working through the Open Security Training Intro to x86 course and Udemy’s Reverse Engineering and Exploit Development course. I even created a Facebook group for it.

Things That I’ve Learned

In x86 (32-bit assembly of IA32):

  • 8-32 bit registers (bits 0-31):
    • EAX (Accumulator for operands and results)
    • EBX (Base point for data segment)
    • ECX (Counter for loops)
    • EDX (Data & I/O pointer)
    • ESI (Source Index)
    • EDI (Destination Index)
    • ESP (Stack Pointer)
    • EBP (Base Pointer)
  • 32 bit Instruction Pointer (EIP)
  • 32 bit EFLAGS for status, math operations, and system flags
  • 8-16 bit registers (bits 0-15):
    • AX
    • BX
    • CX
    • DX
    • SI
    • DI
    • SP
    • BP
  • 8-8 bit registers
    • Bits 0-7:
      • AL
      • BL
      • CL
      • DL
    • Bits 8-15:
      • AH
      • BH
      • CH
      • DH

Common instructions (not an exhaustive list)

  • PSH – Push
  • POP – Pop
  • MOV – Move
  • ADD – Add
  • SUB – Subtract
  • DIV – Divide
  • IMUL – Signed Multiply
  • CALL – Call
  • CMP – Compare
  • JNZ – Jump Not Zero
  • XOR – XOR

I have also learned better Binary to Hex to Decimal conversions:

Decimal Binary Hexadecimal
0 0000b 0x00
1 0001b 0x01
2 0010b 0x02
3 0011b 0x03
4 0100b 0x04
5 0101b 0x05
6 0110b 0x06
7 0111b 0x07
8 1000b 0x08
9 1001b 0x09
10 1010b 0x0A
11 0110b 0x0B
12 1100b 0x0C
13 1101b 0x0D
14 1110b 0x0E
15 1111b 0x0F

To keep this short and sweet, I am going to stop here. Next time, I will provide less background and more information about the reversing process. I plan on discussing C in better detail as well as talk about REMnux and other resources for assessment and analysis.

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.