Advanced Threats Reverse Engineering
The workshop is devoted to the analysis of malware written in object-oriented programming languages. In recent years we have seen a large spike in complex threats with elaborate object-oriented architectures, the most notorious examples being Stuxnet, Flamer and Duqu. The approach to analysing such malware differs considerably from the approach used for malware written in procedural languages. The authors will consider examples written in C++ and compiled with MS Visual C++.
In the workshop the authors will share with participants the experience of reverse engineering object-oriented code that they have accumulated over recent years while analysing complex threats.
- Introduction to object-oriented code reverse engineering: calling conventions, compiler transformations, system structures (vftables, RTTI), etc.
- using static code analysis tools for reconstructing complex data types
- automating C++ code reverse engineering using IDA Python and Hex-Rays Decompiler SDK
- methodology of object type reconstruction using Hex-Rays Decompiler extensions (HexRaysCodeXplorer)
- analysis of malware with object-oriented architecture (C++) and position-independent code: Stuxnet, Flame, Gapz
Participants will receive:
- understanding of object-oriented and position independent code with respect to reverse engineering
- practical experience of using IDA Pro and Hex-Rays Decompiler for reconstructing complex data types
- basics of developing plugins for Hex-Rays Decompiler
- practical experience of complex threat analysis: Stuxnet, Flamer, Gapz
Requirements: a laptop with IDA Pro and Hex-Rays Decompiler preinstalled
Part 1: Introduction to advanced static analysis
- Reversing object-oriented programs
- Practical type reconstruction with IDA Pro and Hex-Rays Decompiler
Part 2: Automating C++ code reverse engineering
- Useful plugins and tools
- IDA Python automation
- Introduction to Hex-Rays Decompiler SDK
- Methodology of object type reconstruction with HexRaysCodeXplorer
Part 3: Going deeper with complex threats
- Position-independent code analysis in Gapz
- The hell of code with Stuxnet and Flame