April 05, 2017
Reverse Engineering Malware 101 Workshop

Reverse engineering may sound like black magic, when in reality it simply entails lots of practice and strong foundations in computer science concepts. Think of it like learning a new language. First, you must know the building blocks of a sentence, and then keep practicing until you can speak fluently. Reverse engineering works the same way. Malware analysts and researchers use reverse engineering as a tool to understand the behavior of a malware sample in order to detect, prevent, or get rid of it.

So what do reverse engineers do? At their core, reverse engineers:

  • Take things apart to figure out how they work
  • Love puzzle solving
  • Develop experiments and tools
  • Can think outside the box
  • Constantly learn new things 

If that sounds like you, reverse engineering malware may be your calling.

Unfortunately, the perception that reverse engineering is black magic keeps many people from giving it a shot. And too often you may not fully understand what you learned in computer science courses, or it may not be intuitive to apply that knowledge to the real world. So I created a workshop that is easy to understand and easy to follow along with, and presented it last week at the Women in Cybersecurity Conference in Tucson, AZ.


[Image: Women in Cybersecurity Conference Reverse Engineering Workshop]

The best way to learn is by getting hands-on practice. In this workshop, the main takeaway is learning how to set analysis goals. By using tools and computer science concepts, you can work step by step toward those analysis goals. The executable provided at the workshop link contains many malware-like techniques for you to work through, and also includes a secret image to discover at the end of the analysis. The workshop is broken up into six sections:

1) Setup and Fundamentals

  • Setting up a baseline analysis environment
  • Anatomy of a Microsoft Windows PE program
  • x86 Assembly

2) Malware Techniques

  • Attack Flow
  • Malware Classes
  • Techniques

3) Reverse Engineering Tools

  • Disassemblers
  • Debuggers
  • Information Gathering

4) Triage Analysis (Lab 1)

  • Using Information Gathering Tools
  • Lab 1

5) Static Analysis (Lab 2)

  • Reading disassembled code
  • Lab 2    

6) Dynamic Analysis (Lab 3)

  • Manual Debugging
  • Lab 3
  • Finding the secret image

Over the course of the workshop, you’ll get step-by-step guidance on the fundamentals of reverse engineering, and learn the various techniques and tools. You’ll then get a chance to reverse engineer on your own in both static and dynamic analysis environments. For those of you with a background in reverse engineering, this should be a great refresher, and for those new to the field, enjoy!