Reversing : The Hacker's Guide to Reverse Engineering

xviii Contents

Part I Reversing Introduction xxiii

Chapter 1 Foundations

What Is Reverse Engineering?

Software Reverse Engineering: Reversing

Reversing Applications
- Security-Related Reversing
  - Malicious Software
  - Reversing Cryptographic Algorithms
  - Digital Rights Management
  - Auditing Program Binaries
- Reversing in Software Development
  - Achieving Interoperability with Proprietary Software
  - Developing Competing Software
  - Evaluating Software Quality and Robustness

Low-Level Software
- Assembly Language
- Compilers
- Virtual Machines and Bytecodes
- Operating Systems

The Reversing Process
- System-Level Reversing
- Code-Level Reversing

The Tools
- System-Monitoring Tools
- Disassemblers
- Debuggers
- Decompilers

Is Reversing Legal?
- Interoperability
- Competition
- Copyright Law
- Trade Secrets and Patents
- The Digital Millenium Copyright Act
- DMCA Cases
- License Agreement Considerations

Code Samples & Tools

Conclusion

Chapter 2 Low-Level Software

High-Level Perspectives
- Program Structure
  - Modules
  - Common Code Constructs
- Data Management
  - Variables
  - User-Defined Data Structures
  - Lists
- Control Flow
- High-Level Languages
  - C
  - C++
  - Java
  - C#

Low-Level Perspectives
- Low-Level Data Management
  - Registers
  - The Stack
  - Heaps
  - Executable Data Sections
- Control Flow

Assembly Language
- Registers
- Flags
- Instruction Format
- Basic Instructions
  - Moving Data
  - Arithmetic
  - Comparing Operands
  - Conditional Branches
  - Function Calls
- Examples

A Primer on Compilers and Compilation
- Defining a Compiler
- Compiler Architecture
  - Front End
  - Intermediate Representations
  - Optimizer
  - Back End
- Listing Files
- Specific Compilers

Execution Environments
- Software Execution Environments (Virtual Machines)
  - Bytecodes
  - Interpreters
  - Just-in-Time Compilers
  - Reversing Strategies
- Hardware Execution Environments in Modern Processors
  - Intel NetBurst
  - μops (Micro-Ops)
  - Pipelines
  - Branch Prediction

Conclusion

Chapter 3 Windows Fundamentals

Components and Basic Architecture
- Brief History
- Features
- Supported Hardware

Memory Management
- Virtual Memory and Paging
  - Paging
  - Page Faults
- Working Sets
- Kernel Memory and User Memory
- The Kernel Memory Space
- Section Objects
- VAD Trees
- User-Mode Allocations
- Memory Management APIs

Objects and Handles
- Named objects

Processes and Threads
- Processes
- Threads
- Context Switching
- Synchronization Objects
- Process Initialization Sequence

Application Programming Interfaces
- The Win32 API
- The Native API
- System Calling Mechanism

Executable Formats
- Basic Concepts
- Image Sections
- Section Alignment
- Dynamically Linked Libraries
- Headers
- Imports and Exports
- Directories

Input and Output
- The I/O System
- The Win32 Subsystem
  - Object Management

Structured Exception Handling

Conclusion

Chapter 4 Reversing Tools

Different Reversing Approaches
- Offline Code Analysis (Dead-Listing)
- Live Code Analysis

Disassemblers
- IDA Pro
- ILDasm

Debuggers
- User-Mode Debuggers
  - OllyDbg
  - User Debugging in WinDbg
  - IDA Pro
  - PEBrowse Professional Interactive
- Kernel-Mode Debuggers
  - Kernel Debugging in WinDbg
  - Numega SoftICE
  - Kernel Debugging on Virtual Machines

Decompilers

System-Monitoring Tools

Patching Tools
- Hex Workshop

Miscellaneous Reversing Tools
- Executable-Dumping Tools
  - DUMPBIN
  - PEView
  - PEBrowse Professional

Conclusion

Part II Applied Reversing

Chapter 5 Beyond the Documentation

Reversing and Interoperability

Laying the Ground Rules

Locating Undocumented APIs
- What Are We Looking For?

Case Study: The Generic Table API in NTDLL.DLL
- RtlInitializeGenericTable
- RtlNumberGenericTableElements
- RtlIsGenericTableEmpty
- RtlGetElementGenericTable
  - Setup and Initialization
  - Logic and Structure
  - Search Loop
  - Search Loop
  - Search Loop
  - Search Loop
  - Reconstructing the Source Code
- RtlInsertElementGenericTable
  - RtlLocateNodeGenericTable
  - RtlRealInsertElementWorker
  - Splay Trees
- RtlLookupElementGenericTable
- RtlDeleteElementGenericTable
- Putting the Pieces Together

Conclusion

Chapter 6 Deciphering File Formats

Cryptex

Using Cryptex

Reversing Cryptex

The Password Verification Process
- Catching the “Bad Password” Message
- The Password Transformation Algorithm
- Hashing the Password

The Directory Layout
- Analyzing the Directory Processing Code
- Analyzing a File Entry

Dumping the Directory Layout

The File Extraction Process
- Scanning the File List
- Decrypting the File
- The Floating-Point Sequence
- The Decryption Loop
- Verifying the Hash Value

The Big Picture

Digging Deeper

Conclusion

Chapter 7 Auditing Program Binaries

Defining the Problem

Vulnerabilities
- Stack Overflows
  - A Simple Stack Vulnerability
  - Intrinsic Implementations
  - Stack Checking
  - Nonexecutable Memory
- Heap Overflows
- String Filters
- Integer Overflows
  - Arithmetic Operations on User-Supplied Integers
- Type Conversion Errors

Case-Study: The IIS Indexing Service Vulnerability
- CVariableSet::AddExtensionControlBlock
- DecodeURLEscapes

Conclusion

Chapter 8 Reversing Malware

Types of Malware
- Viruses
- Worms
- Trojan Horses
- Backdoors
- Mobile Code
- Adware/Spyware

Sticky Software

Future Malware
- Information-Stealing Worms
- BIOS/Firmware Malware

Uses of Malware

Malware Vulnerability

Polymorphism

Metamorphism

Establishing a Secure Environment

The Backdoor.Hacarmy.D
- Unpacking the Executable
- Initial Impressions
- The Initial Installation
- Initializing Communications
- Connecting to the Server
- Joining the Channel
- Communicating with the Backdoor
- Running SOCKS4 Servers
- Clearing the Crime Scene

The Backdoor.Hacarmy.D: A Command Reference

Conclusion

Reversing : The Hacker's Guide to Reverse Engineering

Get our desktop app

Company

Features

Documentation

Resources