Practical Reverse Engineering

This item is made available for download at the end of the ordering process.
x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
E-Book
Available immediately | Delivery time: available immediately

Our previous price: 52,60 €

Now 42,99 €* E-Book

Item no.: 9781118787250
Published: 2014
Binding: E-Book
Pages: 384
Author: Bruce Dang
eBook type: PDF
eBook format: Reflowable E-Book
Copy protection: Adobe DRM [Hard-DRM]
Language: English

Description:

Analyzing how hacks are done, so as to stop them in the future

Reverse engineering is the process of analyzing hardware or software and understanding it, without having access to the source code or design documents. Hackers are able to reverse engineer systems and exploit what they find with scary results. Now the good guys can use the same tools to thwart these threats. Practical Reverse Engineering goes under the hood of reverse engineering for security analysts, security engineers, and system programmers, so they can learn how to use these same processes to stop hackers in their tracks.

The book covers x86, x64, and ARM (the first book to cover all three); Windows kernel-mode code rootkits and drivers; virtual machine protection techniques; and much more. Best of all, it offers a systematic approach to the material, with plenty of hands-on exercises and real-world examples.

* Offers a systematic approach to understanding reverse engineering, with hands-on exercises and real-world examples
* Covers x86, x64, and advanced RISC machine (ARM) architectures as well as deobfuscation and virtual machine protection techniques
* Provides special coverage of Windows kernel-mode code (rootkits/drivers), a topic not often covered elsewhere, and explains how to analyze drivers step by step
* Demystifies topics that have a steep learning curve
* Includes a bonus chapter on reverse engineering tools

Practical Reverse Engineering: Using x86, x64, ARM, Windows Kernel, and Reversing Tools provides crucial, up-to-date guidance for a broad range of IT professionals.
Table of contents:

Introduction (p. xxiii)

Chapter 1 x86 and x64 (p. 1)
- Register Set and Data Types (p. 2)
- Instruction Set (p. 3)
- Syntax (p. 4)
- Data Movement (p. 5)
- Exercise (p. 11)
- Arithmetic Operations (p. 11)
- Stack Operations and Function Invocation (p. 13)
- Exercises (p. 17)
- Control Flow (p. 17)
- System Mechanism (p. 25)
- Address Translation (p. 26)
- Interrupts and Exceptions (p. 27)
- Walk-Through (p. 28)
- Exercises (p. 35)
- x64 (p. 36)
- Register Set and Data Types (p. 36)
- Data Movement (p. 36)
- Canonical Address (p. 37)
- Function Invocation (p. 37)
- Exercises (p. 38)

Chapter 2 ARM (p. 39)
- Basic Features (p. 40)
- Data Types and Registers (p. 43)
- System-Level Controls and Settings (p. 45)
- Introduction to the Instruction Set (p. 46)
- Loading and Storing Data (p. 47)
- LDR and STR (p. 47)
- Other Usage for LDR (p. 51)
- LDM and STM (p. 52)
- PUSH and POP (p. 56)
- Functions and Function Invocation (p. 57)
- Arithmetic Operations (p. 60)
- Branching and Conditional Execution (p. 61)
- Thumb State (p. 64)
- Switch-Case (p. 65)
- Miscellaneous (p. 67)
- Just-in-Time and Self-Modifying Code (p. 67)
- Synchronization Primitives (p. 67)
- System Services and Mechanisms (p. 68)
- Instructions (p. 70)
- Walk-Through (p. 71)
- Next Steps (p. 77)
- Exercises (p. 78)

Chapter 3 The Windows Kernel (p. 87)
- Windows Fundamentals (p. 88)
- Memory Layout (p. 88)
- Processor Initialization (p. 89)
- System Calls (p. 92)
- Interrupt Request Level (p. 104)
- Pool Memory (p. 106)
- Memory Descriptor Lists (p. 106)
- Processes and Threads (p. 107)
- Execution Context (p. 109)
- Kernel Synchronization Primitives (p. 110)
- Lists (p. 111)
- Implementation Details (p. 112)
- Walk-Through (p. 119)
- Exercises (p. 123)
- Asynchronous and Ad-Hoc Execution (p. 128)
- System Threads (p. 128)
- Work Items (p. 129)
- Asynchronous Procedure Calls (p. 131)
- Deferred Procedure Calls (p. 135)
- Timers (p. 140)
- Process and Thread Callbacks (p. 142)
- Completion Routines (p. 143)
- I/O Request Packets (p. 144)
- Structure of a Driver (p. 146)
- Entry Points (p. 147)
- Driver and Device Objects (p. 149)
- IRP Handling (p. 150)
- A Common Mechanism for User-Kernel Communication (p. 150)
- Miscellaneous System Mechanisms (p. 153)
- Walk-Throughs (p. 155)
- An x86 Rootkit (p. 156)
- An x64 Rootkit (p. 172)
- Next Steps (p. 178)
- Exercises (p. 180)
- Building Confidence and Solidifying Your Knowledge (p. 180)
- Investigating and Extending Your Knowledge (p. 182)
- Analysis of Real-Life Drivers (p. 184)

Chapter 4 Debugging and Automation (p. 187)
- The Debugging Tools and Basic Commands (p. 188)
- Setting the Symbol Path (p. 189)
- Debugger Windows (p. 189)
- Evaluating Expressions (p. 190)
- Process Control and Debug Events (p. 194)
- Registers, Memory, and Symbols (p. 198)
- Breakpoints (p. 208)
- Inspecting Processes and Modules (p. 211)
- Miscellaneous Commands (p. 214)
- Scripting with the Debugging Tools (p. 216)
- Pseudo-Registers (p. 216)
- Aliases (p. 219)
- Language (p. 226)
- Script Files (p. 240)
- Using Scripts Like Functions (p. 244)
- Example Debug Scripts (p. 249)
- Using the SDK (p. 257)
- Concepts (p. 258)
- Writing Debugging Tools Extensions (p. 262)
- Useful Extensions, Tools, and Resources (p. 264)

Chapter 5 Obfuscation (p. 267)
- A Survey of Obfuscation Techniques (p. 269)
- The Nature of Obfuscation: A Motivating Example (p. 269)
- Data-Based Obfuscations (p. 273)
- Control-Based Obfuscation (p. 278)
- Simultaneous Control-Flow and Data-Flow Obfuscation (p. 284)
- Achieving Security by Obscurity (p. 288)
- A Survey of Deobfuscation Techniques (p. 289)
- The Nature of Deobfuscation: Transformation Inversion (p. 289)
- Deobfuscation Tools (p. 295)
- Practical Deobfuscation (p. 312)
- Case Study (p. 328)
- First Impressions (p. 328)
- Analyzing Handlers Semantics (p. 330)
- Symbolic Execution (p. 333)
- Solving the Challenge (p. 334)
- Final Thoughts (p. 336)
- Exercises (p. 336)

Appendix Sample Names and Corresponding SHA1 Hashes (p. 341)

Index (p. 343)

Customer reviews

There are no reviews for this item yet.