Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
Analyzing how hacks are done, so as to stop them in the future
Reverse engineering is the process of analyzing hardware or software and understanding it, without having access to the source code or design documents. Hackers are able to reverse engineer systems and exploit what they find with scary results. Now the good guys can use the same tools to thwart these threats. Practical Reverse Engineering goes under the hood of reverse engineering for security analysts, security engineers, and system programmers, so they can learn how to use these same processes to stop hackers in their tracks.
The book covers x86, x64, and ARM (the first book to cover all three); Windows kernel-mode code rootkits and drivers; virtual machine protection techniques; and much more. Best of all, it offers a systematic approach to the material, with plenty of hands-on exercises and real-world examples.
- Offers a systematic approach to understanding reverse engineering, with hands-on exercises and real-world examples
- Covers x86, x64, and advanced RISC machine (ARM) architectures as well as deobfuscation and virtual machine protection techniques
- Provides special coverage of Windows kernel-mode code (rootkits/drivers), a topic not often covered elsewhere, and explains how to analyze drivers step by step
- Demystifies topics that have a steep learning curve
- Includes a bonus chapter on reverse engineering tools
Practical Reverse Engineering: Using x86, x64, ARM, Windows Kernel, and Reversing Tools provides crucial, up-to-date guidance for a broad range of IT professionals.
Chapter 1 x86 and x64 1
Register Set and Data Types 2
Instruction Set 3
Data Movement 5
Arithmetic Operations 11
Stack Operations and Function Invocation 13
Control Flow 17
System Mechanism 25
Address Translation 26
Interrupts and Exceptions 27
Register Set and Data Types 36
Data Movement 36
Canonical Address 37
Function Invocation 37
Chapter 2 ARM 39
Basic Features 40
Data Types and Registers 43
System-Level Controls and Settings 45
Introduction to the Instruction Set 46
Loading and Storing Data 47
LDR and STR 47
Other Usage for LDR 51
LDM and STM 52
PUSH and POP 56
Functions and Function Invocation 57
Arithmetic Operations 60
Branching and Conditional Execution 61
Thumb State 64
Just-in-Time and Self-Modifying Code 67
Synchronization Primitives 67
System Services and Mechanisms 68
Next Steps 77
Chapter 3 The Windows Kernel 87
Windows Fundamentals 88
Memory Layout 88
Processor Initialization 89
System Calls 92
Interrupt Request Level 104
Pool Memory 106
Memory Descriptor Lists 106
Processes and Threads 107
Execution Context 109
Kernel Synchronization Primitives 110
Implementation Details 112
Asynchronous and Ad-Hoc Execution 128
System Threads 128
Work Items 129
Asynchronous Procedure Calls 131
Deferred Procedure Calls 135
Process and Thread Callbacks 142
Completion Routines 143
I/O Request Packets 144
Structure of a Driver 146
Entry Points 147
Driver and Device Objects 149
IRP Handling 150
A Common Mechanism for User-Kernel Communication 150
Miscellaneous System Mechanisms 153
An x86 Rootkit 156
An x64 Rootkit 172
Next Steps 178
Building Confidence and Solidifying
Your Knowledge 180
Investigating and Extending Your Knowledge 182
Analysis of Real-Life Drivers 184
Chapter 4 Debugging and Automation 187
The Debugging Tools and Basic Commands 188
Setting the Symbol Path 189
Debugger Windows 189
Evaluating Expressions 190
Process Control and Debut Events 194
Registers, Memory, and Symbols 198
Inspecting Processes and Modules 211
Miscellaneous Commands 214
Scripting with the Debugging Tools 216
Script Files 240
Using Scripts Like Functions 244
Example Debug Scripts 249
Using the SDK 257
Writing Debugging Tools Extensions 262
Useful Extensions, Tools, and Resources 264
Chapter 5 Obfuscation 267
A Survey of Obfuscation Techniques 269
The Nature of Obfuscation: A Motivating Example 269
Data-Based Obfuscations 273
Control-Based Obfuscation 278
Simultaneous Control-Flow and Data-Flow
Achieving Security by Obscurity 288
A Survey of Deobfuscation Techniques 289
The Nature of Deobfuscation: Transformation Inversion 289
Deobfuscation Tools 295
Practical Deobfuscation 312
Case Study 328
First Impressions 328
Analyzing Handlers Semantics 330
Symbolic Execution 333
Solving the Challenge 334
Final Thoughts 336
Appendix Sample Names and Corresponding SHA1 Hashes 341
Alexandre Gazet is a senior security researcher at QuarksLab focusing on reverse engineering and software protection.
Elias Bachaalany is a software security engineer at Microsoft.
|ReadMe||2.72 KB||Click to Download|
|Code Download: Chapter 4||8.38 KB||Click to Download|
|Code Download: Chapter 5||19.90 KB||Click to Download|
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
|1||3||Text correction: Error under Register Set and Data Types
The Note in the middle of the page states "Although there are seven debug registers..."
It should read "eight debug registers"
|1||4||Text correction: Errors in code
The block of ARM code:
01: 1B 68 LDR R3, [R3]
; read the value at address R3
02: 5A 1C ADDS R2, R3, #1
; add 1 to it
01: 1A 68 LDR R2, [R3]
; read the value at address R3 and save it in R2
02: 52 1C ADDS R2, R2, #1
; add 1 to it
|1||5||Text correction: Error under "Syntax"
the second bullet point, "AT&T adds a prefix to the instruction..." should read "AT&T adds a suffix to the instruction..."
|17||5||Text correction: Error in Assembly code under "Data Movement"
The third-to-last line of code,
; set EAX to the value at address (EAX+34)
; set EAX to the value at address (ESI+0x34)
|1||6||Text correction: Errors in code under "Pseudo C" in "Data Movement"
In the first listing on the page, lines 4 and 5:
04: *(esi+34) = eax;
05: eax = *(esi+34);
04: *(esi+0x34) = eax;
05: eax = *(esi+0x34);
|1||7||Text correction: Errors in explanation of Figure 1-2
The first sentence following the figure, "...Importance is set to 0x1 (underlined bits)..." should read:
"...Importance is set to 0x1 (italicized bits)..."
In the block of code following, the "C6" at the beginning of lines 5 and 6 should not be italicized.
The last sentence of the paragraph following the code block, "In the example, the override prefix bytes are C6 and 66 (italicized)." should read:
"In the example, the override prefix byte is 66 (italicized)."
The fourth sentence in the last paragraph, "If DF is 0, the addresses are decremented..." should read:
"If DF is 1, the addresses are decremented..."
|1||9||Text correction: Error in assembly code
Line 6 of the code block under "Assembly":
; copies 4 bytes from EDI to ESI ; increment each by 4
; copies 4 bytes from ESI to EDI ; increment each by 4
|1||36||Correction: Error in Figure 1-6
The 8-bit register on the right-hand side of the figure, given as "PL", should be "BPL"
|3||146||Correction: Errors in Figure 3-8
The labels on the left of the figure, "Static Port" and "Dynamic Port" should read "Static part" and Dynamic part".
|3||150||Text correction: Error in code listing under "IRP Handling"
The code listing has an extraneous "*" character. The listing should read:
|3||159||Text correction: Error in code
The first code listingafter the bullet list contains an extraneous "*" character. The code should read:
|3||159||Errata in Text
The text reads:
It supports IRP_MJ_READ, IRP_MJ_WRITE, and IRP_MJ_DEVICE_CONTROL operations, and sub_10300 is the handler (renamed to IRP_ReadCloseDeviceIo).
It supports IRP_MJ_CREATE, IRP_MJ_CLOSE, and IRP_MJ_DEVICE_CONTROL operations, and sub_10300 is the handler (renamed to IRP_ReadCloseDeviceIo).
|2||50||Errata in text
"R3 is the index multiplied by 2"
"R3 is the index multiplied by 4"