diff --git a/fundamentals2.md b/fundamentals2.md index 1bf00d4..e5119a1 100644 --- a/fundamentals2.md +++ b/fundamentals2.md @@ -41,10 +41,14 @@ The executable code has designated regions that require a different memory prote - Execute This diagram shows how this header is broken up. -![alt text](https://securedorg.github.io/images/PE32.png "PE 32 Header") + +*Click to Enlarge* +[![alt text](https://securedorg.github.io/images/PE32.png "PE 32 Header")](https://securedorg.github.io/images/PE32.png) Here is a hexcode dump of a PE header we will be working with. -![alt text](https://securedorg.github.io/images/PEHeader.gif "PE 32 Header Animated") + +*Click to Enlarge* +[![alt text](https://securedorg.github.io/images/PEHeader.gif "PE 32 Header Animated")](https://securedorg.github.io/images/PEHeader.gif) --- diff --git a/fundamentals3.md b/fundamentals3.md index ca4014c..ddd12ca 100644 --- a/fundamentals3.md +++ b/fundamentals3.md @@ -113,18 +113,20 @@ The **EIP** register contains the address of the next instruction to be executed ## Hello World ## -![alt text](https://securedorg.github.io/images/helloworld.gif "Hello World") +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/helloworld.gif "Hello World")](https://securedorg.github.io/images/helloworld.gif) ## Calling a Function ## ### Arguments on the Stack ### -![alt text](https://securedorg.github.io/images/FunctionCall.gif "Function Arguments") +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/FunctionCall.gif "Function Arguments")](https://securedorg.github.io/images/FunctionCall.gif) ### Local Variables on the Stack ### -![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals") - +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals")](https://securedorg.github.io/images/FunctionCall2.gif) [1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture 
diff --git a/images/triageVMs2.gif b/images/triageVMs2.gif index d24fa0c..6e3b5e0 100644 Binary files a/images/triageVMs2.gif and b/images/triageVMs2.gif differ diff --git a/images/triageVMs3.gif b/images/triageVMs3.gif index d298555..77a4949 100644 Binary files a/images/triageVMs3.gif and b/images/triageVMs3.gif differ diff --git a/intro.md b/intro.md index fbe6d2d..d58f7f6 100644 --- a/intro.md +++ b/intro.md @@ -11,7 +11,7 @@ title: Intro # Reverse Engineering # -"is the processes of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information"[1](https://en.wikipedia.org/wiki/Reverse_engineering) +"is the processes of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information" [[1]][1] ## What does it mean to be a reverse engineer? ## @@ -54,5 +54,7 @@ title: Intro * Manual Debugging - Stepping through the program to navigate to your goals +[1]: https://en.wikipedia.org/wiki/Reverse_engineering + [Next -> Section 1](https://securedorg.github.io/RE101/section1) diff --git a/retools.md b/retools.md index 1cc3820..9127de5 100644 --- a/retools.md +++ b/retools.md @@ -37,6 +37,7 @@ title: RE Tools ## Information Gathering * [CFF Explorer](http://www.ntcore.com/exsuite.php) - PE header parser (Used in this worksop) +* [PE Explorer](http://www.heaventools.com/overview.htm) - PE inspection tool (Used in this worksop) * [BinText](https://www.mcafee.com/hk/downloads/free-tools/bintext.aspx) - Extract string from a binary * [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx) (Used in this worksop) * procmon diff --git a/static.md b/static.md index fc82d2a..afbe2cc 100644 --- a/static.md +++ b/static.md 
@@ -98,21 +98,25 @@ Right before the first **push 0** there is a **mov esi,eax** which means esi = e When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function. -![alt text](https://securedorg.github.io/images/static3.png "Unknown Function") +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")](https://securedorg.github.io/images/static3.png) Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/). - -![alt text](https://securedorg.github.io/images/static4.png "Xor routine") + +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/static4.png "Xor routine")](https://securedorg.github.io/images/static4.png) We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6. -![alt text](https://securedorg.github.io/images/static5.png "Rename function") +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/static5.png "Rename function")](https://securedorg.github.io/images/static5.png) Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe ```XORSearch.exe "A string to test"``` -![alt text](https://securedorg.github.io/images/static6.png "xor search") +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/static6.png "xor search")](https://securedorg.github.io/images/static6.png) **"Yo this is dope!"** How weird. 
@@ -128,7 +132,8 @@ It's easy to trace back through the program disassembly, but let's look at some **Jump Examples** -![alt text](https://securedorg.github.io/images/static9.gif "jz jump") +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/static9.gif "jz jump")](https://securedorg.github.io/images/static9.gif) ```assembly jz loc_401962 ; jump too offset loc_401962 if the previous condition is zero diff --git a/triage.md b/triage.md index 9c7b204..589cce1 100644 --- a/triage.md +++ b/triage.md 
@@ -94,16 +94,21 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g 7. Quick Detonation The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM. + ![alt text](https://securedorg.github.io/images/triageVMs.gif "Victim and Sniffer") On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim. On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events. -![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer") + +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs2.gif) Go ahead and detonate the the malware. -On the **Sniffer VM** look for an HTTP request. Right click and Follow->TCP Stream. I will display the HTTP get request that was sent by the malware. -![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer") +On the **Sniffer VM** look for an **HTTP** request. Right click and **Follow->TCP Stream**. I will display the HTTP get request that was sent by the malware. + +*Click Image to Enlarge* +[![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs3.gif) [Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)
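Review bot: the fundamentals2.md hunk introduces "*Click to Enlarge*" as the caption, while the fundamentals3.md, static.md and triage.md hunks in the same patch use "*Click Image to Enlarge*"; pick one wording for every wrapped image. Since all of these lines are being rewritten anyway, replace the placeholder alt text `alt text` with a real description (for example "PE32 header layout" for PE32.png and "Animated hex dump of a PE header" for PEHeader.gif) so the images are useful to screen readers and when the image fails to load, and change "hexcode dump" in the context line to "hex dump".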
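Review bot: in the fundamentals3.md hunk the blank line after the Function Locals image is removed (the lone `-` before `+*Click Image to Enlarge*`), so check that a blank line still separates the new `[![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals")](...)` line from the `[1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture` definition that follows it. In CommonMark a link reference definition cannot interrupt a paragraph, so if the two lines end up adjacent the `[1]:` line is rendered as literal text and every `[1]` reference on the page stops resolving; keep the blank line.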
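Review bot: the rewritten quotation in intro.md still reads "is the processes of extracting knowledge", and the quoted source sentence says "is the process of"; fix the noun while the line is being changed to the `[[1]][1]` reference form, since a quotation attributed to a source should match it. The new `[1]:` definition is correctly placed on its own line before the `[Next -> Section 1]` link, so nothing else is needed here.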
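Review bot: the new PE Explorer entry in retools.md copies the "(Used in this worksop)" typo from the neighbouring CFF Explorer and Sysinternals lines; spell it "workshop" on the added line and fix the two existing occurrences in the same change rather than adding a third. The description "PE inspection tool" also overlaps with CFF Explorer's "PE header parser" directly above it; say what PE Explorer is used for in the workshop that CFF Explorer is not, so readers know why both are listed, and note whether it is free like the other tools in this section.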
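Review bot: the static.md hunk at -98 leaves the context line `XORSearch.exe "A string to test"` without a file operand, so a reader following it cannot reproduce the static6.png result shown right after it. XORSearch takes the file to scan followed by the string to look for (`XORSearch.exe <file-to-search> "A string to test"`), and since the surrounding sentence says to navigate to XORSearch.exe and search the binary, add the sample's filename to the command while these lines are being edited. The surrounding replacement of the removed blank `-` with an added blank `+` before `*Click Image to Enlarge*` is fine; "Xor encoding" would read better as "XOR encoding" to match the `xor al, 5Ah` mnemonic discussed.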
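Review bot: in the static.md hunk at -128, the assembly comment in the context line `jz loc_401962 ; jump too offset loc_401962 if the previous condition is zero` has "too" for "to", and "if the previous condition is zero" is imprecise: `jz` jumps when the zero flag is set, which after a `cmp a, b` means the two operands were equal. Suggest `jz loc_401962 ; jump to loc_401962 if ZF is set (e.g. the compared operands were equal)` so the Jump Examples block teaches the flag semantics rather than a loose paraphrase.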
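Review bot: the triage.md hunk wraps triageVMs2.gif and triageVMs3.gif in the click-to-enlarge link but leaves the first image, `![alt text](https://securedorg.github.io/images/triageVMs.gif "Victim and Sniffer")`, as a bare image with only a blank line added above it; wrap it the same way for consistency. In the rewritten line "I will display the HTTP get request that was sent by the malware", "I will" should be "It will" (the Follow TCP Stream window displays the request, not the author) and the method name is conventionally written "GET". The context line "Go ahead and detonate the the malware." has a doubled "the" that can be fixed in the same change.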
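Review bot: the replacements of images/triageVMs2.gif and images/triageVMs3.gif show up only as `Binary files ... differ` with new blob hashes, so what changed in the two animations cannot be reviewed from the diff; the commit message should state what was re-recorded or corrected in each GIF (and why triageVMs.gif was not updated) so the image change can be checked against the triage.md text that references them.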