updating all

2025-12-19 15:14:18 +01:00 · 2017-03-27 15:30:58 -07:00
parent 2f28f0cb07
commit ed59e999d3
8 changed files with 35 additions and 16 deletions
--- a/fundamentals2.md
+++ b/fundamentals2.md
@@ -41,10 +41,14 @@ The executable code has designated regions that require a different memory prote
 - Execute

 This diagram shows how this header is broken up.
-![alt text](https://securedorg.github.io/images/PE32.png "PE 32 Header")
+
+*Click to Enlarge*
+[![alt text](https://securedorg.github.io/images/PE32.png "PE 32 Header")](https://securedorg.github.io/images/PE32.png)

 Here is a hexcode dump of a PE header we will be working with.
-![alt text](https://securedorg.github.io/images/PEHeader.gif "PE 32 Header Animated")
+
+*Click to Enlarge*
+[![alt text](https://securedorg.github.io/images/PEHeader.gif "PE 32 Header Animated")](https://securedorg.github.io/images/PEHeader.gif)

 ---

--- a/fundamentals3.md
+++ b/fundamentals3.md
@@ -113,18 +113,20 @@ The **EIP** register contains the address of the next instruction to be executed

 ## Hello World ##

-![alt text](https://securedorg.github.io/images/helloworld.gif "Hello World")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/helloworld.gif "Hello World")](https://securedorg.github.io/images/helloworld.gif)

 ## Calling a Function ##

 ### Arguments on the Stack ###

-![alt text](https://securedorg.github.io/images/FunctionCall.gif "Function Arguments")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/FunctionCall.gif "Function Arguments")](https://securedorg.github.io/images/FunctionCall.gif)

 ### Local Variables on the Stack ###

-![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals")
-
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals")](https://securedorg.github.io/images/FunctionCall2.gif)

 [1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture

--- a/images/triageVMs2.gif
+++ b/images/triageVMs2.gif
--- a/images/triageVMs3.gif
+++ b/images/triageVMs3.gif
--- a/intro.md
+++ b/intro.md
@@ -11,7 +11,7 @@ title: Intro

 # Reverse Engineering #

-"is the processes of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information"[1](https://en.wikipedia.org/wiki/Reverse_engineering)
+"is the processes of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information" [[1]][1]

 ## What does it mean to be a reverse engineer? ##

@@ -54,5 +54,7 @@ title: Intro

 * Manual Debugging - Stepping through the program to navigate to your goals

+[1]: https://en.wikipedia.org/wiki/Reverse_engineering
+
 [Next -> Section 1](https://securedorg.github.io/RE101/section1)

--- a/retools.md
+++ b/retools.md
@@ -37,6 +37,7 @@ title: RE Tools
 ## Information Gathering

 * [CFF Explorer](http://www.ntcore.com/exsuite.php) - PE header parser (Used in this worksop)
+* [PE Explorer](http://www.heaventools.com/overview.htm) - PE inspection tool (Used in this worksop)
 * [BinText](https://www.mcafee.com/hk/downloads/free-tools/bintext.aspx) - Extract string from a binary
 * [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx) (Used in this worksop)
  * procmon
--- a/static.md
+++ b/static.md
@@ -98,21 +98,25 @@ Right before the first **push 0** there is a **mov esi,eax** which means esi = e

 When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function.

-![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")](https://securedorg.github.io/images/static3.png)
 
 Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).

-![alt text](https://securedorg.github.io/images/static4.png "Xor routine")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/static4.png "Xor routine")](https://securedorg.github.io/images/static4.png)

 We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6.

-![alt text](https://securedorg.github.io/images/static5.png "Rename function")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/static5.png "Rename function")](https://securedorg.github.io/images/static5.png)

 Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe

 ```XORSearch.exe <Path to Unknown.exe> "A string to test"```

-![alt text](https://securedorg.github.io/images/static6.png "xor search")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/static6.png "xor search")](https://securedorg.github.io/images/static6.png)

 **"Yo this is dope!"** How weird.

@@ -128,7 +132,8 @@ It's easy to trace back through the program disassembly, but let's look at some

 **Jump Examples**

-![alt text](https://securedorg.github.io/images/static9.gif "jz jump")
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/static9.gif "jz jump")](https://securedorg.github.io/images/static9.gif)

 ```assembly
 jz loc_401962 ; jump too offset loc_401962 if the previous condition is zero
--- a/triage.md
+++ b/triage.md
@@ -94,16 +94,21 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g
 7. Quick Detonation

 The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM.
+
 ![alt text](https://securedorg.github.io/images/triageVMs.gif "Victim and Sniffer")

 On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim.

 On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events.
-![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer")
+
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs2.gif)

 Go ahead and detonate the the malware.

-On the **Sniffer VM** look for an HTTP request. Right click and Follow->TCP Stream. I will display the HTTP get request that was sent by the malware.
-![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer")
+On the **Sniffer VM** look for an **HTTP** request. Right click and **Follow->TCP Stream**. I will display the HTTP get request that was sent by the malware.
+
+*Click Image to Enlarge*
+[![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs3.gif)

 [Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)