Reverse Engineering with IDA (3 days)

The goal of this course is to provide a quick but solid introduction to software reverse engineering goals, techniques and tools. For 2012, the training has been updated to be more dynamic and to better cover modern programs, recent worms, and new IDA features.

Target Audience:

The course is designed for IT Security Engineers, Security Software Developers, Researchers, Forensic Specialists, Virus Analysts, Software Validators.

Prerequisites:

Goals:

This training will demonstrate the use of IDA to analyze binary programs on modern operating systems. While the training will be mainly focused on Microsoft Windows programs, the skills taught are universal and usable on other IDA-supported platforms.

The following topics will be covered:

Course Outline:

IDA overview
Common executable file features
Debugger
IDC

IDA features
Memory organization
FLIRT
Type system
IDS files

Working with IDA
Creating the database: various information sources
Various views of the database
Navigation
Modifying the listing
Patching the program
With all this information, how do I start my analysis?

Working with high level data
Arrays
Structures
Enumerations and bitfields

Advanced operations
Offsets
Bulk operations
Special structure types
Function prototypes
Processor specific issues

Code obfuscation
Overview of obfuscation techniques
Countermeasures
Exercises with several real-world sample files