6. Code Level Reversing

  • Published on
    12-Jun-2015

DESCRIPTION

2009 10

Transcript

  • 1. Code Level Reversing. 2009.11.03. ASEC (AhnLab Security Emergency response Center), Anti-Virus Researcher, CISSP

  • 2. 1. Code Level Reversing / Assembly Basic; 2. Debugging Basic; 3. Disassembling Basic. Copyright (C) AhnLab, Inc. 1988-2009. All rights reserved.

  • 3. 1. Code Level Reversing / Assembly Basic

  • 4. 1. Code Level Reversing / Assembly Basic. 1) Code Level Reversing: 1) , CPU, 2) Code Level Reversing Static Analysis 3) System Level Reversing

  • 5. 1. Code Level Reversing / Assembly Basic. 2) Assembly Basic: 1) 2) IA-32 ( 32 ) . 3) IA-32 Opcode (Operation Code) 2 Operand 4) Opcode MOV Operand () 3 - : (EAX EBX ) - : - : Operand RAM (Opcode) Operand, Operand

  • 6. 1. Code Level Reversing / Assembly Basic. 2) Assembly Basic: 1) - MOV 2 Operand - Operand . - Operand , , MOV Operand, Operand

  • 7. 1. Code Level Reversing / Assembly Basic. 2) Assembly Basic (1): 1) - ADD, SUB, MUL, DIV, IMUL, IDIV 6. ADD Operand 1, Operand 2 - ADD : 2 Operand 1. SUB Operand 1, Operand 2 - SUB : Operand 1 Operand 2 Operand 1. MUL Operand - MUL : EAX Operand EDX:EAX 64

  • 8. 1. Code Level Reversing / Assembly Basic. 2) Assembly Basic (2): DIV Operand - DIV : EDX:EAX 64 Operand EAX EDX. IMUL Operand - IMUL : EAX Operand EDX:EAX. IDIV Operand - IDIV : EDX:EAX 64 Operand EAX EDX

  • 9. 1. Code Level Reversing / Assembly Basic. 2) Assembly Basic: 1) - CMP - CMP Operand 1 Operand 2 - CMP Operand 1, Operand 2. 2) - JMP JMP (, )

  • 10. 1. Code Level Reversing / Assembly Basic. 2) Assembly Basic: 1) - CALL RET - CALL PUSH - RET . - RET CALL PUSH POP . CALL

  • 11. 2. Debugging Basic

  • 12. 2. Debugging Basic. 1) Debugger: 1) Debugger 2) Debugger 3) Software Breakpoint 4) Hardware Breakpoint CPU 5) Debugger User Mode Debugger Kernel Mode Debugger

  • 13. 2. Debugging Basic. 2) User Mode Debugger: 1) User Mode Debugger User Mode 2) User Mode Debugger (Debuggee) 3) User Mode Debugger Kernel Mode Debugger

  • 14. 2. Debugging Basic. 3) User Mode Debugger: 1) OllyDbg 2) WinDbg 3) IDA Pro

  • 15. 2. Debugging Basic. 4) Kernel Mode Debugger: 1) Kernel Mode Debugger 2) Kernel Mode Debugger

  • 16. 2. Debugging Basic. 4) Kernel Mode Debugger: 1) SoftICE 2) WinDBG

  • 17. 3. Disassembling Basic

  • 18. 3. Disassembling Basic. 1) Disassembler: 1) Disassembler 2) Disassembler

  • 19. 3. Disassembling Basic. 2) Disassembler: 1) IDA Pro 2)

  • 20. 3. Disassembling Basic

  • 21. * Reference: 1) The Art of Virus Research and Defense 2) 2) 4) : 5) Intel 64 and IA-32 Architectures Software Developer's Manuals

  • 22. AhnLab, The Joy of Care-Free Your Internet World. AhnLab, the AhnLab logo, and V3 are trademarks or registered trademarks of AhnLab, Inc., in Korea and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.
