Advanced Reverse Engineering by Nicolas Brulez

Learn how to unpack Packers and Protectors, and how to analyse Polymorphic viruses

Instructor: Nicolas Brulez
Dates: 10-12 June 2008
Availability: 13 Seats

Day 1: Unpacking Custom Executable Protections

The focus of the first day is unpacking custom executable protections.

None of the protections presented are publicly available: some of them are used to protect malicious applications, and the others were written by the instructor.

You will be introduced to virtual-machine based protections and their proprietary assembly, and will learn how to make sense of such a custom instruction set in order to analyse highly obfuscated routines.

Day 2: x64 Reverse Engineering

The second day focuses on taking apart x64 packers and, of course, on reconstructing fully working unpacked executables.

Hand-written assembly code will be presented, along with information on code injection for reverse engineering purposes on the x64 platform.

Day 3: Malware Analysis

The last day of the training focuses on taking apart malicious applications.

The examples covered subvert applications and drivers by injecting assembly stubs into their victims.

Techniques for analysing such samples will be presented to the audience, with many practical exercises.

Class Requirements

IMPORTANT: This training is not for beginners, and no introductory material will be presented. You must know how to unpack most existing packers and be fluent in x86 assembly to take this course. The instructor may require prospective students to take apart a small executable before being accepted into the training session: the goal is for advanced reverse engineers to progress, and that is only possible if every student can follow the course. There will not be an introductory reverse engineering class this year unless we receive enough requests.

Legal IDA Pro license (5.1 or 5.2 preferred)

VMware, for running the malicious applications

Being able to run x64 code is a plus; you must be (almost) fluent in x86 assembly, and you must know how to unpack files.

Bio

Nicolas is a Senior Virus Researcher at Websense Security Labs, where he analyzes computer viruses, develops tools, and conducts security research. Prior to that, he was the Chief of Security for Digital River/Silicon Realms, where he worked on the SoftwarePassport/Armadillo protection system for four years and specialized in anti-reverse engineering techniques for defending software protections against attack.

He has been doing reverse engineering for over a decade, is an active participant in viral threat research (whose results are used by various anti-virus companies), and writes regularly for the French security magazine MISC.

Nicolas has authored a number of papers, lectured on assembly programming and reverse engineering at various computer engineering schools, and frequently speaks at international security conferences, including: RECON (Canada), PacSec (Japan), RuxCon (Australia), SSTIC (France), Virus Bulletin, Toorcon (USA), and APWG (Brussels).

Nicolas is an associate researcher at the Virology and Cryptology Laboratory of the "École Supérieure et d'Application des Transmissions", and is also the official reverse engineering instructor at RECON.