Automated Reverse Engineering with Binary Ninja

This comprehensive 4-day course will train both novice and advanced reverse engineers to leverage Binary Ninja's features to automate reverse engineering and security research tasks, such as deobfuscation and patching, structure and class recovery, executable unpacking, vulnerability discovery, and writing shellcode payloads and exploits. Students will hit the ground running with a fast paced comprehensive overview of Binary Ninja’s user interface before diving directly into the defining features of the tool: the Python API and Binary Ninja Intermediate Languages, or BNIL. We will cover both the Low Level IL and Medium Level IL and why they are both superior to native disassembly for program analysis. From there, we will work in-depth with the Python API and explore how to develop plugins to serve as force multipliers in students’ analysis tasks; this will include more obscure aspects of the API, such as automating creation of structures, creating new BinaryViews, and post-analysis callbacks. Finally, we will further apply these automation techniques to search for vulnerabilities in binary code and generate an exploit, along with a shellcode payload in C with the Shellcode Compiler.

Objective

• Automate both simple and complex reverse engineering tasks in an architecture agnostic manner using Binary Ninja's Python API and ILs
• Identify and deobfuscate both data and control flow obfuscations
• Generate exploit payloads and shellcode automatically

Class Outline

Day 1

• Introduction to Binary Ninja and its UI
• The Python scripting console
• Binary Ninja API
• The Binary Ninja Intermediate Languages: Lifted IL, LLIL, Mapped MLIL, and MLIL
• Static Single Assignment Form
• Automated decoding of obfuscated strings
• The Transform API and writing custom Transforms

Day 2

• Extending Binary Ninja with the PluginCommand API
• Running analysis in Background tasks and worker queues
• Automated structure and virtual table recovery
• Analysis callbacks: completion events, data notifications, and function recognizers
• Using callbacks for type propagation

Day 3

• Writing custom BinaryViews
• Using a BinaryView to automate unpacking packed executables
• Extending builtin Architectures with ArchitectureHooks
• Automated control flow recovery with an ArchitectureHook
• Control flow patching

Day 4

• Modeling vulnerabilities with Binary Ninja
• Automated payload generation
• Writing shellcode in C with the Shellcode Compiler

Prerequisites

Students should have some experience with both Python and C; C++ experience is useful but not required. Additionally, foundational knowledge of assembly and reverse engineering concepts is necessary.

Software requirement

Students should bring a laptop with Binary Ninja (Personal or Commercial) and VMWare Fusion or Workstation.

BIO

Josh Watson is a Senior Security Engineer with Trail of Bits. An acknowledged Binary Ninja expert, he has both presented talks and offered trainings on automating analysis with Binary Ninja. In his spare time, he hosts a Twitch stream in which he writes tools and reverse engineers binaries with Binary Ninja for a live audience.