Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Mastering Reverse Engineering

You're reading from   Mastering Reverse Engineering Re-engineer your ethical hacking skills

Arrow left icon
Product type Paperback
Published in Oct 2018
Publisher Packt
ISBN-13 9781788838849
Length 436 pages
Edition 1st Edition
Tools
Arrow right icon
Author (1):
Arrow left icon
Reginald Wong Reginald Wong
Author Profile Icon Reginald Wong
Reginald Wong
Arrow right icon
View More author details
Toc

Table of Contents (15) Chapters Close

Preface 1. Preparing to Reverse FREE CHAPTER 2. Identification and Extraction of Hidden Components 3. The Low-Level Language 4. Static and Dynamic Reversing 5. Tools of the Trade 6. RE in Linux Platforms 7. RE for Windows Platforms 8. Sandboxing - Virtualization as a Component for RE 9. Binary Obfuscation Techniques 10. Packing and Encryption 11. Anti-analysis Tricks 12. Practical Reverse Engineering of a Windows Executable 13. Reversing Various File Types 14. Other Books You May Enjoy

Basic analysis lab setup

A typical setup would require a system that can run malware without it being compromised externally. However, there are instances that may require external information from the internet. For starters, we're going to mimic an environment of a home user. Our setup will, as much as possible, use free and open source tools. The following diagram shows an ideal analysis environment setup:

The sandbox environment here is where we do analysis of a file. MITM, mentioned on the right of the diagram, means the man in the middle environment, which is where we monitor incoming and outgoing network activities. The sandbox should be restored to its original state. This means that after every use, we should be able to revert or restore its unmodified state. The easiest way to set this up is to use virtualization technology, since it will then be easy to revert to cloned images. There are many virtualization programs to choose from, including VMware, VirtualBox, Virtual PC, and Bochs. 

It should also be noted that there is software that can detect that it is being run, and doesn't like to be run in a virtualized environment. A physical machine setup may be needed for this case. Disk management software that can store images or re-image disks would be the best solution for us here. These programs include Fog, Clonezilla, DeepFreeze, and HDClone.

Our setup

In our setup, we will be using VirtualBox, which can be downloaded from https://www.virtualbox.org/. The Windows OS we will be using is Windows 7 32-bit, which can be downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. In the following diagram, the system, which has an internet connection, is installed with two virtual machines, a guest sandbox and guest MITM:

  1. Download and install VirtualBox and run it. VirtualBox has installers for both Windows and Linux. Download the Windows 7 32-bit image, as shown here:

  1. The image downloaded from the Microsoft website is zipped and should be extracted. In VirtualBox, click on File|Import Appliance. You should be shown a dialog where we can import the Windows 7 32-bit image. 
  2. Simply browse and select the OVA file that was extracted from the ZIP archive, then click on Next, as shown here:

  1. Before continuing, the settings can be changed. The default RAM is set to 4096 MB. The more RAM allocated and the higher the number of CPU cores set, the better performance will be noticed when running or debugging. However, the more RAM added, the same amount of disk space gets consumed when storing snapshots of the image. This means that if we allocated 1 GB of RAM, creating a snapshot will also consume at least 1GB of disk space.  We set our RAM to 2048 MB, which would be a reasonable amount for us to work on:

  1. Click on Import and it should start generating the virtual disk image. Once it has completed, we need to create our first snapshot. It is recommended to create a snapshot in a powered-off state, since the amount of disk space consumed is minimal. Look for the SnapShots tab, then click on Take. Fill out the Snapshot Name and Snapshot Description fields, then click on the OK button. This quickly creates your first snapshot.
In a power-on state, the amount of RAM plus the amount of modified disk space in the virtual machine is equal to the total disk space that a snapshot will consume.
  1. Click on Start to begin running the Windows 7 image. You should end up with the following window. In case it asks for a password, the default password is Passw0rd!:

At this point, the network setup is set to NAT. This means that any network resources required by the virtual machine will use the host computer's IP address. The IP address of the virtual machine is taken from the VirtualBox's virtual DHCP service. Remember that any network communication in the virtual machine makes use of the host computer's IP address.

Since we can't prevent a certain malware from sending out information to the web in order to return information back to our virtual machine, it is important to note that some ISPs may monitor common malware behavior. It would be best to review your contract with them and make a call if needed.

Most of our reverse engineering deals with malware and, as of the time of writing, attackers usually target Windows systems. Our setup uses Microsoft Windows 7 32-bit. Feel free to use other versions. We recommend installing the 32-bit version of Microsoft Windows, as it will be easier to track virtual and physical addresses later on during low-level debugging.

You have been reading a chapter from
Mastering Reverse Engineering
Published in: Oct 2018
Publisher: Packt
ISBN-13: 9781788838849
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image