Thursday, December 21, 2017

Getting Into RE

This has been done before, but I find myself producing this information repeatedly, so what the hell, here's a blog article about it: how to get started in reverse engineering (RE). You'll need a VM (VirtualBox is free and works for me).

I'll first promote the resources that I used because that's what worked for me. Then I'll talk about how to get practice via a certain CTF, and share some resources that I believe have been useful to others.

PMA

That stands for Practical Malware Analysis. This book is already showing its age, but I still think it is the best all-in-one resource to learn reverse engineering fundamentals.

The approach I took that helped me really absorb the material was:
  1. Read the book through and just absorb it;
  2. Go back through for the labs, reviewing each chapter as necessary;
  3. When a lab takes more than a certain time (start with 30 minutes), use the back of the book for the answer;
  4. If you don't see the connection between what you've seen so far and the answer in the back of the book, read the extended answer to see how they got that; and,
  5. Always read the extended answer to glean any techniques that might be more efficient than the road you took.

It takes discipline to remember that you have limited time and you need to move through the labs if you are to learn and improve. If you're banging your head into the wall, you're that much closer to giving up, which is only okay if you have determined that this is simply not interesting to you anymore.

If you don't know assembly language well and you think it is hindering your ability to move through PMA, then suspend that process and take some time with...

x86 Assembly Language

I will suggest two main roads for learning x86 (and x64) assembly language, and a couple of other references to support them. The first and most accessible main resource is the one that a lot of my colleagues have said helped them: http://opensecuritytraining.info/

A lot of reverse engineers, both aspiring and established, say that Xeno's courses are where they learned assembly language, and it went really well for them, so with it being available online for free, I have to put it out there.

As for myself, my main resource for learning x86 assembly language was Richard Blum's book, Professional Assembly Language Programming. The book teaches with GNU tools, so it uses the AT&T syntax which is largely unpopular with the RE crowd, but on the upside, the GNU tools are superlatively easy to acquire and use on most Linux distributions.

Aside from those, the first chapter (x86/x64) of Practical Reverse Engineering reinforced and clarified some essential concepts for me.

Finally, for the definitive RTFM experience, Volume 2 of Intel's processor manuals contains the instruction set reference, which you can use to look up weird instructions you come across. If you're using IDA Pro, its auto-comment mode may also help remind you what each instruction does while you are just getting started.

Debugging

Tarik Soulami's book Inside Windows Debugging is an outstanding read about not just WinDbg but Windows internals. I can't recommend it emphatically enough.

FLARE-On Challenges

If you're done with PMA and ready for some practice, the FLARE-On Challenge binaries archived at http://flare-on.com/ pose a unique training opportunity for two reasons: first, because they deliberately mimic real malware; and second, because they are all accompanied by solution write-ups on fireeye.com.

When used for training, I suggest approaching these incrementally: attack level 1 of each, level 2 of each, level 3 of each, in turn. I also suggest treating them like the PMA labs: if you exceed a certain duration analyzing them, peek at the solution write-up and see if that gives you a shove in the right direction.

Things I Did That You Don't Have To

The first book I read about RE-related things was actually not PMA; it was The Shellcoder's Handbook, 1st Edition (2nd Edition is here). This was not a gentle introduction. But looking back, it taught me a lot of things that I refer back to very frequently. So maybe it was more formative for me than I even remember.

I also continue to get a lot out of reading Kyle Loudon's book, Mastering Algorithms in C. The book talks about all those things I consider to be magic, especially crypto and compression.

Other Resources

...
See the ellipsis? I'm going to tack things onto this article as I learn about them. If you know of one, holler. It's easy for me to remember what helped ME, but I could use a reminder of what others have found helpful.
