Reversing

Secrets of Reverse Engineering
1st edition

by: Eldad Eilam

30,99 €

Publisher: Wiley
Format: EPUB
Published: 12.12.2011
ISBN/EAN: 9781118079768
Language: English
Number of pages: 624

DRM-protected eBook; to read it you need e.g. Adobe Digital Editions and an Adobe ID.

Description

Beginning with a basic primer on reverse engineering (computer internals, operating systems, and assembly language) and then discussing the various applications of reverse engineering, this book provides readers with practical, in-depth techniques for software reverse engineering. The book is broken into two parts: the first deals with security-related reverse engineering and the second explores the more practical aspects of reverse engineering. In addition, the author explains how to reverse engineer a third-party software library to improve interfacing and how to reverse engineer a competitor's software to build a better product.

* The first popular book to show how software reverse engineering can help defend against security threats, speed up development, and unlock the secrets of competitive products
* Helps developers plug security holes by demonstrating how hackers exploit reverse engineering techniques to crack copy-protection schemes and identify software targets for viruses and other malware
* Offers a primer on advanced reverse engineering, delving into "disassembly" (code-level reverse engineering) and explaining how to decipher assembly language

Foreword vii
Acknowledgments xi
Introduction xxiii

Part I Reversing 101 1

Chapter 1 Foundations 3
  What Is Reverse Engineering? 3
  Software Reverse Engineering: Reversing 4
  Reversing Applications 4
  Security-Related Reversing 5
  Malicious Software 5
  Reversing Cryptographic Algorithms 6
  Digital Rights Management 7
  Auditing Program Binaries 7
  Reversing in Software Development 8
  Achieving Interoperability with Proprietary Software 8
  Developing Competing Software 8
  Evaluating Software Quality and Robustness 9
  Low-Level Software 9
  Assembly Language 10
  Compilers 11
  Virtual Machines and Bytecodes 12
  Operating Systems 13
  The Reversing Process 13
  System-Level Reversing 14
  Code-Level Reversing 14
  The Tools 14
  System-Monitoring Tools 15
  Disassemblers 15
  Debuggers 15
  Decompilers 16
  Is Reversing Legal? 17
  Interoperability 17
  Competition 18
  Copyright Law 19
  Trade Secrets and Patents 20
  The Digital Millennium Copyright Act 20
  DMCA Cases 22
  License Agreement Considerations 23
  Code Samples & Tools 23
  Conclusion 23

Chapter 2 Low-Level Software 25
  High-Level Perspectives 26
  Program Structure 26
  Modules 28
  Common Code Constructs 28
  Data Management 29
  Variables 30
  User-Defined Data Structures 30
  Lists 31
  Control Flow 32
  High-Level Languages 33
  C 34
  C++ 35
  Java 36
  C# 36
  Low-Level Perspectives 37
  Low-Level Data Management 37
  Registers 39
  The Stack 40
  Heaps 42
  Executable Data Sections 43
  Control Flow 43
  Assembly Language 101 44
  Registers 44
  Flags 46
  Instruction Format 47
  Basic Instructions 48
  Moving Data 49
  Arithmetic 49
  Comparing Operands 50
  Conditional Branches 51
  Function Calls 51
  Examples 52
  A Primer on Compilers and Compilation 53
  Defining a Compiler 54
  Compiler Architecture 55
  Front End 55
  Intermediate Representations 55
  Optimizer 56
  Back End 57
  Listing Files 58
  Specific Compilers 59
  Execution Environments 60
  Software Execution Environments (Virtual Machines) 60
  Bytecodes 61
  Interpreters 61
  Just-in-Time Compilers 62
  Reversing Strategies 62
  Hardware Execution Environments in Modern Processors 63
  Intel NetBurst 65
  µops (Micro-Ops) 65
  Pipelines 65
  Branch Prediction 67
  Conclusion 68

Chapter 3 Windows Fundamentals 69
  Components and Basic Architecture 70
  Brief History 70
  Features 70
  Supported Hardware 71
  Memory Management 71
  Virtual Memory and Paging 72
  Paging 73
  Page Faults 73
  Working Sets 74
  Kernel Memory and User Memory 74
  The Kernel Memory Space 75
  Section Objects 77
  VAD Trees 78
  User-Mode Allocations 78
  Memory Management APIs 79
  Objects and Handles 80
  Named Objects 81
  Processes and Threads 83
  Processes 84
  Threads 84
  Context Switching 85
  Synchronization Objects 86
  Process Initialization Sequence 87
  Application Programming Interfaces 88
  The Win32 API 88
  The Native API 90
  System Calling Mechanism 91
  Executable Formats 93
  Basic Concepts 93
  Image Sections 95
  Section Alignment 95
  Dynamically Linked Libraries 96
  Headers 97
  Imports and Exports 99
  Directories 99
  Input and Output 103
  The I/O System 103
  The Win32 Subsystem 104
  Object Management 105
  Structured Exception Handling 105
  Conclusion 107

Chapter 4 Reversing Tools 109
  Different Reversing Approaches 110
  Offline Code Analysis (Dead-Listing) 110
  Live Code Analysis 110
  Disassemblers 110
  IDA Pro 112
  ILDasm 115
  Debuggers 116
  User-Mode Debuggers 118
  OllyDbg 118
  User Debugging in WinDbg 119
  IDA Pro 121
  PEBrowse Professional Interactive 122
  Kernel-Mode Debuggers 122
  Kernel Debugging in WinDbg 123
  Numega SoftICE 124
  Kernel Debugging on Virtual Machines 127
  Decompilers 129
  System-Monitoring Tools 129
  Patching Tools 131
  Hex Workshop 131
  Miscellaneous Reversing Tools 133
  Executable-Dumping Tools 133
  DUMPBIN 133
  PEView 137
  PEBrowse Professional 137
  Conclusion 138

Part II Applied Reversing 139

Chapter 5 Beyond the Documentation 141
  Reversing and Interoperability 142
  Laying the Ground Rules 142
  Locating Undocumented APIs 143
  What Are We Looking For? 144
  Case Study: The Generic Table API in NTDLL.DLL 145
  RtlInitializeGenericTable 146
  RtlNumberGenericTableElements 151
  RtlIsGenericTableEmpty 152
  RtlGetElementGenericTable 153
  Setup and Initialization 155
  Logic and Structure 159
  Search Loop 1 161
  Search Loop 2 163
  Search Loop 3 164
  Search Loop 4 165
  Reconstructing the Source Code 165
  RtlInsertElementGenericTable 168
  RtlLocateNodeGenericTable 170
  RtlRealInsertElementWorker 178
  Splay Trees 187
  RtlLookupElementGenericTable 188
  RtlDeleteElementGenericTable 193
  Putting the Pieces Together 194
  Conclusion 196

Chapter 6 Deciphering File Formats 199
  Cryptex 200
  Using Cryptex 201
  Reversing Cryptex 202
  The Password Verification Process 207
  Catching the “Bad Password” Message 207
  The Password Transformation Algorithm 210
  Hashing the Password 213
  The Directory Layout 218
  Analyzing the Directory Processing Code 218
  Analyzing a File Entry 223
  Dumping the Directory Layout 227
  The File Extraction Process 228
  Scanning the File List 234
  Decrypting the File 235
  The Floating-Point Sequence 236
  The Decryption Loop 238
  Verifying the Hash Value 239
  The Big Picture 239
  Digging Deeper 241
  Conclusion 242

Chapter 7 Auditing Program Binaries 243
  Defining the Problem 243
  Vulnerabilities 245
  Stack Overflows 245
  A Simple Stack Vulnerability 247
  Intrinsic Implementations 249
  Stack Checking 250
  Nonexecutable Memory 254
  Heap Overflows 255
  String Filters 256
  Integer Overflows 256
  Arithmetic Operations on User-Supplied Integers 258
  Type Conversion Errors 260
  Case-Study: The IIS Indexing Service Vulnerability 262
  CVariableSet::AddExtensionControlBlock 263
  DecodeURLEscapes 267
  Conclusion 271

Chapter 8 Reversing Malware 273
  Types of Malware 274
  Viruses 274
  Worms 274
  Trojan Horses 275
  Backdoors 276
  Mobile Code 276
  Adware/Spyware 276
  Sticky Software 277
  Future Malware 278
  Information-Stealing Worms 278
  BIOS/Firmware Malware 279
  Uses of Malware 280
  Malware Vulnerability 281
  Polymorphism 282
  Metamorphism 283
  Establishing a Secure Environment 285
  The Backdoor.Hacarmy.D 285
  Unpacking the Executable 286
  Initial Impressions 290
  The Initial Installation 291
  Initializing Communications 294
  Connecting to the Server 296
  Joining the Channel 298
  Communicating with the Backdoor 299
  Running SOCKS4 Servers 303
  Clearing the Crime Scene 303
  The Backdoor.Hacarmy.D: A Command Reference 304
  Conclusion 306

Part III Cracking 307

Chapter 9 Piracy and Copy Protection 309
  Copyrights in the New World 309
  The Social Aspect 310
  Software Piracy 310
  Defining the Problem 311
  Class Breaks 312
  Requirements 313
  The Theoretically Uncrackable Model 314
  Types of Protection 314
  Media-Based Protections 314
  Serial Numbers 315
  Challenge Response and Online Activations 315
  Hardware-Based Protections 316
  Software as a Service 317
  Advanced Protection Concepts 318
  Crypto-Processors 318
  Digital Rights Management 319
  DRM Models 320
  The Windows Media Rights Manager 321
  Secure Audio Path 321
  Watermarking 321
  Trusted Computing 322
  Attacking Copy Protection Technologies 324
  Conclusion 324

Chapter 10 Antireversing Techniques 327
  Why Antireversing? 327
  Basic Approaches to Antireversing 328
  Eliminating Symbolic Information 329
  Code Encryption 330
  Active Antidebugger Techniques 331
  Debugger Basics 331
  The IsDebuggerPresent API 332
  SystemKernelDebuggerInformation 333
  Detecting SoftICE Using the Single-Step Interrupt 334
  The Trap Flag 335
  Code Checksums 335
  Confusing Disassemblers 336
  Linear Sweep Disassemblers 337
  Recursive Traversal Disassemblers 338
  Applications 343
  Code Obfuscation 344
  Control Flow Transformations 346
  Opaque Predicates 346
  Confusing Decompilers 348
  Table Interpretation 348
  Inlining and Outlining 353
  Interleaving Code 354
  Ordering Transformations 355
  Data Transformations 355
  Modifying Variable Encoding 355
  Restructuring Arrays 356
  Conclusion 356

Chapter 11 Breaking Protections 357
  Patching 358
  Keygenning 364
  Ripping Key-Generation Algorithms 365
  Advanced Cracking: Defender 370
  Reversing Defender’s Initialization Routine 377
  Analyzing the Decrypted Code 387
  SoftICE’s Disappearance 396
  Reversing the Secondary Thread 396
  Defeating the “Killer” Thread 399
  Loading KERNEL32.DLL 400
  Reencrypting the Function 401
  Back at the Entry Point 402
  Parsing the Program Parameters 404
  Processing the Username 406
  Validating User Information 407
  Unlocking the Code 409
  Brute-Forcing Your Way through Defender 409
  Protection Technologies in Defender 415
  Localized Function-Level Encryption 415
  Relatively Strong Cipher Block Chaining 415
  Reencrypting 416
  Obfuscated Application/Operating System Interface 416
  Processor Time-Stamp Verification Thread 417
  Runtime Generation of Decryption Keys 418
  Interdependent Keys 418
  User-Input-Based Decryption Keys 419
  Heavy Inlining 419
  Conclusion 419

Part IV Beyond Disassembly 421

Chapter 12 Reversing .NET 423
  Ground Rules 424
  .NET Basics 426
  Managed Code 426
  .NET Programming Languages 428
  Common Type System (CTS) 428
  Intermediate Language (IL) 429
  The Evaluation Stack 430
  Activation Records 430
  IL Instructions 430
  IL Code Samples 433
  Counting Items 433
  A Linked List Sample 436
  Decompilers 443
  Obfuscators 444
  Renaming Symbols 444
  Control Flow Obfuscation 444
  Breaking Decompilation and Disassembly 444
  Reversing Obfuscated Code 445
  XenoCode Obfuscator 446
  DotFuscator by Preemptive Solutions 448
  Remotesoft Obfuscator and Linker 451
  Remotesoft Protector 452
  Precompiled Assemblies 453
  Encrypted Assemblies 453
  Conclusion 455

Chapter 13 Decompilation 457
  Native Code Decompilation: An Unsolvable Problem? 457
  Typical Decompiler Architecture 459
  Intermediate Representations 459
  Expressions and Expression Trees 461
  Control Flow Graphs 462
  The Front End 463
  Semantic Analysis 463
  Generating Control Flow Graphs 464
  Code Analysis 466
  Data-Flow Analysis 466
  Single Static Assignment (SSA) 467
  Data Propagation 468
  Register Variable Identification 470
  Data Type Propagation 471
  Type Analysis 472
  Primitive Data Types 472
  Complex Data Types 473
  Control Flow Analysis 475
  Finding Library Functions 475
  The Back End 476
  Real-World IA-32 Decompilation 477
  Conclusion 477

Appendix A Deciphering Code Structures 479
Appendix B Understanding Compiled Arithmetic 519
Appendix C Deciphering Program Data 537
Appendix D Citations 561
Index 567

Eldad Eilam is a consultant in the field of reverse engineering. He assists clients with operating system and in-depth software reverse engineering, and has devoted several years to developing advanced reverse engineering techniques.

Sometimes, the best way to advance is in reverse

If you want to know how something works, you take it apart very carefully. That's exactly what this book shows you: how to deconstruct software in a way that reveals design and implementation details, sometimes even source code. Why? Because reversing reveals weak spots, so you can target your security efforts. Because you can reverse-engineer malicious code in order to neutralize it. Because understanding what makes a program work lets you build a better one. You'll learn how here.

* Learn to read compiler-generated assembly language code for IA-32 compatible processors
* Decipher an undocumented file format or network protocol
* Understand when reverse engineering is legal, and when (and why) it may not be
* See how hackers use reversing to defeat copy protection technology
* Find out how to pull the plug on malicious code
* Determine how to prevent others from reversing your code, and find out how effective such steps can be
* Explore reverse engineering on the .NET platform and its assembly language, MSIL
* Observe the dissection of a real-world malicious program and see how the attacker used it to control infected systems

Companion Web site
Visit www.wiley.com/go/eeilam for a complete list of the sample programs in the book and links to valuable papers and products.

You may also be interested in these products:

Web Application Defender's Cookbook
by: Ryan C. Barnett, Jeremiah Grossman
EPUB ebook
32,99 €

Domain Architectures
by: Daniel J. Duffy
PDF ebook
31,99 €