Trainers: Alexandre Gazet (Sogeti ESEC Research & Development) & Yoann Guillot (Sogeti ESEC Research & Development)
Capacity: 20 pax
Seats left: 18
Duration: 2 days
Cost: (per pax) EUR1499 (early bird) / EUR1899 (non early-bird)
Overview
Malware code is becoming ever more sophisticated and requires increasingly powerful tools to handle it.
Metasm is a framework for manipulating binary code, and it is well suited to working on this kind of program. The framework is written entirely in Ruby, which means you can script, automate or replace any part of it. This course will introduce you to the basics of the framework and will also cover some advanced features, so that you are well armed to face protected binary code.
Agenda – Day 1
- Introduction to the framework
- General overview
- Metasm core classes – key features:
  - Assembly
  - Disassembly
  - Debugging
- Live session: Vulnerability analysis and exploitation (we’ll work on a simple challenge to get some hands-on experience)
- First approach of the target: disassembly
- Focusing on the vulnerability, understanding the flaw:
  - Debug to catch the fault
  - Examination of the target, finding an exploitation vector
- Exploitation:
  - Create/debug a shellcode
Agenda – Day 2
- Live session: Advanced binary analysis
- How to deal with code obfuscation:
  - Ignoring it: use the debugger to trace the calls made by the program (we’ll develop a script to dump text as it’s sent to a crypto library). Covers:
    - Symbol loading
    - Automatic action on breakpoint hit
    - Debugger scripting
  - Removing it: we’ll write a Metasm plugin to revert the code to its pristine state. Covers:
    - Graph manipulation
    - Instruction reordering
    - Code replacement
    - Backtracking
    - Disassembler plugin writing
    - Static binary patching
Who Should Attend
IT security specialists
Reverse engineers
Incident response personnel
Individuals interested in this topic
Prerequisites
Knowledge of x86 assembly basics
About the Trainers
Yoann Guillot and Alexandre Gazet work in the field of computer security at the French R&D lab of Sogeti/ESEC. They have given presentations on binary deobfuscation at a few IT security conferences. Yoann is the main author of the Metasm framework.