CanSecWest: Security Masters Dojo Vancouver
Metasm Training
Instructors:
Yoann Guillot, Sogeti/ESEC
Alexandre Gazet, Sogeti/ESEC
Description
Malware code is becoming more and more sophisticated, and handling it requires ever more powerful tools.
Metasm is a framework for manipulating binary code, and it is well suited to this kind of target. The framework is written entirely in Ruby, which means you can script, automate or replace any part of it.
This course will introduce you to the basics of the framework, and will also cover some advanced features, so that you are well armed to face protected binary code.
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. Each class guide lists the material students are expected to know coming in and the software tools that need to be pre-installed before attending, so that you get the maximum benefit from these focused intermediate- or advanced-level courses. Please pay particular attention to the prerequisites: the material listed there will not be reviewed in the courses, and it is necessary to get the maximum benefit out of these educational programs.
Outline
Day 1
- Introduction to the framework
- General overview
- Metasm core classes
- Key features:
- Assembly
- Disassembly
- Debugging
- Live session: Vulnerability analysis and exploitation
We'll work on a simple challenge to get some hands-on experience:
- First approach to the target: disassembly
- Focusing on the vulnerability: understanding the flaw, debugging to catch the fault, examining the target, finding an exploitation vector
- Exploitation: creating and debugging a shellcode
Day 2
- Live session: Advanced binary analysis
- How to deal with code obfuscation:
- Ignoring it: use the debugger to trace the calls made by the program.
We'll develop a script to dump text as it is sent to a crypto library.
Covers:
- Symbol loading
- Automatic action on breakpoint hit
- Debugger scripting
- Removing it:
We'll write a Metasm plugin to revert the code to its pristine state.
Covers:
- Graph manipulation
- Instruction reordering
- Code replacement
- Backtracking
- Disassembler plugin writing
- Static binary patching
Who should attend:
- IT security specialists
- Reverse engineers
- Incident response staff
- Individuals interested in this topic
Prerequisites:
Attendees should be familiar with basic x86 assembly language.
The trainers:
Yoann Guillot and Alexandre Gazet work in the field of computer security at the French R&D lab of Sogeti/ESEC. They have given presentations on binary deobfuscation at several IT security conferences. Yoann is the main author of the Metasm framework.