CanSecWest: Security Masters Dojo Vancouver
| Next Session Dates: | March 22-23 2010 |
| Venue: |
Sheraton Wall Center Vancouver, Canada |
| Duration: |
1 or 2 Day Courses. Sessions begin at 10:00 a.m. and go to 6 p.m. |
|
Registration Maximum: |
15 Students per course session. |
Metasm Training
Instructors:
Yoann Guillot, Sogeti/ESEC
Alexandre Gazet, Sogeti/ESEC
Register for this course.
Description
Malware code gets more and more sophisticated, requiring always more powerful tools to handle.
Metasm is a framework to manipulate binary code, and it is well adapted to work on this kind of targets. The framework is full-ruby, which means you can script, automate or replace any part of it.
This course will introduce you to the basics of the framework, and will also introduce some advanced features, so that you are well armed to face binary protected code.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
Outline
Day 1
- Introduction to the framework
- General overview
- Metasm core classes
- Key features:
- Assembly
- Disassembly
- Debugging
- Live session: Vulnerability analysis and exploitation
We'll work on a simple challenge to get some hands-on experience - First approach of the target: disassembly
- Focusing on the vulnerability, understanding the flaw, Debug to catch the fault, Examination of the target, finding an exploitation vector
- Exploitation: Create/debug a shellcode
Day 2
- Live session: Advanced binary analysis
- How to deal with code obfuscation:
- Ignoring it: use the debugger to trace the calls made by the program.
We'll develop a script to dump text as it's sent to a crypto library
Covers:
- Symbol loading
- Automatic action on breakpoint hit
- Debugger scripting
- Removing it:
we'll write a Metasm plugin to revert the code to its pristine state
Covers:
- Graph manipulation
- Instruction reordering
- Code replacement
- Backtracking
- Disassembler plugin writing
- Static binary patching
- Ignoring it: use the debugger to trace the calls made by the program.
Who should attend:
- IT security specialists
- Reverse engineers
- Incident response staff
- Individuals interested in this topic
Prerequisites:
Attendees should be familiar with basic x86 assembly language.
The trainers:
Yoann Guillot and Alexandre Gazet work in the field of computer security for the french R&D lab of Sogeti/ESEC. They have given presentations on binary deobfuscation in a few ITsec conferences. Yoann is the main author of the Metasm framework.
