Reverse engineering in cybersecurity involves analysing software, systems, or hardware to understand their design, functionality and behaviour. The goal is often to uncover vulnerabilities, analyse malware, or understand proprietary systems for security research and defence.
Key Concepts
- Disassembly: Converts machine code (binary) into assembly language; tools such as Ghidra, IDA Pro and Radare2 do this.
- Decompilation: Converts binary code back into high-level (C-like) code, which is more abstract and easier to read than assembly.
- Static analysis: Examining code without executing it, to understand the structure, control flow and data handling of the software.
- Dynamic analysis: Running the code and observing its behaviour with a debugger such as x64dbg, OllyDbg or GDB, to understand runtime behaviour, memory usage and interactions with the system.
- Binary and File Format Analysis: Analysing binary files to understand their structure and contents, with the help of tools like 010 Editor and Binwalk; this helps identify potential vulnerabilities or malicious code hidden within files.
- Network Traffic Analysis: Capturing and analysing traffic with tools like Wireshark and tcpdump to understand communication patterns and data exchanges; important for identifying malicious network activity or data exfiltration.
- Malware Analysis: A specific form of reverse engineering focused on understanding and mitigating malicious software; it combines static and dynamic analysis techniques, typically inside a sandbox.
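The binary and file format analysis point above is easiest to see in code. The following is an added example (not code from the original page, and not Binwalk's or 010 Editor's own code) that does, in miniature, what those tools do: it scans a blob for known file signatures (magic bytes) and, where it finds an ELF header, parses the header fields and cross-checks them for consistency. The signature table and the sample blob are constructed for the example; the ELF header inside it is hand-built and is not a real binary.

```python
import struct

# Constructed signature table: a small subset of the magic values that
# carving tools such as Binwalk match against. Short magics like "MZ"
# produce false positives on random data, so a hit is only a lead until
# the header behind it parses consistently.
SIGNATURES = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/PE executable (MZ)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\x1f\x8b\x08", "gzip stream"),
    (b"PK\x03\x04", "ZIP archive"),
]

E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64", 243: "RISC-V"}


def scan_signatures(blob):
    """Return sorted (offset, description) pairs for every magic found in blob."""
    hits = []
    for magic, desc in SIGNATURES:
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1  # keep scanning; embedded files can repeat
    return sorted(hits)


def parse_elf_header(blob, off=0):
    """Parse an ELF32/ELF64 header at blob[off:] and validate its self-description.

    Raises ValueError on a malformed or truncated header instead of trusting it,
    which is the behaviour you want when the input may be hostile.
    """
    ident = blob[off:off + 16]
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    ei_class, ei_data = ident[4], ident[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # Field layout after e_ident (struct module, no padding because of the
    # explicit byte-order prefix): type, machine, version, entry, phoff,
    # shoff, flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx.
    if ei_class == 2:
        fmt, size = endian + "HHIQQQIHHHHHH", 64
    else:
        fmt, size = endian + "HHIIIIIHHHHHH", 52
    if len(blob) < off + size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack(fmt, blob[off + 16:off + size])
    # Consistency check: the header states its own size; a mismatch means the
    # file is corrupt or deliberately malformed to confuse parsers.
    if e_ehsize != size:
        raise ValueError("e_ehsize %d does not match class size %d" % (e_ehsize, size))
    return {
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": E_MACHINES.get(e_machine, "unknown(%d)" % e_machine),
        "entry": e_entry,
        "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shnum": e_shnum,
    }


def build_sample_elf64_header():
    """Constructed 64-byte ELF64 little-endian x86-64 EXEC header (not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)


# Constructed blob: 16 bytes of padding, an ELF header, a PNG magic and a gzip magic,
# the kind of layout seen in firmware images that embed several files.
SAMPLE_BLOB = (b"\x00" * 16 + build_sample_elf64_header()
               + b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"\x1f\x8b\x08\x00")


def describe(blob):
    """Scan a blob and attach parsed header details to any ELF hit."""
    report = []
    for off, desc in scan_signatures(blob):
        entry = {"offset": off, "kind": desc}
        if desc.startswith("ELF"):
            try:
                entry["elf"] = parse_elf_header(blob, off)
            except ValueError as exc:
                entry["elf_error"] = str(exc)
        report.append(entry)
    return report


if __name__ == "__main__":
    for item in describe(SAMPLE_BLOB):
        print(item)
```

The two halves mirror how the real tools divide the work: signature carving finds candidate offsets, and a format-aware parser decides whether what sits there is a well-formed header. Refusing an `e_ehsize` that disagrees with the ELF class is the kind of check that catches deliberately malformed samples before any later analysis trusts their offsets.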
Tools
Disassemblers/Decompilers: Ghidra, IDA Pro, Radare2
Debuggers: x64dbg, OllyDbg, GDB
Network Analysers: Wireshark, tcpdump
Binary Analysis Tools: Binwalk, 010 Editor
Sandboxes: Cuckoo, CAPE, Any.run, Intezer, Hybrid Analysis, Joe Security