1 / 10

Retoolkit scripting-based reverse engineering toolkit

Retoolkit scripting-based reverse engineering toolkit. James Leskovar 16 february 2010. Outline. Reverse engineering Hooks and DLL Injection Retoolkit Motivation Architecture Scripting for Agility Sample. Reverse engineering. Types of reverse engineering.

talen
Télécharger la présentation

Retoolkit scripting-based reverse engineering toolkit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Retoolkitscripting-based reverse engineering toolkit James Leskovar 16 february 2010

  2. Outline • Reverse engineering • Hooks and DLL Injection • Retoolkit Motivation • Architecture • Scripting for Agility • Sample

  3. Reverse engineering • Types of reverse engineering. • Passive: Discerning the behaviour of a program in the absence of source code. • Active: Observing and potentially modifying the behaviour of a running process.

  4. Hooks and DLL Injection • What is a Dll? • Dynamic-link library (shared library). • Binary containing position-independent code • Can be loaded by processes at runtime, or linked to a program as a dependency at compile-time. • Exports functions which can be referenced and called by name.

  5. DLL • DLL dependencies of notepad.exe

  6. DLL Injection • Forcing a running process to load a DLL we’ve written. • Why would we want to do this? • Our DLL lives within the address space of the host process • Can directly read and write process memory. • Can directly call code within the process • Ability to hook the host process’s code

  7. Hooks • What is a hook? • Modifying the host process’s code in such a way so that it executes our own. • E.g. hooking the “send” function from the winsock library in order to be notified when any code sends data over sockets.

  8. Motivation for Retoolkit • Reverse engineering typically not agile: • Find source code for injector • Write injector • Find source code for function hooking • Start a new dll project in IDE of choice • Paste source code, hope it works • Find addresses you want to hook • Write code to install hooks, do something interesting with information • Repeat steps 4-7 for each new process you want to look at

  9. Motivation for Retoolkit • Enter, Retoolkit • Framework for simplifying a lot of the cruft involved in RE work.

  10. Retoolkit Architecture • Reverse engineering toolkit for Windows • Comes in two parts: • 1) native injector program • 2) .NET retoolkit scripting IDE,

More Related