retoolkit scripting based reverse engineering toolkit n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Retoolkit scripting-based reverse engineering toolkit PowerPoint Presentation
Download Presentation
Retoolkit scripting-based reverse engineering toolkit

Loading in 2 Seconds...

play fullscreen
1 / 10

Retoolkit scripting-based reverse engineering toolkit - PowerPoint PPT Presentation


  • 217 Views
  • Uploaded on

Retoolkit scripting-based reverse engineering toolkit. James Leskovar 16 february 2010. Outline. Reverse engineering Hooks and DLL Injection Retoolkit Motivation Architecture Scripting for Agility Sample. Reverse engineering. Types of reverse engineering.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Retoolkit scripting-based reverse engineering toolkit' - talen


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
outline
Outline
  • Reverse engineering
  • Hooks and DLL Injection
  • Retoolkit Motivation
  • Architecture
  • Scripting for Agility
  • Sample
reverse engineering
Reverse engineering
  • Types of reverse engineering.
    • Passive: Discerning the behaviour of a program in the absence of source code.
    • Active: Observing and potentially modifying the behaviour of a running process.
hooks and dll injection
Hooks and DLL Injection
  • What is a Dll?
    • Dynamic-link library (shared library).
    • Binary containing position-independent code
    • Can be loaded by processes at runtime, or linked to a program as a dependency at compile-time.
    • Exports functions which can be referenced and called by name.
slide5
DLL
  • DLL dependencies of notepad.exe
dll injection
DLL Injection
  • Forcing a running process to load a DLL we’ve written.
  • Why would we want to do this?
    • Our DLL lives within the address space of the host process
    • Can directly read and write process memory.
    • Can directly call code within the process
    • Ability to hook the host process’s code
hooks
Hooks
  • What is a hook?
    • Modifying the host process’s code in such a way so that it executes our own.
    • E.g. hooking the “send” function from the winsock library in order to be notified when any code sends data over sockets.
motivation for retoolkit
Motivation for Retoolkit
  • Reverse engineering typically not agile:
  • Find source code for injector
  • Write injector
  • Find source code for function hooking
  • Start a new dll project in IDE of choice
  • Paste source code, hope it works
  • Find addresses you want to hook
  • Write code to install hooks, do something interesting with information
  • Repeat steps 4-7 for each new process you want to look at
motivation for retoolkit1
Motivation for Retoolkit
  • Enter, Retoolkit
    • Framework for simplifying a lot of the cruft involved in RE work.
retoolkit architecture
Retoolkit Architecture
  • Reverse engineering toolkit for Windows
    • Comes in two parts:
    • 1) native injector program
    • 2) .NET retoolkit scripting IDE,