One of the first steps taken during the reverse engineering process is to recover as much context as possible from a given binary, including symbols, function signatures, classes and structures associated with statically linked code. This is especially important for modern compilers and linkers that embed a plethora of boilerplate that you don't want to spend time reverse engineering. Throughout this workshop we will explore recovering this information using multiple open source tools in Binary Ninja. Our target will be a real-world malware sample written in C++ that is used to terminate EDR and antivirus technologies. The sample contains multiple components, including user-mode and kernel-mode binaries that require symbol and type information recovery for accurate analysis.
The 3-hour workshop will contain the following sections:
- C++ Foundation (35 minutes): We begin by discussing core C++ concepts, such as Object Oriented Programming, Runtime Type Information and Virtual Function Tables. We will then recover RTTI and VTable information in an example binary in Binary Ninja.
- Malware Triage and Manual C++ Reverse Engineering (60 minutes): This section focuses on initial analysis of the target malware binary. We will identify the malware's compiler and libraries using metadata like the Rich Header. Then we will manually reverse engineer C Runtime (CRT) boilerplate, argument parsing logic (`wmain`, `lstrcmpiW`), and the "install" and "uninstall" execution paths of the malware. In addition, we will analyze the malware's techniques for establishing persistence, its Windows service registration process and its signal handling.
- Automated Context Recovery with WARP (30 minutes): In contrast to the manual reversing process, you will learn how to use specialized tools for type identification and recovery. We will demonstrate how to identify standard C++ library functions (such as those for `std::vector` and exception handling) and how to match the malware's compilation environment to generate high-quality WARP analysis signatures based on C++ templates that automatically recover and rename these complex functions.
- Fuzzy Function Matching with BinDiff (35 minutes): We conclude by leveraging binary diffing to fill the remaining gaps. You will see how the BinDiff tool and its fuzzy matching algorithms are used to compare the unknown malware against a known, clean reference binary. This technique allows more lenient matching of function names, data structures and class types, letting us recover information that WARP missed. We will also demonstrate porting missing types from the example compiled binary into the malware database using Binary Ninja type archives.
- Q&A and Resources (20 minutes): Final thoughts and time for questions on integrating these techniques into your professional workflow.
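To make the C++ Foundation section concrete before the workshop, here is a small added example (not part of the workshop materials or the sample binaries) that shows the two structures the first section recovers: the hidden vtable pointer at offset 0 of every polymorphic object, and the RTTI data that `typeid` and `dynamic_cast` consult. The class names (`Shape`, `Triangle`, `Square`) and the `vptr_of` helper are assumptions chosen for illustration; the offset-0 vptr layout is implementation-defined but holds for MSVC, GCC and Clang on x86/x64, which is exactly what makes vtables a reliable class identifier when reversing.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <typeinfo>

// Illustrative class hierarchy (names are assumptions for this example):
// one polymorphic base and two derived classes overriding virtual methods.
class Shape {
public:
    virtual ~Shape() {}
    virtual const char* name() const { return "Shape"; }
    virtual int sides() const { return 0; }
};

class Triangle : public Shape {
public:
    const char* name() const override { return "Triangle"; }
    int sides() const override { return 3; }
};

class Square : public Shape {
public:
    const char* name() const override { return "Square"; }
    int sides() const override { return 4; }
};

// Read the compiler-generated vtable pointer stored at offset 0 of a
// polymorphic object. Layout is implementation-defined (assumption: MSVC,
// GCC and Clang on x86/x64), and it is the first thing a reverser looks for.
uintptr_t vptr_of(const Shape* obj) {
    uintptr_t vptr = 0;
    std::memcpy(&vptr, obj, sizeof(vptr));
    return vptr;
}

// Objects of the same dynamic type share one vtable; different dynamic types
// have different vtables. Recovering a vtable therefore identifies a class.
bool same_vtable(const Shape* a, const Shape* b) {
    return vptr_of(a) == vptr_of(b);
}

// RTTI query: typeid(*obj) resolves through the type_info referenced from
// the object's vtable, the structure the workshop recovers from the binary.
bool rtti_is(const Shape* obj, const std::type_info& ti) {
    return typeid(*obj) == ti;
}

// dynamic_cast walks the RTTI hierarchy data and succeeds only when the
// object's dynamic type is (or derives from) the target class.
bool is_triangle(const Shape* obj) {
    return dynamic_cast<const Triangle*>(obj) != nullptr;
}

// Virtual dispatch: the call goes through the vtable slot for sides().
int dispatch_sides(const Shape* obj) {
    return obj->sides();
}

// Sample objects (constructed for this example) so the checks can be run
// without any setup.
static Triangle g_tri_a;
static Triangle g_tri_b;
static Square   g_square;
static Shape    g_base;

int main() {
    const Shape* objs[] = { &g_tri_a, &g_tri_b, &g_square, &g_base };
    for (const Shape* o : objs) {
        std::printf("%-8s vptr=0x%llx sides=%d is_triangle=%d\n",
                    o->name(),
                    static_cast<unsigned long long>(vptr_of(o)),
                    dispatch_sides(o),
                    is_triangle(o) ? 1 : 0);
    }
    return 0;
}
```

Compile it without optimization and open the result in Binary Ninja: the three vtables appear as adjacent arrays of function pointers in read-only data, each with a pointer to its RTTI `type_info` (on MSVC, the `RTTI Complete Object Locator`) immediately before it, which is the pattern the workshop's first exercise labels by hand.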
By the end of this session, you will have learned robust, multi-faceted strategies for symbol and type recovery to assist with reverse engineering C++ malware in Binary Ninja using open source tools. All attendees will receive the workshop manual, slides, the sample binaries, pre-built WARP signatures, BinDiff files and a reference cheat sheet for the techniques covered.
Prerequisites & Preparation
Attendees should have basic familiarity with x86/x64 assembly and have Binary Ninja installed (a free license is sufficient). Prior malware analysis experience is helpful but not required. As we will be working with malware, please install Binary Ninja and BinDiff within a Virtual Machine for this workshop.
