Reverse Engineering Roadmap

Category: Uncategorized

  • Operating System (OS) processes

    What is a Process in an Operating System?

    A process is an instance of a program in execution. It includes:

    • The executable program code.
    • Current activity (Program Counter, registers).
    • Stack (temporary data like function parameters).
    • Heap (dynamically allocated memory).
    • Data section (global/static variables).
    • OS context (such as process ID, priority, state).

    WINDOWS PROCESSES (32-bit and 64-bit)

    Key Characteristics

    • Process creation: Via CreateProcess() API.
    • Each process has a unique process ID.
    • Each has its own virtual address space, handle table, security context, and environment block.
    • Thread-based: Windows processes contain one or more threads.

    32-bit Windows (x86)

    Memory Layout

    • 4 GB virtual address space per process.
      • 2 GB for user mode (default).
      • 2 GB for kernel mode.
      • Can be configured to 3 GB user / 1 GB kernel with /3GB switch in boot.ini.

    Process Constraints

    • Limited address space (important for memory-heavy apps).
    • Can only load 32-bit DLLs.
    • Cannot run 64-bit code.

    64-bit Windows (x64)

    Memory Layout

    • Theoretically supports 16 TB of virtual memory.
      • Usually 8 TB user space / 8 TB kernel space.
    • Can run both 32-bit and 64-bit processes using WoW64 (Windows-on-Windows 64-bit) subsystem.

    Advantages

    • Larger address space (important for large databases, CAD tools).
    • ASLR (Address Space Layout Randomization) is more effective.
    • Improved DEP (Data Execution Prevention) support.
    • Can load both 32-bit and 64-bit executables (32-bit through WoW64).

    Tools & Commands

    • Task Manager (Ctrl + Shift + Esc)
    • tasklist / taskkill
    • Process Explorer (Sysinternals)
    • wmic process (deprecated in latest Windows)
    • Get-Process (PowerShell)

    LINUX PROCESSES (32-bit and 64-bit)

    Key Characteristics

    • Created via fork() / exec() system calls.
    • Represented in the kernel as task_struct.
    • Each has its own PID, UID, memory space, and open file descriptors.
    • Process hierarchy is maintained (e.g., parent-child relationships).

    32-bit Linux (x86)

    Memory Layout

    • Typically 4 GB virtual address space.
      • 3 GB user space / 1 GB kernel space (default).
      • Can vary depending on kernel config.

    Constraints

    • Limited to ~3 GB memory per process.
    • Cannot access 64-bit registers (limits performance and addressability).
    • Cannot run 64-bit binaries.

    64-bit Linux (x86_64)

    Memory Layout

    • Theoretically supports 256 TB virtual address space.
      • Actual user/kernel split may vary.
    • Can run both 32-bit and 64-bit binaries (if multilib is enabled).
    • Uses ELF64 format for binaries.

    Features

    • Larger address space.
    • Supports native 64-bit instructions.
    • Can address more RAM (beyond 4 GB).
    • Kernel uses task_struct to manage process information.
    • Can access high-performance features like HugePages, NUMA, and ASLR enhancements.

    Tools & Commands

    • ps, top, htop, pidstat
    • kill, nice, renice, killall
    • /proc/<pid>/ – contains full process metadata
    • strace, lsof, gdb – for deeper inspection

    MAC OS PROCESSES (32-bit and 64-bit)

    Key Characteristics

    • macOS is based on XNU kernel (hybrid of Mach and BSD).
    • Process creation through fork(), exec(), and posix_spawn().
    • Uses Mach tasks and threads under the hood.
    • All applications are 64-bit as of macOS Catalina (10.15).

    32-bit macOS (pre-10.15)

    Memory Layout

    • Standard 4 GB address space per process.
    • System-wide transition to 64-bit started around OS X Leopard (10.5).
    • Could run both 32-bit and 64-bit apps on Intel Macs (with proper compatibility frameworks).

    Constraints

    • Memory limitations (especially for media apps).
    • Deprecated by Apple.
    • Many newer libraries and APIs are 64-bit only.

    64-bit macOS (10.7+)

    Memory Layout

    • Full support for 64-bit processes and system libraries.
    • As of macOS Catalina, 32-bit apps are no longer supported.
    • Uses Mach-O 64 binary format.
    • System frameworks (AppKit, Cocoa) all require 64-bit compliance.

    Features

    • ASLR, SIP (System Integrity Protection), DEP, sandboxing.
    • Robust thread/process control via launchd, Activity Monitor, or ps.
    • Uses dyld for dynamic library loading (like Linux’s ld.so).

    Tools & Commands

    • Activity Monitor (GUI)
    • ps, top, htop (CLI)
    • launchctl – for managing services/processes
    • dtruss, fs_usage, vmmap, sample – debugging tools
    • /proc/ is not present; uses sysctl, /usr/bin/stat, and other BSD-style tools.

  • Reverse Engineering Roadmap

    Prerequisites (Foundational Knowledge)

    Operating Systems & Computer Architecture

    • Learn how OS works: processes, memory, system calls, file systems
    • Study computer architecture (x86/x86_64/ARM):
      • Registers, flags, stack, heap
    • Recommended:
      • “Computer Systems: A Programmer’s Perspective”
      • “Operating Systems: Three Easy Pieces”

    Programming Skills

    • C and C++ (you’ll need this to understand compiled binaries)
    • Assembly Language:
      • x86 and x86-64 at minimum
      • ARM if you’re interested in mobile/IoT RE
    • Scripting: Python (for automating RE tasks)

    Introduction to Reverse Engineering

    Learn Basic RE Concepts:

    • What is disassembly, decompilation?
    • Static vs Dynamic Analysis
    • Understanding binary formats: PE (Windows), ELF (Linux), Mach-O (macOS)

    Tools:

    • IDA Free / Ghidra / Binary Ninja (Disassemblers & Decompilers)
    • x64dbg / OllyDbg / WinDbg (Windows Debuggers)
    • radare2 / GDB / pwndbg (Linux Debuggers)
    • Cutter (GUI frontend for radare2)

    Static Analysis Skills

    • Learn to read and interpret disassembled code
    • Recognize standard library functions (e.g., strcmp, printf)
    • Understand control flow graphs (CFGs), function prologues/epilogues

    Focus Areas:

    • String references
    • API calls
    • Code obfuscation techniques

    Dynamic Analysis Skills

    • Set breakpoints, step through code
    • Modify registers, memory at runtime
    • Trace system/API calls (e.g., with Procmon, strace, ltrace)
    • Use frida, Valgrind, or unicorn for advanced instrumentation

    Software Modifying

    • Learn how to:
      • Bypass checks or popup dialogs
      • Modify control flow in binaries
      • Patch binaries (with tools like Hiew, LordPE, or 010 Editor)
    • Understand:
      • Software protection mechanisms (packing, obfuscation)
      • Anti-debugging techniques and how to bypass them