Introduction to WebAssembly Reverse Engineering and Dynamic Analysis

Learn how to reverse WebAssembly modules, analyze their behavior, create cryptominer detection rules and perform dynamic analysis.

Training starting at $1,800.00 with one of our subscriptions.

Language: English

WebAssembly (wasm) is a new binary format developed and supported by all major browsers, including Firefox, Chrome, Safari and Microsoft Edge, through the W3C. This new format has been designed to be efficient, fast, debuggable and safe.

WebAssembly is being used everywhere, for example:

  • Web-browsers (Desktop & Mobile)
  • Cryptojacking (Coinhive, Cryptoloot)
  • Servers/Websites (Node.js, React, Qt, Electron, Cloudflare Workers)
  • Video games (Unity, UE4)
  • Blockchain platforms (EOS, Ethereum, Dfinity)
  • Linux Kernel (Cervus, Nebulet)
  • ... and more

This course provides all the prerequisites to understand the WebAssembly ecosystem, from binary modules to the associated virtual machine runtime. After completing this class, participants will be able to statically reverse WebAssembly modules, analyze their behavior, create cryptominer detection rules and perform dynamic analysis.

As part of this training, participants will be provided with numerous hands-on exercises allowing them to internalize the concepts and techniques taught in class.

Topics Covered during this Course

  • Introduction to the WebAssembly ecosystem
  • WebAssembly compilation and toolchain
  • Instruction set and debugging of WebAssembly modules
  • WebAssembly binary and text formats
  • WebAssembly module reversing
  • CFG & call graph reconstruction
  • Data flow graph analysis
  • Module instruction analytics/metrics
  • Cryptominer analysis and pattern detection signatures
  • Dynamic Binary Instrumentation
  • Bytecode (de)obfuscation techniques
  • Static Single Assignment & decompilation
  • Hacking WebAssembly video games

Day 1: Basics of WebAssembly Reverse Engineering

The first day focuses on the basics of WebAssembly and its ecosystem. Students will learn how to reverse-engineer and analyze real-life modules using both the binary format and the text representation. Students will apply much of the theory in practice through small hands-on assignments that highlight aspects of working with WebAssembly.

Assignment 1: WebAssembly compilation
  • Compile C/C++/Rust code into WebAssembly.
  • Observe how JavaScript interacts with a wasm module.
  • Discover how Emscripten works and why it is useful.

Assignment 2: WebAssembly text format and debugging
  • Convert a binary module into its wasm text format representation.
  • Debug module execution step-by-step using browsers.
  • Analyze WebAssembly instructions to understand module logic.

Assignment 3: Real-World: Browser addons analysis
  • Learn how wasm modules can be stored inside browser addons.
  • Identify module entrypoints and architecture.
  • Determine module behaviors and origins.

Assignment 4: WebAssembly reverse engineering
  • Disassemble and analyze module instructions.
  • Generate function control and data flow graphs (CFG and DFG).
  • Extract and modify wasm modules to solve challenges.

Day 2: Dynamic Modules Analysis

The second day focuses more on real-world module analysis using both static and dynamic techniques. Students will analyze famous WebAssembly cryptominers and discover how to perform dynamic binary instrumentation of wasm modules. Then, they will learn which anti-debugging and obfuscation techniques exist for WebAssembly and how to bypass them. Finally, students will hack some video games compiled to WebAssembly and create cheats.

Assignment 5: Real-World: Cryptominers analysis
  • Analyze instruction analytics/metrics to find interesting functions.
  • Compare the call graphs of different miners to find similarities.
  • Create YARA detection rules specific to WebAssembly cryptominers.

Assignment 6: Tracing and Dynamic Binary Instrumentation
  • Trace module execution dynamically.
  • Modify a wasm module to hook functions and instructions.
  • Create a DBI analysis script to solve challenges.

Assignment 7: Anti-debugging and (De)-Obfuscation
  • Learn how to detect a debugger using JavaScript and WebAssembly.
  • Implement some obfuscation techniques in a wasm module.
  • Decompile and automatically remove obfuscation inside wasm code.

Assignment 8: Real-World: Hacking WebAssembly games
  • Discover how advanced modules like video games work.
  • Explore running memory and find interesting values.
  • Create cheating patches for different targets.

Class requirements

Participants should have some familiarity with scripting languages (Python, Bash). This course is suitable for people who are new to WebAssembly. All the theory and concepts related to reverse engineering and static and dynamic analysis will be explained during the course.

Hardware Requirements
  • A working laptop capable of running virtual machines.
  • 4 GB RAM required, at a minimum.
  • 40 GB free hard disk space.

Minimum software to install
  • VirtualBox or VMware Player, VMware Workstation, VMware Fusion.

Training by Patrick Ventuzelo

Patrick is a security researcher focused on fuzzing, reverse engineering and vulnerability research targeting WebAssembly and Rust security.

Can't attend? All of our trainings are also available as private classes for your company.

Access all of our classes and professionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.