WebAssembly (wasm) is a new binary format developed and supported by all major browsers including Firefox, Chrome, Safari and Microsoft Edge through the W3C. This new format has been designed to be efficient, fast, debuggable and safe.
WebAssembly is being used everywhere, for example:
- Web-browsers (Desktop & Mobile)
- Cryptojacking (Coinhive, Cryptoloot)
- Servers/Website (Nodejs, React, Qt, Electron, Cloudflare workers)
- Video games (Unity, UE4)
- Blockchain platforms (EOS, Ethereum, Dfinity)
- Linux Kernel (Cervus, Nebulet)
- ... and more
This course provides all the prerequisites to understand the WebAssembly ecosystem, from binary modules to the associated virtual machine runtime. After completing this class, participants will be able to statically reverse WebAssembly modules, analyze their behavior, create cryptominer detection rules and perform dynamic analysis.
As part of this training, participants will be provided with numerous hands-on exercises allowing them to internalize the concepts and techniques taught in class.
- Introduction to WebAssembly ecosystem
- WebAssembly compilation and toolchain
- Instruction set and debugging WebAssembly modules
- WebAssembly binary and Text Format
- WebAssembly Module reversing
- CFG & Call Graph reconstruction
- Data Flow Graph analysis
- Module instruction analytics/metrics
- Cryptominers analysis and Pattern detection signatures
- Dynamic Binary Instrumentation
- Bytecode (De)-Obfuscation techniques
- Static Single Assignment & Decompilation
- Hacking WebAssembly video games
The first day focuses on the basics of WebAssembly and its ecosystem. Students will learn how to reverse-engineer and analyze real-life modules using both the binary format and the text representation. Students will have the opportunity to apply much of the theory in practice through small hands-on assignments that highlight aspects of working with WebAssembly.
- Compile C/C++/Rust code into WebAssembly.
- Discover how Emscripten works and why it is useful.
- Convert a binary module into its wasm text format representation.
- Debug module execution step-by-step using browsers.
- Analyze WebAssembly instructions to understand module logic.
- Learn how wasm modules can be stored inside browser addons.
- Identify module entrypoints and architecture.
- Determine module behaviors and origins.
- Disassemble and analyze module instructions.
- Generate function control and data flow graphs (CFG and DFG).
- Extract and modify wasm modules to solve challenges.
The second day focuses more on real-world module analysis using both static and dynamic techniques. Students will analyze famous WebAssembly cryptominers and discover how to perform dynamic binary instrumentation of wasm modules. Then, they will learn which anti-debugging and obfuscation techniques exist for WebAssembly and how to bypass them. Finally, students will hack some video games compiled to WebAssembly and create cheats.
- Analyze instruction analytics/metrics to find interesting functions.
- Compare call graph of different miners to find similarities.
- Create YARA detection rules specific to WebAssembly cryptominers.
- Trace module execution dynamically.
- Modify a wasm module to hook functions and instructions.
- Create a DBI analysis script to solve challenges.
- Implement some obfuscation techniques in a wasm module.
- Decompile wasm code and automatically remove obfuscation from it.
- Discover how advanced modules like video games work.
- Explore running memory and find interesting values.
- Create cheat patches for different targets.
Participants should have some familiarity with scripting languages (Python, Bash). This course is suitable for people that are new to WebAssembly. All the theory and concepts related to reverse engineering, static and dynamic analysis will be explained during the course.
- A working laptop capable of running virtual machines.
- 4 GB RAM required, at a minimum.
- 40 GB of free hard disk space.
- Minimum software to install:
  - VirtualBox or VMware Player, VMware Workstation, VMware Fusion.