dante wrote:Packers, protectors, anti-reversing techniques are discussed only in exploit development. In my opinion, its better to start with the exploit development.
Whoa nelly slow down. Packers and anti-reversing is exposed and highly effective in malware analysis. Not "only" exploit development. To be honest, "packers" are usually used for covertness when someone doesn't want another visibly seeing what they're doing. Most shellcode exploits are fully visible across the board.
For example, when in Canvas, Core or Metasploit, I can open, modify and save exploits in ALL applications across the board. If they were packed and or encrypted and THEN packed, there would be an issue of trust within the security community and companies buying applications like Canvas, Core and Metasploit Pro.
Granted there is a LOT more overlap, I actually recommend the reverse, learn MALWARE analysis before exploitation. Even if you DO start learning exploitation, unless you plan on doing something sketchy, there is usually NO NEED to pack anything - again unless you plan on doing something sketchy.
By understanding malware analysis, from a professional level, you're liable to make more headway in the industry. This can be confirmed by visiting employment websites like Dice, Monster, etc., do a quick search for say "malware analyst" versus "exploit developer." You CAN make some serious cash with sites like say Zero Day Initiative, iDefense, etc., but the likelihood of you gaining a foothold in a comfortable solidly grounded company like say BT, Raytheon, etc., is low.
Exploit Development = good for bookoo bucks selling exploits ... Many companies won't care that you can exploit someone elses stuff
Malware Analysis - companies care that you can analyze (incident response, forensics, CERT/SERT/PSIRT) what is causing chaos on their network.
Malware analysis is a lot more simplified than wanting to yank your hair out over say DEP and ASLR. In a MA environment, you're usually going to create your labs, infect yourself, analyze the post and pre states of the machine that is now infected. What did the malware do, how did it do it, what did it affect, where did it try to connect, HOW did it try to connect, how did it try to bypass protections.
In an exploit development scenario, you're trying to disassemble/decompile thousands of lines of code looking for something that triggers an anomaly. WHAT can you do with that anomaly. That's fine and dandy. Now that you did it on ONE machine, replicate it across the board.
For those who've seen my mushroomcloud exploit, this was a classic clusterfsck of epic proportions. (Replication). I spent who knows how many hours going back and forth on machine to machine to machine trying to get it right across the board. I had others (thanks phenolit if you stumble upon here) who helped me iron out the kinks... At the end of the day, it turned out to be an NDIS driver issue via way of TREND MICRO causing VMWare to implode. Bottom line, anyone who DIDN'T use Trend Micro weren't affected by MushroomCloud. Those who did, sayanora. So from the exploit development side, how much do you think a company would find an exploit like this to be worth? How much total time did I spend on the exploit, analysis (pre and post mortem)? 3 months. This included time spent with VMWare engineers on the phone, time spent with friends, coworkers and other security pros on conference calls and email, time spent trying to get Trend Micro to understand it all.
End of the day? If I *tried* to even shop it around on say ZDI, iDefense, or others, it would be pointless. It's not replicable outside of unique instances. This is a nightmare in the windows exploitation development world. And THAT is where the money is, in Windows exploitation. Linux, BSD, Solaris, tends to be more for "bragging rights." If you think for a moment any one of those mentioned would even care financially about the potential damage from you 'sploit' think again. Whereas MS is used by millions of business, they're liable to be more visible hence the need for them to respond quickly.
Now I've had my share of exploit development and analysis of malware and or viruses throughout the years. From my POV, malware analysis is where the CAREER is at. Exploit Development is where bragging rights are... It is also where headaches and gray hair is made.
Anyway my two cents