Reverse engineering of file formats and network protocols using Kaitai Struct

Presented at REcon Brussels 2017, Jan. 29, 2017, 11 a.m. (60 minutes)

Kaitai Struct is a new declarative language and a free/open-source toolset to aid "black box" reverse engineering of unknown file formats, network protocols, and essentially any other form of binary data.

The basic idea is simple: a reverse engineer writes a declarative format spec in the Kaitai Struct language (.ksy), which can be rapidly checked against target binary files (or network captures) using the project's visualization tools. This lets the engineer put forward many conjectures about the format and check them quickly, concentrating only on those that prove valid. When the job is done, the .ksy spec can be compiled into a ready-made parsing library in one of 8 supported target languages (C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby) or converted into a human-readable format diagram (powered by GraphViz).

The Kaitai Struct language is fairly powerful: it can describe complex data structures such as file systems, data containers and media formats, disassemble bytecode, and much more.

The presentation will cover the origin of the idea, compare existing approaches to the file-format reversing problem, explain their pros and cons, and give an introduction to the Kaitai Struct language, showcasing some reverse engineering techniques that use it.
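As an added illustration (not part of the talk or of the Kaitai project), here is what such a .ksy spec looks like for a hypothetical chunked container format: a fixed magic, a header, a counted array of tagged chunks, and a trailer reached through an absolute offset. The format, its magic bytes, chunk type numbers and field names are all invented for this example; the constructs used (`contents`, `repeat-expr`, `switch-on`, `size-eos`, `instances`/`pos`, `enums`) are standard Kaitai Struct language features.

```yaml
# demo_container.ksy - hypothetical format, constructed for this example
meta:
  id: demo_container
  title: Demo chunked container (hypothetical format)
  file-extension: dmc
  endian: le                 # all multi-byte integers little-endian

seq:
  - id: magic
    contents: [0x44, 0x4d, 0x43, 0x00]   # "DMC\0"; parsing fails if it differs
  - id: version
    type: u2
  - id: num_chunks
    type: u2
  - id: trailer_ofs
    type: u4                 # absolute file offset of the trailer
  - id: chunks
    type: chunk
    repeat: expr
    repeat-expr: num_chunks  # the header tells us how many chunks follow

types:
  chunk:
    seq:
      - id: chunk_type
        type: u1
        enum: chunk_type
      - id: len
        type: u4
      - id: body
        size: len            # body is parsed in a substream of exactly `len` bytes
        type:
          switch-on: chunk_type
          cases:
            'chunk_type::name': name_chunk
            'chunk_type::data': data_chunk
            # any other chunk type (e.g. `end`) is kept as raw bytes; this is
            # how a partially-understood format is described while reversing
      - id: crc32
        type: u4             # declared only; Kaitai does not verify checksums

  name_chunk:
    seq:
      - id: name
        type: strz
        encoding: UTF-8

  data_chunk:
    seq:
      - id: payload
        size-eos: true       # whatever remains of the chunk's substream

  trailer:
    seq:
      - id: total_size
        type: u4
      - id: flags
        type: u2

instances:
  trailer:
    pos: trailer_ofs         # lazily parsed at the offset given in the header
    type: trailer

enums:
  chunk_type:
    1: name
    2: data
    3: end
```

The workflow the abstract describes maps onto this file directly: load a sample alongside the spec in the visualizer (`ksv sample.dmc demo_container.ksy`) to see every field and its byte range, adjust the spec until the tree matches the data, and then run `kaitai-struct-compiler -t python demo_container.ksy` (or `-t graphviz` for the diagram) once it is right. Two practical caveats: `size` and `repeat-expr` trust the length and count fields read from the file, so a generated parser will happily attempt to read a 4 GiB chunk from a malformed input, and fields like `crc32` are parsed but never validated; both checks belong in the calling code, not in the spec.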

