Everyday Ghidra: Practical Windows Reverse Engineering

John McIntosh
Virtual Training | July 20 - 26 | 32 hours

BOOK NOW

Everyday Ghidra. Practical Windows Reverse Engineering

John McIntosh

Book Now - Early Bird Rate USD 4000

Reverse engineering is a technique to understand the workings of software or hardware, often applied to enhance security or compatibility. It is fun, rewarding, and always challenging, especially when dealing with modern Windows closed-source binaries. Enter Ghidra, a robust software reverse engineering framework created by the NSA for in-depth analysis of complex binaries. Ghidra can help you perform in-depth analysis of Windows binaries using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it.

This course provides a comprehensive guide to using Ghidra, covering fundamental operations to advanced techniques, with hands-on exercises on real-world Windows applications. It’s designed for those with foundational Windows and security knowledge, aiming to equip them with practical “everyday” reverse engineering skills using Ghidra.

ABSTRACT

Reverse engineering is the process of uncovering the principles, architecture, and internal structure of a piece of software or hardware. It can be used for various purposes, such as improving compatibility, enhancing security, understanding program behaviour, and even vulnerability research. However, reverse engineering is also be challenging, especially when dealing with complex and modern Windows binaries.

That’s why you need Ghidra, a powerful open-source software reverse engineering framework developed by the National Security Agency (NSA). Ghidra can help you perform in-depth analysis of Windows binaries using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it, and this course will guide your steps.

In this course, you will learn how to use Ghidra effectively to reverse engineer Windows binaries. You will start with the basics of Ghidra, such as creating projects, importing and analyzing binaries, and using Ghidra’s native tools. You will then learn how to customize Ghidra to suit your needs, such as building custom data types and configuring optimal analysis. From there, you will complete progressively challenging labs that will teach you to apply static and dynamic analysis techniques to dive deep into Windows application behavior using Ghidra’s Windows-specific features and scripts.

The course will also provide you with a series of “everyday” reversing examples, covering several aspects of Windows reverse engineering. Your journey will involve reversing Windows malware, debugging a Windows RPC server, and even learning how to root cause a recent Windows CVE. You will also learn how to use other Windows specific RE tools, such as WinDbg, RPCView, and System Informer to complement Ghidra’s functionality.

By the end of this course, you will have gained practical skills and experience in reverse engineering Windows binaries using Ghidra. You will be able to apply these skills to your own projects, research, or career in cybersecurity.

This course is rated intermediate but suitable for beginners with heart. It is assumed that students have a basic knowledge of Windows, security, and assembly language. No prior experience with Ghidra is required.

Practical Exercises:

  • Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior, such as persistence, network communication, and obfuscation.
  • Dynamically Debugging a Windows RPC Server - Gain insight to into Windows RPC and learn how to dynamically inspect a Windows RPC server with Ghidra’s Debugger.
  • Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability. You will learn how to root cause the vulnerability and understand its exploitation.

INTENDED AUDIENCE

💡
- Cybersecurity professionals seeking to advance their skills in reverse engineering and malware analysis on the Windows platform.
- Software developers interested in deepening their understanding of Windows internals
- Vulnerability Researchers: This course will offer them in-depth knowledge and practical experience with Ghidra for uncovering and understanding vulnerabilities in Windows binaries

KEY LEARNING OBJECTIVES

  • Ghidra Proficiency: Gain comprehensive skills in using Ghidra for static and dynamic analysis of Windows binaries.
  • Tool Mastery: Master Ghidra’s primary tools—Code Browser, Debugger, and Version Tracking—to tackle diverse reverse engineering tasks.
  • Enhanced Analysis Techniques: Learn to create custom data types and leverage Ghidra’s PDB support to deepen analysis capabilities.
  • Malware Behavior Identification: Develop the ability to reverse engineer and analyze Windows malware, identifying key behaviors like persistence and network communication.
  • Vulnerability Assessment: Use Ghidra’s patch diffing feature to compare binary versions and pinpoint changes addressing modern vulnerabilities.
  • Dynamic Debugging: Acquire the skills to dynamically debug Windows applications, enhancing problem-solving techniques in live environments.

COURSE DETAILS

AGENDA

Part 1

  • Introduction to Reverse Engineering With Ghidra
    • Getting Started with Ghidra
    • Import, Analyze, Repeat
    • Windows Security Concepts
    • Managed vs Native Binaries
    • Ghidorah: Taming the 3-headed dragon
      • Code Browser
      • Debugger
      • Version Tracking

Part 2

  • Reverse Engineering Windows Binaries - Static
    • A Practical RE Workflow
    • Setting Reverse Engineering Goals
    • Binary Acquisition
    • Analysis Improvements
    • Building Custom Ghidra Data Types
    • Reversing Windows Malware

Part 3

  • Reverse Engineering Windows Binaries - Dynamic
    • Ghidra Debugger Overview
    • Debugging an Application
    • Pretending All Binaries Come with Source
    • Debugging a Windows RPC Service
    • Debugging a RPC call
    • Reversing Petitpotam ( NTLM Authentication Bypass ) Case Study
    • RPCview, NtObjectManager,System Informer, Sysinternals

Part 4

  • Patch Diffing and Root Cause Analysis of Windows CVE
    • Patch Diffing in Ghidra
    • Finding a CVE
    • Patch Diffing Windows Binaries
    • Hunting for the vulnerability
    • Finding the root cause
    • Building a trigger POC

KNOWLEDGE PREREQUISITES

  • Basic Knowledge of Windows: Familiarity with the Windows operating system and its core functionalities.
  • Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
  • Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.
  • Debugging: Experience debugging software applications

Related RE content from the instructor:

SYSTEM REQUIREMENTS

Hardware Requirements

Software Requirements

  • Virtual Box or VMware.

ABOUT THE INSTRUCTOR

John McIntosh (@clearbluejar) is a security researcher @clearseclabs, a company that offers hands-on training and consulting for reverse engineering and offensive security. He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He has created several open-source security tools and courses, which are available on his GitHub page. He regularly blogs about his research projects and experiments on his website (https://clearbluejar.github.io), where you can find detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security enthusiasts.