Automated Vulnerability Research with Ghidra

VIRTUAL 32 CPE HOURS TRAINING: AUGUST 2022 * WEEK 2: AUG 15-20
Kayla Afanador
Kayla Afanador

Automated VR with Ghidra

This course teaches students methods to automate Ghidra in support of large-scale vulnerability analysis and general reverse engineering tasks. Students will develop scripts in Python, Kotlin, and Java to automate the extraction of data (e.g., strings, mnemonic frequency, function signatures, block sizes, cyclomatic complexity) from an arbitrary number of binaries across different architectures. After completing this course, students will have the practical skills to automate and extend Ghidra with scripts and modules.

Course Topics

Introduction:

  • Ghidra overview
  • Reversing refresher
  • Development environment

Automation Interfaces:

  • Python prompt
  • Script Manager
  • Remote Ghidra+Python+Jupyter console
  • Remote Ghidra+Kotlin+Jupyter console
  • Eclipse GhidraDev Extension
  • Headless mode

Automation Granularity:

  • currentProgram object
  • FlatAPI
  • Modules
  • Tools
  • Extensions

Special Topics:

  • Data extraction (e.g., strings, mnemonic frequency, function signatures, block sizes, cyclomatic complexity)
  • Batch analysis
  • Cross-architecture analysis
  • Binary Similarity analysis
  • Analysis and graphing of large datasets

Prerequisites

Students are expected to have experience with Ghidra and be proficient in navigating and manipulating code in the disassembly and decompiled views.

Software requirements

Students are expected to have their own computers which can run a 30GB virtual machine. A recommended hardware configuration is the following:

  • 50 GB of free hard disk space
  • 16 GB of RAM
  • 4 Processor cores
  • VMWare or Virtual Box to import an ova file
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated