A comprehensive guide to using Ghidra, covering fundamental operations to advanced techniques, with hands-on exercises on real-world Windows applications.
Everyday Ghidra: Practical Windows Reverse Engineering // John McIntosh
Virtual | March 9-15 | 32 Hours
ABSTRACT
Reverse engineering is a technique for understanding the workings of software or hardware, often applied to enhance security or compatibility. It is fun, rewarding, and always challenging, especially when dealing with modern Windows closed-source binaries. Enter Ghidra, a robust software reverse engineering framework created by the NSA for in-depth analysis of complex binaries. Its rich set of features and tools makes it well suited to dissecting Windows binaries. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it.
This course provides a comprehensive guide to using Ghidra, covering fundamental operations to advanced techniques, with hands-on exercises on real-world Windows applications. It’s designed for those with foundational Windows and security knowledge, aiming to equip them with practical “everyday” reverse engineering skills using Ghidra.
INTENDED AUDIENCE
- Cybersecurity professionals seeking to advance their skills in reverse engineering and malware analysis on the Windows platform.
- Software developers interested in deepening their understanding of Windows internals.
- Vulnerability researchers seeking in-depth knowledge and practical experience with Ghidra for uncovering and understanding vulnerabilities in Windows binaries.
KEY LEARNING OBJECTIVES
- Ghidra Proficiency: Gain comprehensive skills in using Ghidra for static and dynamic analysis of Windows binaries.
- Tool Mastery: Master Ghidra’s primary tools—Code Browser, Debugger, and Version Tracking—to tackle diverse reverse engineering tasks.
- Enhanced Analysis Techniques: Learn to create custom data types and leverage Ghidra’s PDB support to deepen analysis capabilities.
- Malware Behavior Identification: Develop the ability to reverse engineer and analyze Windows malware, identifying key behaviors like persistence and network communication.
- Vulnerability Assessment: Use Ghidra’s patch diffing feature to compare binary versions and pinpoint changes addressing modern vulnerabilities.
- Dynamic Debugging: Acquire the skills to dynamically debug Windows applications, enhancing problem-solving techniques in live environments.
Practical Exercises:
- Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior, such as persistence, network communication, and obfuscation.
- Dynamically Debugging a Windows RPC Server - Gain insight into Windows RPC and learn how to dynamically inspect a Windows RPC server with Ghidra’s Debugger.
- Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability. You will learn how to root cause the vulnerability and understand its exploitation.
COURSE DETAILS
Part 1: Introduction to Reverse Engineering With Ghidra
- Getting Started with Ghidra
- Import, Analyze, Repeat
- Windows Security Concepts
- Managed vs Native Binaries
- Ghidorah: Taming the 3-headed dragon
- Code Browser
- Debugger
- Version Tracking
Part 2: Reverse Engineering Windows Binaries - Static
- A Practical RE Workflow
- Setting Reverse Engineering Goals
- Binary Acquisition
- Analysis Improvements
- Building Custom Ghidra Data Types
- Reversing Windows Malware
Part 3: Reverse Engineering Windows Binaries - Dynamic
- Ghidra Debugger Overview
- Debugging an Application
- Pretending All Binaries Come with Source
- Debugging a Windows RPC Service
- Debugging an RPC call
- Reversing PetitPotam (NTLM Authentication Bypass) Case Study
- RpcView, NtObjectManager, System Informer, Sysinternals
Part 4: Patch Diffing and Root Cause Analysis of Windows CVE
- Patch Diffing in Ghidra
- Finding a CVE
- Patch Diffing Windows Binaries
- Hunting for the vulnerability
- Finding the root cause
- Building a trigger PoC
Knowledge Prerequisites
- Basic Knowledge of Windows: Familiarity with the Windows operating system and its core functionalities.
- Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
- Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.
- Debugging: Experience debugging software applications.
Related RE content from the instructor:
- https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/
- https://clearbluejar.github.io/posts/callgraphs-with-ghidra-pyhidra-and-jpype/
- https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code/
- https://cve-north-stars.github.io/
System Requirements
Hardware
- Intel 64-bit i7+ (or equivalent) laptop with 16 GB+ RAM
- 60 GB disk space
- Ability to run an Intel-based VM similar to https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Software
- VirtualBox or VMware Workstation (Free version will suffice)
YOUR INSTRUCTOR: John McIntosh
John McIntosh (@clearbluejar) is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.