Everyday Ghidra: Practical Windows Reverse Engineering
John McIntosh

A comprehensive guide to using Ghidra, covering fundamental operations to advanced techniques, with hands-on exercises on real-world Windows applications.

Everyday Ghidra: Practical Windows Reverse Engineering // John McIntosh

Virtual | March 9-15 | 32 Hours

BOOK NOW

ABSTRACT

Reverse engineering is a technique to understand the workings of software or hardware, often applied to enhance security or compatibility. It is fun, rewarding, and always challenging, especially when dealing with modern Windows closed-source binaries. Enter Ghidra, a robust software reverse engineering framework created by the NSA for in-depth analysis of complex binaries. Ghidra can help you perform in-depth analysis of Windows binaries using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it.

This course provides a comprehensive guide to using Ghidra, covering fundamental operations to advanced techniques, with hands-on exercises on real-world Windows applications. It’s designed for those with foundational Windows and security knowledge, aiming to equip them with practical “everyday” reverse engineering skills using Ghidra.

Everyday Ghidra: Practical Windows Reverse Engineering // John McIntosh

Virtual | March 9-15 | 32 Hours

BOOK NOW

INTENDED AUDIENCE

  • Cybersecurity professionals seeking to advance their skills in reverse engineering and malware analysis on the Windows platform.
  • Software developers interested in deepening their understanding of Windows internals
  • Vulnerability Researchers: This course will offer them in-depth knowledge and practical experience with Ghidra for uncovering and understanding vulnerabilities in Windows binaries

KEY LEARNING OBJECTIVES

  • Ghidra Proficiency: Gain comprehensive skills in using Ghidra for static and dynamic analysis of Windows binaries.
  • Tool Mastery: Master Ghidra’s primary tools—Code Browser, Debugger, and Version Tracking—to tackle diverse reverse engineering tasks.
  • Enhanced Analysis Techniques: Learn to create custom data types and leverage Ghidra’s PDB support to deepen analysis capabilities.
  • Malware Behavior Identification: Develop the ability to reverse engineer and analyze Windows malware, identifying key behaviors like persistence and network communication.
  • Vulnerability Assessment: Use Ghidra’s patch diffing feature to compare binary versions and pinpoint changes addressing modern vulnerabilities.
  • Dynamic Debugging: Acquire the skills to dynamically debug Windows applications, enhancing problem-solving techniques in live environments.

Practical Exercises:

  • Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior, such as persistence, network communication, and obfuscation.
  • Dynamically Debugging a Windows RPC Server - Gain insight to into Windows RPC and learn how to dynamically inspect a Windows RPC server with Ghidra’s Debugger.
  • Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability. You will learn how to root cause the vulnerability and understand its exploitation.

COURSE DETAILS

Part 1: Introduction to Reverse Engineering With Ghidra

  • Getting Started with Ghidra
  • Import, Analyze, Repeat
  • Windows Security Concepts
  • Managed vs Native Binaries
  • Ghidorah: Taming the 3-headed dragon
    • Code Browser
    • Debugger
    • Version Tracking

Part 2: Reverse Engineering Windows Binaries - Static

  • A Practical RE Workflow
  • Setting Reverse Engineering Goals
  • Binary Acquisition
  • Analysis Improvements
  • Building Custom Ghidra Data Types
  • Reversing Windows Malware

Part 3: Reverse Engineering Windows Binaries - Dynamic

  • Ghidra Debugger Overview
  • Debugging an Application
  • Pretending All Binaries Come with Source
  • Debugging a Windows RPC Service
  • Debugging a RPC call
  • Reversing Petitpotam ( NTLM Authentication Bypass ) Case Study
  • RPCview, NtObjectManager,System Informer, Sysinternals

Part 4: Patch Diffing and Root Cause Analysis of Windows CVE

  • Patch Diffing in Ghidra
  • Finding a CVE
  • Patch Diffing Windows Binaries
  • Hunting for the vulnerability
  • Finding the root cause
  • Building a trigger POC

Knowledge Prequisites

  • Basic Knowledge of Windows: Familiarity with the Windows operating system and its core functionalities.
  • Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
  • Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.
  • Debugging: Experience debugging software applications

System Requirements

Hardware

Intel 64-bit i7+ (or equivalent) Laptop with 16GB+ RAM

Software

  • VirtualBox or VMware Workstation (Free version will suffice)
Laptops with Apple Silicon are NOT supported in this class. Please ensure that your laptop has an Intel or equivalent x86-64 processor.

YOUR INSTRUCTOR: John McIntosh

John McIntosh @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.

Ringzer0’s Virtual Training Experience & FAQ
What can I expect from a virtual training delivered by Ringzer0, and answers to frequently asked questions.
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated