Everyday Ghidra: Intro to Windows Reverse Engineering and Vulnerability Research // John McIntosh

In-Person | Nov 3-6 | 4 Days


ABSTRACT

In this course, you will learn how to use Ghidra effectively to reverse engineer Windows binaries. You will start with easy-to-follow steps—like creating projects, importing programs, and using essential tools—before moving on to exciting hands-on labs that let you explore real-world Windows applications. You will then learn how to customize Ghidra to suit your needs, such as building custom data types and configuring optimal analysis. From there, you will complete progressively challenging labs that will teach you to apply static and dynamic analysis techniques to dive deep into Windows application behavior using Ghidra’s Windows-specific features and scripts.

The course will also provide you with a series of practical, "everyday" reverse engineering examples focused on Windows binaries. Your hands-on experience will include reversing various binaries, from Windows services to malware, debugging a Windows RPC server, and analyzing the underlying behavior of modern applications. The course will also teach foundational vulnerability research by conducting patch diffing and root cause analysis of Windows CVEs, learning how security fixes are implemented and how to identify potential vulnerabilities yourself. Throughout the course, you will also explore how to integrate and utilize other valuable Windows-specific reverse engineering tools, such as System Informer, and several Sysinternals tools, to enhance your analysis alongside Ghidra.

Additionally, the curriculum introduces the latest intersection of reverse engineering and AI.

You will learn how to build and configure a local AI Ghidra automation stack to perform AI-assisted analysis, or 'vibe reversing', on Windows applications, gaining a practical understanding of the potential benefits and current limitations of using AI in your RE workflow.

By the end of this course, you will have gained practical skills and experience in reverse engineering Windows binaries using Ghidra. You will be able to apply these skills to your own projects, research, or career in cybersecurity.

INTENDED AUDIENCE

  • Cybersecurity professionals seeking to advance their skills in reverse engineering and malware analysis on the Windows platform.
  • Software developers interested in deepening their understanding of Windows internals.
  • Vulnerability researchers hoping to gain practical experience with Ghidra for uncovering and understanding vulnerabilities in Windows binaries.
  • Those aspiring to be any of the above.

KEY LEARNING OBJECTIVES

  • Ghidra Proficiency: Gain comprehensive skills in using Ghidra for static and dynamic analysis of Windows binaries.
  • Tool Mastery: Master Ghidra’s primary tools—Code Browser, Debugger, and Version Tracking—to tackle diverse reverse engineering tasks.
  • Enhanced Analysis Techniques: Learn to create custom data types and leverage Ghidra’s PDB support to deepen analysis capabilities.
  • Malware Behavior Identification: Develop the ability to reverse engineer and analyze Windows malware, identifying key behaviors like persistence and network communication.
  • Vulnerability Assessment: Use Ghidra’s patch diffing feature to compare binary versions and pinpoint changes addressing modern vulnerabilities.
  • Dynamic Debugging: Acquire the skills to dynamically debug Windows applications, enhancing problem-solving techniques in live environments.
  • Ghidra Scripting: Learn how to extend Ghidra’s core library to automate several aspects of reverse engineering.
  • Explore AI-Assisted Reverse Engineering: Build and configure a local AI Ghidra automation stack to enhance reverse engineering workflows. Gain practical insights into AI-assisted analysis—'vibe reversing'—for Windows applications, exploring both the advantages and limitations of integrating AI into reverse engineering.

Practical Exercises:

  • Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior, such as persistence, network communication, and obfuscation.
  • Dynamically Debugging a Windows RPC Server - Gain insight into Windows RPC and learn how to dynamically inspect a Windows RPC server with Ghidra’s Debugger.
  • Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability. You will learn how to root cause the vulnerability and understand its exploitation.

COURSE OUTLINE

Part 1: Introduction to Reverse Engineering With Ghidra

  • Getting Started with Ghidra
  • Import, Analyze, Repeat
  • Windows Security Concepts
  • Managed vs Native Binaries
  • Ghidorah: Taming the 3-headed dragon
    • Code Browser
    • Debugger
    • Version Tracking
  • Ghidra Scripting

Part 2: Reverse Engineering Windows Binaries - Static

  • A Practical RE Workflow
  • Setting Reverse Engineering Goals
  • Binary Acquisition
  • Analysis Improvements
  • Building Custom Ghidra Data Types
  • Reversing Windows Malware

Part 3: Reverse Engineering Windows Binaries - Dynamic

  • Ghidra Debugger Overview
  • Debugging an Application
  • Debuggers: Windbg, Visual Studio, Ghidra
  • Pretending All Binaries Come with Source
  • Debugging a Windows RPC Service
  • Debugging an RPC call
  • Reversing PetitPotam (NTLM Authentication Bypass) Case Study
  • RPCView, NtObjectManager, System Informer, Sysinternals

Part 4: Patch Diffing and Root Cause Analysis of a Windows CVE

  • Patch Diffing in Ghidra
  • Finding a CVE
  • Patch Diffing Windows Binaries
  • Hunting for the vulnerability
  • Finding the root cause
  • Building a trigger POC

Part 5: Explore AI-Assisted Reverse Engineering (Vibe Reversing)

  • Introduction to LLMs and Reverse Engineering
  • Deploying Your Own Local LLM for RE
  • Interacting with LLMs: Capabilities & Constraints
  • GhidraMCP - The Model Context Protocol (MCP)
  • Setting Up the Ghidra-LLM Integration Stack
  • Tool Calling for Ghidra Automation
  • Practical AI-Assisted Analysis

Student Requirements

This course is crafted for both beginners and those with more experience, making it a valuable next step on your reverse engineering journey. While a basic familiarity with the Windows operating system, fundamental cybersecurity concepts, and an introductory exposure to assembly language will be beneficial, you do not need any previous experience with Ghidra. We'll start from the very basics and guide you step-by-step through every essential tool and technique.

Suggested Prerequisites

  • Basic Knowledge of Windows: Familiarity with the Windows operating system and its core functionalities.
  • Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
  • Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.

What Students Will Be Provided With

  • Course slides / Training materials
  • Virtual machines with all the labs
  • Resources for further learning
  • Access to course CTF server during and beyond the course
  • Access to instructor(s) via Discord during the course and beyond

Laptop Requirements

Laptops with Apple Silicon are NOT supported in this class. Please ensure that your laptop has an Intel or equivalent x86-64 processor.

YOUR INSTRUCTOR: John McIntosh

John McIntosh, @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.

Cancellation Policy

COUNTERMEASURE25: 60+ days before the event: 75% of fees refunded; 45-60 days before the event: 50% refunded; less than 45 days: 0% refunded. Course changes are allowed up to 14 days before event start (some restrictions will apply). Attendee changes can be accommodated up to 14 days prior to the event.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.