Abstract
This course teaches students to automate Ghidra with Java and Python for malware analysis, vulnerability research, and general reverse engineering. Students will script the most common reversing tasks, such as identifying vulnerable functions, extracting signatures, and deobfuscating strings. Students also learn to extend Ghidra by developing custom modules. The newly developed capabilities are then applied to Windows binaries, Linux binaries, and device firmware. After completing this course, students will have the practical skills to automate and extend Ghidra with scripts and modules.
SUGGESTED COMBO: REVERSE ENGINEERING WITH GHIDRA
Course Topics
Introduction
- Ghidra overview
- Python, Jython, and Java refresher
- Java-Jython interoperability
- Development environment
Automation Interfaces
- Python prompt
- Script Manager
- Remote Jython console
- Headless mode
- Eclipse GhidraDev Extension
- Jupyter Ghidra Jython Kernel
Automation Granularity
- currentProgram object
- FlatAPI
- Modules
- Tools
- Extensions
Special Topics
- Ghidra's P-Code Emulator
- SLEIGH
- Scripting Ghidra and GDB together
- Analysis and graphing of large datasets
Prerequisites
Students are expected to have experience with Ghidra and to be proficient in navigating and manipulating code in both the disassembly and decompiler views.
Software Requirements
Students are expected to bring their own computers, which must be able to run a 30 GB virtual machine. The recommended hardware configuration is the following:
- 50 GB of free hard disk space
- 16 GB of RAM
- 4 processor cores
- VMware or VirtualBox to import an OVA file