
Course Information: Intro to RE With Ghidra

    Hi all. I'm the instructor for this workshop and I'm looking forward to seeing you there! I noticed the subforum created for it here, so I'm adding the latest course information, as submitted to the DEF CON staff. I'm happy to answer any questions about the course, as well!

    Course Description

    The open-source release of the NSA's Ghidra disassembler gives software reverse engineers a free option for high-capability interactive analysis of binary code. Many software reverse engineering (SRE) practitioners have been spending time since the release learning about Ghidra and bringing it into their workflow. It also gives those new to SRE a toolset to learn with that is not restricted by commercial license costs or "demo" limitations.

    The purpose of this workshop is to teach beginners, with no prior experience in software reverse engineering, about the analysis of software in the Ghidra disassembler. We'll cover the following major topics, with a high degree of interaction between the instructors and students:
    • Defining software reverse engineering terms
    • Setting up an environment for Ghidra
    • Ghidra configuration and usage
    • Linking and Loading
    • Data types
    • C data types and constructs in assembly
    • Simple anti-RE tricks and how to analyze them
    • Methodology for approaching unknown programs (prioritization, analysis)
    • Analysis exercise with a malware sample

    Students should have experience with at least one high-level programming language. C is preferred, but experience with any other language should provide you with the experience necessary to at least read C code. You will not be required to *write* code. No prior software reverse engineering experience is required.

    What to Bring:

    Students that wish to "follow along" in Ghidra and participate in hands-on exercises should bring a laptop. Laptops should be running a 64-bit operating system (macOS, Windows, or Linux), and have at least 4GB RAM (more preferred, especially if you're using virtual machines). Before the workshop, please download and install OpenJDK and Ghidra as described in the instructions at . We can troubleshoot installation problems in-class, but don't count on reliable/fast network access, so try to get it set up ahead of time.

    We will be analyzing *live malware* provided to you on USB. You will need to have administrative capability on your laptop in order to disable or set exclusions on your AV software. While we will not be intentionally executing code (this course is limited to static analysis), you are expected to take whatever measures necessary to protect yourself, to include: bringing a "burner" laptop, having backups, virtualization, and/or common sense.

    If you do not bring a laptop, you can still get some good exposure to reverse engineering with Ghidra! I'll be working in Ghidra most of the time on the projector, and you may coordinate with another student to collaboratively discuss what you're looking at on a shared laptop.

    Trainer Bios:

    As Director of Cyber Operations at HORNE Cyber, Wesley McGrew oversees and participates in offense-oriented services for clients in many areas, including finance, healthcare, manufacturing, and national critical infrastructure. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.

    Tyler Holland is an Operative-Analyst at HORNE Cyber, where he conducts penetration testing, red teaming, and application security engagements. Tyler is an expert in reverse engineering malicious software in support of incident handling engagements.