Tweet
Title: Introduction to Reverse Engineering With Ghidra
Instructor: Wesley McGrew & Tyler Holland
Abstract: The open-source release of the NSA's Ghidra disassembler gives software reverse engineers a free option for high-capability interactive analysis of binary code. Many software reverse engineering (SRE) practitioners have been spending time since the release learning about Ghidra and bringing it into their workflow. It also gives those new to SRE a toolset to learn with that is not restricted by commercial license costs or "demo" limitations.
The purpose of this workshop is to teach beginners, with no prior experience in software reverse engineering, about the analysis of software in the Ghidra disassembler. We'll cover the following major topics, with high degree of interaction between the instructors and students:
- Defining software reverse engineering terms
- Setting up an environment for Ghidra
- Ghidra configuration and usage
- Linking and Loading
- Data types
- C data types and constructs in assembly
- Simple anti-RE tricks and how to analyze them
- Methodology for approaching unknown programs (prioritization, analysis)
- Analysis exercise with a malware sample
Level: Beginner
Pre-Requisites: Students should have experience with at least one high-level programming language. C is preferred, but experience with any other language should provide you with the experience necessary to at least read C code. You will not be required to *write* code. No prior software reverse engineering experience is required.
Required Materials: Students that wish to "follow along" in Ghidra and participate in hands-on exercises should bring a laptop. Laptops should be running a 64-bit operating system (macOS, Windows, or Linux), and have at least 4GB RAM (more preferred, especially if you're using virtual machines). Before the workshop, please download and install OpenJDK and Ghidra as described in the instructions at https://ghidra-sre.org/ . We can troubleshoot installation problems in-class, but don't count on reliable/fast network access, so try to get it set up ahead of time.
We will be analyzing *live malware* provided to you on USB. You will need to have administrative capability on your laptop in order to disable or set exclusions on your AV software. While we will not be intentionally executing code (this course is limited to static analysis), you are expected to take whatever measures necessary to protect yourself, to include: bringing a "burner" laptop, having backups, virtualization, and/or common sense.
If you do not bring a laptop, you can still get some good exposure to reverse engineering with Ghidra! I'll be working in Ghidra most of the time on the projector, and you may coordinate with another student to collaboratively discuss what you're looking at on a shared laptop.
Instructor: Wesley McGrew & Tyler Holland
Abstract: The open-source release of the NSA's Ghidra disassembler gives software reverse engineers a free option for high-capability interactive analysis of binary code. Many software reverse engineering (SRE) practitioners have been spending time since the release learning about Ghidra and bringing it into their workflow. It also gives those new to SRE a toolset to learn with that is not restricted by commercial license costs or "demo" limitations.
The purpose of this workshop is to teach beginners, with no prior experience in software reverse engineering, about the analysis of software in the Ghidra disassembler. We'll cover the following major topics, with high degree of interaction between the instructors and students:
- Defining software reverse engineering terms
- Setting up an environment for Ghidra
- Ghidra configuration and usage
- Linking and Loading
- Data types
- C data types and constructs in assembly
- Simple anti-RE tricks and how to analyze them
- Methodology for approaching unknown programs (prioritization, analysis)
- Analysis exercise with a malware sample
Level: Beginner
Pre-Requisites: Students should have experience with at least one high-level programming language. C is preferred, but experience with any other language should provide you with the experience necessary to at least read C code. You will not be required to *write* code. No prior software reverse engineering experience is required.
Required Materials: Students that wish to "follow along" in Ghidra and participate in hands-on exercises should bring a laptop. Laptops should be running a 64-bit operating system (macOS, Windows, or Linux), and have at least 4GB RAM (more preferred, especially if you're using virtual machines). Before the workshop, please download and install OpenJDK and Ghidra as described in the instructions at https://ghidra-sre.org/ . We can troubleshoot installation problems in-class, but don't count on reliable/fast network access, so try to get it set up ahead of time.
We will be analyzing *live malware* provided to you on USB. You will need to have administrative capability on your laptop in order to disable or set exclusions on your AV software. While we will not be intentionally executing code (this course is limited to static analysis), you are expected to take whatever measures necessary to protect yourself, to include: bringing a "burner" laptop, having backups, virtualization, and/or common sense.
If you do not bring a laptop, you can still get some good exposure to reverse engineering with Ghidra! I'll be working in Ghidra most of the time on the projector, and you may coordinate with another student to collaboratively discuss what you're looking at on a shared laptop.
Comment