I am very excited to share that I will be offering my Ghidra training course at Black Hat USA 2021. As an online event, this is the perfect opportunity for Black Hat caliber training without hotel and airfare costs. Registration for "A Beginner’s Guide to Reversing with Ghidra "on July 31 and August 1 2021 is now available via the Black Hat web site.
With the public release of Ghidra, NSA has democratized access to advanced reverse engineering capabilities. Foremost among these features is that Ghidra has a decompiler rivaling the capabilities of commercial software many of us have spent a small fortune on over the years. Join me to learn how to navigate Ghidra and customize it to suit your workflow. As a student, you will gain hands-on experience using Ghidra to analyze crackme binaries as well as real-world software including an obfuscated IoT malware sample.
Ghidra in the Classroom
On the first day of class, we will systematically explore all of Ghidra’s core features with periodic breaks to run through unit exercises. Beyond simply introducing the features of Ghidra, I will show you the nuances of interacting with it so you can hit the ground running. We will use crackme challenges to apply and reinforce the new skills.
By Day 2, we will be ready to start extending functionality with Ghidra’s Python 2.7 interpreter to access the underlying API. We will author Python scripts to perform custom reversing tasks and then integrate these scripts into the Ghidra CodeBrowser tool. Ultimately, we will be able to dissect a sample of Mirai, identify obfuscated functionality and implement scripts to dump an encryption key and enumerate the bot net configuration parameters. Students will also have the opportunity to analyze a simulated ransomware sample which can be used to recover encrypted files.
Leading up to this, we will explore common obfuscations which have been used to protect proprietary applications or obscure malicious functionality. Although the class will not focus on finding vulnerabilities through reverse engineering, rest assured that we will take some time to analyze code vulnerabilities for perspective on how these present within disassembled or decompiled code. We will also learn how to recognize common confounding issues and work through them to achieve objectives.
Throughout each day, I will introduce topical challenges which you can tackle independently or with the aid of an illustrated guide before I walk through my solution for each challenge. To get the most out of this class, it is best to already be comfortable with basic Python scripting. Familiarity with computer architecture concepts (like stack vs. heap memory) and prior exposure to C programming is also recommended but not strictly required to succeed in this class.
Whether you are just getting into reverse engineering or just looking to upgrade your toolkit, this class will provide the fundamentals you need to succeed when analyzing code in Ghidra.
In the meantime, please have a look at my recent Ghidra 101 posts and perhaps let me know on Twitter what topics you’d like to see next: