Abstract

This is a majority hands-on course on using Ghidra for reverse-engineering and vulnerability research. Exercises include Windows binaries, Linux binaries, and device firmware. Binaries will also be in a variety of architectures, including ARM, PowerPC, MIPS, x86, and x64. After completing this course, students will have the practical skills to use Ghidra in their day-to-day reversing tasks.

Course Topics

• Reversing Engineering With Ghidra
• Ghidra overview
• Project management
• Code navigation, manipulation
• Symbols, labels, bookmarks, searching
• Disassembler-decompiler interaction
• Patching
• Ghidra Expert Tools
• Decompiler deep dive
• Datatype management
• Memory management
• P-code
• Program flow
• Ghidra tools
• Plugin groups
• Automation with Ghidra
• Java/Jython refresher
• The Ghidra FlatAPI
• Development with Eclipse and the GhidraDev plugin
• Analysis in Ghidra headless mode
• Java-Jython interop
• Extending Ghidra with ExtensionPoint
• Loader, Decryptor, FileSystem
• BuiltInDataType, AbstractAnalyzer

Prerequisites

Students are expected to have experience with static and dynamic analysis, Linux, Windows, command line tools, shell scripting, C, and Python. Students should have the ability to do the following:

• Declare an array pointer in C
• Write a python script to XOR an encoded string
• Perform a function trace using a debugger
• Identify dead code using a disassembler

System Requirements

Students are expected to bring their own laptops. The laptops are required to run a 30GB virtual machine but will not perform any intensive computation. A recommended hardware configuration would have the following:

• 50 GB of free hard disk space
• 16 GB of RAM
• 4 Processor cores
• VMWare or Virtual Box to import an ova file