Whether you dissect malware or any other software, whether your goal is security testing or understanding how everything works, reverse engineering is the most effective method you can use. This course will hone your assembly language skills, go through how arguments get passed in registers, and land on analyzing sophisticated malware. All of this will be done using Ghidra, the free and open-source tool developed by the National Security Agency.

Ghidra is one of the most powerful reverse engineering tools available on the market, and the course will not only teach you regular RE techniques, but will also show how to boost them using Ghidra's advanced capabilities. All of this will be done hands-on, with crackmes and challenges to test your skills.

Why you?

Who is this course for?

Beginners - you want to make sure you have this important skill in your bag when you look at cyber security as a career.

Developers - you want to learn how to check how a program works or at what point it fails.

Software security teams - you want to understand how you can find bugs in your software.

Threat Hunters - you have just started analyzing malware and want to learn more.

Exploit researchers/developers - you want to find bugs in the execution logic or underlying functions of target applications, and create your exploits accordingly.

Why now?

Every day attackers target things that could affect your everyday life and work, from nuclear power plants to a simple washing machine in your house. As a security pro these are the problems you are facing right now, and it will only get more serious from now on. You need to keep up with malware to defend against it, and reverse engineering it with top-shelf tools is the best way to do it.

Why this course?

This course will introduce you to Ghidra, a reverse engineering tool with one of the most advanced decompilers available on the market. After this course it will be your go-to when you want to deconstruct malware. Let's face it, malware analysis will not go away anytime soon, and malware authors have always been one step ahead of security researchers. Why not face them armed with the best arsenal?

Course benefits:

Skills

You will train to:

Level up your Assembly programming skills

Reveal the internals of software without access to source code

Approach and solve a problem with little to no prior information about it

Prepare for reverse engineering challenges in CTF competitions

Practice scripting in Ghidra

Extend your reverse engineering toolset with custom and modified tools

Knowledge

What will you learn about?

x86/x86-64 assembly

Malware analysis

Embedded firmware analysis

In-depth Ghidra usage

Course general information:

How this works

COURSE IS SELF-PACED, AVAILABLE ON DEMAND

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points.

Course format:

Self-paced

Pre-recorded

Accessible even after you finish the course

No preset deadlines

Materials are video, labs, and text

All videos captioned

Lab setup

What to bring with you:

Hardware requirements: Laptop running Windows (preferably Windows 10) as the host OS with at least 8GB of RAM.

Software requirements: VirtualBox, VMware Workstation or Fusion with a clean install of Ubuntu 18.04 and Windows 7.

Prerequisites

What should you know before you join?

You are expected to have experience with the Linux command line, C/C++ and any scripting language.

No prior experience with Windows internals is required.

Working knowledge of debuggers such as x64dbg or OllyDbg.

Your instructor: Ashish Gahlot

Ashish is a security researcher from India with an interest in low-level systems. He previously worked at Smokescreen Technologies, building the endpoint deception agent and Faultline, where he learned in depth about Windows internals and reverse engineering. Ashish has worked with IIT Kanpur to find vulnerabilities and has published multiple CVEs in Industrial Control Systems, covering bugs in both PLC/RTU and SCADA software.

COURSE SYLLABUS

Introduction

Topics:

Introduction to x86/x86-64 assembly:

Windows & Linux calling conventions

Stack organization

Function prolog and epilog

Segmentation

Understanding loops in assembly

Module 1

Getting started with Ghidra

In this module, we will go through an introduction to assembly language that will act as a foundation for using Ghidra and, later, for understanding how malware works. We will also learn how an executable gets executed by the operating system and how the internals of a program differ between UNIX-type operating systems and Windows.

Practical:

Setting up the lab environment

Getting started with Ghidra

Introduction to Windows tools

Analyzing Linux and Windows executables in Ghidra

Basics of GDB

Ghidra GDB bridge

Exercises:

Solve the given crackmes, based on topics from the Introduction as well as the Module 1 practical part.

You will provide a report with a detailed analysis of your solution.

You will be graded on the basis of how well you have understood the problem, and not just on a brute-force solution.

Module 2

Windows internals and Introduction to Ghidra

In this module, we take a deep dive into the various executable format structures and some of the most commonly used Windows APIs and how they work. We then move on to analyze x64 executables in Ghidra and tackle the challenges that compiler optimization creates while debugging.

Practical:

Reverse engineering tools (CFF Explorer, Sysinternals)

Taking a look at Shadow stack in Ghidra and debugging x64 code

Shared vs Dynamic Linking

Basic bug classes

Reversing C++

Theory:

Executable file formats

ELF file format

PE internals

Gathering info from PE file

Imports and Exports

WinApi and its prefixes

Undocumented functions

Exercises:

Find information about the given binary. Hijack the control flow of the given executable. You will reinforce the module by learning about heap exploitation, Return Oriented Programming and how to use it with the latest mitigations in place.

The topics the exercises most correspond with are Executable file formats, Imports and Exports, and WinApi.

You will generate a report with the information about the binary and how the control flow of the executable was hijacked.

Module 3

Scripting with Ghidra

In this module, we move on to some of the advanced capabilities available inside Ghidra. Ghidra is written in Java, and its plugins can be written in Java or Python. The Python interpreter interacts with Ghidra's Java API through Jython. We will learn how to use the scripting engine to find vulnerabilities in executable code.

Practical:

Introduction to firmware reversing

Setting up the Ghidra plugin Dev environment using Eclipse

Ghidra scripting 101: FlatProgramAPI

Using Ghidra p-code to find vulnerable functions

Ghidra headless mode

Using patch diffing to find CVE-2019-11932

Theory:

Scripting in Ghidra (python3 bridge)

Understanding Ghidra p-code

SLEIGH language format

Ghidra patch diffing

Exercises:

Firmware reversing and Ghidra scripting. Find the vulnerable code in the given executable. The topics the exercise most corresponds with are Scripting with Ghidra, Firmware reversing and Patch diffing with Ghidra.

You will prepare a report with scripts and screenshots of vulnerable functions.

Module 4

Malware analysis using Ghidra

Packers are mainly used by malware authors to make the reverse engineering of malware more difficult and time consuming. In this module, we will have a look at different types of packers and how to unpack them. Also, we will learn how to evade anti-debugging techniques while analysing malware.

Practical:

Packed vs unpacked malware in Ghidra (Process Hollowing malware)

Credential stealing malware (having a look at Windows vault)

Unpacking Gandcrab ransomware

Static analysis of a Trickbot dropper using Ghidra

Theory:

Common API used in malware

Process injection techniques

Anti-debugging Techniques

Understanding Packed Malware

Exercises:

Reverse engineering the Windows Vault system. Unpacking a malware sample. You will prepare an in-depth explanation of how one can add a credential to the Windows Vault, with pseudo or source code.

You will also present how you unpacked the malware sample.

The topics the exercises correspond with are Common API used in malware, Packed malware, and Credential stealing malware.

Final exam

You will be asked to perform a detailed analysis of a malware sample using Ghidra and the reverse engineering skills you mastered in the course.

QUESTIONS?

If you have any questions, please contact our eLearning Manager Marta at [email protected].