0

The access to this course is restricted to Hakin9 Premium or IT Pack Premium Subscription.

COURSE IS SELF-PACED, AVAILABLE ON DEMAND

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

Whether you dissect malware or any other software, whether your goal is security testing or understanding how everything works, reverse engineering is the most effective method you can use. This course will hone your assembly language skills, go through how arguments get passed in registers, and land on analyzing sophisticated malware. All of this will be done using Ghidra, the free and open-source tool developed by the National Security Agency. 

Ghidra is one of the most powerful Reverse Engineering tools available in the market, and the course will not only teach you regular RE techniques, but will also show how to boost them using Ghidra’s advanced capabilities. All of this will be done hands-on, with CrackMe's and challenges to test your skills. 

Who is this course for? 

  • Beginners - you want to make sure you have this important skill in your bag when they look for cyber security as a career.
  • Developers - you want to learn how to check how a program works or at what point it fails.
  • Software security teams - you want to understand how you can find bugs in your software.
  • Threat Hunters -  you have just started with analyzing malware and want to learn more.
  • Exploit researchers/developers - you who want to find bugs in execution logic or underlying functions of target applications, and create your exploits accordingly.

Every day attackers target things that could affect your everyday life and work, from nuclear power plants to a simple washing machine in your house. As a security pro these are the problems you are facing right now, and it will only get more serious from now on. You need to keep up with malware to defend against it, and reverse engineering it with top-shelf tools is the best way to do it.

This course will introduce you to Ghidra, which is a reverse engineering tool with one of the most advanced decompilers available on the market. After this course it will be your go-to when you want to deconstruct malware. Let’s face it, malware analysis will not go away anytime soon, and malware authors have always been one step ahead of the security researchers. Why not face them armed with the best arsenal? 

Course benefits:

You will train to:

  • Level up your Assembly programming skills
  • Reveal the internals of software without access to source code
  • Approach and solve a problem with little to none prior information about it
  • Prepare for reverse engineering challenges in CTF competitions
  • Practice scripting in Ghidra
  • Extend your reverse engineering toolset with custom and modified tools. 

What will you learn about? 

  • x86/x86-64 assembly
  • Malware analysis 
  • Embedded firmware analysis
  • In-depth Ghidra usage

What tools will you use? 

  • Ghidra
  • Binwalk
  • Process Explorer
  • GDB
  • x64dbg

Course general information: 

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What to bring with you;

  • Hardware Requirements: Laptop running Windows (preferably Windows 10) as the host OS having at least 8GB of RAM.
  • Software Requirements: VirtualBox/VMware Workstation or Fusion with a clean install of Ubuntu 18.04 and Windows 7.

What should you know before you join? 

  • You are expected to have experience with Linux command line, C/C++ and any scripting language.
  • No prior experience with Windows internals is required.
  • Working knowledge of debuggers such as x64dbg, OllyDbg.

Your instructor: Ashish Gahlot

Ashish is a security researcher from India with an interest in low-level systems. He has previously worked at Smokescreen Technologies to build the endpoint deception agent and Faultline. Working there he has learned in-depth about windows internals and reverse engineering. Ashish has worked with IIT Kanpur to find vulnerabilities and has published multiple CVEs in Industrial Control Systems which included finding bugs both in PLC/RTU and SCADA software.

 

 

 

COURSE SYLLABUS

Introduction

Introduction to x86/x86-64 assembly:

  • Windows & Linux calling convention
  • Stack organization
  • Function prolog and epilog
  • Segmentation
  • Understanding loops in assembly

Module 1

Getting started with Ghidra

In this module, we will go through an introduction to assembly language that will act as a foundation for using Ghidra and in the future how malware works. We will also learn how an executable gets executed by the operating system and how the internals of the program differ from UNIX type operating systems and Windows.

Practical:

  • Setting up the lab environment
  • Getting started with Ghidra
  • Introduction to Windows tools
  • Analyzing Linux and Windows executables in Ghidra
  • Basics of GDB
  • Ghidra GDB bridge

Exercises:

  • Solve the given crackmes, based on topics from the Introduction as well as Module 1 practical part.
  • You will provide a report with a detailed analysis of your solution.
  • You will be graded on the basis of how well you have understood the problem, and not just a brute force solution.

Module 2

Windows internals and Introduction to Ghidra

In this module, we take a deep dive into the various executable format structures and some of the most commonly used Windows APIs and how they work. We then move on to analyze x64 bit executables in Ghidra and tackle various challenges of compiler optimization while debugging.

Practical:

  • Reverse engineering tools (CFF explorer, sysinternals)
  • Taking a look at Shadow stack in Ghidra and debugging x64 code
  • Shared vs Dynamic Linking
  • Basic bug classes
  • Reversing C++

Theory:

  • Executable file formats
  • ELF file format
  • PE internals
  • Gathering info from PE file
  • Imports and Exports
  • WinApi and its prefixes    
  • Undocumented functions

Exercises:

  1. Find information of the given binary.
  2. Hijack the control flow of the given executable.
  • You will reinforce the module by learning about heap exploitation, Return Oriented Programming and how to use it with latest mitigations in place.
  • The topics the exercises most correspond with is Executable file format, Imports and Exports, WinApi.
  • You will generate a report with the information about the binary and how control flow in executable was hijacked. 

Module 3

Scripting with Ghidra

In this module, we now move to some advanced capabilities that are available inside Ghidra. Ghidra is written in Java, and its plugins can be written in Java or Python.  The Python Interpreter interacts with Ghidra’s Java API through Jython. We will learn how we can utilise the scripting engine to find vulnerabilities in executable code.

Practical:

  • Introduction to firmware reversing
  • Setting up the Ghidra plugin Dev environment using Eclipse
  • Ghidra scripting 101
    • FlatProgramAPI
  • Using Ghidra p-code to find vulnerable functions
  • Ghidra headless mode
  • Using patch diffing to find CVE-2019-11932

Theory:

  • Scripting in Ghidra (python3 bridge)
  • Understanding Ghidra p-code
  • SLEIGH language format
  • Ghidra patch diffing

Exercises:

  1. Firmware reversing and Ghidra scripting.
  2. Find the vulnerable code in the given executable.
  • The topics that the exercise most corresponds with are Scripting with Ghidra, Firmware reversing and Patch diffing with Ghidra.
  • You will prepare a report with scripts and screenshots of vulnerable functions.

Module 4

Malware analysis using Ghidra

Packers are mainly used by malware authors to make the reverse engineering of malware more difficult and time consuming. In this module, we will have a look at different types of packers and how to unpack them. Also, we will learn how to evade anti-debugging techniques while analysing malware.

Practical:

  • Packed vs unpacked malware in Ghidra (Process Hollowing malware)
  • Credential stealing malware (having a look at Windows vault)
  • Unpacking Gandcrab ransomware
  • Static analysis of Trickbot dropper using Ghidra

Theory:

  • Common API Used in Malware
  • Process injection techniques
  • Anti-debugging Techniques
  • Understanding Packed Malware

Exercises:

  1. Reverse Engineering the Windows Vault System.
  2. Unpacking a malware sample.
  • You will prepare an in-depth explanation of how can one add credential to the Windows Vault with pseudo/source code.
  • You will also present how you unpacked the malware sample.
  • The topics that exercises correspond with are Common API used in malware, packed malware, Credential stealing malware.

Final exam

You will be asked to perform a detailed analysis of a malware sample using Ghidra and reverse engineering skills you mastered in the course. 

QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].

Course Reviews

4

4
2 ratings
  • 5 stars0
  • 4 stars2
  • 3 stars0
  • 2 stars0
  • 1 stars0
  1. d@em0nJuly 24, 2020 at 10:57 pmReply

    A great way to learn RE and Ghidra

    4

    I have to admit that I have some experience with RE but this course was still very fun and had some challenging exercises (my favorites were diffing to find a vulnerability and the final exam). Ashish does a wonderful job explaining the concepts and each module finishes up with an assessment to practice and test your understanding. Even though I had some prior experience it was good to review and practice the fundamentals, plus I learned some new techniques that I can use in future RE work. Highly recommend this course to anyone willing to learn RE and Ghidra.

  2. AshleyApril 22, 2020 at 1:13 pmReply

    Good introductory course for SRE, but does require external research on top of going through the course notes and videos

    4

    This course starts with the basics of assembly, and covers Ghidra use in detail as well as other static and dynamic analysis tools for Unix and Windows (it isn’t purely a Ghidra course). In my opinion, the course gets harder as it progresses.

    The assessments are a great way to consolidate learning from each module. The examples in the notes / videos are in my opinion however are much simpler than the assessments. All assessments are possible to complete fully but require external research, you cannot solve them purely from the notes and unless you are an expert I don’t think they can be solved that quickly.

    I also got responses to questions or marks from assignments back generally within 24 hours which I think is great.

    For info I am not new to SRE, I had been doing it for over a year when I signed up to this course.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
Please review your information and consent to the processing of your personal data.(Required)
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?
Please review your information and consent to the processing of your personal data.(Required)

Download Free eBook

Step 1 of 4

Name(Required)

We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.