Whether you dissect malware or any other software, whether your goal is security testing or understanding how everything works, reverse engineering is the most effective method you can use. This course will hone your assembly language skills, go through how arguments get passed in registers, and land on analyzing sophisticated malware. All of this will be done using Ghidra, the free and open-source tool developed by the National Security Agency.
Ghidra is one of the most powerful Reverse Engineering tools available in the market, and the course will not only teach you regular RE techniques, but will also show how to boost them using Ghidra’s advanced capabilities. All of this will be done hands-on, with CrackMe's and challenges to test your skills.
Who is this course for?
- Beginners - you want to make sure you have this important skill in your bag when they look for cyber security as a career.
- Developers - you want to learn how to check how a program works or at what point it fails.
- Software security teams - you want to understand how you can find bugs in your software.
- Threat Hunters - you have just started with analyzing malware and want to learn more.
- Exploit researchers/developers - you who want to find bugs in execution logic or underlying functions of target applications, and create your exploits accordingly.
Every day attackers target things that could affect your everyday life and work, from nuclear power plants to a simple washing machine in your house. As a security pro these are the problems you are facing right now, and it will only get more serious from now on. You need to keep up with malware to defend against it, and reverse engineering it with top-shelf tools is the best way to do it.
This course will introduce you to Ghidra, which is a reverse engineering tool with one of the most advanced decompilers available on the market. After this course it will be your go-to when you want to deconstruct malware. Let’s face it, malware analysis will not go away anytime soon, and malware authors have always been one step ahead of the security researchers. Why not face them armed with the best arsenal?
You will train to:
- Level up your Assembly programming skills
- Reveal the internals of software without access to source code
- Approach and solve a problem with little to none prior information about it
- Prepare for reverse engineering challenges in CTF competitions
- Practice scripting in Ghidra
- Extend your reverse engineering toolset with custom and modified tools.
What will you learn about?
- x86/x86-64 assembly
- Malware analysis
- Embedded firmware analysis
- In-depth Ghidra usage
What tools will you use?
- Process Explorer
Course general information:
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
COURSE LAUNCH DATE: February 11th 2020
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What to bring with you;
- Hardware Requirements: Laptop running Windows (preferably Windows 10) as the host OS having at least 8GB of RAM.
- Software Requirements: VirtualBox/VMware Workstation or Fusion with a clean install of Ubuntu 18.04 and Windows 7.
What should you know before you join?
- You are expected to have experience with Linux command line, C/C++ and any scripting language.
- No prior experience with Windows internals is required.
- Working knowledge of debuggers such as x64dbg, OllyDbg.
Your instructor: Ashish Gahlot
Ashish is a security researcher from India with an interest in low-level systems. He has previously worked at Smokescreen Technologies to build the endpoint deception agent and Faultline. Working there he has learned in-depth about windows internals and reverse engineering. Ashish has worked with IIT Kanpur to find vulnerabilities and has published multiple CVEs in Industrial Control Systems which included finding bugs both in PLC/RTU and SCADA software.
Introduction to x86/x86-64 assembly:
- Windows & Linux calling convention
- Stack organization
- Function prolog and epilog
- Understanding loops in assembly
Getting started with Ghidra
In this module, we will go through an introduction to assembly language that will act as a foundation for using Ghidra and in the future how malware works. We will also learn how an executable gets executed by the operating system and how the internals of the program differ from UNIX type operating systems and Windows.
- Setting up the lab environment
- Getting started with Ghidra
- Introduction to Windows tools
- Analyzing Linux and Windows executables in Ghidra
- Basics of GDB
- Ghidra GDB bridge
- Solve the given crackmes, based on topics from the Introduction as well as Module 1 practical part.
- You will provide a report with a detailed analysis of your solution.
- You will be graded on the basis of how well you have understood the problem, and not just a brute force solution.
Windows internals and Introduction to Ghidra
In this module, we take a deep dive into the various executable format structures and some of the most commonly used Windows APIs and how they work. We then move on to analyze x64 bit executables in Ghidra and tackle various challenges of compiler optimization while debugging.
- Reverse engineering tools (CFF explorer, sysinternals)
- Taking a look at Shadow stack in Ghidra and debugging x64 code
- Shared vs Dynamic Linking
- Basic bug classes
- Reversing C++
- Executable file formats
- ELF file format
- PE internals
- Gathering info from PE file
- Imports and Exports
- WinApi and its prefixes
- Undocumented functions
- Find information of the given binary.
- Hijack the control flow of the given executable.
- You will reinforce the module by learning about heap exploitation, Return Oriented Programming and how to use it with latest mitigations in place.
- The topics the exercises most correspond with is Executable file format, Imports and Exports, WinApi.
- You will generate a report with the information about the binary and how control flow in executable was hijacked.
Scripting with Ghidra
In this module, we now move to some advanced capabilities that are available inside Ghidra. Ghidra is written in Java, and its plugins can be written in Java or Python. The Python Interpreter interacts with Ghidra’s Java API through Jython. We will learn how we can utilise the scripting engine to find vulnerabilities in executable code.
- Introduction to firmware reversing
- Setting up the Ghidra plugin Dev environment using Eclipse
- Ghidra scripting 101
- Using Ghidra p-code to find vulnerable functions
- Ghidra headless mode
- Using patch diffing to find CVE-2019-11932
- Scripting in Ghidra (python3 bridge)
- Understanding Ghidra p-code
- SLEIGH language format
- Ghidra patch diffing
- Firmware reversing and Ghidra scripting.
- Find the vulnerable code in the given executable.
- The topics that the exercise most corresponds with are Scripting with Ghidra, Firmware reversing and Patch diffing with Ghidra.
- You will prepare a report with scripts and screenshots of vulnerable functions.
Malware analysis using Ghidra
Packers are mainly used by malware authors to make the reverse engineering of malware more difficult and time consuming. In this module, we will have a look at different types of packers and how to unpack them. Also, we will learn how to evade anti-debugging techniques while analysing malware.
- Packed vs unpacked malware in Ghidra (Process Hollowing malware)
- Credential stealing malware (having a look at Windows vault)
- Unpacking Gandcrab ransomware
- Static analysis of Trickbot dropper using Ghidra
- Common API Used in Malware
- Process injection techniques
- Anti-debugging Techniques
- Understanding Packed Malware
- Reverse Engineering the Windows Vault System.
- Unpacking a malware sample.
- You will prepare an in-depth explanation of how can one add credential to the Windows Vault with pseudo/source code.
- You will also present how you unpacked the malware sample.
- The topics that exercises correspond with are Common API used in malware, packed malware, Credential stealing malware.
You will be asked to perform a detailed analysis of a malware sample using Ghidra and reverse engineering skills you mastered in the course.
If you have any questions, please contact our eLearning Manager Marta at [email protected].