Skip to main content

Everyday Ghidra

Practical Windows Reverse Engineering

This course provides a comprehensive guide to using Ghidra, covering fundamental operations to advanced techniques, with hands-on exercises on real-world Windows applications. It’s designed for those with foundational Windows and security knowledge, aiming to equip them with practical “everyday” reverse engineering skills using Ghidra.

Reverse Engineering

Reverse engineering is a technique to understand the workings of software or hardware, often applied to enhance security or compatibility. It is fun, rewarding, and always challenging, especially when dealing with modern Windows closed-source binaries. Enter Ghidra, a robust software reverse engineering framework created by the NSA for in-depth analysis of complex binaries. Ghidra can help you perform in-depth analysis of Windows binaries using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it.

Course Outline

In this course, you will learn how to use Ghidra effectively to reverse engineer Windows binaries. While Ghidra is at the heart of our curriculum, we go far beyond a simple user manual. This course is designed to help you master Windows reverse engineering techniques by using Ghidra as your primary tool.  You will start with the basics of Ghidra, such as creating projects, importing and analyzing binaries, and using Ghidra’s native tools. You will then learn how to customize Ghidra to suit your needs, such as building custom data types and configuring optimal analysis. From there, you will complete progressive labs that will teach you to apply both static and dynamic analysis techniques to dive deep into Windows application behavior using Ghidra’s Windows-specific features and scripts.

Part 1: Introduction to Reverse Engineering With Ghidra

  • Getting Started with Ghidra
  • Import, Analyze, Repeat
  • Windows Security Concepts
  • Managed vs. Native Binaries
  • Ghidorah: Taming the Three-Headed Dragon
  • Code Browser, Debugger, and Version Tracking

Part 2: Reverse Engineering Windows Binaries - Static

  • A Practical Reverse Engineering Workflow
  • Setting Reverse Engineering Goals
  • Binary Acquisition and Analysis Improvements
  • Building Custom Ghidra Data Types
  • Reversing Windows Malware

Part 3: Reverse Engineering Windows Binaries - Dynamic

  • Ghidra Debugger Overview
  • Debugging an Application
  • Pretending All Binaries Come with Source
  • Debugging a Windows RPC Service & RPC Call
  • Case Study: Reversing Petitpotam (NTLM Authentication Bypass)
  • Tools: RPCview, NtObjectManager, System Informer, Sysinternals

Part 4: Patch Diffing and Root Cause Analysis of Windows CVE

  • Patch Diffing in Ghidra
  • Finding and Analyzing a CVE
  • Patch Diffing Windows Binaries
  • Hunting for Vulnerabilities and Finding the Root Cause
  • Building a Trigger Proof-of-Concept

Intended Audience

  • Cybersecurity Professionals: Ideal for those advancing their skills in reverse engineering and malware analysis on Windows.
  • Software Developers: A deep dive into Windows internals for enhanced understanding.
  • Vulnerability Researchers: Hands-on experience with Ghidra for identifying and analyzing vulnerabilities in Windows binaries.

Key Learning Objectives

  • Ghidra Proficiency: Master static and dynamic analysis of Windows binaries.
  • Tool Mastery: Leverage Ghidra’s Code Browser, Debugger, and Version Tracking for complex reverse engineering tasks.
  • Enhanced Analysis Techniques: Create custom data types and utilize Ghidra’s PDB support for deeper insights.
  • Malware Behavior Identification: Reverse engineer Windows malware, recognizing persistence and network communication tactics.
  • Vulnerability Assessment: Analyze patch differences to identify security updates in Windows binaries.
  • Dynamic Debugging: Develop skills to dynamically debug Windows applications for live problem-solving.

Practical Exercises

  • Reverse Engineering Windows Malware: Perform static analysis on malware samples to uncover persistence, network activity, and obfuscation techniques.
  • Dynamically Debugging a Windows RPC Server: Gain insight into Windows RPC and apply dynamic inspection using Ghidra’s Debugger.
  • Patch Diffing & Root Cause Analysis of a Windows CVE: Compare Windows binary versions to track security fixes and understand vulnerability exploitation.

Knowledge Prequisites

  • Basic Knowledge of Windows: Familiarity with the Windows operating system and its core functionalities.
  • Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
  • Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.
  • Debugging: Experience debugging software applications

Related RE content from the instructor:

System Requirements

Hardware

Software

  • VMware Workstation (Free download)

What Students Will Be Provided With

  • Course slides / Training materials
  • Virtual machines with all the labs
  • Resources for further learning
  • Access to course CTF server during and beyond the course
  • Access to instructor(s) via Discord during the course and beyond

Learn Ghidra's Decompilation View

Ghidra Decompilation Debugging

Build Custom Data Types to improve your RE!

Upcoming Courses

  • 📅 Browse Upcoming Events — Find the next in‑person or virtual session that fits your schedule.