Course Description
Reverse Engineering with Ghidra is an intensive, comprehensive course meticulously designed for cybersecurity professionals and organizations seeking expertise in the NSA's premier reverse engineering tool, Ghidra. This Ghidra training offers a deep dive into the art of reverse engineering, focusing on practical, real-world applications that leverage Ghidra's advanced capabilities.
Developed by the National Security Agency (NSA), Ghidra is a powerful open-source software reverse engineering (SRE) framework. It stands out as a superior tool in the cybersecurity domain due to its versatility and adaptability. Ghidra supports multiple platforms, including Windows, Linux, and macOS, and accommodates an array of architectures such as ARM, PowerPC, MIPS, x86, and x64. Its built-in decompiler sets it apart from other reversing software by translating low-level machine code back into a human-readable format.
Perfectly suited for beginners and advanced practitioners alike, this Ghidra course explores how to use Ghidra for reverse engineering in-depth. This includes static analysis of real-world binaries, application of manual and automated techniques, effective utilization of Ghidra's strengths, and mitigation of its weaknesses.
Through this course, students will not only learn the fundamentals of Ghidra software reverse engineering but also gain proficiency in advanced topics. These include automation with Ghidra, data extraction, cross-architecture analysis, and automated binary similarity analysis.
The Ghidra training also includes a significant focus on practical applications. Students will have the opportunity to work with Windows binaries, Linux binaries, and binaries from various architectures. This hands-on approach ensures that students can immediately apply their newly acquired skills in their professional roles, making this course a valuable investment for both individuals and organizations.
The course is live and recorded each day, with recordings posted at the end of each day. Students keep the VM, exercises, solutions, and all recordings. Students are encouraged to post all the materials on their organization's internal wiki to be used as a future reference for themselves and other staff.
Who Should Take This Reverse Engineering with Ghidra course?
The course is designed for a broad range of individuals and professionals who are keen on gaining a comprehensive understanding of the NSA's premier reverse engineering tool, Ghidra. Here are the specific groups who will benefit the most from this course:
Cybersecurity Professionals: If you're already in the cybersecurity field, this Ghidra course will augment your skillset, allowing you to perform more advanced vulnerability assessments and threat analyses.
Beginners in Reverse Engineering: If you're new to the field, this course serves as an excellent introduction to Ghidra software reverse engineering. It will equip you with a strong foundation in using Ghidra for reverse engineering, preparing you for more advanced topics.
Threat Analysts and Digital Forensic Investigators: This course will provide you with a powerful new tool in your arsenal, helping you better understand and interpret the digital evidence you encounter in your day-to-day work.
US Military Personnel: Given the national security implications of cybersecurity, this course is of particular relevance to those serving in the military. Understanding how to use the NSA reverse engineering tool Ghidra will enhance your capacity to protect sensitive information and systems.
IT Professionals and System Administrators: For those responsible for the security and integrity of IT systems, this Ghidra training will help you better understand potential vulnerabilities, allowing you to secure your systems more effectively.
Computer Science Students and Academics: If you're studying or teaching in a field related to computing or cybersecurity, this course offers valuable practical knowledge and skills that complement theoretical learning.
Course Schedule:
Day 1: Ghidra Overview - Building Your Foundation
Our journey into reverse engineering with Ghidra commences with a comprehensive overview of the platform. We will explore:
Project Management: Learn how to effectively manage and organize your projects within Ghidra, including importing and exporting files and setting up shared projects for collaborative work.
Code Navigation and Manipulation: Delve into the nuances of navigating through disassembled code, manipulating views, and understanding the code hierarchy.
Symbols, Labels, Bookmarks, and Searching: Get acquainted with the robust features of Ghidra for annotating and navigating your analysis, including creating labels, adding bookmarks, and using advanced search techniques.
Disassembler-Decompiler Interaction: Understand the interplay between Ghidra's disassembler and decompiler, and learn how to utilize this relationship for effective reverse engineering.
Patching: Gain practical skills in modifying binaries within Ghidra, a crucial step in exploit development and vulnerability patching.
Day 2: Ghidra Expert Tools - Deep Diving into Advanced Features
On the second day, we will delve deeper into the Ghidra toolset, covering:
Decompiler Deep Dive: Explore the power of Ghidra's decompiler and how it translates machine code back into high-level languages.
Datatype and Memory Management: Learn to define and manage datatypes and understand Ghidra's memory representation and its implications for your reverse engineering tasks.
P-code and Program Flow: Uncover the intermediate language used by Ghidra’s decompiler and how it aids in understanding complex program flow.
Ghidra Tools and Plugin Groups: Discover additional tools and plugins that extend Ghidra's capabilities, enabling more effective and efficient analysis.
Day 3: Automation with Ghidra - Streamlining Your Analysis
Day three is dedicated to automating your Ghidra workflow. We will cover:
Python Prompt and Script Manager: Discover how to automate repetitive tasks using Ghidra's Python interface and script management system.
Eclipse GhidraDev Extension: Learn to develop your own Ghidra plugins and scripts using the GhidraDev extension for the popular Eclipse IDE.
Ghidra+Jupyter Lab: Unveil the powerful combination of Ghidra with Jupyter Lab for interactive, notebook-based reverse engineering.
Ghidra API: Learn to harness the Ghidra API for custom extensions and deeper integration with your tools and workflows.
Day 4: Advanced Automation Techniques - Taking Your Analysis to the Next Level
The fourth day delves into advanced automation techniques that can significantly enhance your analysis capabilities:
Headless Mode for Batch Analysis: Learn how to leverage Ghidra's headless mode to perform batch analysis of multiple binaries, a powerful technique for large-scale investigations.
Data Extraction: Discover how to extract valuable information from binaries, such as strings, functions, and cyclomatic complexity measures.
Cross-architecture Analysis: Understand how to use Ghidra for analyzing binaries from different architectures, a crucial skill in the multi-platform world of cybersecurity.
Development with Eclipse and the GhidraDev Plugin: Dive deeper into developing custom extensions and scripts for Ghidra using Eclipse and the GhidraDev plugin.
Day 5: Automated Binary Similarity Analysis - Unveiling Hidden Connections
On the final day, we will focus on advanced techniques for binary similarity analysis:
Function-level Binary Similarity Analysis: Learn to use Ghidra to identify similar functions across different binaries, a crucial tool in malware analysis and threat intelligence.
Analysis and Graphing of Large Datasets: Discover how to analyze and visualize large datasets from your Ghidra analyses, enabling you to spot trends and patterns that can inform your cybersecurity strategies.
Prerequisites
Students are expected to have some experience with static and dynamic analysis, Linux, Windows, command line tools, shell scripting, C, and Python. Students should have the ability to do the following:
Declare an array pointer in C
Write a Python script to XOR an encoded string
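As an added illustration of the second prerequisite skill (this is example code written for this page, not part of the course materials or the VM), the script below XORs an encoded string against a repeating key and, because XOR-obfuscated strings in a binary often come with no key at all, also recovers an unknown single-byte key by scoring each candidate for ASCII letters, digits and spaces. The sample ciphertext is constructed inline from a plaintext and the key 0x5A; the score threshold of 0.9 is an assumption chosen for this example.

```python
# Added example (not from the course): XOR decoding of an encoded string,
# plus single-byte key recovery of the kind used when pulling obfuscated
# strings out of a binary during static analysis.
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`. XOR is its own inverse, so the
    same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_decode_hex(encoded_hex: str, key: bytes) -> str:
    """Decode a hex-encoded XOR'd blob back to UTF-8 text."""
    return xor_bytes(bytes.fromhex(encoded_hex), key).decode("utf-8")


def text_score(candidate: bytes) -> float:
    """Fraction of bytes that are ASCII letters, digits or spaces. Using only
    this narrow class (not all printable ASCII) avoids ties between the true
    key and keys that merely produce punctuation-heavy printable output."""
    if not candidate:
        return 0.0
    good = sum(
        1 for b in candidate
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A or 0x30 <= b <= 0x39 or b == 0x20
    )
    return good / len(candidate)


def recover_single_byte_key(encoded: bytes, threshold: float = 0.9) -> Optional[int]:
    """Try all 256 single-byte keys and return the one whose output looks most
    like text, or None if no candidate clears `threshold` (an assumed cutoff)."""
    best_key, best_score = None, 0.0
    for k in range(256):
        score = text_score(xor_bytes(encoded, bytes([k])))
        if score > best_score:
            best_key, best_score = k, score
    return best_key if best_score >= threshold else None


# Constructed sample: a plaintext XOR'd with 0x5A, as such a string might sit
# in a binary's data section.
SAMPLE_PLAINTEXT = b"Hello from the Ghidra course"
SAMPLE_KEY = bytes([0x5A])
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print("encoded:", SAMPLE_ENCODED.hex())
    print("decoded with known key:", xor_decode_hex(SAMPLE_ENCODED.hex(), SAMPLE_KEY))
    key = recover_single_byte_key(SAMPLE_ENCODED)
    print("recovered key:", hex(key) if key is not None else None)
```

Multi-byte repeating keys work with the same `xor_bytes` helper; the key-recovery routine is deliberately limited to single-byte keys, which is the common case for lightly obfuscated strings and keeps the search to 256 candidates.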
Required Hardware/Software
Students are expected to bring their own laptops. The laptops are required to run a 30 GB virtual machine but will not perform any intensive computation. A recommended hardware configuration would have the following:
50 GB of free hard disk space
16 GB of RAM
4 Processor cores
VMware or VirtualBox to import an OVA file
In today's increasingly digital world, a deep understanding of cybersecurity and the tools used to maintain it, such as Ghidra, is an invaluable asset. By completing this comprehensive course on reverse engineering with Ghidra, you will not only acquire the practical skills to conduct efficient and effective analysis of various binaries, but you will also gain a deep theoretical understanding of Ghidra's functionalities and how they are applied in real-world scenarios. This fusion of theoretical and practical knowledge empowers you to confidently tackle the ever-evolving challenges in the realm of cybersecurity.
In addition to enhancing your individual skill set, this training is also designed to benefit your organization. The course materials, including VM, exercises, solutions, and all recordings, can be used as an ongoing resource, helping to build institutional knowledge and skills. With the skills and knowledge gained from this course, you will be able to drive the security initiatives in your organization, contributing to a more secure and resilient digital infrastructure.
About Boston Cybernetics Institute
Boston Cybernetics Institute, PBC was created by former MIT Lincoln Lab cybersecurity researchers to give meaningful niche cyber instruction to a new generation of cybersecurity professionals.
We avoid the normal style of teaching with PowerPoint and lectures, opting to provide instead real-life engaging instruction that takes place in a customized environment. We have given our style of instruction to multiple DoD agencies, US commercial companies, and international companies.
Instructors at Boston Cybernetics Institute
Jeremy Blackthorne
President of the Boston Cybernetics Institute
Jeremy Blackthorne is a Lead Instructor at the Boston Cybernetics Institute (BCI). Before BCI, he was a researcher in the Cyber System Assessments group at MIT Lincoln Laboratory. Blackthorne is the co-creator and instructor for the Rensselaer Polytechnic Institute (RPI) courses: Modern Binary Exploitation, Spring 2015 and Malware Analysis, Spring 2013. Jeremy has published research at various academic and industry conferences. He served in the U.S. Marine Corps and is an alumnus of RPISEC. He holds a BS and MS in computer science. Blackthorne was an active member of the Student Security Club and CTF team, RPISEC, from 2012 to 2015, where he taught seminars on Reverse-Engineering, Exploitation, and various other Cybersecurity topics.
Clark Wood
security researcher and instructor
Clark Wood is a security researcher and instructor at the Boston Cybernetics Institute (BCI), focusing on Reverse Engineering, Exploitation, and CI/CD. He recently built a Reverse-Engineering and Exploitation platform for a DoD customer and is the Lead Engineer for BCI’s Government Services. Clark was formerly on the technical staff at MIT Lincoln Laboratory where he was a member of the Cyber System Assessments Group. Clark holds a BA in Economics from the University of Florida, a BS and MS in Computer Science from Florida State University, and a Master’s in Technology and Policy from MIT.
Rodolfo Cuevas
security researcher and instructor
Rodolfo Cuevas is a security researcher and instructor at BCI, where he focuses on understanding how design constraints can be used to limit the impact of an attacker on a system. His research combines the adversarial mindset with approaches influenced by Systems and Control Theory. Rodolfo was a staff member at MIT Lincoln Laboratory and began his career as a RADAR and Ballistic Missile Defense System (BMDS) analyst. Later, Rodolfo transitioned to evaluating and Red-Teaming tactical and commercial cyber systems in support of DoD and other government programs. Rodolfo holds a BS, M.Eng., and M.S. in Electrical and Computer Engineering from Cornell University.
Reed Porada
security researcher and instructor
Reed Porada is a security researcher and instructor at BCI, focused on getting to the "so what" of both defensive and offensive cyber measures. Reed also leads BCI training in Cyber Systems Analysis, focusing on developing systems-thinking skills of developers up to managers. Reed was a staff member at MIT Lincoln Laboratory for ten years, where he was responsible for Test and Evaluation, Test Automation Research, Red-Teaming of Cyber Systems, and Blue System Architectures. Reed was a computer scientist at the Naval Research Laboratory focused on wireless communication systems. He holds a BS in Computer Science from the University of Maryland, College Park and an MS in Software Engineering from Carnegie Mellon University.