Reverse Engineering with Ghidra is an intensive, comprehensive course meticulously designed for cybersecurity professionals and organizations seeking expertise in the NSA's premier reverse engineering tool - Ghidra. This Ghidra training offers a deep dive into the art of reverse engineering, focusing on practical, real-world applications that leverage Ghidra's advanced capabilities.

Developed by the National Security Agency (NSA), Ghidra is a powerful open-source software reverse engineering (SRE) framework. It stands out as a superior tool in the cybersecurity domain due to its versatility and adaptability. Ghidra supports multiple platforms, including Windows, Linux, and MacOS, and accommodates an array of architectures such as ARM, PowerPC, MIPS, x86, and x64. Its built-in decompiler sets it apart from other reversing software by translating low-level machine code back into a human-readable format.

Perfectly suited for beginners and advanced practitioners alike, this Ghidra course explores how to use Ghidra for reverse engineering in-depth. This includes static analysis of real-world binaries, application of manual and automated techniques, effective utilization of Ghidra's strengths, and mitigation of its weaknesses.

Through this course, students will not only learn the fundamentals of Ghidra software reverse engineering but also gain proficiency in advanced topics. These include automation with Ghidra, data extraction, cross-architecture analysis, and automated binary similarity analysis.

The Ghidra training also includes a significant focus on practical applications. Students will have the opportunity to work with Windows binaries, Linux binaries, and binaries from various architectures. This hands-on approach ensures that students can immediately apply their newly acquired skills in their professional roles, making this course a valuable investment for both individuals and organizations.

The course is live and recorded each day, with recordings posted at the end of each day. Students keep the VM, exercises, solutions, and all recordings. Students are encouraged to post all the materials in their organizations internal wiki to be used as future reference for themselves and other staff.

Who Should Take This Reverse Engineering with Ghidra course?

The course is designed for a broad range of individuals and professionals who are keen on gaining a comprehensive understanding of the NSA's premiere reverse engineering tool, Ghidra. Here are the specific groups who will benefit the most from this course:

1. Cybersecurity Professionals: If you're already in the cybersecurity field, this Ghidra course will augment your skillset, allowing you to perform more advanced vulnerability assessments and threat analyses.
   

2. Beginners in Reverse Engineering: If you're new to the field, this course serves as an excellent introduction to Ghidra software reverse engineering. It will equip you with a strong foundation in using Ghidra for reverse engineering, preparing you for more advanced topics.
   

3. Threat Analysts and Digital Forensic Investigators: This course will provide you with a powerful new tool in your arsenal, helping you better understand and interpret the digital evidence you encounter in your day-to-day work.
   

4. US Military Personnel: Given the national security implications of cybersecurity, this course is of particular relevance to those serving in the military. Understanding how to use the NSA reverse engineering tool Ghidra will enhance your capacity to protect sensitive information and systems.
   

5. IT Professionals and System Administrators: For those responsible for the security and integrity of IT systems, this Ghidra training will help you better understand potential vulnerabilities, allowing you to secure your systems more effectively.
   

6. Computer Science Students and Academics: If you're studying or teaching in a field related to computing or cybersecurity, this course offers valuable practical knowledge and skills that complement theoretical learning.
   

Course Schedule:

Day 1: Ghidra Overview - Building Your Foundation

Our journey into reverse engineering with Ghidra commences with a comprehensive overview of the platform. We will explore:

• Project Management: Learn how to effectively manage and organize your projects within Ghidra, including importing and exporting files and setting up shared projects for collaborative work.
  

• Code Navigation and Manipulation: Delve into the nuances of navigating through disassembled code, manipulating views, and understanding the code hierarchy.
  

• Symbols, Labels, Bookmarks, and Searching: Get acquainted with the robust features of Ghidra for annotating and navigating your analysis, including creating labels, adding bookmarks, and using advanced search techniques.
  

• Disassembler-Decompiler Interaction: Understand the interplay between Ghidra's disassembler and decompiler, and learn how to utilize this relationship for effective reverse engineering.
  

• Patching: Gain practical skills in modifying binaries within Ghidra, a crucial step in exploit development and vulnerability patching.
  

Day 2: Ghidra Expert Tools - Deep Diving into Advanced Features

On the second day, we will delve deeper into the Ghidra toolset, covering:

• Decompiler Deep Dive: Explore the power of Ghidra's decompiler and how it translates machine code back into high-level languages.
  

• Datatype and Memory Management: Learn to define and manage datatypes and understand Ghidra's memory representation and its implications for your reverse engineering tasks.
  

• P-code and Program Flow: Uncover the intermediate language used by Ghidra’s decompiler and how it aids in understanding complex program flow.
  

• Ghidra Tools and Plugin Groups: Discover additional tools and plugins that extend Ghidra's capabilities, enabling more effective and efficient analysis.
  

Day 3: Automation with Ghidra - Streamlining Your Analysis

Day three is dedicated to automating your Ghidra workflow. We will cover:

• Python Prompt and Script Manager: Discover how to automate repetitive tasks using Ghidra's Python interface and script management system.
  

• Eclipse GhidraDev Extension: Learn to develop your own Ghidra plugins and scripts using the GhidraDev extension for the popular Eclipse IDE.
  

• Ghidra+Jupyter Lab: Unveil the powerful combination of Ghidra with Jupyter Lab for interactive, notebook-based reverse engineering.
  

• Ghidra API: Learn to harness the Ghidra API for custom extensions and deeper integration with your tools and workflows.
  

Day 4: Advanced Automation Techniques - Taking Your Analysis to the Next Level

The fourth day delves into advanced automation techniques that can significantly enhance your analysis capabilities:

• Headless Mode for Batch Analysis: Learn how to leverage Ghidra's headless mode to perform batch analysis of multiple binaries, a powerful technique for large-scale investigations.
  

• Data Extraction: Discover how to extract valuable information from binaries, such as strings, functions, and cyclomatic complexity measures.
  

• Cross-architecture Analysis: Understand how to use Ghidra for analyzing binaries from different architectures, a crucial skill in the multi-platform world of cybersecurity.
  

• Development with Eclipse and the GhidraDev Plugin: Dive deeper into developing custom extensions and scripts for Ghidra using Eclipse and the GhidraDev plugin.
  

Day 5: Automated Binary Similarity Analysis - Unveiling Hidden Connections

On the final day, we will focus on advanced techniques for binary similarity analysis:

• Function-level Binary Similarity Analysis: Learn to use Ghidra to identify similar functions across different binaries, a crucial tool in malware analysis and threat intelligence.
  

• Analysis and Graphing of Large Datasets: Discover how to analyze and visualize large datasets from your Ghidra analyses, enabling you to spot trends and patterns that can inform your cybersecurity strategies.

Prerequisites

Students are expected to have some experience with static and dynamic analysis, Linux, Windows, command line tools, shell scripting, C, and Python. Students should have the ability to do the following:

• Declare an array pointer in C

• Write a Python script to XOR an encoded string

Required Hardware/Software

Students are expected to bring their own laptops. The laptops are required to run a 30GB virtual machine but will not perform any intensive computation. A recommended hardware configuration would have the following:

• 50 GB of free hard disk space

• 16 GB of RAM

• 4 Processor cores

• VMWare or Virtual Box to import an ova file

In today's increasingly digital world, a deep understanding of cybersecurity and the tools used to maintain it, such as Ghidra, is an invaluable asset. By completing this comprehensive course on reverse engineering with Ghidra, you will not only acquire the practical skills to conduct efficient and effective analysis of various binaries, but you will also gain a deep theoretical understanding of Ghidra's functionalities and how they are applied in real-world scenarios. This fusion of theoretical and practical knowledge empowers you to confidently tackle the ever-evolving challenges in the realm of cybersecurity.

In addition to enhancing your individual skill set, this training is also designed to benefit your organization. The course materials, including VM, exercises, solutions, and all recordings, can be used as an ongoing resource, helping to build institutional knowledge and skills. With the skills and knowledge gained from this course, you will be able to drive the security initiatives in your organization, contributing to a more secure and resilient digital infrastructure.