The Joy of Reverse Engineering: Learning With Ghidra and WinDbg

Presented at DEF CON 31 (2023), Aug. 12, 2023, 2 p.m. (240 minutes)

While it can be intimidating to "get into" software reverse engineering (RE), it can be very rewarding. Reverse engineering skills will serve you well in malicious software analysis, vulnerability discovery, exploit development, bypassing host-based protection, and in approaching many other interesting and useful problems in hacking. Being able to study how software works, without source code or documentation, will give you the confidence that there is nothing about a computer system you can't understand, if you simply apply enough time and effort. Beyond all of this: it's fun. Every malicious program becomes a new and interesting puzzle to "solve".

The purpose of this workshop is to introduce software reverse engineering to the attendees, using static and dynamic techniques with the Ghidra disassembler and WinDbg debugger. No prior experience in reverse engineering is necessary. There will be few slides: concepts and techniques will be illustrated within the Ghidra and WinDbg environments, and attendees can follow along with their own laptops and virtual environments.

We will cover the following topics:

- Software Reverse Engineering concepts and terminology
- Setting up WinDbg and Ghidra
- The execution environment (CPU, Virtual Memory, Linking and Loading)
- C constructs, as seen in disassembled code
- Combining static and dynamic analysis to understand and document compiled binary code
- Methodology and approaches for reverse engineering large programs
- Hands-on malware analysis
- How to approach a "new-to-you" architecture

Skill Level: Beginner

Prerequisites for students:

- No previous reverse engineering experience required.
- Basic familiarity with programming in a high-level language is necessary (C preferred; scripting languages like Python would be okay).

Materials or Equipment students will need to bring to participate:

- A laptop with a fresh Windows 10 Virtual Machine.
- Being able to dedicate 8GB RAM to the VM (meaning, you probably have 16GB in your laptop) will make the experience smoother, but you can get by with 4GB.
- 10 GB storage free in the VM (after installing Windows).
- Administrative privileges.
- Ability to copy exercise files from USB.

We will be working with live malware samples. Depending on your comfort level with this, bring a "burner" laptop, use a clean drive, or plan on doing a clean install before and after the workshop.

Presenters:

  • Wesley McGrew - Senior Cyber Fellow at MartinFed
    Dr. Wesley McGrew directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and taught a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.