Software reverse engineering is an intimidatingly technical skill to pick up. The goal is to accomplish something that, by the design of how software is built, isn’t meant to be done. Introductory courses on programming that teach “compiled” languages, such as C, often describe the compilation process that builds a program from source code as being “one way”. To learn how we can answer questions about malicious software and vulnerabilities in widely-used programs requires the study of complex tools, computer architecture, and methodology.
For the past seven years, I have designed and taught reverse engineering curriculum at Mississippi State University, to teach the background and skills needed to reverse engineer software. This August, I will be bringing a small part of that to the most well-known conference on hacking around, DEF CON 27. An open source tool for reverse engineering, Ghidra, was recently released in March, and I will be using it as a platform to teach a four-hour reverse engineering workshop.
The purpose of Introduction to Reverse Engineering with Ghidra is to teach beginners, with no prior experience in software reverse engineering, about the analysis of software in the Ghidra disassembler. We'll cover the following major topics, with high degree of interaction between the instructors and students:
- Defining software reverse engineering terms
- Setting up an environment for Ghidra
- Ghidra configuration and usage
- Linking and Loading
- Data types
- C data types and constructs in assembly
- Simple anti-RE tricks and how to analyze them
- Methodology for approaching unknown programs (prioritization, analysis)
- Analysis exercise with a malware sample
While no prior reverse engineering experience is required, the students that will attend should have experience in at least one high-level programming language, such as C. Students will be provided live malware samples to study! The vast majority of the class will be spent hands-on in the Ghidra interface, with my co-instructor Tyler Holland and I providing commentary on our approach to reverse engineering code.
I’m excited to share with the students at DEF CON the basics of how we approach reverse engineering, which enables us to perform advanced analysis in support of incident response engagements, vulnerability analysis of software, and the analysis of new ransomware variants for our Threat Runner ransomware emulation product. Registration opens on July 8th, and more information on the workshop, available for free to DEF CON attendees, is available on the DEF CON website ( https://www.defcon.org/html/defcon-27/dc-27-workshops.html#mcgrew ).