The open-source release of the NSA's Ghidra disassembler gives software reverse engineers a free option for high-capability interactive analysis of binary code. Many software reverse engineering (SRE) practitioners have been spending time since the release learning Ghidra and bringing it into their workflows. It also gives those new to SRE a toolset to learn with that is not restricted by commercial license costs or "demo" limitations.
The goal of this session is to expose attendees with no prior reverse engineering experience to the Ghidra disassembler. Ghidra will be used as an environment in which the basics of reading, navigating, and analyzing executable code will be demonstrated. Dr. McGrew will demonstrate how to install and configure Ghidra, and then load a series of sample programs that he will use to illustrate:
- Strategies for analyzing unknown programs
- Linking and loading in Windows
- Data types
- C code constructs in assembly
All of these concepts will be discussed in the context of the iterative process of reverse engineering unknown code: using what we know about the program from its API calls and other overtly documented information to deduce the types and purposes of undocumented variables and functions.
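As a concrete illustration of the "start from the API calls" strategy described above, here is a Ghidra script that lists, for every function in the loaded program, which imported Windows APIs it calls. This is an added example written for this page, not code from the session or from the Ghidra project. It assumes a PE has been loaded and auto-analyzed with Ghidra's defaults, so that imports appear as external symbols reached through import address table (IAT) slots or thunk functions; the script name, the two-hop walk, and the depth bound are choices made for this example.

```java
// ImportCallers.java -- hypothetical Ghidra script (added example, not from the session).
// Run from Ghidra's Script Manager with a program open in the CodeBrowser.
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;

public class ImportCallers extends GhidraScript {

    @Override
    public void run() throws Exception {
        // function name -> set of "LIBRARY::api" that the function calls
        Map<String, Set<String>> callers = new TreeMap<>();

        // External symbols are the imported APIs (e.g. KERNEL32.DLL::CreateFileW).
        SymbolIterator externals = currentProgram.getSymbolTable().getExternalSymbols();
        while (externals.hasNext() && !monitor.isCancelled()) {
            Symbol api = externals.next();
            String apiName = api.getParentNamespace().getName() + "::" + api.getName();

            // First hop: whatever references the external symbol. In a PE this is
            // normally the IAT slot (data), sometimes a thunk function.
            for (Reference ref : getReferencesTo(api.getAddress())) {
                recordCaller(callers, apiName, ref.getFromAddress(), 0);
            }
        }

        // Print the map; a function that calls CreateFileW, ReadFile and CloseHandle
        // is a strong candidate for "reads a file", before any of its locals are typed.
        for (Map.Entry<String, Set<String>> e : callers.entrySet()) {
            println(e.getKey() + " -> " + String.join(", ", e.getValue()));
        }
    }

    // Walk from a referencing address to the function(s) that actually call the import.
    // An IAT slot is data and sits in no function, and a thunk is just a jmp through the
    // slot, so in both cases we follow the references to that location one more hop.
    private void recordCaller(Map<String, Set<String>> callers, String apiName,
                              Address from, int depth) {
        if (depth > 2) {
            return; // assumed bound on indirection: slot -> thunk -> real caller
        }
        Function f = getFunctionContaining(from);
        if (f == null || f.isThunk()) {
            Address hop = (f == null) ? from : f.getEntryPoint();
            for (Reference ref : getReferencesTo(hop)) {
                recordCaller(callers, apiName, ref.getFromAddress(), depth + 1);
            }
            return;
        }
        callers.computeIfAbsent(f.getName(), k -> new TreeSet<>()).add(apiName);
    }
}
```

The output is the raw material for the deduction step: a function whose only imports are socket, connect and send is worth renaming and retyping before anything else, and the parameters it passes to those documented calls fix the types of the otherwise anonymous local variables that feed them.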
Attendees who wish to follow along should bring a laptop with Ghidra installed (http://ghidra-sre.org). A link will be provided in-class to the samples that will be used. Following along is not required! Attendees who simply observe and ask questions will still gain a useful exposure to reverse engineering and Ghidra. Resources for continuing to learn reverse engineering will be recommended.