
Reverse engineering and looking for code reuse in malware with Ghidra
2-day in-person
This two-day training dives into Ghidra’s internals so you can automate the tedious and repetitive steps and focus on the sections that matter. You will be introduced to Ghidra, its internal API, how to use AI and LLMs efficiently to aid you during your reversing endeavours, and more of Ghidra’s features. You will get hands-on experience with malware that was found in the wild, analysing the files and automating repetitive steps. Additionally, you will learn how to create signatures for functions in order to find those functions, as well as similar ones, in other files.
The included exercises vary in difficulty, and you can mix and match what you prefer to work on. After two days, you will walk away with the knowledge of how to automate tedious work with Ghidra’s API, the ability to find differences between two binaries and apply the function signatures of one binary to another binary’s functions, and a deep fundamental understanding of Ghidra’s most commonly used features.
Course Overview
This outline first briefly covers the difference between the goals of the two days, after which each day is covered in detail. Both days contain theory sections, but I am a firm believer that nothing beats hands-on experience. As such, the majority of the time in this training is spent hands-on with actual malware samples. During any of the hands-on time, I am available for questions, and I will walk around the classroom to proactively ask attendees to explain what they are doing.
Day 1
The first day begins with introductions, virtual machine setup guidance, and a foundational theory session on navigating and using Ghidra. You will then work through increasingly advanced exercises using malware such as Amadey stealer and XorDDoS. These tasks involve analyzing binaries, decrypting strings, automating workflows, and understanding how Ghidra’s decompiler and APIs operate under the hood. The training demonstrates how automation can accelerate malware analysis. Additionally, you will explore Ghidra’s intermediate language, P-Code, and see how it abstracts away architecture-specific details and enables more flexible automation across different architectures.
Day 2
Day two shifts toward advanced malware analysis, AI-assisted reverse engineering, and statically compiled binaries. You will learn how large language models (LLMs) can support reverse engineering by renaming variables, summarizing functions, and improving analyst productivity through automated contextualization. To reduce hallucinations and improve accuracy, you will learn how graph theory concepts can organize function relationships so that LLMs process binaries in a logical bottom-up manner. Practical exercises use malware such as CaddyWiper to demonstrate these techniques, alongside scripts that visually highlight function complexity inside Ghidra to guide analysts during manual review.
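The bottom-up ordering described above, as an added example that is not part of the course material: the call graph is a constructed dict (caller to callees), recursion is handled by collapsing strongly connected components with Tarjan’s algorithm, and the summariser callback stands in for an LLM call. The Ghidra source of the edges, Function.getCalledFunctions(monitor), is an assumption about where the data would come from.

```python
# Added example, not course material. Constructed call graph (caller -> callees,
# every function is a key); in Ghidra the edges would come from
# Function.getCalledFunctions(monitor) (assumed data source).
from typing import Callable, Dict, List, Set
SAMPLE_CALL_GRAPH: Dict[str, Set[str]] = {
    "entry": {"init", "main_loop"},
    "init": {"decrypt_string", "resolve_api"},
    "main_loop": {"decrypt_string", "c2_beacon", "main_loop"},  # self-recursive
    "c2_beacon": {"send", "recv"},
    "send": {"recv"},
    "recv": {"send"},  # send/recv are mutually recursive
    "decrypt_string": set(),
    "resolve_api": set(),
}

def bottom_up_order(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Tarjan's SCC algorithm: components come out callee-first."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    components: List[List[str]] = []

    def visit(node: str) -> None:
        index[node] = low[node] = len(index)
        stack.append(node)
        for callee in sorted(graph[node]):
            if callee not in index:
                visit(callee)
                low[node] = min(low[node], low[callee])
            elif callee in stack:  # back edge: direct or mutual recursion
                low[node] = min(low[node], index[callee])
        if low[node] == index[node]:  # node is the root of a component
            comp = [stack.pop()]
            while comp[-1] != node:
                comp.append(stack.pop())
            components.append(sorted(comp))

    for fn in sorted(graph):
        if fn not in index:
            visit(fn)
    return components

def summarise_bottom_up(graph: Dict[str, Set[str]], summarise: Callable[[str, Dict[str, str]], str]) -> Dict[str, str]:
    """Call summarise(fn, callee_summaries) so each prompt can cite its callees."""
    summaries: Dict[str, str] = {}
    for comp in bottom_up_order(graph):
        for fn in comp:  # inside a cycle, only callees already done are available
            ctx = {c: summaries[c] for c in graph[fn] if c in summaries}
            summaries[fn] = summarise(fn, ctx)
    return summaries
```

Within a recursive component the first member is necessarily summarised without its cycle partner’s summary, which is the one place the bottom-up guarantee cannot hold.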
The remainder of day two focuses heavily on Golang malware, as such binaries are statically compiled. In particular, you will dig into the Kuiper ransomware family and qBitStealer. You will examine Golang runtime structures and learn how to recover missing function information using FunctionID and BSim databases. You will also learn how to create your own recovery databases before applying them to modified ransomware samples with stripped symbols, reinforcing realistic analysis workflows where imperfect recovery is expected. The course concludes with a competitive challenge in which attendees search for coding mistakes in the Kuiper ransomware.
Target Audience
Malware analysts
Reverse engineers
Threat hunters
SOC analysts
Incident responders
Hobbyists
Pre-requisites
Students should be able to understand (pseudo-)C and have a fundamental understanding of programming in general. This fundamental understanding assumes students know that programs consist of (among other things) functions, which in turn consist of local and global variables. Having a rough idea of how concepts in code, such as loops and conditions, translate to the same concepts in assembly is a plus, but not required. Any assembly language (e.g. x86, ARM, PPC) works for this, as the conceptual knowledge is what matters, not the specific implementation.
Being able to write code in Java and/or Python is also required for some exercises. Other languages can also work for some of the exercises, but not for all.
Experience with Ghidra is a plus, although not required. Experience with any other tooling (e.g. IDA Pro, Binary Ninja, Hopper, or JEB) is also a plus, but not required either.
What should students bring
A laptop with 16 gigabytes of RAM and 100 gigabytes of free disk space on your SSD. Make sure your laptop is capable of running an x86_64-based VM. The VM will be provided prior to the training. For those using an M-based MacBook: those are ARM-based and have difficulty running an x86_64-based VM.
The laptop should have VirtualBox installed to load the provided image. Alternatively, you can choose to bring your own preconfigured laptop and simply download the course materials on said laptop. If you choose to do so, you will need to install Ghidra (a built release plus its source code) along with Eclipse (or any editor you prefer to work with) which can debug the provided source. You can do this in a virtual machine (which I recommend) or directly on your laptop (not recommended).
What are students provided with
A VirtualBox OVA image which comes with all the required software preinstalled, as well as all required course materials. You will be able to download this image several days prior to the start of the training.
Trainer Bio
Max Kersten is a senior malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting out. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. He then worked at Trellix in the Advanced Research Center, where he dove into APT malware and campaigns. Currently, Max works as an analyst at Politie (Dutch law enforcement). Over the past few years, Max has spoken at international conferences such as DEFCON, Black Hat (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he has given guest lectures and workshops for DEFCON, Botconf, several universities, and private entities.
LinkedIn: https://www.linkedin.com/in/libranalysis/
Twitter (X): @Libranalysis
Blog: https://maxkersten.nl/

