Advanced malware reverse engineering with Ghidra*

Embark on an immersive learning journey where knowledge meets hands-on practice. Benefit from the unparalleled expertise of renowned industry experts and equip yourself with cutting-edge techniques. The course empowers you to become a Ghidra master, ready to face the toughest cybersecurity challenges.

Ghidra isn’t just a tool; it’s your strategic advantage in the digital realm. Gain hands-on experience, master scripting, and navigate complex malware analysis with confidence, all while following the lead of Kaspersky’s cybersecurity experts.

Immerse yourself in the realm of advanced malware analysis with Ghidra, guided by industry luminaries Igor Kuznetsov and Georgy Kucherin. Empower your InfoSec career to confidently tackle real-world
threats or elevate your organization’s cybersecurity posture.

Built for Tier 3 Threat Hunters

Advanced

$1,800 inc. tax per learner

Advanced

$1,800 inc. tax per learner

Background

As the digital realm continues to expand, the challenges associated with it grow as well. Enter Ghidra, a powerful tool that has become indispensable for InfoSec specialists. Whether you’re an individual looking to enhance your career prospects or a business striving to fortify its digital stronghold, Ghidra is the compass guiding you through the intricate terrain of malware analysis and reverse engineering.

Developed by experts at the Kaspersky Lab, the “Advanced Malware Reverse Engineering with Ghidra” course is your gateway to unlocking the full potential of this invaluable tool.

Created by luminaries in the field such as Igor Kuznetsov, Director of GReAT, and Kaspersky security researcher Georgy Kucherin, this course is designed to empower you with the skills and knowledge necessary to navigate the complex world of malware analysis.

The course is tailored to provide a robust foundation in Ghidra. Starting with mastering the basics of Ghidra, you’ll embark on a journey that de-mystifies the malware analysis workflow. Explore data types, structures, and external type definitions. Learn basic and advanced-level Ghidra scripting in Python and Java, find out how to identify run-time library code and much more.

Let’s embark on this transformative training course together, where understanding Ghidra isn’t just an achievement — it’s a strategic advantage.

Course leaders

Igor Kuznetsov

Director, Global Research & Analysis Team (GReAT)

Igor is the Director of the Global Research & Analysis Team (GReAT) at Kaspersky. His research focuses on investigating malware campaigns and employing reverse engineering techniques to understand advanced malware. His profound knowledge and skills have proven instrumental in understanding and countering complex cyber threats. He has more than 20 years of reverse engineering experience.

Georgy Kucherin

Security Researcher, Global Research & Analysis Team (GReAT)

Georgy Kucherin is a Security Researcher at Kaspersky’s renowned Global Research and Analysis Team. Georgy demonstrates an unwavering passion for unraveling the intricacies of complex malware and employing reverse engineering techniques to analyze and understand its inner workings. With a strong background in cybersecurity research, Georgy has contributed significantly to the field through his comprehensive investigations into advanced persistent threats (APTs) such as FinFisher, APT41, and Lazarus. Georgy actively shares his research findings at prominent conferences, including SAS, VirusBulletin, and other renowned gatherings, where his presentations captivate audiences and contribute to the collective knowledge of the cybersecurity community.

Overview & Objectives

Get familiarized with the process of setting up Ghidra and building its latest version from source code
Understand how to perform a typical malware analysis workflow with Ghidra
Gain a firm understanding of how to work with data types and structures in Ghidra
Be able to identify runtime library code with Ghidra
Learn how to use Ghidra’s disassembler and decompiler scripting capabilities to automate reverse engineering tasks
Understand how to extend Ghidra’s capabilities using the Eclipse IDE™ (Eclipse IDE is a trademark of Eclipse Foundation, Inc.)

Syllabus

Introduction to Ghidra

– Ghidra overview
– Building Ghidra on Windows, macOS, Linux

Analysis workflow

– Introduction to the Metasploit sample
– Settings overview, configuring familiar controls
– Basic analysis workflow
– Using Data Type Manager to import type libraries

– Using Ghidra’s parser to import C headers

– Applying structure pointers

Working with types and pointers

– Working with linked lists and adjusting shifted pointers

– Analyzing code that uses PE header structures

– Introduction to scripting

Scripting API hashing

– Analyzing an API hashing algorithm with Ghidra

– Implementing an API hash analysis script in Python and Java

Library identification

– Introduction to the Mettle sample

– Using a library (.so file) to create a function identification database

– Using Ghidra’s headless mode to create a function identification database from an archive (.a) file

Structures and function pointers 

– Introduction to the Calypso sample
– Studying capabilities related to structure pointers, such as automatic recognition of structure fields

– Tips and tricks for working with function pointers, such as applying API function signatures for them

Decompiler scripting

– Ghidra’s decompiler internals overview

– Advanced-level scripting: coding a stack string analysis script using knowledge of decompiler internals

Coding an analyzer

– Learning to expand Ghidra’s capabilities using the Eclipse IDE

– Coding an API hash analysis extension for Ghidra

Whos it for?

InfoSec professionals

Perfect for seasoned reverse engineers, incident responders, and digital forensics experts, this course takes your cybersecurity prowess to new heights through an advanced acquaintance with the Ghidra tool.

Cybersecurity consultancies

The course will empower your personnel with the mastery of Ghidra, enabling them to provide unparalleled cybersecurity solutions and deliver top-tier malware analysis services to clients.

Enterprises

Elevate your organization's cybersecurity and SOC teams. Upon completing the course, they'll become experts in conducting a comprehensive malware analysis using Ghidra, capable of uncovering actionable insights that bolster your organization's security framework and enhance incident response strategies.

How you'll learn

Guided video lectures

Dive into the Ghidra tool usage through the expert lectures that break down complex concepts into easily digestible segments.

Virtual Lab

Step into a secure virtual environment created specifically for the course, where you can apply your skills without risk.

Iterative learning

Embrace a learning journey that adapts to your pace. Benefit from iterative exercises, quizzes and experts’ solutions that reinforce your understanding, ensuring mastery of each topic before moving forward.

Benefits

Access

6 months to complete your course

Language

Course delivered in English with English subtitles

Pace

Self guided learning that fits around your life

Access to Virtual lab

100 hours in browser based Virtual lab with hands on training

Learning environment

Browser based via desktop, mobile or tablet

Guided videos

40+ videos to guide you through the course

Certification of completion

PDF document on a Kaspersky letterhead certifying the completion of the course, signed by the course leader(s)

*Ghidra is an open-source software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. Reference herein to any specific commerical product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Software is used for informational purposes only and does not constitute any association or relationship with NSA or its products.