John McIntosh - Everyday Ghidra: Practical Windows Reverse Engineering - DCTLV2025
Name of Training: Everyday Ghidra: Practical Windows Reverse Engineering
Trainer(s): John McIntosh
Dates: August 11-12, 2025
Time: 08:00 am to 05:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2600
Course Description:
Reverse engineering is the process of uncovering the principles, architecture, and internal structure of a piece of software or hardware. It can be used for various purposes, such as improving compatibility, enhancing security, understanding program behaviour, and even vulnerability research. However, reverse engineering can also be challenging, especially when dealing with complex and modern Windows binaries.
That’s why you need Ghidra, a powerful and open-source software reverse engineering framework developed by the National Security Agency (NSA). Ghidra can help you perform in-depth analysis of Windows binaries, using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it and this course will guide your steps.
In this course, you will learn how to use Ghidra effectively to reverse engineer Windows binaries. While Ghidra is at the heart of our curriculum, we go far beyond a simple user manual. This course is designed to help you master Windows reverse engineering techniques by using Ghidra as your primary tool. You will start with the basics of Ghidra, such as creating projects, importing and analyzing binaries, and using Ghidra’s native tools. You will then learn how to customize Ghidra to suit your needs, such as building custom data types and configuring optimal analysis. From there, you will complete progressive labs that will teach you to apply both static and dynamic analysis techniques to dive deep into Windows application behavior using Ghidra’s Windows-specific features and scripts.
Practical Exercises:
-
Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior.
-
Dynamically Debugging a Windows RPC Server - Gain insight to into Windows RPC and learn how to dynamically inspect a Windows servers with Ghidra’s Debugger
-
Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability and find its root cause.
Course Outline:
DAY 1 : Introduction to Reverse Engineering
-
Introduction to Reverse Engineering
-
Getting Started with Ghidra
-
Windows Security Concepts
-
Ghidorah: Taming the 3-headed dragon
-
Code Browser
-
Debugger
-
Version Tracking
-
Reverse Engineering Windows Binaries - Static
-
A Practical RE Workflow
-
Binary Acquisition
-
Analysis Improvements
-
Setting Reverse Engineering Goals
-
Reversing Windows Malware
DAY 2 : Reverse Engineering Windows Binaries - Dynamic and Patch Diffing
-
Reverse Engineering Windows Binaries - Dynamic
-
Ghidra Debugger Overview
-
Debugging Windows Applications
-
Pretending All Binaries Come with Source
-
Debugging a Windows RPC Service
-
Reversing Petitpotam ( NTLM Authentication Bypass )
-
Patch Diffing and Root Cause Analysis of Windows CVE
-
Patch Diffing in Ghidra
-
Finding a CVE
-
Patch Diffing Windows Binaries
-
Hunting for the vulnerability
-
Finding the root cause
Difficulty Level:
Intermediate
Suggested Prerequisites:
-
Knowledge of Windows Security Concepts
-
Fundamental Understanding and experience with assembly
-
Experience Debugging software applications
What Students Should Bring:
-
Hardware Requirements
-
i7+ Laptop with 16GB+ RAM
-
60 GB disk space
-
Ability to run Intel based VM similar to https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
-
Software Requirements
-
VMware (now free to download)
Trainer(s) Bio:
John McIntosh ([@clearbluejar](https://twitter.com/clearbluejar)) is a security researcher and lead instructor @clearseclabs, a company that offers hands-on training and consulting for reverse engineering and offensive security. He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He has created several open-source security tools and courses, which are available on his GitHub page. He regularly blogs about his research projects and experiments on his [website] (https://clearbluejar.github.io), where you can find detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security enthusiasts.
Related RE content from the instructor:
-
https://clearbluejar.github.io/posts/from-ntobjectmanager-to-petitpotam/
-
https://www.clearseclabs.com/everyday-ghidra-practical-windows-reverse-engineering.html
Registration Terms and Conditions:
Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after July 8, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]