Dr. McGrew at DEF CON 29: Teaching Software Reverse Engineering

August 3, 2021

By Dr. Wesley McGrew, Senior Cyber Fellow

Tomorrow morning, I will be traveling to Las Vegas, Nevada for the highest-profile hacking conference of the year, DEF CON. As a teenage hacker in the 1990s, I was fascinated by media coverage of the early iterations of DEF CON and followed its content for years. After developing my career in cybersecurity, leveraging my enjoyment of breaking things, I began attending DEF CON thirteen years ago, and this will be my 11th year contributing content to this influential conference. I have been a speaker, presenting new research on a variety of offensive security topics; I have been an instructor, teaching others how to conduct safe penetration tests and reverse engineer malicious software; I have documented previous iterations of the conference with my photography; and I have performed as a DJ for nighttime events (streaming last year, and this year, in-person).

After a late Thursday night mixing dance music for attendees as “Dr. McGrew” (the DJ), I’ll wake up on Friday morning, drink several cups of coffee (black), and head to the conference floor again as “Dr. McGrew” (the professor) to teach a workshop on software reverse engineering. For four hours, I’ll be hands-on with real-world advanced persistent threat malware with 150 attendees in “The Joy of Reverse Engineering: Learning With Ghidra and WinDbg”.

While it can be intimidating to “get into” software reverse engineering (RE), it can be very rewarding. Reverse engineering skills are useful in malicious software analysis, vulnerability discovery, exploit development, bypassing host-based protection, and in approaching many other interesting and useful problems in hacking. Being able to study how software works, without source code or documentation, will give you the confidence that there is nothing about a computer system you can’t understand if you simply apply enough time and effort. Beyond all of this: it’s fun. Every malicious program becomes a new and interesting puzzle to “solve”.

The purpose of this workshop is to introduce software reverse engineering to the attendees, using static and dynamic techniques with the Ghidra disassembler and the WinDbg debugger. No prior experience in reverse engineering is necessary. There will be few slides; concepts and techniques will be illustrated within the Ghidra and WinDbg environments, and attendees can follow along on their laptops in their own virtual machines. We will cover the following topics:

  • Software Reverse Engineering concepts and terminology
  • The execution environment (CPU, Virtual Memory, Linking, and Loading)
  • C constructs, as seen in disassembled code
  • Combining static and dynamic analysis to understand and document compiled binary code
  • Methodology and approaches for reverse engineering large programs
  • Hands-on malware analysis
  • How to approach a “new-to-you” architecture

I’ve intentionally selected malware to use for our case studies that I have not reverse engineered before so that attendees can observe the process and difficulties that can arise “live”. I’m looking forward to meeting the attendees of my workshop and working through some interesting code with them, adding capable reverse engineers to the talent pool!