Patch Diffing In The Dark: CVE guided VR

Instructors:    John McIntosh
Dates:  June 23 to 26 2025
Capacity:   30

Every day, new vulnerabilities are disclosed through CVEs (Common Vulnerabilities and Exposures) or detailed in blog posts, often leaving individuals aware of the issue but uncertain about how to dive deeper into its root cause. This course is designed for those who want to move beyond surface-level understanding and develop the skills to dissect modern vulnerabilities systematically. By mastering binary patch diffing - an essential skill for reverse engineering, vulnerability research, and malware analysis - you'll gain the ability to identify security-relevant changes in closed-source binaries and uncover the underlying issues that make them exploitable. By honing these skills, you'll be equipped to embark on - or elevate - your journey in vulnerability research.

This fast-paced course will teach you how to reverse engineer real-world CVEs on Windows using open-source tools. Starting from a simple description of a vulnerability, you'll progress to identifying its root cause through hands-on exercises. The training emphasizes practical application, focusing on analyzing recent CVEs and their corresponding binaries. You'll learn a step-by-step approach to modern patch diffing, including best practices, common pitfalls to avoid, and useful scripts to enhance your workflow.

In addition to patch diffing, the course focuses on both static and dynamic vulnerability analysis, allowing you to develop exploits and exercise the vulnerabilities you identify (and even learn to use AI to kickstart your POCs!). With short topical lessons and practical exercises, you'll gain confidence in your ability to analyze and understand modern vulnerabilities.

Don't let gaps in your knowledge keep you in the dark - take a step into the light. Sign up for this course and learn the skills needed to transition from knowing about a vulnerability to truly understanding it.

The goal of this course is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Windows. Students will use open-source tools like the Ghidra SRE framework to reverse engineer the latest CVEs. The course will help you discover that you already have the information and tools needed to get started today. This course will help students develop the confidence and competence to reverse engineer and discover complex vulnerabilities.By honing these skills, you'll be equipped to embark on - or elevate—your journey in vulnerability research.

This course focuses on the three fundamental pillars of vulnerability research via a CVE-guided approach:

1. Vulnerability Discovery
2. Vulnerability Analysis
3. Exploit Development

By following a step-by-step (CVE) methodology, we uncover vulnerabilities and treat CVEs as north stars to navigate and understand security vulnerabilities.

The best part about the training is that there is no secret ingredient. Using free tools (Ghidra SRE framework, BinDiff, and more) and leveraging readily available CVE information, you will learn how to discover and analyze complex vulnerabilities. The course, via hands-on exercises and lectures that cover real-world CVEs challenges, provides students with practical reverse engineering exercises to help them learn and practice the concepts and techniques. Participants will discover that you can leverage CVEs as a guide for reverse engineering and vulnerability research.

KEY LEARNING OBJECTIVES

• CVE Analysis: Learn how to analyze Common Vulnerabilities and Exposures (CVEs) to understand the impact and exploitability of vulnerabilities.
• Patch Diffing: Learn the fundamentals of patch diffing, including what it is and how it can be used in vulnerability research.
• Binary Analysis: Gain skills in analyzing binary files in order to understand their structure and behavior.
• Identifying Vulnerabilities: Develop the ability to identify potential vulnerabilities in software through comparative analysis.
• Reverse Engineering Techniques: Acquire new techniques for reverse engineering binaries to discover how they work by leveraging static and dynamic analysis.
• Exploit Development: Understand the principles of developing exploits based on the vulnerabilities found through patch diffing.
• SRE Tool Utilization: Become proficient in using various open-source tools and software that aid in the process of patch diffing and vulnerability discovery.

Practical Exercises

Patch Diffing and Root Cause Analysis of real-world CVEs

• Use Ghidra's Patch Diffing to compare two versions of a Windows binary and identify changes made to address vulnerabilities. Perform root cause analysis and understand how vulnerabilities are exploited.

Combined Static and Dynamic Analysis

• Utilize static analysis to identify security vulnerabilities and locate problematic areas of code.
• Employ dynamic analysis with debuggers and third-party tools to deeply investigate CVEs and verify root causes.

Building Exploit Proofs of Concept (POCs)

• Develop exploit POCs to demonstrate identified vulnerabilities.
• Leverage publicly available resources to accelerate POC development.
• Use AI tools to assist in writing C sample code

CLASS OUTLINE

Part 1 - Vulnerability Discovery - Static

Learn the tools of the trade. Understand how to use modern SRE tooling to dig into CVEs and discover security vulnerabilities. Leverage patch diffing and reverse engineering to pinpoint areas of insecure code.

Introduction

• Binary Diffing Use Cases
• Seeking Binary Truth
• Overview of the CVE vulnerabilities and their impact
• Introduce the tools and data sets (Ghidra, WinDbg, Frida, CVEs)

Reverse Engineering Windows Binaries

• Ghidra Windows Primer
• Reverse Engineering Windows Binaries
• Leverage Custom Data Types

Patch Diffing

• The Diffing Tools - Version Tracking, Bindiff, Ghidriff
• Finding the binaries
• Patch Diffing Workflow
• Interpreting Diff Results
• Patching Holes in Ghidra Version Tracking
• Root Cause Analysis

Vulnerability Analysis - Static

• Discovering the vulnerable code path
• Identifying the vulnerability
• Ghidra scripting Version Tracking analysis

Part 2 - Vulnerability Analysis - Dynamic

Learn how to go from a simple CVE description to finding the underlying root cause of the vulnerability. This day will provide the background on how to research CVEs, find the binaries of interest, and reverse engineer the vulnerabilities using both static and dynamic analysis.

Setting up the Dynamic Environment

• Quickly build test environments
• Learn to install necessary analysis/debugging tools (Sysinternals, Windbg)

Vulnerability Classes

• Understand modern vulnerability classes (UAF, info leak, heap overflow, etc.)
• Learn to recognize vulnerability classes in real world software

Vulnerability Analysis - Dynamic

• Learning how to switch from static to dynamic analysis
• Efficient use of the platform debugger
• Understand how to control program state to reach vulnerable code

Part 3 - Exploit Development - Attacking Windows Services

Reverse engineer several CVEs in Windows services. Learn how to create POC exploits that will trigger the vulnerable path for each CVE. Leverage Dynamic Analysis to understand how to direct the control flow to the vulnerable path.

• Reverse engineer the CVE
• Research the vulnerable service
• Build the test dynamic environment
• Learn Visual Studio basics to create basic POCs
• Patch Diff in the Light
• Leverage public code and other POCs to get started
• Take advantage of AI to create sample C code
• Create POCs for several vulnerability classes

Part 4 - Putting it All Together

Last, we will conclude with a final project. The final project is designed to cement the concepts learned throughout the course and prepares a researcher for learning outside of class. It will consist of several patch diffing challenges allowing you to flex the skills developed during the course.

Final Project

• Practical application of skills learned in the course
• Challenge will be validated with live course CTF server

Windows: Zero to Hero

• Identify vulnerable application
• Research methods to reach vulnerable code paths
• Static and Dynamic Analysis
• Root Cause the vulnerability
• Develop exploit trigger POC

Grab Bag CVEs (time permitting)

• This exercise will provide an instructor led walk through of as many live patch diffs of preselected CVEs and/or student suggested CVEs
• Experience will be unique for each class.

Related RE content from the instructor:

• https://medium.com/@clearbluejar
• https://cve-north-stars.github.io/

Hardware/Software Requirements

• 64-bit i7+ Laptop with 16GB+ RAM
• 60 GB disk space
• Ability to run Intel based VM similar to https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
• VMware

Prerequisites

This course is rated intermediate, but suitable for beginners with heart.

• Basic Knowledge of Vulnerabilities or CVEs: Understand how the Common Vulnerabilities and Exposures (CVE) system identifies unique vulnerabilities and understand the concept of vulnerability classes.
• Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
• Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.

No prior experience with Ghidra is required.

What Students Will Be Provided With

• Course slides / Training materials
• Virtual machines with all the labs
• Resources for further learning
• Access to course CTF server during and beyond the course
• Access to instructor(s) via Discord during the course and beyond

Who is This Course For:

• Cybersecurity professionals seeking to advance their skills in reverse engineering complex vulnerabilities to learn how to mitigate risk and evaluate recent CVEs.
• Vulnerability Researchers hoping to learn a practical technique for vulnerability discovery. This course will challenge the researcher to go one step past learning (what others understand) and arrive in a place of actual research (discovering something new).
• Reverse engineers that want to learn how operating system securities are compromised by vulnerable application, services, and low-level interactions of modern operating systems.

BIO

John McIntosh @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.

www.clearseclabs.com/

clearbluejar.github.io/

To Register

Click here to register.