Patch Diffing In The Dark: CVE guided VR


Instructor: John McIntosh
Dates: June 23 to 26, 2025
Capacity: 30


Every day, new vulnerabilities are disclosed through CVEs (Common Vulnerabilities and Exposures) or detailed in blog posts, often leaving individuals aware of the issue but uncertain about how to dive deeper into its root cause. This course is designed for those who want to move beyond surface-level understanding and develop the skills to dissect modern vulnerabilities systematically. By mastering binary patch diffing - an essential skill for reverse engineering, vulnerability research, and malware analysis - you'll gain the ability to identify security-relevant changes in closed-source binaries and uncover the underlying issues that make them exploitable. By honing these skills, you'll be equipped to embark on - or elevate - your journey in vulnerability research.

This fast-paced course will teach you how to reverse engineer real-world CVEs on Windows using open-source tools. Starting from a simple description of a vulnerability, you'll progress to identifying its root cause through hands-on exercises. The training emphasizes practical application, focusing on analyzing recent CVEs and their corresponding binaries. You'll learn a step-by-step approach to modern patch diffing, including best practices, common pitfalls to avoid, and useful scripts to enhance your workflow.

In addition to patch diffing, the course focuses on both static and dynamic vulnerability analysis, allowing you to develop exploits and exercise the vulnerabilities you identify (and even learn to use AI to kickstart your POCs!). With short topical lessons and practical exercises, you'll gain confidence in your ability to analyze and understand modern vulnerabilities.

Don't let gaps in your knowledge keep you in the dark - take a step into the light. Sign up for this course and learn the skills needed to transition from knowing about a vulnerability to truly understanding it.

The goal of this course is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Windows. Students will use open-source tools like the Ghidra SRE framework to reverse engineer the latest CVEs. The course will help you discover that you already have the information and tools needed to get started today, and it will help students develop the confidence and competence to reverse engineer and discover complex vulnerabilities.

This course focuses on the three fundamental pillars of vulnerability research via a CVE-guided approach:

1. Vulnerability Discovery
2. Vulnerability Analysis
3. Exploit Development

By following a step-by-step (CVE) methodology, we uncover vulnerabilities and treat CVEs as north stars to navigate and understand security vulnerabilities.

The best part about the training is that there is no secret ingredient. Using free tools (Ghidra SRE framework, BinDiff, and more) and leveraging readily available CVE information, you will learn how to discover and analyze complex vulnerabilities. Through hands-on exercises and lectures that cover real-world CVE challenges, the course provides students with practical reverse engineering exercises to help them learn and practice the concepts and techniques. Participants will discover that they can use CVEs as a guide for reverse engineering and vulnerability research.



KEY LEARNING OBJECTIVES

- Practical Exercises
- Patch Diffing and Root Cause Analysis of real-world CVEs
- Combined Static and Dynamic Analysis
- Building Exploit Proofs of Concept (POCs)

CLASS OUTLINE

Part 1 - Vulnerability Discovery - Static

Learn the tools of the trade. Understand how to use modern SRE tooling to dig into CVEs and discover security vulnerabilities. Leverage patch diffing and reverse engineering to pinpoint areas of insecure code.

- Introduction
- Reverse Engineering Windows Binaries
- Patch Diffing
- Vulnerability Analysis - Static

Part 2 - Vulnerability Analysis - Dynamic

Learn how to go from a simple CVE description to finding the underlying root cause of the vulnerability. This day will provide the background on how to research CVEs, find the binaries of interest, and reverse engineer the vulnerabilities using both static and dynamic analysis.

- Setting up the Dynamic Environment
- Vulnerability Classes
- Vulnerability Analysis - Dynamic

Part 3 - Exploit Development - Attacking Windows Services

Reverse engineer several CVEs in Windows services. Learn how to create POC exploits that will trigger the vulnerable path for each CVE. Leverage dynamic analysis to understand how to direct the control flow to the vulnerable path.

Part 4 - Putting it All Together

Last, we will conclude with a final project. The final project is designed to cement the concepts learned throughout the course and to prepare a researcher for learning outside of class. It will consist of several patch diffing challenges allowing you to flex the skills developed during the course.

- Final Project
- Windows: Zero to Hero
- Grab Bag CVEs (time permitting)

Related RE content from the instructor:

Hardware/Software Requirements

Prerequisites

This course is rated intermediate, but suitable for beginners with heart.

No prior experience with Ghidra is required.

What Students Will Be Provided With

Who is This Course For:



BIO

John McIntosh @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.
www.clearseclabs.com/

clearbluejar.github.io/