Instructors: John McIntosh
Dates: June 23 to 26 2025
Capacity: 30
Every day, new vulnerabilities are disclosed through CVEs (Common Vulnerabilities and Exposures) or detailed in blog posts, often leaving individuals aware of the issue but uncertain about how to dive deeper into its root cause. This course is designed for those who want to move beyond surface-level understanding and develop the skills to dissect modern vulnerabilities systematically. By mastering binary patch diffing - an essential skill for reverse engineering, vulnerability research, and malware analysis - you'll gain the ability to identify security-relevant changes in closed-source binaries and uncover the underlying issues that make them exploitable. By honing these skills, you'll be equipped to embark on - or elevate - your journey in vulnerability research.
This fast-paced course will teach you how to reverse engineer real-world CVEs on Windows using open-source tools. Starting from a simple description of a vulnerability, you'll progress to identifying its root cause through hands-on exercises. The training emphasizes practical application, focusing on analyzing recent CVEs and their corresponding binaries. You'll learn a step-by-step approach to modern patch diffing, including best practices, common pitfalls to avoid, and useful scripts to enhance your workflow.
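One of the pitfalls the course alludes to is that a naive comparison of two builds flags almost every function as changed, because the linker moves code and every call target and RIP-relative displacement shifts. The script below is an added illustration, not course material or a tool from the instructor: it takes constructed, hand-written disassembly for a hypothetical DLL (function and address names are invented), masks the operands that change without any source change, hashes the normalized instruction stream per function, and then reports only the functions whose logic actually differs, together with a unified diff of the one that gained a length check. Real tools such as BinDiff match on control-flow graphs rather than a linear hash, so treat this as the minimal version of the idea.

```python
import difflib
import hashlib
import re

# Constructed sample: two builds of the same (hypothetical) DLL, each as a
# mapping of function name -> list of instruction strings, as you might
# export from Ghidra. Between builds the linker moved code, so call targets
# and RIP-relative displacements shifted in every function; only
# RpcCopyBuffer gained real logic (a length check), and one helper was added.
PRE_PATCH = {
    "RpcCopyBuffer": [
        "mov rcx, [rdi+0x10]",
        "mov rdx, [rsi+0x8]",
        "call 0x140003ab0",
        "ret",
    ],
    "RpcInit": ["push rbx", "call 0x140002100", "pop rbx", "ret"],
    "Logger": ["lea rcx, [rip+0x1f2a]", "call 0x140001000", "ret"],
}

POST_PATCH = {
    "RpcCopyBuffer": [
        "mov rcx, [rdi+0x10]",
        "mov rdx, [rsi+0x8]",
        "cmp rdx, [rdi+0x18]",
        "ja 0x1400051c0",
        "call 0x140003b20",
        "ret",
    ],
    "RpcInit": ["push rbx", "call 0x140002180", "pop rbx", "ret"],
    "Logger": ["lea rcx, [rip+0x1f9a]", "call 0x140001080", "ret"],
    "RpcCheckLength": ["cmp rdx, 0x1000", "setbe al", "ret"],
}

HEX = r"0x[0-9a-fA-F]+"
RIP_DISP = re.compile(r"\[rip[+-]" + HEX + r"\]")


def normalize(insn: str) -> str:
    """Mask operands that legitimately change between builds without any
    source change: direct branch/call targets and RIP-relative
    displacements. Structure offsets such as [rdi+0x10] are kept, because a
    change there usually is a real code change."""
    mnemonic, _, operands = insn.partition(" ")
    if mnemonic == "call" or mnemonic.startswith("j"):
        operands = re.sub(HEX, "TARGET", operands)
    operands = RIP_DISP.sub("[rip+DISP]", operands)
    return f"{mnemonic} {operands}".strip()


def fingerprint(body: list[str]) -> str:
    """Hash of the normalized instruction stream, used to match a function
    against its counterpart in the other build."""
    return hashlib.sha256("\n".join(map(normalize, body)).encode()).hexdigest()


def diff_functions(pre: dict, post: dict, normalized: bool = True) -> dict:
    """Classify every function as added, removed, changed or unchanged.
    With normalized=False the comparison is on raw text, which is the naive
    approach that drowns the real fix in relocation noise."""
    key = fingerprint if normalized else lambda body: "\n".join(body)
    names_pre, names_post = set(pre), set(post)
    common = names_pre & names_post
    return {
        "added": names_post - names_pre,
        "removed": names_pre - names_post,
        "changed": {n for n in common if key(pre[n]) != key(post[n])},
        "unchanged": {n for n in common if key(pre[n]) == key(post[n])},
    }


def instruction_diff(name: str, pre: dict, post: dict) -> list[str]:
    """Unified diff of one function's normalized instructions: the first
    thing to read when deciding whether a change is security-relevant."""
    a = [normalize(i) for i in pre[name]]
    b = [normalize(i) for i in post[name]]
    return list(difflib.unified_diff(a, b, f"pre/{name}", f"post/{name}",
                                     lineterm="", n=1))


if __name__ == "__main__":
    noisy = diff_functions(PRE_PATCH, POST_PATCH, normalized=False)
    clean = diff_functions(PRE_PATCH, POST_PATCH)
    print("raw text diff flags:   ", sorted(noisy["changed"]))
    print("normalized diff flags: ", sorted(clean["changed"]),
          "added:", sorted(clean["added"]))
    for line in instruction_diff("RpcCopyBuffer", PRE_PATCH, POST_PATCH):
        print(line)
```

Run on the constructed input, the raw comparison reports three changed functions while the normalized one reports only RpcCopyBuffer (plus the new RpcCheckLength helper), and the unified diff shows the inserted cmp/ja pair, which is exactly the kind of added bounds check a patch-diffing session is looking for. Which operands to mask is a judgement call: masking too aggressively (for example, every immediate) would hide a changed buffer size, so keep the rules narrow and review the diff of anything flagged.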
In addition to patch diffing, the course focuses on both static and dynamic vulnerability analysis, allowing you to develop exploits and exercise the vulnerabilities you identify (and even learn to use AI to kickstart your POCs!). With short topical lessons and practical exercises, you'll gain confidence in your ability to analyze and understand modern vulnerabilities.
Don't let gaps in your knowledge keep you in the dark - take a step into the light. Sign up for this course and learn the skills needed to transition from knowing about a vulnerability to truly understanding it.
The goal of this course is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Windows. Students will use open-source tools like the Ghidra SRE framework to reverse engineer the latest CVEs. The course will help you discover that you already have the information and tools needed to get started today, and will build the confidence and competence to reverse engineer and discover complex vulnerabilities.
This course focuses on the three fundamental pillars of vulnerability research via a CVE-guided approach:
1. Vulnerability Discovery
2. Vulnerability Analysis
3. Exploit Development
By following a step-by-step, CVE-guided methodology, we treat each CVE as a north star for navigating and understanding security vulnerabilities.
The best part about the training is that there is no secret ingredient. Using free tools (the Ghidra SRE framework, BinDiff, and more) and readily available CVE information, you will learn how to discover and analyze complex vulnerabilities. Through lectures and hands-on exercises built around real-world CVEs, the course gives students practical reverse engineering practice with the concepts and techniques. Participants will discover that they can leverage CVEs as a guide for reverse engineering and vulnerability research.
Patch Diffing and Root Cause Analysis of real-world CVEs
Combined Static and Dynamic Analysis
Building Exploit Proofs of Concept (POCs)
Learn the tools of the trade. Understand how to use modern SRE tooling to dig into CVEs and discover security vulnerabilities. Leverage patch diffing and reverse engineering to pinpoint areas of insecure code.
Introduction
Reverse Engineering Windows Binaries
Patch Diffing
Vulnerability Analysis - Static
Learn how to go from a simple CVE description to finding the underlying root cause of the vulnerability. This day will provide the background on how to research CVEs, find the binaries of interest, and reverse engineer the vulnerabilities using both static and dynamic analysis.
Setting up the Dynamic Environment
Vulnerability Classes
Vulnerability Analysis - Dynamic
Reverse engineer several CVEs in Windows services. Learn how to create POC exploits that trigger the vulnerable path for each CVE, and leverage dynamic analysis to understand how to direct control flow to that path.
Finally, the course concludes with a final project. The final project is designed to cement the concepts learned throughout the course and to prepare you for continued research outside of class. It consists of several patch diffing challenges that let you flex the skills developed during the course.
Final Project
Windows: Zero to Hero
Grab Bag CVEs (time permitting)
This course is rated intermediate, but suitable for beginners with heart.
No prior experience with Ghidra is required.
John McIntosh @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.