Patch Diffing In The Dark

Instructors:    John McIntosh
Dates:  June 23 to 26 2025
Capacity:   30

Every day, a new CVE (Common Vulnerabilities and Exposure) is published or a new blog post comes out detailing the latest and greatest vulnerability. Often, we know about a vulnerability but feel like we don't have the skills or time to understand its root cause. What if you could change that? What if you could learn a skill that would lead you step by step towards understanding modern vulnerabilities? If you feel like you are always "in the dark" about the latest CVE and want to take a step towards the light (understanding), this course is for you.

Binary patch diffing is an essential skill for reverse engineering, vulnerability research, and malware analysis. The process helps a researcher identify the security-relevant code changes of a patched binary and helps highlight the underlying security issues. The process is not magic, and with a little guidance, a new researcher can learn to identify and understand modern vulnerabilities.

This fast-paced training will teach you how to reverse engineer the latest CVEs. We will start with a simple CVE description, progress towards identifying a vulnerability, and eventually gain a complete understanding of the underlying vulnerability and identify its root cause. You will analyze real-world CVEs, dive into the patch diffing process, and learn a step-by-step approach to modern patch diffing using open-source tools. The short topical lessons and hands-on exercises will have you patch diffing recent CVEs and their corresponding binaries across on the Windows platform. You will learn about best practices, how to avoid patch diffing pitfalls, and get useful scripts to enhance your analysis workflow. After you discover the vulnerability via patch diffing, you will then learn how to use both static and dynamic techniques to approach exploit development to exercise the vulnerability.

Take the first step into the light. Sign up for this course. Learn the skill of patch diffing to go from knowing about a vulnerability to actually understanding it.

The goal of this course is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Windows. Students will use open-source tools like the Ghidra SRE framework to reverse engineer the latest CVEs. The course will help you discover that you already have the information and tools needed to get started today. This course will help students develop the confidence and competence to reverse engineer and discover complex vulnerabilities.

This course focuses on the three fundamental pillars of vulnerability research via a CVE-guided approach:

1. Vulnerability Discovery
2. Vulnerability Analysis
3. Exploit Development

By following a step-by-step (CVE) methodology, we uncover vulnerabilities and treat CVEs as north stars to navigate and understand security vulnerabilities.

The best part about the training is that there is no secret ingredient. Using free tools (Ghidra SRE framework, BinDiff, and more) and leveraging readily available CVE information, you will learn how to discover and analyze complex vulnerabilities. The course, via hands-on exercises and lectures that cover real-world CVEs challenges, provides students with practical reverse engineering exercises to help them learn and practice the concepts and techniques. Participants will discover that you can leverage CVEs as a guide for reverse engineering and vulnerability research.

KEY LEARNING OBJECTIVES

• CVE Analysis: Learn how to analyze Common Vulnerabilities and Exposures (CVEs) to understand the impact
• and exploitability of vulnerabilities.
• Patch Diffing: Learn the fundamentals of patch diffing, including what it is and how it can be used in
• vulnerability research.
• Binary Analysis: Gain skills in analyzing binary files in order to understand their structure and
• behavior.
• Identifying Vulnerabilities: Develop the ability to identify potential vulnerabilities in software
• through comparative analysis.
• Reverse Engineering Techniques: Acquire new techniques for reverse engineering binaries to discover how
• they work by leveraging static and dynamic analysis.
• Exploit Development: Understand the principles of developing exploits based on the vulnerabilities found
• through patch diffing.
• SRE Tool Utilization: Become proficient in using various open-source tools and software that aid in the
• process of patch diffing and vulnerability discovery.

Practical Exercises

Patch Diffing and Root Cause Analysis of real-world CVEs

• Use Ghidra's Patch Diffing to compare two versions of a Windows binary and identify changes made to address vulnerabilities. Perform root cause analysis and understand how vulnerabilities are exploited.

Combined Static and Dynamic Analysis

• Utilize static analysis to identify security vulnerabilities and locate problematic areas of code.
• Employ dynamic analysis with debuggers and third-party tools to deeply investigate CVEs and verify root causes.

Building Exploit Proofs of Concept (POCs)

• Develop exploit POCs to demonstrate identified vulnerabilities.
• Leverage publicly available resources to accelerate POC development.
• Use AI tools to assist in writing C sample code

CLASS OUTLINE

Part 1 - Vulnerability Discovery - Static

Learn the tools of the trade. Understand how to use modern SRE tooling to dig into CVEs and discover security vulnerabilities. Leverage patch diffing and reverse engineering to pinpoint areas of insecure code.

Introduction

• Binary Diffing Use Cases
• Seeking Binary Truth
• Overview of the CVE vulnerabilities and their impact
• Introduce the tools and data sets (Ghidra, WinDbg, Frida, CVEs)

Reverse Engineering Windows Binaries

• Ghidra Windows Primer
• Reverse Engineering Windows Binaries
• Leverage Custom Data Types

Patch Diffing

• The Diffing Tools - Version Tracking, Bindiff, Ghidriff
• Finding the binaries
• Patch Diffing Workflow
• Interpreting Diff Results
• Patching Holes in Ghidra Version Tracking
• Root Cause Analysis

Vulnerability Analysis - Static

• Discovering the vulnerable code path
• Identifying the vulnerability
• Ghidra scripting Version Tracking analysis

Part 2 - Vulnerability Analysis - Dynamic

Learn how to go from a simple CVE description to finding the underlying root cause of the vulnerability. This day will provide the background on how to research CVEs, find the binaries of interest, and reverse engineer the vulnerabilities using both static and dynamic analysis.

Setting up the Dynamic Environment

• Quickly build test environments
• Learn to install necessary analysis/debugging tools (Sysinternals, Windbg)

Vulnerability Classes

• Understand modern vulnerability classes (UAF, info leak, heap overflow, etc.)
• Learn to recognize vulnerability classes in real world software

Hands on guided reverse engineering:

• C++ malware
• Multi-threaded malware

Vulnerability Analysis - Dynamic

• Learning how to switch from static to dynamic analysis
• Efficient use of the platform debugger
• Understand how to control program state to reach vulnerable code

Part 3 - Exploit Development - Attacking Windows Services

Reverse engineer several CVEs in Windows services. Learn how to create POC exploits that will trigger the vulnerable path for each CVE. Leverage Dynamic Analysis to understand how to direct the control flow to the vulnerable path.

• Reverse engineer the CVE
• Research the vulnerable service
• Build the test dynamic environment
• Learn Visual Studio basics to create basic POCs
• Patch Diff in the Light
• Leverage public code and other POCs to get started
• Take advantage of AI to create sample C code
• Create POCs for several vulnerability classes

Part 4 - Putting it All Together

Last, we will conclude with a final project. The final project is designed to cement the concepts learned throughout the course and prepares a researcher for learning outside of class. It will consist of several patch diffing challenges allowing you to flex the skills developed during the course.

Final Project

• Practical application of skills learned in the course
• Challenge will be validated with live course CTF server

Windows: Zero to Hero

• Identify vulnerable application
• Research methods to reach vulnerable code paths
• Static and Dynamic Analysis
• Root Cause the vulnerability
• Develop exploit trigger POC

Grab Bag CVEs (time permitting)

• This exercise will provide an instructor led walk through of as many live patch diffs of preselected CVEs and/or student suggested CVEs
• Experience will be unique for each class.

Related RE content from the instructor:

• https://medium.com/@clearbluejar
• https://cve-north-stars.github.io/

Hardware/Software Requirements

• 64-bit i7+ Laptop with 16GB+ RAM
• 60 GB disk space
• Ability to run Intel based VM similar to https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
• VMware

Prerequisites

This course is rated intermediate, but suitable for beginners with heart.

• Basic Knowledge of Vulnerabilities or CVEs: Understand how the Common Vulnerabilities and Exposures (CVE) system identifies unique vulnerabilities and understand the concept of vulnerability classes.
• Understanding of Security Principles: A foundational grasp of cybersecurity concepts and practices.
• Assembly Language Basics: An introductory understanding of assembly language or familiarity with programming in C.

No prior experience with Ghidra is required.

What Students Will Be Provided With

• Course slides / Training materials
• Virtual machines with all the labs
• Resources for further learning
• Access to course CTF server during and beyond the course
• Access to instructor(s) via Discord during the course and beyond

Who is This Course For:

• Cybersecurity professionals seeking to advance their skills in reverse engineering complex vulnerabilities to learn how to mitigate risk and evaluate recent CVEs.
• Vulnerability Researchers hoping to learn a practical technique for vulnerability discovery. This course will challenge the researcher to go one step past learning (what others understand) and arrive in a place of actual research (discovering something new).
• Reverse engineers that want to learn how operating system securities are compromised by vulnerable application, services, and low-level interactions of modern operating systems.

BIO

John McIntosh @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page. Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.

www.clearseclabs.com/

clearbluejar.github.io/

To Register

Click here to register.