<li><version> is the version number of the release</li>
<li><release> is the name of the release</li>
<li><date> is the date the release was built</li>
</ul>
<br>
<li>Platforms Supported:</li>
<ul>
<li>Microsoft Windows 7 or 10 (64-bit)</li>
<li>Linux (64-bit, CentOS 7 is preferred)</li>
<li>macOS (OS X) 10.8.3+ (Mountain Lion or later)</li>
</ul>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
</p>
</div>
</section>
<section>
<header>Exercise Files</header>
<br>
<ul class="medium">
<li>Referenced exercise files are located in ghidra_<version>/docs/GhidraClass/ExerciseFiles</li>
<br>
<li>If an exercise file is not specifically listed then do the exercise with your choice of program.</li>
<br>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
</p>
</div>
</section>
<section>
<header>Course Objectives</header>
<ul>
<li>By the end of this course you will be able to:</li>
<ul>
<li>Use some of the more advanced Ghidra features including creating data types, memory map, multi-user projects, comparing programs, and version tracking</li>
<li>Set up a Ghidra development environment and write Ghidra scripts</li>
<li>Run Ghidra in headless mode</li>
</ul>
</ul>
<div role="note">
<p><b><u>Notes:</u></b></p>
</div>
</section>
<section>
<header>Course Topics</header>
<table style="width:100%; border-spacing:0px;">
<tr>
<td style="vertical-align:top">
<br>
<ul class="medium">
<li>Creating data types</li>
<li>Memory Map</li>
<li>Multi-user projects</li>
<li>Comparing programs</li>
<li>Version tracking</li>
</ul>
</td>
<td style="vertical-align:top">
<br>
<ul class="medium">
<li>Scripting Development</li>
<li>Running Ghidra in headless mode</li>
<li>Optional topics if time allows</li>
</ul>
</td>
</tr>
</table>
<div role="note">
<p>
<b><u>Notes:</u></b>
</p>
</div>
</section>
<section>
<header>Advanced Data Types<br>Creating Structures and Arrays</header>
<br>
<ul class="medium">
<li>Create data in Listing first, then make a structure or array from it</li>
<li>Create structure or array first then apply it</li>
<ul>
<li>Right mouse menu -> Data -> Create Array</li>
<li>Right mouse menu -> Data -> Create Structure</li>
<li>Data Type Manager -> Create Structure</li>
</ul>
<br>
<span style="font-size:30px"><span style="color:#FFFF00">NOTE:</span> If you edit a structure later, the edits take effect everywhere that structure has been applied.</span>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
<ul>
<li>There are two ways to create your own structures: from the Listing or from the Data Type Manager.</li>
<li><b>If creating a structure from the Listing:</b></li>
<ul>
<li>You can create data in the Listing before or after creating the structure</li>
<li>Make selection then choose Data->Create Structure</li>
<li>If you already had data created, the field types in the Structure Editor will be pre-populated; you only have to edit the field names</li>
<li>If you didn't have data created you need to fill in the field types and names in the editor</li>
</ul>
<li><b>If creating a structure from the Data Type Manager:</b></li>
<ul>
<li>In the <<i>program name</i>> folder, right click and choose New->Create Structure</li>
</ul>
<li><b>Creating your own Arrays</b></li>
<ul>
<li>You can create data in the Listing before or after creating the array. If you are creating an array from the Listing, make a selection, then choose Data -> Create Array</li>
</ul>
</ul>
</p>
</div>
</section>
<section>
<header>Exercise 1<br>Create and Apply Structure</header>
<br>
<ul class="small">
<li>Import and analyze docs\GhidraClass\ExerciseFiles\WinhelloCPP\winhelloCPP.exe</li>
<li>Go to address 0040e4a8 and make a label "topErrorNumber"</li>
<li>Go to address 0040e4ac and make a label "topPtrErrorMsg"</li>
<li>Create a structure that contains the following elements:</li>
<ul>
<li>Int - named errorNumber</li>
<li>Char * - named ptrErrorMsg</li>
</ul>
<li>Make a selection from 0040e4a8 to 0040e55f and clear the data that is there</li>
<li>Apply your structure to this selection with one apply action. This should make all the structures in the selection at once.</li>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
</p>
</div>
</section>
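<section>
<header>Added Example<br>Exercise 1 as a Ghidra Script</header>
<p>The Java GhidraScript below is an added example; it is not part of the original course materials or of Ghidra itself. It performs the steps of Exercise 1 programmatically: it creates the two labels, defines the {int, char *} structure against the program's own data type manager (so that int and pointer sizes follow the program's data organization), resolves it into the program so it appears in the Data Type Manager and can be edited later, clears the range, and applies the structure back to back across it, which is what a single Data -> Choose Data Type apply over a selection does in the GUI. The structure name ErrorEntry, the script name, and the check that the range is a whole number of entries are assumptions of this example; the addresses and field names come from the exercise.</p>

```java
// ApplyErrorEntryStruct.java (added example, not part of the GhidraClass materials)
// Runs Exercise 1 against winhelloCPP.exe: labels, structure definition, clear, apply.
//@category Examples

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.CategoryPath;
import ghidra.program.model.data.CharDataType;
import ghidra.program.model.data.DataType;
import ghidra.program.model.data.DataTypeConflictHandler;
import ghidra.program.model.data.DataTypeManager;
import ghidra.program.model.data.IntegerDataType;
import ghidra.program.model.data.PointerDataType;
import ghidra.program.model.data.StructureDataType;

public class ApplyErrorEntryStruct extends GhidraScript {

    // Range from the exercise, inclusive on both ends.
    private static final long RANGE_START = 0x0040e4a8L;
    private static final long RANGE_END = 0x0040e55fL;

    @Override
    public void run() throws Exception {
        Address start = toAddr(RANGE_START);
        Address end = toAddr(RANGE_END);

        // Step 1: the two labels the exercise asks for (second field sits 4 bytes in).
        createLabel(start, "topErrorNumber", true);
        createLabel(start.add(4), "topPtrErrorMsg", true);

        // Step 2: build the structure using the program's data type manager so the
        // int and pointer sizes follow this program's data organization, then
        // resolve it into the program. "ErrorEntry" is an assumed name.
        DataTypeManager dtm = currentProgram.getDataTypeManager();
        StructureDataType proto = new StructureDataType(CategoryPath.ROOT, "ErrorEntry", 0, dtm);
        proto.add(IntegerDataType.dataType, "errorNumber", null);
        proto.add(new PointerDataType(CharDataType.dataType, dtm), "ptrErrorMsg", null);
        DataType errorEntry = dtm.resolve(proto, DataTypeConflictHandler.DEFAULT_HANDLER);

        // Step 3: clear existing data, then lay the structure down repeatedly.
        // Refuse to start if the range is not a whole number of entries, so we
        // never leave a partial structure hanging past the end of the selection.
        clearListing(start, end);
        int entrySize = errorEntry.getLength();
        long rangeLength = end.subtract(start) + 1;
        if (rangeLength % entrySize != 0) {
            printerr("Range of " + rangeLength + " bytes is not a multiple of " + entrySize);
            return;
        }
        int count = 0;
        for (Address a = start; a.compareTo(end) < 0; a = a.add(entrySize)) {
            createData(a, errorEntry);
            count++;
        }
        println("Applied " + count + " ErrorEntry structures from " + start + " to " + end);
    }
}
```

<p>Drop the file into a script directory (for example the user script directory, <code>~/ghidra_scripts</code>) and run it from Window -> Script Manager with winhelloCPP.exe open; GhidraScript opens the transaction for you. The same script runs without the GUI via the Headless Analyzer, for example <code>analyzeHeadless &lt;project_dir&gt; &lt;project_name&gt; -import winhelloCPP.exe -postScript ApplyErrorEntryStruct.java</code>, where the project directory and name are placeholders.</p>
</section>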
<section>
<header>Advanced Data Types</header>
<ul>
<br>
<br>
<li>Creating Enums</li>
<li>Function Definitions</li>
</ul>
<div role="note">
<p>
<b><u>Notes</u></b>
<ul>
<li><b>Enums:</b></li>
<ul>
<li>Users can create their own Enums data types by choosing New->Enum... from the Data Type Manager right mouse menu.</li>
<li>Users can create Enum data types by selecting a group of Enums in the Data Type Manager and selecting Create Enum From Selection.</li>
</ul>
<br>
<li><b>Function Definitions:</b></li>
<ul>
<li>Users can create a function definition data type for a function signature they may want to apply again, for example to the same-named function in a new program. To do this, click on a function signature and choose Function->Create Function Definition from the Listing right mouse menu.</li>
<li>Users can create function definitions for their whole program by choosing Capture Function Data Types from the Data Type Manager right mouse menu.</li>
<li>In the new program, apply the captured signatures by right-clicking the appropriate folder in the Data Type Manager and choosing Apply Function Data Types</li>
</ul>
</ul>
</p>
</div>
</section>
<section>
<header>Advanced Data Types</header>
<ul>
<br><br>
<li>Shared Data Archives</li>
<li>Advanced Data Options</li>
<li>C parser</li>
</ul>
<div role="note">
<p>
<b><u>Notes</u></b>
<ul>
<li><b>Shared Data Archives:</b><br>
There are two types of Shared Data Archives called File archives and Project archives.</li>
<ul>
<li><b>File Archives:</b></li>
<ul>
<li>This archive is stored on the file system and accessible by anyone with access to the file system.</li>
<li>To create a File Archive, pull down on the black triangle in the Data Type manager and choose New File Archive.</li>
</ul>
<li><b>Project Archives:</b></li>
<ul>
<li>This archive is stored within a Ghidra project and is accessible by anyone with access to that project.</li>
</ul>
<li><b>Advanced Data Options:</b></li>
<ul>
<li>Users can change the settings on a single data item, or on all applied data of a particular type, using the Data->Settings or Data->Default Settings actions on the Listing right mouse menu.</li>
</ul>
<li><b>C parser:</b></li>
<ul>
<li>Users can create data types by parsing header files. To do this, use the File->Parse C Source action.</li>
<li>It is sometimes tricky to get the options setup correctly in this feature. Please contact the Ghidra team if you have troubles.</li>
</ul>
</ul>
</ul>
</p>
</div>
</section>
<section>
<header>Exercise 2<br>Create and Apply Enum</header>
<ul class="small">
<li>In winhelloCPP.exe</li>
<ul>
<li>1. Create a new Enum named MyEnum with values 0-3 and corresponding names Enum0, Enum1, Enum2, and Enum3. Find a scalar operand with one of these values and use the Set Equate action to apply one of your enum values to it. (NOTE: If you cannot find a scalar, use Search->Program Text to help you)</li>
<li>2. Create an ENUM named ExceptionNumbers out of the already defined _FPE_ enums, using the Create Enum from Selection feature. Edit the Enum and make it size 4. Apply the ExceptionNumbers Enum to the appropriate variable in the __XcptFilter function in both the Listing and the decompiler. </li>
</ul>
</ul>
<div role="note">
<p>
<u><b>Notes:</b></u>
</p>
</div>
</section>
<section>
<header>Memory Map</header>
<ul class="medium">
<li>The Memory Map</li>
<ul>
<li>Allows users to add, delete, move, split, merge, or expand memory blocks in their program.</li>
</ul>
<li>Program Differences</li>
<ul>
<li>Users can find differences between two programs</li>
<li>Users can apply differences from one program to another</li>
<li>Users can customize how their differences are applied</li>
</ul>
</ul>
<div role="note">
<p>
<u><b>Notes:</b></u>
<ul>
<li>To open the Program Differences Tool, go to Tools->Program Differences and choose a program to compare against the program currently open in the Code Browser.</li>
<br>
<li>Next, choose which kinds of program differences you want to see: bytes, bookmarks, labels, comments, etc.</li>
<br>
<li>Notice that the program you are comparing against shows up to the right of the current program. Extra icons are added to the tool that let you navigate to the next difference, view what is different about a particular item, apply differences, or ignore differences.</li>
<br>
<li>You can decide how differences are applied for each kind of item. Most let you ignore, replace, or merge the difference.</li>
<br>
<li>If you want to select all differences, choose Select All Differences from the right mouse menu.</li>
<br>
<li><b>Exercise:</b></li>
<ul>
<li>Import winhelloCPP.exe again and call it winhelloCPP2.exe</li>
<li>Pick a different set of analyzers when you auto-analyze it.</li>
<li>Use the Program Differences Tool to view and apply some of the differences between the two programs.</li>
</ul>
</ul>
</p>
</div>
</section>
<section>
<header>Shared Project</header>
<ul class="small">
<li>Setup server</li>
<ul>
<li>Edit the server.conf file to choose how users will authenticate and to set other options</li>
<li>Install service</li>
<li>Start service</li>
<li>Add users to the server</li>
</ul>
<li>Setup project</li>
<ul>
<li>Create new shared project</li>
<li>Add users to project (subgroup of server users)</li>
<li>Import and initial analysis of binaries</li>
<li>Add to version control so others can get access to it</li>
<li>Others do a check out to get access</li>
</ul>
<li>Shared Project actions</li>
<ul>
<li>Changes should be checked in so others can see them</li>
<li>Others do an update to see the changes</li>
<li>Conflicts get merged one at a time </li>
</ul>
</ul>
<div role="note">
<p>
<u><b>Notes</b></u>
<ul>
<li>Ghidra's Shared Project mode lets several users collaborate on understanding and marking up the same binary.</li>
<li><b>Server Setup:</b></li>
<ul>
<li>Done once by whoever will administer the server</li>
<li>Users can set up Ghidra servers anywhere there is shared access amongst the users they want to share with</li>
<li>Go to C:\ghidra_<version>\server\svrREADME.html file for server setup instructions</li>
<li>Edit the server.conf file to setup server per the readme file</li>
<li>Install the server using svrInstall</li>
<li>Once the server is up and running, add the users who are allowed to connect to it (and so to create or join shared projects) with the \server\svrAdmin -add <user> command in a cmd window. Project membership is a further, per-repository restriction drawn from this set of server users.</li>
</ul>
<li><b>Shared Projects:</b></li>
<ul>
<li><b>Person Starting a New Project</b></li>
<ul>
<li>Create a new Ghidra Project using File->New Project and choose "Shared Project" and do the following in New Project Wizard:</li>
<ul>
<li>Type in server name or IP and use default port in most cases</li>
<li>Authenticate with method chosen in server.conf file -- server administrator should communicate this. </li>
<li>Create a new Repository</li>
<li>Give subgroup of people access to your project. You can give them admin, read/write, or read-only access.</li>
<li>Choose storage location for your local version of project</li>
</ul>
</ul>
<li><b>Others joining project</b></li>
<ul>
<li>Create a new Ghidra Project using File->New Project and choose "Shared Project" and do the following in New Project Wizard:</li>
<ul>
<li>Type in server name or IP and use default port in most cases</li>
<li>Authenticate with method chosen in server.conf file -- server administrator or project owner should communicate this. </li>
<li>Join existing Repository</li>
<li>Choose storage location for your local version of project</li>
</ul>
</ul>
</ul>
</ul>
</p>
</div>
</section>
<section>
<header>Checksum Tool</header>
<ul>
<br>
<li>The Checksum Tool allows users to generate a variety of checksums on either the whole program or a selection.</li>
<li>Results are shown in various formats.</li>
<ul>
<li>Decimal</li>
<li>Hex</li>
<li>1's Complement</li>
<li>2's Complement</li>
</ul>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
<br>
To open the Checksum Tool, go to Tools->Generate Checksum.
</p>
</div>
</section>
<section>
<header>Version Tracking</header>
<ul>
<br><br>
<li>Version Tracking is the process of identifying matching functions or data in a new version of a binary.</li>
<li>See VersionTracking.html or VersionTracking_withNotes.html to follow along with the Version Tracking instruction.</li>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
<br>
The VersionTracking.ppt slides are located in your <b>ghidra_<version>\docs\GhidraClass\Intermediate</b> directory.
</p>
</div>
</section>
<section>
<header>Scripting</header>
<ul>
<br><br>
<li>Ghidra allows users to extend its functionality. One way to do this is to develop scripts</li>
<li>See Scripting.html to follow along with the Scripting instruction</li>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
<br>
The Scripting slides are located in your <b>ghidra_<version>\docs\GhidraClass\Intermediate</b> directory.
</p>
</div>
</section>
<section>
<header>Headless Analyzer</header>
<ul>
<br><br>
<li>Analysis and all non-GUI Ghidra scripts can be run without running the Ghidra tool</li>
<li>See HeadlessAnalyzer.html or HeadlessAnalyzer_withNotes.html to follow along with the Headless Analyzer instruction</li>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
<br>
The HeadlessAnalyzer slides are located in your <b>ghidra_<version>\docs\GhidraClass\Intermediate</b> directory.
</p>
</div>
</section>
<section>
<header>Course Summary</header>
<br>
<ul class="medium">
<li>You now should be able to:</li>
<ul>
<li>Use the more advanced Ghidra features including intermediate code analysis and decompiler, advanced data types and program tree, memory map, multi-user projects, comparing programs, and version tracking</li>
<li>Set up the Ghidra development environment</li>
<li>Write basic Ghidra scripts</li>
<li>Run Ghidra in headless mode</li>
</ul>
</ul>
<div role="note">
<p>
<b><u>Notes:</u></b>
</p>
</div>
</section>
<!-- COPY THE TEXT BELOW TO START A NEW SLIDE
<section>
<header>Insert Title of Slide Here</header>
<ul class="small" comment="NOTE: remove the class attribute for regular size, adjust the name if you want big, small, or tiny">
<li>Bullet text here</li>
<ul>
<li>Nested bullet here</li>
</ul>
</ul>
<div role="note">
<p>Insert notes here</p>
<p>And here, too</p>
</div>
</section>
END COPY -->
<!-- Your Style -->
<!-- Define the style of your presentation -->
<!-- Maybe a font from http://www.google.com/webfonts ? -->