🔧 Lab 1

Getting to Know the Tools

Installation and first steps with RE tools

🎯 Lab Objectives

📥 Part 1: Tool Installation

Task 1.1 - Install Ghidra
  1. Make sure Java JDK 17+ is installed: 
    java -version
  2. Download Ghidra from: https://ghidra-sre.org/
  3. Extract the file to a folder (e.g., C:\Tools\Ghidra)
  4. Run ghidraRun.bat
  5. Create a new Project: File → New Project → Non-Shared Project
Task 1.2 - Install x64dbg
  1. Download from: https://x64dbg.com/
  2. Extract the file
  3. Run x96dbg.exe (will automatically choose 32/64-bit)
  4. Or run directly x32dbg.exe / x64dbg.exe
Task 1.3 - Install Helper Tools
  1. PE-bear: https://github.com/hasherezade/pe-bear
  2. Detect It Easy (DIE): https://github.com/horsicq/Detect-It-Easy
  3. HxD (Hex Editor): https://mh-nexus.de/en/hxd/

🔬 Part 2: First Analysis with Ghidra

We'll use calc.exe or notepad.exe as a safe example.

Task 2.1 - Open a File in Ghidra
  1. File → Import File
  2. Navigate to C:\Windows\System32\calc.exe
  3. Click OK on the default settings
  4. When asked about Analysis, click Yes
  5. Wait for the Analysis to finish (check status bar)
Task 2.2 - Explore the Interface
  • Find the Symbol Tree window - open Imports
  • Find the Functions window - how many functions are there?
  • Find the entry (entry point)
  • Click on any function - see the code in the Listing window
  • See the Decompiler on the side (C code)
Task 2.3 - Search for Strings
  1. Search → For Strings
  2. Check all String types
  3. Click Search
  4. Browse the list - what's interesting?
  5. Double-click on a string to jump to it in the code
Task 2.4 - Check Imports

Open Symbol Tree → Imports and find:

  • Which DLLs does the program import from?
  • Are there file functions? (CreateFile, ReadFile...)
  • Are there network functions? (socket, connect...)
  • Are there Registry functions?

🐛 Part 3: First Steps with x64dbg

Task 3.1 - Open a Program for Debugging
  1. Open x64dbg (or x32dbg for 32-bit)
  2. File → Open
  3. Select C:\Windows\System32\notepad.exe
  4. The program will stop at the Entry Point
Task 3.2 - Get Familiar with the Interface
  • Identify the CPU window (Assembly code)
  • Identify the Registers window
  • Identify the Stack window
  • Identify the Dump window (memory)
Task 3.3 - Try the Shortcuts
  1. Press F8 (Step Over) several times - see EIP advancing
  2. Press F7 (Step Into) - enters a function
  3. Press F2 on a line - set Breakpoint
  4. Press F9 - run until the BP
  5. Press Ctrl+G - jump to address
Task 3.4 - Check Registers

In the Registers window:

  • What is the value of EIP/RIP?
  • What is the value of ESP/RSP?
  • Press F8 and watch EIP change
  • Double-click on EAX and change its value

📦 Part 4: PE Analysis with PE-bear

Task 4.1 - Check PE Structure
  1. Open PE-bear
  2. Drag an EXE file into it
  3. Check the Headers:
  • Find the DOS Header (starts with MZ)
  • Find the PE Signature
  • What is the Entry Point?
  • What is the ImageBase?
  • How many Sections are there?
Task 4.2 - Check Sections
  • Identify the .text section
  • What are its permissions? (R/W/X)
  • Identify the .data section
  • Are there suspicious sections? (strange names, RWX permissions)

✅ Completion Checklist

At the end of this lab, make sure you know how to:
  • Open a file in Ghidra and navigate it
  • Search for Strings and Imports
  • Open a program in x64dbg
  • Use F7, F8, F9, F2
  • Identify PE parts in PE-bear
← Chapter 10: Debugging Lab 2: Reading Assembly →