New blog post! 🚀 Learn how to leverage a Ghidra AI assisted workflow by integrating local LLMs using GhidraMCP, Ollama, and OpenWebUI.
Read more here:
Write | Code | Learn | Repeat | #InfoSec mostly...
New #ghidriff release! v0.9.0
- Set custom analysis options
- Set custom base address (bootloaders, etc)
https://github.com/clearbluejar/ghidriff/releases/tag/v0.9.0
Recon CFP ends in less than 2 weeks on April 28. Prices for the training and conference increase on May 1st. Register now to save with early bird price. We have already announced a few talks and workshops, and more videos from last year have been released. https://recon.cx #reverseengineering #cybersecurity #offensivesecurity #hardwarehacking @hackingump1 @mr_phrazer @nicolodev @SinSinology @hunterbr72 @clearbluejar @phLaul @oryair1999 @hookgab @TheQueenofELF @So11Deo6loria @i0n1c @pedrib1337 @MalachiJonesPhD @Pat_Ventuzelo @KB_Intel @pinkflawd @Reverse_Tactics @OnlyTheDuck @t0nvi @drch40s @BrunoPujos @mhoste1 @andreyknvl @texplained_RE @jsmnsr @pulsoid @SpecterDev @richinseattle @yarden_shafir @aionescu @hackerschoice @SinSinology @sergeybratus @SpecterOps @oryair1999 @phLaul @trailofbits @HexRaysSA @nostarch
Wrapped up an incredible time teaching #PatchDiffingInTheDark in Austin, TX with @_ringzer0! The city didn’t disappoint—amazing food, friendly people, and my first autonomous vehicle ride!🤖 🚗✨ #waymo
#EverydayGhidra virtual course with @_ringzer0 just wrapped up! 😅 Huge shoutout to my stellar students 🤓 who crushed a jam-packed CTF. Next stop: Austin, TX for my in-person #PatchDiffingInTheDark course next week. See you at #Bootstrap25 Conference next weekend! 🤠🎯
"Running #Ghidra on the same platform as the binaries you’re analyzing isn’t just convenient — it’s strategic."
https://medium.com/@clearbluejar/everyday-ghidra-how-platform-choice-influences-ghidras-binary-analysis-76c40db0e407
One more this week!
#CVE-2025-21418 2025-Feb Windows Ancillary Function Driver for WinSock 7.8 EoP Heap-based Buffer Overflow
This time in AfdAccept... 🧐
https://gist.github.com/clearbluejar/9c33282f3c579cbc00fa80791a0cb77e
Side by side: https://diffpreview.github.io/?9c33282f3c579cbc00fa80791a0cb77e 👀
Just released #ghidriff v0.8.0 - Ghidra 11.3 Support + PyGhidra 🔥👀
This release uses the latest PyGhidra now officially supported by Ghidra 🤓💪
https://github.com/clearbluejar/ghidriff/releases/tag/v0.8.0
🔋 included!
The new check previously checked for a null value, but now the free will only be called if the buffer was used based on the result of the RndisDevHostSetBuffers API 🤓
A new check was introduced to protect a call to a function that eventually calls free...
An ideal diff... only one function changed!
CVE-2024-43625 - 2024-Nov - Microsoft Windows VMSwitch Elevation of Privilege - Use After Free - CVSS 8.1
#ghidriff vmswitch diff
https://gist.github.com/clearbluejar/b5c12615270a54d031dc13a7d07988c9
👀🔥
Side-by-side view: https://diffpreview.github.io/?b5c12615270a54d031dc13a7d07988c9 🧐
A patch diffing 🧵...
CVE-2025-21325 - 2025-Jan - ARM64 - Windows Secure Kernel Mode Elevation of Privilege
#ghidriff full diff 👀 https://gist.github.com/clearbluejar/318abe5d072eef55b9ea7c23a591726e
Incorrect permission assignment? 🧐 https://gist.github.com/clearbluejar/318abe5d072eef55b9ea7c23a591726e#skmicommitpte-diff
Hey! Just posted an update on the pull request. https://github.com/clearbluejar/ghidriff/pull/107
POC for CVE-2025-21298 (Windows OLE RCE CVSS 9.8): https://github.com/ynwarcs/CVE-2025-21298
I'll publish some details about the PoC later, but the vulnerability is pretty boring, a double-free (UAF more generally) with a narrow window of time between the two operations so you'd need a miracle to exploit it.
Exciting! My talk recording just dropped from #OBTS v7! 🗣️✨ Learn how to patch diff on Apple with #Ghidra, #ghidriff, and #ipsw: "Patch Different on *OS": https://www.youtube.com/watch?v=Ellb76t7nrc
Slides set, bags packed—heading to my first #OBTS! Let's gooo! 🌴💻📱
In an ideal world for reverse engineering, every function would have a name, and every variable would be correctly typed. Take a step towards that world, learn to build your own custom Ghidra Data Types in my latest post: https://medium.com/@clearbluejar/everyday-ghidra-ghidra-data-types-creating-custom-gdts-from-windows-headers-part-2-39b8121e1d82