Ghidra made headlines in March 2019 when the NSA open-sourced the
reverse-engineering framework. It runs on Windows, macOS, and Linux, and its
feature set includes disassembly, assembly, decompilation, graphing, and
scripting.
Ghidra is a Software Reverse Engineering (SRE) framework. It helps analyze
malicious code such as malware and viruses, and gives security professionals
a better understanding of potential vulnerabilities in their networks and
systems.
In addition, it supports a wide array of processor instruction sets and
executable formats, and it can run in either interactive or automated
(headless) mode. The program is extensible through plugins and scripts
written in Java or Python (via Jython). It can be used from its graphical
interface (the CodeBrowser) or from the command line via the analyzeHeadless
script in the support directory. The GUI is the more approachable of the two
and exposes the assembler, disassembler, decompiler, and the rest of the
tooling, including the supported processor instruction sets and executable
formats.
When viewing decompiled code, selecting a portion of the assembly
automatically highlights the corresponding decompiled code in the Decompiler
window, which is a good way of seeing how the high-level code maps to the
disassembly.
Features of Ghidra
Context Help
Ghidra has context-sensitive help: hover over most interface elements and
press F1, and a pop-up window opens with the relevant help page.
Organize project sections
Ghidra can organize the disassembled code of a program in several ways:
right-click the program's folder in the Program Trees window, select
“Modularize By” and choose between “Subroutine”, “Complexity Depth” and
“Dominance”.
The next window after “Program Trees” is the “Symbol Tree”, which shows the
imports, exports, functions, labels, classes, and namespaces of the binary.
Listing Window
The “Listing” window is where the disassembled code is shown.
Users can configure the listing fields by clicking the “Edit the listing
fields” icon in the top right corner and then the “Instruction/Data” tab.
Any element of the listing interface may be changed, relocated, disabled, or
removed.
Loading an Executable
Ghidra supports drag and drop: a file can be loaded by dropping it onto the
project window, which opens a dialog where the format, the destination
folder, and the name of the program are selected.
A summary of the import results appears once the file is imported. If the
file has not been analyzed yet, opening it in the CodeBrowser prompts with a
list of analyzers, which the user can enable depending on the file format.
Modifying Display Elements
When reviewing the target file in the CodeBrowser, Ghidra offers
customizable display elements that can improve readability. The relevant
options are reached from the top menu via Edit – Tool Options.
Suggested environment changes
- Listing Display: increase the font size and enable bold formatting for
easier reading.
- Listing Fields – Bytes Field: change “Maximum Lines to Display” to 1 to
simplify the spacing between lines of assembly code.
- Listing Fields – Cursor Text Highlight: change “Mouse Button to Activate”
to the left button. All instances of the selected text are then highlighted
on a left click, as in other disassemblers.
- Listing Fields – EOL Comments Field: check “Show Semicolon at Start of
Each Line” to better separate the assembly text from inserted comments.
- Listing Fields – Operands Field: check “Add Space After Separator” for
improved readability.
View Decompiler Output
Ghidra has a built-in decompiler, which displays a high-level, C-like
representation of the assembly code.
Highlighting an operator in the Decompiler window highlights the relevant
assembly, giving the user a good idea of which groups of assembler
instructions correspond to each high-level statement.
Scripting
Ghidra includes support for writing Java and Python (via Jython) scripts to
automate analysis. To view the built-in scripts, go to Window – Script
Manager. A user can add their own script with the “Create New Script” option
in the Script Manager's toolbar.
Investigate a String Reference
Ghidra lists the strings embedded in the target file under Window – Defined
Strings. Clicking the row of a string navigates the Listing window to that
string's address.
To identify references to a string, right-click the string's label (shown in
blue) in the Listing window and choose References – Show References to
Address. The resulting table lists every reference to the string, so it also
shows how many there are.
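The same string-reference lookup can be scripted, which is useful when a binary has hundreds of strings and you want the whole cross-reference map at once. The following GhidraScript is an added example, not code from the original post or from the Ghidra project; the script name FindStringRefs, the 60-character truncation and the output format are choices made for this example. It walks every defined string in the current program (the list behind Window – Defined Strings) and prints the references to each, with the enclosing function (the list behind Show References to Address), so it ties the Scripting section above to the string-reference procedure just described.

```java
// FindStringRefs.java - added example, not part of Ghidra or the original post.
// Scripted equivalent of: Window - Defined Strings, then for each string
// References - Show References to Address. Place it in a script directory
// known to the Script Manager (or pass -scriptPath to analyzeHeadless).
//@category Examples

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.DataIterator;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;

public class FindStringRefs extends GhidraScript {

    @Override
    public void run() throws Exception {
        int strings = 0;
        int unreferenced = 0;

        // getDefinedData(true) iterates every defined data item in address order.
        DataIterator it = currentProgram.getListing().getDefinedData(true);
        while (it.hasNext() && !monitor.isCancelled()) {
            Data d = it.next();
            if (!d.hasStringValue()) {
                continue; // skip non-string data (integers, structs, pointers)
            }
            strings++;
            Address addr = d.getMinAddress();
            String value = String.valueOf(d.getValue());
            // Truncation length (60) is an arbitrary choice to keep the console readable.
            if (value.length() > 60) {
                value = value.substring(0, 57) + "...";
            }

            // Same reference list the GUI shows under "Show References to Address".
            Reference[] refs = getReferencesTo(addr);
            if (refs.length == 0) {
                unreferenced++;
                continue;
            }
            println(addr + "  \"" + value + "\"  (" + refs.length + " refs)");
            for (Reference r : refs) {
                Address from = r.getFromAddress();
                // Resolve the referencing address to its function, if it is inside one.
                Function f = getFunctionContaining(from);
                String where = (f == null) ? "<no function>" : f.getName();
                println("    " + from + "  " + r.getReferenceType() + "  in " + where);
            }
        }
        println(strings + " defined strings, " + unreferenced + " with no references");
    }
}
```

Run it from the Script Manager against an analyzed program, or without the GUI with the headless analyzer, for example `support/analyzeHeadless <project_dir> <project_name> -import <binary> -postScript FindStringRefs.java -scriptPath <dir containing the script>` (placeholders in angle brackets are yours to fill in). Strings reported with no references are worth a second look: they are often reached through computed addresses or pointer tables the auto-analysis did not resolve, and finding their consumers manually is a common next step.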
We hope this helps. If you have any suggestions or doubts, you can add a
comment and we will reply as soon as possible.