Reverse Engineering: Ghidra

Ghidra made headlines lately when the NSA open-sourced the reverse-engineering framework. It supports Windows, macOS, and Linux. Its feature set includes disassembly, assembly, decompilation, graphing, and scripting.

Ghidra is a Software Reverse Engineering (SRE) framework. It helps analyze malicious code and malware-like viruses and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.

In addition, it supports an array of process instruction sets and executable formats that can run in either interactive or automated modes. What's more, the program is customizable by writing plugins or scripts using Python or Java. It can be run in both user-interface or command line mode, while Its GUI is designed for fewer expert users and features assembler, disassembler, decompiler, and other features including processor instruction sets and executable formats.

When decompiling a code, if you select a portion of the assembly, it automatically highlights in the decompiler window the decompiled code, providing a good way of understanding how high-level code matches the disassembled code.

In order to run, it requires Java along with Java SE Development Kit 11 or above to be installed. Follow the installation guide on Ghidra,

Features of Ghidra

Context Help

Ghidra comes with a contextual menu, by hovering over most interface elements and pressing F1, a pop-up window with the help menu appears providing the user with more information.

Organize project sections

Ghidra can organize your project sections of disassembly code in various ways, just by hitting right-click on the folder of your project, selecting “Modularize By” and choose between “Subroutine”, “Complexity Depth” or “Dominance”.

The next window under “Program Trees” is “Symbol Tree” which enables viewing import, export, functions, labels, classes, and namespaces of a binary file

Listing Window

“Listing” window. Here you can see the reverse-engineered code. 

Users can configure the listing fields by clicking on the icon “Edit the listing fields” in the top right corner and then the “Instruction/Data” tab. 

Any element of the listing interface may be changed, relocated, disabled, or removed.

Loading an Executable

Supports the drag and drop function, a file can be loaded by dropping it into the projected window of Ghidra, launching a dialogue box where a format is selected, the destination folder, and the name of the program.

Import results summary information appears once the file is imported. If the file is not analyzed, a list of Analyzers will appear in order for the user to enable various analyzers depending on the format of the file.

Modifying Display Elements

By using CodeBrowser for reviewing the target file, Ghidra offers customizable display elements (which can help to enhance readability for the user) and various options that can be accessed by clicking edit on the top menu and then selecting tool options.

Suggested environment changes

  • Listing Display:  Can increase the font size and enable bold formatting for easier reading.
  • Listing Fields – Bytes Field: Change “Maximum Lines to Display” to 1 to simplify spacing between lines of assembly code.
  • Listing Fields – Cursor Text Highlight: “Mouse Button to Activate”, change to the left.
  • It will highlight all instances of the selected text when the left mouse button is clicked — similarly to other disassemblers.
  • Listing Fields – EOL Comments Field: Check “Show Semicolon at Start of Each Line” to better separate the assembly text from inserted comments
  • Listing Fields – Operands Field: Check “Add Space After Separator” for improved text readability

View Decompiler Output

Ghidra comes with a built-in decompiler output. It can display the high-level language of the assembly code.

By highlighting one of the operators in the high-level language decompiler window, it highlights the relevant assembly providing the user with a good idea of how and which groups of the assembler instructions match the high-level instructions.


Ghidra includes support for writing Java and Python (via Jython) scripts to automate analysis. To view built-in scripts, go to Windows – Script Manager. A user can add their own script by choosing the “create a new script” option in the script manager window top header menu. It supports scripting with Java and Python.

Investigate a String Reference

Ghidra gives a review of the strings embedded within a target file. To navigate, click on Window–Defined Strings. Clicking on the row associated with a string populates the Listing window with the data on the intended address.
To identify references to a string, the user should right-click in the blue area in the listing window – References – Show References to Address:

Shows how many references are to a particular string.

You might also be interested in, 

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment