Ghidra (pronounced GEE-druh), an open-source software reverse engineering toolkit created and maintained by the National Security Agency (NSA), has just been updated to 11.0.1. First released to the public in 2019, the toolkit aims to help cybersecurity professionals with reverse engineering and debugging. Formerly classified, it’s become a popular toolkit for malware analysts as it can help find function mappings within widely distributed malware.
What is the Ghidra Reverse Engineering Toolkit?
Ghidra is built for reverse engineering and file disassembly and is used by cybersecurity professionals and those looking to develop new technical skills in malware analysis. It will support Windows, Linux, and macOS operating systems as a dissembler. Ghidra is written in Java using the Swing framework for the graphical user interface and C++ for the decompiler (the ‘headless’ environment).
Some intended use cases for Ghidra are comparing compiler code, understanding function graphs, and supporting loading multiple binaries simultaneously into a project.
Understanding Ghidra Function Graphs
One of the other benefits of using Ghidra and exploring how malware is created is understanding malicious hackers’ intentions. Ghidra function graphs help visualize the logic and structure of functions and connections between different instructions and code blocks.
For this reason, Function Graphs are one of the most popular and fun use cases of Ghidra.
Ghidra Function Graphs provides visualization and understanding of:
- Nodes: Represent individual instructions or blocks of instructions.
- Edges: Show the execution flow between nodes, indicating jumps, branches, and calls.
- Attributes: Additional information about nodes, like instruction mnemonics, operands, and data types, can be displayed for deeper understanding.
- Code Visualization: They offer a more intuitive way to grasp the function’s flow compared to reading linear lines of assembly code.
- Analysis and Navigation: Navigating complex functions with loops, branches, and calls becomes easier by following the visual pathways.
- Identifying Key Points: They help pinpoint entry points, loops, exits, and potential vulnerabilities by highlighting specific elements.
Multiple complimentary open-source extensions for Ghidra exist to make function graphs more robust. A few quick links to reference are the Ghidra Wide Graph Layout extension (GitHub link), and CERT Kaiju, built upon Ghidra to provide Path Analyzer and API Analyzer visualizations.
If you’re familiar with IDA-Pro, you can quickly get up to speed with these helpful tips from SANS Institute.
How to learn the Ghidra Toolkit
For those new to tools like Ghidra, you will benefit from reading O’Reilly’s book on the tool and exploring the official NSA GitHub open-source repository. Ghidra should always be run within a virtual machine sandbox environment, never natively on the host operating system.
You can also check out the excellent introductory video by renown cybersecurity enthusiast John Hammond.
You can also watch an extensive walkthrough of Ghidra components from plugins, scripts and extensions by Mike J. Bell. The recording is from the Security Summit held in 2019, but still provides valuable knowledge of the toolkit. And Mike would know: he was part of the actual Ghidra development team from 2007-2015.
Mike J. Bell presenting on Ghidra components at the Security Summit held in Laurel, Maryland in 2019. Mike discusses Ghidra Function Graphs, plugins, scripts, and more. (source: The Cyberwire)
The importance of access to powerful tools like Ghidra for reverse engineering analysis can’t be overemphasized. At its original release, the go-to best alternative was IDA Pro, which cost $13,000. While it’s a mature solution with many open-source tools built around it, IDA Pro remains out of reach of the average cybersecurity professional or those looking to explore malware reverse engineering.
Download Ghidra 11.0.1
If you’re interested in experimenting with Ghidra, read the official 11.0.1 release notes and visit the Ghidra GitHub repository.
