Getting started with the Ghidra reverse engineering framework
Reverse engineering malware allows threat hunters to understand what a sample does and how it affects a system. The indicators recovered that way (strings, imported functions, persistence mechanisms) can then be used to detect the malware elsewhere and stop it from causing further damage.
There are several reverse engineering frameworks for malware analysts to choose from. One option is Ghidra, which was originally developed for internal use by the National Security Agency (NSA) and officially released in 2019.
Malware analyst and author A.P. David wrote Ghidra Software Reverse Engineering for Beginners because he felt that no available book offered a deep dive into the open source reverse-engineering tool.
“All relevant reverse engineering frameworks have at least one book to teach them. At the time of writing my book, there was no book explaining Ghidra with the depth it deserves,” David said. “I found it necessary to explain the framework in an organized and beginner-friendly way, while covering the entire framework and advanced reverse engineering techniques.”
Here, David explains what new and experienced malware analysts will learn from the book, what to expect from Ghidra, how the tool’s complexity looks to newcomers and to seasoned security researchers, and whether to use the framework on its own or in combination with others.
Editor’s Note: The following interview has been edited for clarity and length.
What do you want readers to take away from your book on reverse engineering Ghidra?
A.P. David: Readers should be able to reverse engineer programs, that is, malware samples, using Ghidra. Even if readers are unfamiliar with assembly language, they should be able to reverse engineer programs by reading their decompiled versions. In the case of Ghidra, the decompiled version of the program is high-level pseudo-C code. Readers should also be able to use and write their own Ghidra scripts in Java and Python, and automate them. To reverse engineer programs effectively, it is necessary to automate repetitive and time-consuming tasks.
In the book, I wanted to explain Ghidra’s reverse engineering framework in depth. It is extremely useful for beginners to understand how a reverse engineering framework works and how the tool can take and display information from a given program.
Since the Ghidra reverse engineering framework is open source, users can modify it and add functionality as needed through plugins and extensions. Readers can also submit custom code and suggestions to the NSA repository for possible inclusion in the next release.
Finally, I wanted to engage readers. I’ve included real-life examples, discussed Windows structures, and covered common malware tips. This gives readers a better knowledge of reverse engineering, while learning about the Ghidra framework.
Who will benefit most from reading this book?
David: People who have no knowledge of Ghidra will get the most out of it. I have tried to cover the whole framework using simple language to make it easy to understand. I have noticed from reviews and general comments that advanced reverse engineers also find the book useful, especially when it comes to compiling Ghidra, using P-code [also written as PCode: Ghidra’s intermediate representation, into which the instructions of every supported processor are translated, so analysis and scripts written against it work across architectures] for scripts, and more.
When did you start using Ghidra? What prompted you to use it over other existing frameworks?
David: I started using Ghidra as soon as it was released. I also started collaborating and reporting security bugs. I like that Ghidra’s reverse-engineering framework is open source and well documented. I enjoyed exploring the source code and being able to debug it. The PCode is awesome because you can support all architectures by writing a script once. This gives users an incredible advantage – for example, to efficiently perform an IoT malware scan where you typically find malware compiled for different types of architectures.
Extending the Ghidra framework by writing new tools, plugins and scripts is neat and makes it powerful. Some of the coolest things about Ghidra are its collaboration feature, version tracking, and huge arsenal of pre-existing scripts that are ready to use and tweak as needed.
The NSA released the debugger for Ghidra later, but also included the PCode emulator. This allows users to write advanced reverse engineering tools. It was a big surprise.
How long would it take a novice and advanced malware analyst to start using Ghidra?
David: Readers of all skill levels should be able to start using Ghidra after a few hours. Newbies will take longer to really understand the scope of reverse engineering, of course. But, for anyone with basic knowledge of the C programming language, Ghidra’s decompiled view will be useful and they can start scanning for malware.
Ghidra is probably the best framework for beginners to learn. It has a GUI mode, but also a non-GUI mode, which is easy to use and perfect for a beginner. Since Ghidra is open source, beginners will be able to understand the tool better than if they were using a proprietary reverse-engineering framework.
An advanced malware analyst should be able to intuitively use Ghidra or any GUI based framework, as the GUI is similar to existing frameworks.
How does Ghidra compare to other reverse engineering frameworks available, such as Interactive Disassembler (IDA) and Radare2?
David: Radare2 is amazing – it’s blazingly fast, has a console mode, and if you enter the ‘V’ command you get a visual console mode (switch between views using the ‘P’ key).
But I can’t compare Ghidra to Radare2 because the two frameworks are fundamentally different. I recommend that security researchers use them in combination. Ghidra can work with just about any reverse engineering framework because it is extensible.
IDA and Ghidra are similar, but I recommend Ghidra unless IDA supports a specific processor or something else that Ghidra does not support. I like Ghidra more because it has P-code, which allows you to script once and support all architectures, and which has more granularity than assembly language.
Ghidra has two modes which users can take advantage of. Headless mode takes automation to another level. This is useful for processing multiple files; for example, you can apply automated de-obfuscation to hundreds of files. GUI mode allows you to deeply analyze files with colorful graphics and comments on snippets etc. I use both modes, depending on the task.
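The two points David makes above, scripting against P-code so that one script covers every architecture (also raised in the Radare2/IDA comparison and in his answer on what readers take away from the book) and running that script from headless mode over many files, can be shown in one Ghidra script. The following is an added example written for this page, not code from David’s book or from the Ghidra project; the script name FindCallersViaPcode and the sample target name CreateRemoteThread are the author’s own choices. It lists every function in the loaded program that calls a named target by inspecting the CALL P-code op each instruction translates to, so it needs no knowledge of x86, ARM or MIPS call mnemonics, and it reports how many indirect calls (CALLIND) P-code alone cannot name.

```java
// FindCallersViaPcode.java  (added example; not part of the book or of Ghidra itself)
// Lists every function that calls a given target (e.g. an import) by walking the
// P-code of each instruction instead of matching architecture-specific call
// mnemonics, so the same script works on x86, ARM, MIPS, and so on.
//
// GUI:      run from the Script Manager; it prompts for the target name.
// Headless: analyzeHeadless <proj_dir> <proj_name> -import <binary>
//               -scriptPath <dir_with_this_file>
//               -postScript FindCallersViaPcode.java <target_name>
// @category Examples

import java.util.ArrayList;
import java.util.List;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.listing.InstructionIterator;
import ghidra.program.model.listing.Listing;
import ghidra.program.model.pcode.PcodeOp;

public class FindCallersViaPcode extends GhidraScript {

    @Override
    public void run() throws Exception {
        // Headless runs pass the target on the -postScript line; the GUI has no
        // script args, so fall back to a prompt there.
        String[] args = getScriptArgs();
        String target = (args.length > 0) ? args[0]
                : askString("Target", "Name of the called function (e.g. CreateRemoteThread)");

        FunctionManager fm = currentProgram.getFunctionManager();
        Listing listing = currentProgram.getListing();
        List<String> hits = new ArrayList<>();
        int unresolvedIndirect = 0;

        for (Function f : fm.getFunctions(true)) {
            if (f.isExternal() || f.isThunk()) {
                continue; // only the program's own code is of interest
            }
            InstructionIterator it = listing.getInstructions(f.getBody(), true);
            while (it.hasNext() && !monitor.isCancelled()) {
                Instruction ins = it.next();
                // getPcode() returns the architecture-neutral ops for this instruction.
                for (PcodeOp op : ins.getPcode()) {
                    switch (op.getOpcode()) {
                        case PcodeOp.CALL: {
                            // Input 0 of a CALL is the constant destination address.
                            Address dest = op.getInput(0).getAddress();
                            Function callee = fm.getFunctionAt(dest);
                            if (callee != null && callee.isThunk()) {
                                // PLT/IAT stubs are thunks; follow them to the external symbol.
                                callee = callee.getThunkedFunction(true);
                            }
                            if (callee != null && callee.getName().equals(target)) {
                                hits.add(f.getName() + " @ " + ins.getAddress());
                            }
                            break;
                        }
                        case PcodeOp.CALLIND:
                            // Destination lives in a register or memory cell and is only
                            // known at run time; raw P-code cannot name it, so count it
                            // and let the analyst look at those sites separately.
                            unresolvedIndirect++;
                            break;
                        default:
                            break;
                    }
                }
            }
        }

        println("Callers of " + target + ": " + hits.size());
        for (String h : hits) {
            println("  " + h);
        }
        println("Indirect calls not resolvable from P-code alone: " + unresolvedIndirect);
    }
}
```

Because -postScript runs after auto-analysis, the same command line can be wrapped in a loop over a directory of samples to collect, for hundreds of binaries of mixed architectures, which ones reach a given API. The CALLIND count is the caveat worth keeping in view: calls through function pointers or vtables are invisible to this pass and still need the references Ghidra’s analyzers record, or manual work.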
How common is it for someone using Ghidra to compile a version of it on their own rather than using the executable on GitHub?
David: Compiling Ghidra is necessary when developing Ghidra. From a user’s perspective, it’s good to understand and experiment with the source code to get more information about what happens internally when performing an action. Additionally, when a new feature is in development but not yet released, users can compile it instead of waiting for the final version. You can learn new features early, find bugs early, and contribute to development.
Are there any vulnerabilities in Ghidra?
David: Some vulnerabilities in an earlier version of Ghidra allowed adversaries to execute arbitrary code on a victim’s machine. Another vulnerability allowed overwriting of arbitrary files. These vulnerabilities are a good reason why I suggest readers learn to build Ghidra on their own. You can correct the program and / or compile a corrected version of the program before the final version.
Are there any features you would add to Ghidra?
David: I wish it had supported Python 3. Ghidra uses Jython – a Python interpreter written in the Java programming language – which is limited to Python 2. Unfortunately, Python 2 is an obsolete version.
How do you come across files for review via Ghidra?
David: There are several reasons why I put files in Ghidra for analysis. For example, I like to reverse engineer programs before installing them on my computer to make sure they don’t invade my privacy.
For my job as a malware analyst, I have various powerful resources to obtain malware samples, but I cannot discuss them publicly. One tool that I can suggest to security researchers is VirusTotal.
About the Author
A.P. David is a senior malware analyst and reverse engineer. He has over seven years of IT experience, having previously worked on his own antivirus product. He then joined a company to reverse engineer banking malware and help automate the process, and later moved to the critical malware department of an antivirus company. He is currently working as a security researcher at the Galician Research and Development Center in Advanced Telecommunications (Gradiant) while doing a PhD on malware. In his spare time he has found vulnerabilities in products of well-known vendors, including Microsoft’s Windows 10 and the NSA’s Ghidra.