Ghidra is a free and open source reverse engineering tool developed by the National Security Agency (NSA).
The program can be downloaded as a binary [here](http://ghidra-sre.org/) or as source [here](https://github.com/NationalSecurityAgency/ghidra).
## Setup
The simplest way to get started with Ghidra is to use the binary download [here](http://ghidra-sre.org/).
The software requires the Java Development Kit (JDK) version 11 or newer, which can be found [here](https://www.oracle.com/technetwork/java/javase/downloads/index.html).
Make note of where the JDK is installed, as you may have to provide its location manually if Ghidra fails to locate it automatically.
## Getting Started
Once installed, Ghidra can be launched using the ghidraRun.bat batch script (for Windows) or the ghidraRun shell script (for Linux/Unix).
After launching Ghidra for the first time, you will need to create a project: `File > New Project...`.
You will be asked if the project should be shared or non-shared; for now, select `Non-Shared Project` and hit `Next >>>`.
Specify a location to store your reverse engineering work in `Project Directory:` and give the project a name in `Project Name:` (e.g., My First Project).
Note that the binary objects to be analyzed don't have to be anywhere near the project directory; this directory is just for storing the results of the reverse engineering analysis.
Now that you have a project, you'll need one or more binary files to analyze.
Binaries can be added to a project by selecting `File > Import File...` for a single file, or `File > Batch Import` for multiple files.
Alternatively, binaries can be dragged and dropped into the project window to add them.
In this example, I'll add Windows' notepad.exe (located at C:\Windows\system32\notepad.exe) for analysis.
A dialog box will present you with the format and language (processor architecture) Ghidra has identified from the binary; if you know these ahead of time, verify that Ghidra has made the correct selections before continuing.
Once the imported binary is opened for analysis, the Program Trees window is at the top left; it shows the layout of the sections of the binary (e.g., headers, text, data).
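A practical way to verify Ghidra's format and language selection for a Windows executable is to read the PE header yourself before importing. The following is an added example, not part of the original page and not Ghidra's own code: it parses the DOS stub, the `PE\0\0` signature, the COFF `Machine` field and the optional-header magic, and maps them to the architecture and bitness you should expect to see in the import dialog. The `ghidra_language` strings for x86 are the language IDs Ghidra uses for those processors; the sample bytes are constructed inline so the script runs offline, and `make_sample_pe` is a helper assumed for that purpose only.

```python
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x86-64",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}

# Ghidra language IDs you should see in the import dialog for x86 binaries
GHIDRA_LANGUAGE = {
    (0x014C, 32): "x86:LE:32:default",
    (0x8664, 64): "x86:LE:64:default",
}

IMAGE_FILE_DLL = 0x2000


def identify_pe(data: bytes) -> dict:
    """Return what the PE header says about a binary, or raise ValueError if it is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ DOS header")
    # e_lfanew at offset 0x3C points at the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    # Optional header magic: 0x10B = PE32 (32-bit), 0x20B = PE32+ (64-bit)
    magic = None
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    bits = {0x10B: 32, 0x20B: 64}.get(magic)
    return {
        "machine": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "bits": bits,
        "sections": nsections,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "ghidra_language": GHIDRA_LANGUAGE.get((machine, bits)),
    }


def make_sample_pe(machine: int, magic: int, characteristics: int = 0x0102) -> bytes:
    """Constructed sample (not a real binary): the smallest header layout identify_pe needs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    # Usage: python pe_check.py C:\Windows\system32\notepad.exe
    # With no argument, the constructed x86-64 sample is inspected instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read(4096)
    else:
        blob = make_sample_pe(0x8664, 0x20B)
    for key, value in identify_pe(blob).items():
        print("%-16s %s" % (key, value))
```

Compare the `machine`, `bits` and `ghidra_language` values against what the import dialog proposes; a mismatch (for example a 32-bit image offered as `x86:LE:64:default`) is the moment to override the selection rather than analyse under the wrong processor model.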
You can double-click these to navigate to the associated section.
Below that is the Symbol Tree window, which identifies the symbols used in the binary (e.g., function names).
Clicking on a symbol will navigate to that portion of the assembly.
Below the Symbol Tree is the Data Type Manager window, which is useful for identifying the data structures used in the code, and where they are defined.
In the center, the Listing window shows the disassembled binary.
For interpretability, Ghidra adds a great deal of color coding and annotative comments to the assembly display.
To the right of the Listing window is the Decompile window, which shows Ghidra's best guess of the source code used to produce the corresponding assembly.
Clicking on a function in the Symbol Tree window or within a function in the Listing window will load the relevant decompiled source code in the Decompile window.