# Ghidra

Ghidra is a free and open source reverse engineering tool developed by the National Security Agency (NSA).

The program can be downloaded as a binary [here](http://ghidra-sre.org/) or as source [here](https://github.com/NationalSecurityAgency/ghidra).
## Setup

The simplest way to get started with Ghidra is to use the binary download [here](http://ghidra-sre.org/).

The software requires the Java Development Kit (JDK) version 11 or newer, which can be found [here](https://www.oracle.com/technetwork/java/javase/downloads/index.html).

Make note of where the JDK is installed, as you may have to provide its location manually if Ghidra fails to locate it automatically.
## Getting Started

Once installed, Ghidra can be launched with the `ghidraRun.bat` batch script (Windows) or the `ghidraRun` shell script (Linux/Unix).

After launching Ghidra for the first time, you will need to create a project: `File > New Project...`.

You will be asked if the project should be shared or non-shared; for now, select `Non-Shared Project` and hit `Next >>>`.

Specify a location to store your reverse engineering work in `Project Directory:` and give the project a name in `Project Name:` (e.g., My First Project).

Note that the binaries to be analyzed do not have to live anywhere near the project directory; this directory only stores the results of the reverse engineering analysis.

Once done, click `Finish`.

Now that you have a project, you'll need one or more binary files to analyze.

Binaries can be added to a project by selecting `File > Import File...` for a single file, or `File > Batch Import` for multiple files.

Alternatively, binaries can be dragged and dropped into the project window to add them.

In this example, I'll add the Windows notepad.exe (located at `C:\Windows\system32\notepad.exe`) for analysis.

A dialog box will present the format and language (Ghidra's term for the processor and compiler specification) it has identified from the binary; if you know these ahead of time, verify that Ghidra has made the correct selections.

Click `OK` once finished and Ghidra will begin the import process (this can take some time for large binaries).

When finished, Ghidra will present a summary of the import results; odd results might indicate an incorrect selection of binary format or language.

Click `OK` to continue, then double-click the binary in the project window.

The first time you open a binary, Ghidra will ask whether you want it analyzed; click `Yes`.

You'll be presented with a list of optional analyzers, including some experimental prototype options.

For now, leave the default set of analyzers selected and click `Analyze`.

Ghidra will then run the selected analyzers, which can take a while for large binaries; progress is shown in the bottom right.

Once completed, you'll see the Code Browser window, the main interface for Ghidra.

On the left at the top is the Program Trees window, which shows the layout of the binary's sections (e.g., headers, text, data).

You can double-click these to navigate to the associated section.

Below that is the Symbol Tree window, which lists the symbols identified in the binary (e.g., function names).

Clicking on a symbol navigates to that portion of the assembly.

Below the Symbol Tree is the Data Type Manager window, which is useful for identifying the data structures used in the code and where they are defined.

In the center, the Listing window shows the disassembled binary.

To aid readability, Ghidra adds a great deal of color coding and annotation to the assembly display.

To the right of the Listing window is the Decompile window, which shows Ghidra's best guess at the source code that produced the corresponding assembly.

Clicking on a function in the Symbol Tree window, or within a function in the Listing window, loads the corresponding decompiled source code in the Decompile window.
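The windows just described all read the same program database, which Ghidra scripts can query directly. As an added example (not code from the original page or from the Ghidra project; the class name `ProgramOverview` is mine), this Java GhidraScript prints the memory blocks the Program Trees window shows, the functions the Symbol Tree lists, and the Decompile window's output for the function under the cursor, assuming an analyzed program is open as set up above.

```java
// Added example, not from the original page or the Ghidra project: a GhidraScript that
// reproduces the Code Browser views as text. ProgramOverview is my own class name.
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.mem.MemoryBlock;

public class ProgramOverview extends GhidraScript {
    @Override
    public void run() throws Exception {
        // Program Trees window: memory blocks (sections) with their permissions.
        println("== Memory blocks ==");
        for (MemoryBlock block : currentProgram.getMemory().getBlocks()) {
            println(String.format("%-16s %s-%s %s%s%s", block.getName(),
                    block.getStart(), block.getEnd(),
                    block.isRead() ? "r" : "-", block.isWrite() ? "w" : "-",
                    block.isExecute() ? "x" : "-"));
        }

        // Symbol Tree window: functions recovered by analysis, in address order.
        println("== Functions ==");
        for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
            println(f.getEntryPoint() + "  " + f.getName());
        }

        // Decompile window: decompile the function under the cursor. Headless runs
        // have no cursor, so fall back to the first function in the program.
        Function target = (currentAddress == null) ? null : getFunctionContaining(currentAddress);
        if (target == null) target = getFirstFunction();
        if (target == null) {
            printerr("No functions found; run auto-analysis first.");
            return;
        }
        DecompInterface decomp = new DecompInterface();
        try {
            if (!decomp.openProgram(currentProgram)) {
                throw new Exception("Decompiler failed to start: " + decomp.getLastMessage());
            }
            DecompileResults res = decomp.decompileFunction(target, 60, monitor);  // 60 s timeout
            if (!res.decompileCompleted()) {
                throw new Exception("Decompiling " + target.getName() + ": " + res.getErrorMessage());
            }
            println(res.getDecompiledFunction().getC());
        } finally {
            decomp.dispose();  // always release the decompiler process
        }
    }
}
```

Place it in a directory registered in `Window > Script Manager` and run it against the open program, or run it headless with `support/analyzeHeadless <project dir> <project name> -import <binary> -postScript ProgramOverview.java`. Block names and permissions that look wrong for the file type are a quick sign that the format or language chosen at import was not right.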
### Under construction