Ghidra Software Reverse Engineering for Beginners

Ghidra Software Reverse Engineering for Beginners

by David Álvarez Pérez
Released January 2021
Publisher(s): Packt Publishing
ISBN: 9781800207974

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Detect potentials bugs in your code or program and develop your own tools using the Ghidra reverse engineering framework developed by the NSA project

Key Features

  • Make the most of Ghidra on different platforms such as Linux, Windows, and macOS
  • Leverage a variety of plug-ins and extensions to perform disassembly, assembly, decompilation, and scripting
  • Discover how you can meet your cybersecurity needs by creating custom patches and tools

Book Description

Ghidra, an open source software reverse engineering (SRE) framework created by the NSA research directorate, enables users to analyze compiled code on any platform, whether Linux, Windows, or macOS. This book is a starting point for developers interested in leveraging Ghidra to create patches and extend tool capabilities to meet their cybersecurity needs.

You'll begin by installing Ghidra and exploring its features, and gradually learn how to automate reverse engineering tasks using Ghidra plug-ins. You’ll then see how to set up an environment to perform malware analysis using Ghidra and how to use it in the headless mode. As you progress, you’ll use Ghidra scripting to automate the task of identifying vulnerabilities in executable binaries. The book also covers advanced topics such as developing Ghidra plug-ins, developing your own GUI, incorporating new process architectures if needed, and contributing to the Ghidra project.

By the end of this Ghidra book, you’ll have developed the skills you need to harness the power of Ghidra for analyzing and avoiding potential vulnerabilities in code and networks.

What you will learn

  • Get to grips with using Ghidra's features, plug-ins, and extensions
  • Understand how you can contribute to Ghidra
  • Focus on reverse engineering malware and perform binary auditing
  • Automate reverse engineering tasks with Ghidra plug-ins
  • Become well-versed with developing your own Ghidra extensions, scripts, and features
  • Automate the task of looking for vulnerabilities in executable binaries using Ghidra scripting
  • Find out how to use Ghidra in the headless mode

Who this book is for

This SRE book is for developers, software engineers, or any IT professional with some understanding of cybersecurity essentials. Prior knowledge of Java or Python, along with experience in programming or developing applications, is required before getting started with this book.

Table of contents

  1. Ghidra Software Reverse Engineering for Beginners
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewer
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  8. Section 1: Introduction to Ghidra
  9. Chapter 1: Getting Started with Ghidra
    1. Technical requirements
    2. WikiLeaks Vault 7
      1. NSA release
    3. Ghidra versus IDA and many other competitors
    4. Ghidra overview
      1. Installing Ghidra
      2. Overview of Ghidra's features
    5. Summary
    6. Questions
  10. Chapter 2: Automating RE Tasks with Ghidra Scripts
    1. Technical requirements
    2. Using and adapting existing scripts
    3. The script class
    4. Script development
    5. Summary
    6. Questions
  11. Chapter 3: Ghidra Debug Mode
    1. Technical requirements
    2. Setting up the Ghidra development environment
      1. Overviewing the software requirements
      2. Installing the Java JDK
      3. Installing the Eclipse IDE
      4. Installing PyDev
      5. Installing GhidraDev
    3. Debugging the Ghidra code and Ghidra scripts
      1. Debugging Ghidra scripts from Eclipse
      2. Debugging any Ghidra component from Eclipse
    4. Ghidra RCE vulnerability
      1. Explaining the Ghidra RCE vulnerability
      2. Exploiting the Ghidra RCE vulnerability
      3. Fixing the Ghidra RCE vulnerability
      4. Looking for vulnerable computers
    5. Summary
    6. Questions
    7. Further reading
  12. Chapter 4: Using Ghidra Extensions
    1. Technical requirements
    2. Installing existing Ghidra extensions
      1. Analyzing the code of the Sample Table Provider plugin
    3. Understanding the Ghidra extension skeleton
      1. Analyzers
      2. Filesystems
      3. Plugins
      4. Exporters
      5. Loaders
    4. Developing a Ghidra extension
    5. Summary
    6. Questions
    7. Further reading
  13. Section 2: Reverse Engineering
  14. Chapter 5: Reversing Malware Using Ghidra
    1. Technical requirements
    2. Setting up the environment
    3. Looking for malware indicators
      1. Looking for strings
      2. Intelligence information and external sources
      3. Checking import functions
    4. Dissecting interesting malware sample parts
      1. The entry point function
      2. Analyzing the 0x00453340 function
      3. Analyzing the 0x00453C10 function
      4. Analyzing the 0x0046EA60 function
      5. Analyzing the 0x0046BEB0 function
      6. Analyzing the 0x0046E3A0 function
      7. By analyzing this function, we notice that the pipe is used for some kind of synchronization. The CreateThread API function receives as parameters the function to execute as a thread and an argument to pass to the function; so, when a thread creation appears, we have to analyze a new function – in this case, lpStartAddress_00449049:
      8. Analyzing the 0x004559B0 function
      9. Analyzing the 0x004554E0 function
      10. Analyzing the 0x0046C860 function
      11. Analyzing the 0x0046A100 function
    5. Summary
    6. Questions
    7. Further reading
  15. Chapter 6: Scripting Malware Analysis
    1. Technical requirements
    2. Using the Ghidra scripting API
    3. Writing scripts using the Java programming language
    4. Writing scripts using the Python programming language
    5. Deobfuscating malware samples using scripts
      1. The delta offset
      2. Translating API hashes to addresses
      3. Deobfuscating the hash table using Ghidra scripting
      4. Improving the scripting results
    6. Summary
    7. Questions
    8. Further reading
  16. Chapter 7: Using Ghidra Headless Analyzer
    1. Technical requirements
    2. Why use headless mode?
    3. Creating and populating projects
    4. Performing analysis on imported or existing binaries
    5. Running non-GUI scripts in a project
    6. Summary
    7. Questions
    8. Further reading
  17. Chapter 8: Auditing Program Binaries
    1. Technical requirements
    2. Understanding memory corruption vulnerabilities
      1. Understanding the stack
      2. Stack-based buffer overflow
      3. Understanding the heap
      4. Heap-based buffer overflow
      5. Format strings
    3. Finding vulnerabilities using Ghidra
    4. Exploiting a simple stack-based buffer overflow
    5. Summary
    6. Questions
    7. Further reading
  18. Chapter 9: Scripting Binary Audits
    1. Technical requirements
    2. Looking for vulnerable functions
      1. Retrieving unsafe C/C++ functions from the symbols table
      2. Decompiling the program using scripting
    3. Looking for sscanf callers
      1. Enumerating caller functions
    4. Analyzing the caller function using PCode
      1. PCode versus assembly language
      2. Retrieving PCode and analyzing it
      3. Using the same PCode-based script in multiple architectures
    5. Summary
    6. Questions
    7. Further reading
  19. Section 3: Extending Ghidra
  20. Chapter 10: Developing Ghidra Plugins
    1. Technical requirements
    2. Overview of existing plugins
      1. Plugins included with the Ghidra distribution
      2. Third-party plugins
    3. The Ghidra plugin skeleton
      1. The plugin documentation
      2. Writing the plugin code
      3. The provider for a plugin
    4. Developing a Ghidra plugin
      1. Documenting the plugin
      2. Implementing the plugin class
      3. Implementing the provider
    5. Summary
    6. Questions
    7. Further reading
  21. Chapter 11: Incorporating New Binary Formats
    1. Technical requirements
    2. Understanding the difference between raw binaries and formatted binaries
      1. Understanding raw binaries
      2. Understanding formatted binaries
    3. Developing a Ghidra loader
      1. The old-style DOS executable (MZ) parser
      2. The old-style DOS executable (MZ) loader
    4. Understanding filesystem loaders
      1. FileSystem Resource Locator
    5. Summary
    6. Questions
    7. Further reading
  22. Chapter 12: Analyzing Processor Modules
    1. Technical requirements
    2. Understanding the existing Ghidra processor modules
    3. Overviewing the Ghidra processor module skeleton
      1. Setting up the processor module development environment
      2. Creating a processor module skeleton
    4. Developing Ghidra processors
      1. Documenting processors
      2. Identifying functions and code using patterns
      3. Specifying the language and its variants
    5. Summary
    6. Questions
    7. Further reading
  23. Chapter 13: Contributing to the Ghidra Community
    1. Technical requirements
    2. Overviewing the Ghidra project
      1. The Ghidra community
    3. Exploring contributions
      1. Understanding legal aspects
      2. Submitting a bug report
      3. Suggesting new features
      4. Submitting questions
      5. Submitting a pull request to the Ghidra project
    4. Summary
    5. Questions
    6. Further reading
  24. Chapter 14: Extending Ghidra for Advanced Reverse Engineering
    1. Technical requirements
    2. Learning the basics of advanced reverse engineering
      1. Learning about symbolic execution
      2. Learning about SMT solvers
      3. Learning about concolic execution
    3. Using Ghidra for advanced reverse engineering
      1. Adding symbolic execution capabilities to Ghidra with AngryGhidra
      2. Converting from PCode into LLVM with pcode-to-llvm
    4. Summary
    5. Questions
    6. Further reading
  25. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
  26. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Ghidra Software Reverse Engineering for Beginners
  • Author(s): David Álvarez Pérez
  • Release date: January 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781800207974