Ghidra — Reverse Engineering Tool used by NSA

What is Ghidra ?

Ghidra is an open-source software reverse engineering (SRE) framework developed by National Security Agency (NSA) Research Directorate of United States, for NSA’s Cyberseurity mission.

The binaries were released at RSA Conference in March 2019; the sources were published one month later on GitHub. Ghidra is seen by many security researchers as a competitor to IDA Pro. The software is written in Java using the Swing framework for the GUI. The decompiler component is written in C++. Ghidra plugins can be developed in Java or in Python (provided via Jython).

It is a Java based GUI reverse engineering framework, it is able to de-compile a application from binary and understand the logic of the code. NSA used it to find malwares inside a application, it also very useful for finding bugs on applications.

How to Install Ghidra on Kali Linux 2022

We just need one command to install it on our Kali Linux system. We need to use following command:

1

sudo apt install -y ghidra

The above command will install Ghidra on our Kali Linux system. It will download more than 250 MB and take almost 750 MB disk space on our system. So installing it will consume some time depending on our network speed and system configuration. Coffee Break .

How to use Ghidra on Kali Linux

After installing Ghidra on our Kali Linux system we can open this GUI based tool by using following command to open it up:

1

ghidra

The above command will open Ghidra on our Kali Linux system, or we can search for it on Application menu. As we can see on the following screenshot:

Here Ghidra is showing us the “User agreement” to use this tool. We need to read it carefully then click on “I agree” for the very first time of using Ghidra.

After clicking on ‘I agree’ Ghidra will open two window, one for help another is the Ghidra framework’s main screen, we can check the help if we want, but here we close it and focus on Ghidra. It looks like the following screenshot:

Here we can see that we don’t have any active project on our Ghidra. So we need to import a project. We have an exe file here to test. First of all we need to go to  the menu File>New Project, Then we need to select our new project type, here we are choosing non-shared project.

We click on “Next”, now we need to select the project location and name. We have chosen the default home path and named the project as we wish. Then we click on “Finish”, to complete creating a new project.

We can import an application file. For an example we have an exe file. We can directly drag & drop the application file over the project or we can simply press I to import application file for testing, We can also choose from menu File>Import File.

Then we need to choose application file to test as shown in the following screenshot:

Here we have choose an shell.exe file for testing. We select it to import.

We can see some details of importing file, we click on “OK“.

Here in this window we can see the import file summary on Ghidra. We press ‘Enter‘ key here.

Now Ghidra will import the file and prompt to analyze the application file on CodeBrowser.

We click on “Yes“. Then on a new window we need to select analyzers. There are lots of analysis configuration options do exist. We can see a description of every option by clicking on it, the description is displayed in the upper-right Description section.

Let’s click on Analyze to perform the analysis of the file. Then, we can see the Ghidra CodeBrowser window. We shouldn’t worry if we forget to analyze something, we can reanalyze the program later (by going to the Analysis tab and then Auto Analyze ‘shell.exe’).

Ghidra CodeBrowser

Here we are in Ghidra CodeBrowser. From here we can analysis application data and logic. Ghidra CodeBrowser has a good and well-chosen interface. Let’s briefly know about it.

Let’s see how CodeBrowser is distributed by default:

1. Usually, by default in reverse engineering frameworks, in the center of the screen, Ghidra shows a disassembly view of the application file.
2. As the disassembly level is sometimes a too low-level perspective, Ghidra incorporates its own de-compiler, which is located to the right of the disassembly window. The main function of the program was recognized by a Ghidra signature, and then parameters were automatically generated. Ghidra also allow us to manipulate de-compiled code in a lot of aspects. Of course, a hexadecimal view of the file is also available in the corresponding tab. These three windows (disassembly, de-compiler, and the hexadecimal window) are synchronized, offering different perspectives of the same thing.
3. Ghidra also allow us to easily navigate in the program. For instance, to go to another program section, we can refer to the Program Trees window located in the upper-left margin of CodeBrowser.
4. If we prefer to navigate to a symbol (for example, a program function), then we need to go just below that, to where the Symbols Tree pane is located.
5. If we want to work with data types, then we need to go just below that again, to Data Type Manager.
6. As Ghidra allows scripting reverse engineering tasks, script results are shown in the corresponding window at the bottom. Of-course, the Bookmarks tab is available in the same position, allowing us to create pretty well-documented and organized bookmarks of any memory location for quick access.
7. Ghidra has also a quick access bar at the top.
8. At the topmost part of CodeBrowser, the main bar is located. Now we know the default perspective of Ghidra.
9. Following the current address, the current function is shown.
10. In addition to the current address and the current function, the current disassembly line is shown to complete the contextual information.
11. Finally, at the bottom right, the first field indicates the current address.

Ghidra is highly customizable framework. It has tons of features and also we can run our own scripts on it. Covering every details of Ghidra is not possible on an article. Ghidra is a huge topic we must need an entire book to learn it clearly.