Ghidra reverse engineering

Author: k | 2025-04-24

Software Reverse Engineering with Ghidra, published by Packt - PacktPublishing/Ghidra-Software-Reverse-Engineering-for-Beginners

Ghidra tutorial in reverse engineering for

By David Álvarez PérezRavikant TiwariPublisher Packt PublishingWritten by David Álvarez Pérez, a senior malware analyst at Gen Digital Inc., and Ravikant Tiwari, a senior security researcher at Microsoft, with expertise in malware and threat detection, this book is a complete guide to using Ghidra for examining malware, making patches, and customizing its features for your cybersecurity needs.This updated edition walks you through implementing Ghidra’s capabilities and automating reverse-engineering tasks with its plugins. You’ll learn how to set up an environment for practical malware analysis, use Ghidra in headless mode, and leverage Ghidra scripting to automate vulnerability detection in executable binaries. Advanced topics such as creating Ghidra plugins, adding new binary formats, analyzing processor modules, and contributing to the Ghidra project are thoroughly covered too.This edition also simplifies complex concepts such as remote and kernel debugging and binary diffing, and their practical uses, especially in malware analysis. From unpacking malware to analyzing modern ransomware, you’ll acquire the skills necessary for handling real-world cybersecurity challenges.By the end of this Ghidra book, you’ll be adept at avoiding potential vulnerabilities in code, extending Ghidra for advanced reverse-engineering, and applying your skills to strengthen your cybersecurity strategies.© 2025 Packt Publishing (Ebook): 9781835889831Release dateEbook: 17 January 2025

Ghidra Reverse Engineering - PenTesting.Org

The NSA released the Ghidra, a multi-platform reverse engineering framework that could be used to find vulnerabilities and security holes in applications. In January 2019, the National Security Agency (NSA) announced the release at the RSA Conference of the free reverse engineering framework GHIDRA.GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking techniques, tools, and capabilities. Digging in the huge trove of files, it is possible to find also information about the GHIDRA, a Java-based engineering tool.Now the NSA has released the suite Ghidra that could be used to find vulnerabilities and security holes in applications. Ghidra is Apache 2.0-licensed and requires a Java runtime, it is availablefor download here. Of course, people fear the US Agency may have introduced a backdoor in the suite, but the NSA excluded it. The platform was presented at the RSA Conference in San Francisco on Tuesday by Rob Joyce, former head of the NSA’s elite hacking team and now White House cybersecurity coordinator, Joyce has presented the code-analysis suite, he remarked the absence of backdoors.“There is no backdoor in Ghidra,” he announced. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”The popular expert Matthew “HackerFantastic” Hickey, cofounder of British security shop Hacker House, noticed something of strange. Hickey told The Register that when you run it in debug mode the suite, it opens port 18001 to your local network that accepts and executes remote commands from any machine that can connect in. Even if the Debug mode is

Ghidra: The NSA Reverse Engineering

To understand their intent and behavior. By reverse engineering the code, they can identify key functionalities, detect and investigate potential vulnerabilities, and gain insights into the techniques employed by attackers.Dynamic AnalysisWhile static analysis provides a wealth of information, some advanced malware may exhibit dynamic behavior and evade detection through conventional static analysis techniques. Ghidra offers dynamic analysis capabilities, allowing analysts to trace execution paths, monitor system interactions, and detect runtime anomalies. This combination of static and dynamic analysis empowers analysts to comprehensively analyze and understand malware.Identifying Anti-Analysis TechniquesMalware authors often employ various anti-analysis techniques to hinder reverse engineering efforts. Ghidra equips analysts with powerful features to identify and neutralize these techniques. By analyzing code snippets that exhibit obfuscation, anti-debugging, or anti-virtual machine techniques, analysts can develop countermeasures and strengthen their defense strategies.Modifying and Patching BinariesGhidra's scripting capabilities enable analysts to modify and patch binaries directly. This feature is immensely valuable in scenarios where vendors have not released patches for known vulnerabilities, or in cases where patching is the only immediate option available to mitigate an ongoing attack.ConclusionGhidra is a formidable open-source reverse engineering tool that has revolutionized the field of malware analysis. Its extensive features, collaborative environment, and user-friendly interface make it an invaluable asset for security researchers, malware analysts, and programmers alike. By leveraging Ghidra's capabilities, analysts can gain deep insights into malware's inner workings, identify vulnerabilities, and develop effective defense mechanisms. Stay tuned for more informative posts as we delve further into the fascinating world of malware analysis.I hope this technical blog post meets your requirements. Let me know if you need any further assistance!. Software Reverse Engineering with Ghidra, published by Packt - PacktPublishing/Ghidra-Software-Reverse-Engineering-for-Beginners

NSA's Ghidra Reverse Engineering

Malware Analysis Tools and Platforms: Ghidra - A Powerful Open-Source RE ToolIntroductionMalware analysis is a critical aspect of cybersecurity that entails understanding the inner workings of malicious software to develop effective countermeasures. Reverse engineering plays a crucial role in this process, as it involves dissecting malware to gain insights into its code, functionality, and overall behavior. In this tutorial, we will explore Ghidra, an exceptionally powerful open-source reverse engineering tool widely used for malware analysis.What is Ghidra?Ghidra is a state-of-the-art software reverse-engineering framework developed by the National Security Agency (NSA). Initially released to the public in 2019, Ghidra quickly gained popularity for its extensive features, robustness, and user-friendly interface. Its open-source nature enables security researchers, malware analysts, and programmers to leverage its capabilities effectively without any financial constraints.Features of GhidraDecompilerGhidra's decompiler component is one of its most remarkable features. It translates compiled machine code into a higher-level programming language, making it easier to understand and analyze complex malware. Let's take a look at a code snippet to demonstrate this:int main() { int x = 5; int y = 10; int result = x + y; return result;}Using the Ghidra decompiler, we can obtain the following decompiled code:undefined4 main(void){ int x; int y; int local_c; x = 5; y = 10; local_c = x + y; return local_c;}Collaboration and ScriptingGhidra provides a collaborative environment that allows multiple analysts to work simultaneously on the same project. This feature fosters knowledge sharing, teamwork, and efficient analysis workflows. Additionally, Ghidra offers an extensive scripting interface, empowering analysts to automate tasks and create custom analysis tools tailored to their specific needs.Graphical User Interface (GUI)Ghidra's user-friendly GUI makes it accessible to both experienced analysts and beginners alike. The interface provides an intuitive navigation experience, simplifying the process of exploring disassembled code, debugging malware, and inspecting memory. Ghidra's GUI significantly enhances productivity and reduces the learning curve for newcomers in the field.Ghidra in Malware AnalysisNow that we have acquainted ourselves with Ghidra's features let's delve into its application in malware analysis.Static AnalysisStatic analysis involves examining malware without executing it. Ghidra enables analysts to statically analyze malicious binaries

Reverse Engineering with Ghidra - Pluralsight

Ghidra is the most advanced reverse engineering tool on the market, and best of all it is completly free and open source! Most of the content on RetroReversing will be using Ghidra going forward due to it being much more accessable than competitors such as IDA Pro.Introduction to GhidraThere is no better way to start out the hobby reverse engineering than learning Ghidra, it is an essentail tool that takes much of the headaches out of reversing. Introduction to Decompiling C++ with Ghidra For a good introduction to decompiling with Ghidra check out this post. Console PluginsNintendo Game BoyDownload the Ghidra plugin from GithubNintendo Game Boy AdvanceDownload the Ghidra plugin from GithubAn excellent guide for decompiling GBA games using Ghidra and mGBA is available on StarcubelabsAnother excellent guide is on wrongbaudNintendo DSDownload the Ghidra plugin from GithubNintendo Entertainment SystemDownload the Ghidra plugin from GithubIt even has multiple builds setup for each Ghidra version via Github Workflows!Note that there was another older Ghidra plugin called Ghidra-Nes-Rom-Decompiler-Plugin however it failed to build against latest Ghidra (11.1.2).Super NintendoThere is only one Ghidra plugin for SNES but it is currently not under active development you can get it from GithubNintendo 64Nintendo 64 games can be slightly harder to reverse due to everything being bundles as one large ROM image containing all the code and assets used in the game. Luckily there are a few tools that can help, such as the Reversing Emulator and a N64 Loader for Ghidra. N64 Decompiling with Ghidra If you are interested in Decompiling a Nintendo 64 game with Ghidra check out this post. GamecubeDownload the Ghidra plugin from GithubNote that to build the GameCubeLoader you will need to have gradle version 7 or below installed otherwise you will get an error similar to:FAILURE: Build failed with an exception.* Where:Build file './Ghidra-GameCube-Loader/build.gradle' line: 63* What went wrong:A problem occurred evaluating root project 'GameCubeLoader'.> Adding a Configuration as a dependency is no longer allowed as of Gradle 8.0.On Mac OSX you can install an older version of Gradle using brew:WiiA guide for using Ghidra on Wii games is available on WiiBrewSega Master System/Game gearDownload the Ghidra plugin from GithubSega Mega Drive/GenesisDownload the Ghidra plugin from GithubSega SaturnDownload the Ghidra plugin from GithubSega DreamcastDownload the Ghidra plugin from GithubAlso for GDI support in Ghidra: GithubOriginal XboxDownload the Ghidra plugin from GithubXbox 360Download the Ghidra plugin from GithubPlaystation 1Download the Ghidra plugin from GithubAlso for a guide for using Ghidra for PS1 reversing: tokimeki-memorialPlaystation 2Download the Ghidra plugin from GithubPlaystation 3There are a few useful script for working with PS3 executables on GithubPlaystation PortableDownload the Ghidra plugin from GithubFeature PluginsWhile Ghidra has a large number of features built in, there are a number of features missing that are thankfully available due to community plugins, this section will cover some of the most useful for game reversing.CodeCutCodeCut allows a user to assign functions to object files in Ghidra, and then interact with the binary at the object file level. Functions are assigned to

Introduction to Reverse Engineering with Ghidra

SAN FRANCISCO—Provocative titles are a sure way to get people to show up to your presentation, even at sober events like RSA. And "Come Get Your Free NSA Reverse Engineering Tool!" is easily the most bombastic title of the conference, and one your humble reporter could not resist. Before I continue: yes, it really was a presentation by the NSA and yes, the agency really did give away free reverse-engineering tools. It's called GHIDRA and is currently available for download on the NSA's website. The talk was headed by Robert Joyce, an NSA senior advisor, who explained that GHIDRA has been in development for years, and would likely continue to be long after release. Future updates are on the way, and a Github repository arrives in the coming weeks. At first it might seem surprising that the NSA would release tools like this on its own. After all, it has been a bit of a bogeyman since former contractor Edward Snowden revealed its massive, global data interception infrastructure. However, signals intelligence is only half of the NSA's mission. The other half is to prevent other countries from snooping on our activities. For example, the agency played a role in the approval of the AES encryption standard for general use. "We have a mission for foreign intelligence and we have a misison for cybersecurity," explained Joyce. "And what we've found is that this has a use on both sides of the house." Internally, the NSA uses GHIDRA to examine all kinds of software, from analyzing pieces of malware on networks secured by the NSA to examining legitimate software for vulnerabilities. "When you look at the amount of malware we have to get through, it's more than we have the talent or the manpower to handle." Hence, a tool like GHIDRA. Releasing the tool will hopefully help national security by supporting independent researchers, and help educate a new workforce for the industry and the NSA, Joyce said. It's also a chance for the NSA to give back. "We built GHIDRA using government funds and where we can, we wanted to give back." The more skeptical readers might think this sounds too good to be true, and suspect that the NSA has hidden some nasty surprises inside the GHIDRA. Joyce insisted this is not the case. "There's no backdoor in GHIDRA, this is the last community where you'd want to release a product

Reverse Engineering with Ghidra - Kapravelos

With a backdoor," he said. Some watchers on Twitter, however, remain skeptical. On whether the new reverse engineering tool from the NSA has a backdoor, senior advisor for NSA Rob Joyce says, "There's no backdoor in GHIDRA. This is the last community where you'd want to release a product with a backdoor." pic.twitter.com/aK4WKbnsV1 — Bitter, Tired, and Sweaty (@wmaxeddy) March 6, 2019 According to the NSA's website, the goal of GHIDRA is straightforward: to help researchers understand how malicious software works. "[GHIDRA] helps analyze malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems," it says. Interestingly, a Wikipedia search for "GHIDRA" redirects to a Godzilla monster. In Joyce's words, GHIDRA helps turn the machine-readable code found in a complete software package into human-readable code that can be examined. "It's like working a puzzle; you're given a binary and you're trying to get back to what it was," he said. Recommended by Our Editors Despite covering more than 1.2 million lines of code, GHIDRA is intended to be straightforward, featuring a GUI and support on Linux, macOS, and Windows machines. A simple, usable interface was something that was of major importance in GHIDRA's development, said Joyce. The software has a lot of tricks up its sleeve, like being able to recognize the language in which certain software was written. It also includes a generic microprocessor module, and can be configured to use several different kinds of processors in the reverse-engineering process. GHIDRA is also highly customizable and extensible and capable of comparing different versions of the same software—especially important when examining different iterations of malware. A key feature Joyce highlighted is how GHIDRA works for groups tackling the same code. It can work a bit like Github, pulling together the combined efforts of multiple users. With GHIDRA now out in the wild, Joyce hopes others will build on it. "We really want to encourage collaboration within the reverse engineering community, so if you build something please share." SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.","first_published_at":"2021-09-30T21:22:09.000000Z","published_at":"2025-01-23T16:44:01.000000Z","last_published_at":"2025-01-23T16:43:49.000000Z","created_at":null,"updated_at":"2025-01-23T16:44:01.000000Z"})" x-intersect.once="window.trackGAImpressionEvents("pcmag-on-site-newsletter-block", "SecurityWatch", $el)"> Like What You're Reading? Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox. This newsletter may contain advertising, deals, or affiliate links. By clicking the button, you confirm you are 16+ and agree to our Terms. Software Reverse Engineering with Ghidra, published by Packt - PacktPublishing/Ghidra-Software-Reverse-Engineering-for-Beginners Software Reverse Engineering with Ghidra – Setup and Installation - YouTube ↩. Software Reverse Engineering with Ghidra – How to import files and get started - YouTube ↩. Software Reverse Engineering with Ghidra – Creating Structures - YouTube ↩

Reverse Engineering with Ghidra - QA

Ghidra Software Reverse Engineering FrameworkGhidra is a software reverse engineering (SRE) framework created and maintained by theNational Security Agency Research Directorate. This framework includes a suite offull-featured, high-end software analysis tools that enable users to analyze compiled code on avariety of platforms including Windows, macOS, and Linux. Capabilities include disassembly,assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidrasupports a wide variety of processor instruction sets and executable formats and can be run in bothuser-interactive and automated modes. Users may also develop their own Ghidra extension componentsand/or scripts using Java or Python.In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problemson complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA hasapplied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code andgenerating deep insights for SRE analysts who seek a better understanding of potentialvulnerabilities in networks and systems.If you are a U.S. citizen interested in projects like this, to develop Ghidra and othercybersecurity tools for NSA to help protect our nation and its allies, consider applying for acareer with us.Security WarningWARNING: There are known security vulnerabilities within certain versions of Ghidra. Beforeproceeding, please read through Ghidra's Security Advisories for a better understandingof how you might be impacted.InstallTo install an official pre-built multi-platform Ghidra release:Install JDK 21 64-bitDownload a Ghidra release fileNOTE: The official multi-platform release file is namedghidra___.zip which can be found under the "Assets" drop-down.Downloading either of the files named "Source Code" is not correct for this step.Extract the Ghidra release fileLaunch Ghidra: ./ghidraRun (ghidraRun.bat for Windows)or launch PyGhidra: ./support/pyGhidraRun (support\pyGhidraRun.bat for Windows)For additional information and troubleshooting tips about installing and running a Ghidra release,please refer to the Installation Guide which can be found in a Ghidra releaseat docs/InstallationGuide.html.BuildTo create the latest development build for your platform from this source repository:Install build tools:JDK 21 64-bitGradle 8.5+ (or provided Gradle wrapper if Internet connection is available)Python3 (version 3.9 to 3.13) with bundled pipmake, gcc, and g++ (Linux/macOS-only)Microsoft Visual Studio 2017+ or Microsoft C++ Build Tools with thefollowing components installed (Windows-only):MSVCWindows SDKC++ ATLDownload and extract the source:Download from GitHubunzip ghidra-mastercd ghidra-masterNOTE: Instead of downloading the compressed source, you may instead want to clone the GitHubrepository: git clone additional build dependencies into source repository:NOTE: If an Internet connection is available and you did not install Gradle, the followinggradle commands may be replaced with ./gradle(.bat).gradle -I gradle/support/fetchDependencies.gradleCreate development build:The compressed development build will be located at build/dist/.For more detailed information on building Ghidra, please read the Developer Guide.For issues building, please check the Known Issues section for possible solutions.DevelopUser Scripts and ExtensionsGhidra installations support users writing custom scripts and extensions via the GhidraDev pluginfor Eclipse. The plugin and

Firmware Reverse Engineering with Ghidra

With GhidraGhidra doesn’t have support out of the box for NES ROM reverse engineering so we need to use a plugin created by ilyakharlamov available here:ilyakharlamov/Ghidra-Nes-Rom-Decompiler-Plugin: Ghidra NES / Famicom ROM Decompiler PluginAfter downloading open up ghidra and go to File -> Install Extensions..It will then open up the following window, click the green plus icon in the top right:Then make sure to select the zip file that you downloaded previously:If you get the following screen then you will either need to build the plugin from source or use an older version of Ghidra:When attempting to compile the plugin from source and linking the ghidra directory I normally get the error: JavaModelException: Build path contains duplicate entry: ‘/ghidra_10.2.3_PUBLIC/Ghidra/Processors/68000/lib/68000.jar’for project ‘Ghidra-Nes-Rom-Decompiler-Plugin’To fix this you need to right Click on the Project and select “Properties”, go to the “Java Build Path” tab and then the Libraries tab and delete all the jars.When that is done you will be able to run the application in Eclipse by clicking the green play icon and the following window will pop up:Select “Ghidra” from this window.If you get an error such as: Exception in thread “main” ghidra.util.exception.AssertException: Multiple modules collided with same name: Ghidra-Nes-Rom-Decompiler-PluginTHen you need to delete the Ghidra-Nes-Rom-Decompiler-Plugin folder from the global ghidra config file location e.g ~/.ghidra/ExtensionsNow when you go to Import File and select a .nes ROM file you should get the following dialog:Now after import you should be able to decompile any function you want as long as the Mapper is supported in the NES Plugin (currently only Mapper 0):Reversing Super Mario Bros with GhidraSuper Mario Bros is an excellent game to use to learn Ghidra and how to reverse NES roms, as there is already documentation and disassembly on the web. So you can practise using Ghidra and use the Mario Bros disassembly here to check your work!First make sure to open the Super Mario Bros. (World).nes rom (MD5: 811b027eaf99c2def7b933c5208636de) with Ghidra and the GhidraNes plugin as shown in the previous guide.Now you will notice that it has detected about 36 functions, along with some already named like reset and vblank:If you start at the top of the Ghidra Disassembly window you can start to name them based on the dissassembly file here.Note that normally you won’t have all the symbol names given to you like this for ROMS that have not yet been disassembled by the community, we are just using this as an example to teach the basics of Ghidra.Renaming Functions and LabelsGo to the first function at 0x8000 and you will notice it has already been named as “reset”, in the disassembly we are using it was called start so we can rename this to match just for convenience.To do this select the reset name and Press the L key on the keyboard, this will open a dialog asking for the name type in Start like so:The reason we know this is called Start is because of the .org $8000 just before the Start label, this means. Software Reverse Engineering with Ghidra, published by Packt - PacktPublishing/Ghidra-Software-Reverse-Engineering-for-Beginners Software Reverse Engineering with Ghidra – Setup and Installation - YouTube ↩. Software Reverse Engineering with Ghidra – How to import files and get started - YouTube ↩. Software Reverse Engineering with Ghidra – Creating Structures - YouTube ↩

Simple Reverse Engineering with Ghidra

En el mes de enero ya se comentaba en todo Internet que la NSA (National Security Agency) planeaba liberar una herramienta para realizar trabajos de Ingeniería Inversa (Reverse Engineering) llamada Ghidra. Ha sido ya durante el mes de marzo cuando al fin ha visto la luz, y en el mundo de la ciberseguridad se habla mucho hoy sobre ella. Es por eso que nos hemos decidido a probarla y ver qué tal funciona.Figura 1: Ghidra: Primer análisis con la herramienta de Ingeniería Inversa“cortesía” de la National Security AgencyAntes de probar la herramienta vamos a dejar algunas preguntas con sus respuestas, para las dudas que puedan surgir.Qué es Ghidra: Una herramienta desarrollada en Java, y que ha sido usada durante más de 10 años por la NSA para temas de ingeniería inversa.Dónde ver el código fuente de Ghidra: Aún no se ha hecho público el código, pero según vemos en su GitHub pasará a ser un proyecto Open Source.Dónde descargar Ghidra: Para descargar la herramienta tendremos que visitar la página web que tiene el proyecto Ghidra en Internet.Qué requisitos tiene Ghidra: Todo ello viene recogido en su documento “Ghidra Installation guide”, pero aquí lo dejamos listado:- Sistema Operativo de 64 bits (Linux, macOS o Windows)- 4GB Ram y 1GB de almacenamiento- Java 11 Runtime and Development Kit (JDK)Extensibilidad: Sí, es extensible. Podemos crear nuestro código para Ghidra y extender su funcionalidad, en la guía de instalación lo tienes todo. Además, permite la integración con herramientas como IDAPro o Eclipse.Un prueba de uso de GhidraUna vez tengamos todo listo, podemos pasar a la prueba de concepto, y ver la herramienta en funcionamiento. Cualquier persona que se haya dedicado al reversing se sentirá cómodo trabajando con la aplicación, probablemente te resulte familiar a otros entornos como IDA.Figura 3: Nuevo proyecto en GhidraAquí no vamos a ver todas las opciones ya que no pretendemos entrar en muchos detalles. Vamos a ver por encima la herramienta, para os podáis hacer una idea de su potencial y comenzar a utilizar.Para usar Ghidra, lo primero que tenemos que hacer es crear un nuevo proyecto, que puede de ser de dos tipos, compartido - para trabajar con más personas - o no compartido, como se ve en la Figura 3.Figura 4: Creando un proyecto de prueba con GhidraCuando demos a Next, tendremos que elegir la ruta donde se creará el proyecto, y el nombre que le queremos dar.