Detect potentials bugs in your code or program and develop your own tools using the Ghidra reverse engineering framework developed by the NSA project

Key Features

  • Make the most of Ghidra on different platforms such as Linux, Windows, and macOS
  • Leverage a variety of plug-ins and extensions to perform disassembly, assembly, decompilation, and scripting
  • Discover how you can meet your cybersecurity needs by creating custom patches and tools

Book Description

Ghidra, an open source software reverse engineering (SRE) framework created by the NSA research directorate, enables users to analyze compiled code on any platform, whether Linux, Windows, or macOS. This book is a starting point for developers interested in leveraging Ghidra to create patches and extend tool capabilities to meet their cybersecurity needs.

You'll begin by installing Ghidra and exploring its features, and gradually learn how to automate reverse engineering tasks using Ghidra plug-ins. You'll then see how to set up an environment to perform malware analysis using Ghidra and how to use it in the headless mode. As you progress, you'll use Ghidra scripting to automate the task of identifying vulnerabilities in executable binaries. The book also covers advanced topics such as developing Ghidra plug-ins, developing your own GUI, incorporating new process architectures if needed, and contributing to the Ghidra project.

By the end of this Ghidra book, you'll have developed the skills you need to harness the power of Ghidra for analyzing and avoiding potential vulnerabilities in code and networks.

What you will learn

  • Get to grips with using Ghidra's features, plug-ins, and extensions
  • Understand how you can contribute to Ghidra
  • Focus on reverse engineering malware and perform binary auditing
  • Automate reverse engineering tasks with Ghidra plug-ins
  • Become well-versed with developing your own Ghidra extensions, scripts, and features
  • Automate the task of looking for vulnerabilities in executable binaries using Ghidra scripting
  • Find out how to use Ghidra in the headless mode

Who this book is for

This SRE book is for developers, software engineers, or any IT professional with some understanding of cybersecurity essentials. Prior knowledge of Java or Python, along with experience in programming or developing applications, is required before getting started with this book.

Table of Contents

  1. Ghidra Software Reverse Engineering for Beginners
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewer
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  8. Section 1: Introduction to Ghidra
  9. Chapter 1: Getting Started with Ghidra
    1. Technical requirements
    2. WikiLeaks Vault 7
    3. NSA release
    4. Ghidra versus IDA and many other competitors
    5. Ghidra overview
    6. Installing Ghidra
    7. Overview of Ghidra's features
    8. Summary
    9. Questions
  10. Chapter 2: Automating RE Tasks with Ghidra Scripts
    1. Technical requirements
    2. Using and adapting existing scripts
    3. The script class
    4. Script development
    5. Summary
    6. Questions
  11. Chapter 3: Ghidra Debug Mode
    1. Technical requirements
    2. Setting up the Ghidra development environment
    3. Overviewing the software requirements
    4. Installing the Java JDK
    5. Installing the Eclipse IDE
    6. Installing PyDev
    7. Installing GhidraDev
    8. Debugging the Ghidra code and Ghidra scripts
    9. Debugging Ghidra scripts from Eclipse
    10. Debugging any Ghidra component from Eclipse
    11. Ghidra RCE vulnerability
    12. Explaining the Ghidra RCE vulnerability
    13. Exploiting the Ghidra RCE vulnerability
    14. Fixing the Ghidra RCE vulnerability
    15. Looking for vulnerable computers
    16. Summary
    17. Questions
    18. Further reading
  12. Chapter 4: Using Ghidra Extensions
    1. Technical requirements
    2. Installing existing Ghidra extensions
    3. Analyzing the code of the Sample Table Provider plugin
    4. Understanding the Ghidra extension skeleton
    5. Analyzers
    6. Filesystems
    7. Plugins
    8. Exporters
    9. Loaders
    10. Developing a Ghidra extension
    11. Summary
    12. Questions
    13. Further reading
  13. Section 2: Reverse Engineering
  14. Chapter 5: Reversing Malware Using Ghidra
    1. Technical requirements
    2. Setting up the environment
    3. Looking for malware indicators
    4. Looking for strings
    5. Intelligence information and external sources
    6. Checking import functions
    7. Dissecting interesting malware sample parts
    8. The entry point function
    9. Analyzing the 0x00453340 function
    10. Analyzing the 0x00453C10 function
    11. Analyzing the 0x0046EA60 function
    12. Analyzing the 0x0046BEB0 function
    13. Analyzing the 0x0046E3A0 function
    14. By analyzing this function, we notice that the pipe is used for some kind of synchronization. The CreateThread API function receives as parameters the function to execute as a thread and an argument t
    15. Analyzing the 0x004559B0 function
    16. Analyzing the 0x004554E0 function
    17. Analyzing the 0x0046C860 function
    18. Analyzing the 0x0046A100 function
    19. Summary
    20. Questions
    21. Further reading
  15. Chapter 6: Scripting Malware Analysis
    1. Technical requirements
    2. Using the Ghidra scripting API
    3. Writing scripts using the Java programming language
    4. Writing scripts using the Python programming language
    5. Deobfuscating malware samples using scripts
    6. The delta offset
    7. Translating API hashes to addresses
    8. Deobfuscating the hash table using Ghidra scripting
    9. Improving the scripting results
    10. Summary
    11. Questions
    12. Further reading
  16. Chapter 7: Using Ghidra Headless Analyzer
    1. Technical requirements
    2. Why use headless mode?
    3. Creating and populating projects
    4. Performing analysis on imported or existing binaries
    5. Running non-GUI scripts in a project
    6. Summary
    7. Questions
    8. Further reading
  17. Chapter 8: Auditing Program Binaries
    1. Technical requirements
    2. Understanding memory corruption vulnerabilities
    3. Understanding the stack
    4. Stack-based buffer overflow
    5. Understanding the heap
    6. Heap-based buffer overflow
    7. Format strings
    8. Finding vulnerabilities using Ghidra
    9. Exploiting a simple stack-based buffer overflow
    10. Summary
    11. Questions
    12. Further reading
  18. Chapter 9: Scripting Binary Audits
    1. Technical requirements
    2. Looking for vulnerable functions
    3. Retrieving unsafe C/C++ functions from the symbols table
    4. Decompiling the program using scripting
    5. Looking for sscanf callers
    6. Enumerating caller functions
    7. Analyzing the caller function using PCode
    8. PCode versus assembly language
    9. Retrieving PCode and analyzing it
    10. Using the same PCode-based script in multiple architectures
    11. Summary
    12. Questions
    13. Further reading
  19. Section 3: Extending Ghidra
  20. Chapter 10: Developing Ghidra Plugins
    1. Technical requirements
    2. Overview of existing plugins
    3. Plugins included with the Ghidra distribution
    4. Third-party plugins
    5. The Ghidra plugin skeleton
    6. The plugin documentation
    7. Writing the plugin code
    8. The provider for a plugin
    9. Developing a Ghidra plugin
    10. Documenting the plugin
    11. Implementing the plugin class
    12. Implementing the provider
    13. Summary
    14. Questions
    15. Further reading
  21. Chapter 11: Incorporating New Binary Formats
    1. Technical requirements
    2. Understanding the difference between raw binaries and formatted binaries
    3. Understanding raw binaries
    4. Understanding formatted binaries
    5. Developing a Ghidra loader
    6. The old-style DOS executable (MZ) parser
    7. The old-style DOS executable (MZ) loader
    8. Understanding filesystem loaders
    9. FileSystem Resource Locator
    10. Summary
    11. Questions
    12. Further reading
  22. Chapter 12: Analyzing Processor Modules
    1. Technical requirements
    2. Understanding the existing Ghidra processor modules
    3. Overviewing the Ghidra processor module skeleton
    4. Setting up the processor module development environment
    5. Creating a processor module skeleton
    6. Developing Ghidra processors
    7. Documenting processors
    8. Identifying functions and code using patterns
    9. Specifying the language and its variants
    10. Summary
    11. Questions
    12. Further reading
  23. Chapter 13: Contributing to the Ghidra Community
    1. Technical requirements
    2. Overviewing the Ghidra project
    3. The Ghidra community
    4. Exploring contributions
    5. Understanding legal aspects
    6. Submitting a bug report
    7. Suggesting new features
    8. Submitting questions
    9. Submitting a pull request to the Ghidra project
    10. Summary
    11. Questions
    12. Further reading
  24. Chapter 14: Extending Ghidra for Advanced Reverse Engineering
    1. Technical requirements
    2. Learning the basics of advanced reverse engineering
    3. Learning about symbolic execution
    4. Learning about SMT solvers
    5. Learning about concolic execution
    6. Using Ghidra for advanced reverse engineering
    7. Adding symbolic execution capabilities to Ghidra with AngryGhidra
    8. Converting from PCode into LLVM with pcode-to-llvm
    9. Summary
    10. Questions
    11. Further reading
  25. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
  26. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think