Chapter 2. Finding and Installing Ghidra

We can get started with Ghidra by obtaining a copy of it, but this is not a program you simply download and run through an installer. Ghidra is written mostly in Java (the decompiler is a native component that ships prebuilt for each supported platform), so before anything else we need a Java Development Kit (JDK): the programs necessary to compile and run Java code. Unlike languages that are compiled directly to machine code, Java source is compiled by the developer into an intermediate form, bytecode, which is then executed on the user’s system by the Java virtual machine (JVM). The JVM interprets the bytecode, or compiles it just in time into instructions the processor understands. This is what makes Java portable: the same bytecode runs on any system that has a JVM, without being recompiled for each one. Ghidra needs a full JDK rather than just a runtime because it also compiles Java while it runs, for example the scripts you write against its API.

This is all to say that getting and making use of Ghidra is not as simple as grabbing an installable package and running it on your system of choice. You will need to have some prerequisites in place, software that must be installed before Ghidra will run. So, let’s look at what the prerequisites and requirements are and where to get them, so we can get Ghidra in place.

Obtaining Ghidra

Before you think about getting a copy of Ghidra, you should think about where you are going to be installing it. If your intention is to look at malware, it’s always best to do that in an isolated environment where you can tightly control network activity. This may mean a virtual machine, perhaps with a host-only network configuration. It’s important to keep in mind that Ghidra is a Java application, which means you need the JDK installed on your system. This may not be something you want installed on your system or you may have a version installed already for something else. Either way, this may be another consideration for using a virtual machine.

You can download a copy of Ghidra from https://ghidra-sre.org/. You’ll need to make sure you get the copy that best fits your environment. If you are going to be running it from a Windows system, for example, you probably don’t want the .tar.gz file, since the built-in Windows extractor does not handle that format; it’s easier to download the .zip file and work with that. Whichever you choose, compare the SHA-256 hash of the downloaded archive against the hash published with the release before you extract it. A reverse engineering tool gets run against hostile input, and you want to be sure the tool itself is what the developers shipped.
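Checking the downloaded archive against its published hash, as an added example that is not part of the original page or of the Ghidra project: a small POSIX shell function that hashes a file with whatever SHA-256 tool the system has, compares it case-insensitively with the expected value, and fails closed if no hashing tool is found. The demo input is a constructed three-byte file, not a Ghidra archive; in practice you pass the downloaded .zip and the hash string copied from the release page. On Windows the equivalent check is Get-FileHash in PowerShell or certutil -hashfile <file> SHA256.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX
#   0 -> hash matches, 1 -> mismatch, 2 -> file missing or no hashing tool available.
# Expected hashes are usually copied from a web page, so letter case is normalised first.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "verify_sha256: no such file: $file" >&2
        return 2
    fi

    # Linux coreutils has sha256sum; macOS and the BSDs ship shasum instead.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    else
        echo "verify_sha256: no SHA-256 tool found; refusing to trust $file" >&2
        return 2
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# demo_verify: constructed sample input (the three bytes "abc"), whose SHA-256 is a
# standard test vector. Returns 0 only if the correct hash is accepted and a wrong one rejected.
demo_verify() {
    sample=$(mktemp)
    printf '%s' 'abc' > "$sample"
    good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_sha256 "$sample" "$good" >/dev/null || { rm -f "$sample"; return 1; }
    if verify_sha256 "$sample" "$bad" >/dev/null 2>&1; then rm -f "$sample"; return 1; fi
    rm -f "$sample"
    return 0
}

# Real use, with the hash copied from the Ghidra release page (placeholders):
#   verify_sha256 <ghidra_archive.zip> <hash from release page> && unzip <ghidra_archive.zip>
```

If the hashes disagree, delete the archive and download it again rather than extracting it; a mismatch means either a corrupted transfer or a file that is not the one the developers published, and you cannot tell which from the hash alone.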

Ghidra is not a self-installing program. Instead, it’s just a directory that includes all the Java classes needed to run. This brings up the last issue you will need to address. As noted earlier, you will need a copy of the JDK.

Obtaining the Java Development Kit

Ghidra is platform independent because it runs on Java. However, this means that you will need the JDK to use it, not just a Java runtime. The Ghidra developers currently suggest downloading the Java 11 JDK or later. These downloads are located here: http://jdk.java.net/. Once you have downloaded the appropriate archive, move it to a location where you can find it and reference it easily. You will need the path to the extracted contents in order to complete the Ghidra installation.

Extracting JDK on Linux

Once you have moved the JDK archive (tar.gz file) to the location you would like, open a terminal window. Browse to the directory containing the file and run this command:

>tar xvf <JDK distribution .tar.gz>

This command uses tar to unpack the archive. The arguments xvf do the following:

  • x extracts the files from the archive.

  • v runs in “verbose” mode, which lists each file in the terminal window as it is extracted.

  • f names the archive file to read, which is the next argument on the command line. The files are extracted into the directory you are currently in.

Once this command has completed successfully, browse into the JDK directory and perform the following command:

>ls

This should show a bin directory. Browse to the bin directory and display its full path by entering the following two commands:

>cd bin/
>pwd

Copy this output to a text file or leave it on the screen; you will need it when amending your bash profile in the next step.

Extracting JDK on Windows

Move the downloaded JDK archive to a folder from which you would like to run Java. Then right-click on the archive and choose “Extract all.” This will extract the contents of the archive into this folder.

Editing the PATH Environment Variable

When Ghidra launches, it needs to locate a Java runtime to run on. Its launch script looks for the java program in your computer’s PATH environment variable, the list of directories the system searches for executables. By adding the JDK’s bin directory to PATH you allow Ghidra to find and run it. The path you will add will be <path of extracted JDK dir>/bin. If no supported Java is found on the PATH, the launcher prompts you for the path to the JDK’s home directory and remembers it for subsequent launches.

For more information on environment variables, read this Chingu article on Medium.

Setting Your PATH Variable for Java in Linux

On Linux machines, you can edit the PATH environment variable by editing the file that configures your terminal shell. For bash, this file is .bashrc, located in the following path:

~/.bashrc

(“~/” is shorthand for your home directory. If your login shell is zsh rather than bash, the equivalent file is ~/.zshrc.)

You may use an editor of your choice to edit the file. For example, to use vi, enter the following command:

>vi ~/.bashrc

This will open ~/.bashrc in vi. From there, use vi commands to go to the bottom of the file and append the following statement. (For a guide on how to edit a file in vi, you can find instructions on How to Geek.)

export PATH=<JDK_path_you_copied>:$PATH

Keep in mind that <JDK_path_you_copied> should end with /bin; the Ghidra documentation writes it as <path of extracted JDK dir>/bin. Placing it before $PATH rather than after means this JDK takes precedence over any Java your distribution already installed, which is what you want for Ghidra but also affects every other Java program started from that shell. The change applies to new terminal sessions; to pick it up in the current one, run source ~/.bashrc, then confirm with java -version that the version reported is the JDK you extracted.
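The two steps above (recording the JDK’s bin directory and appending the export line to ~/.bashrc), as an added example that is not part of the original page or of the Ghidra project: a POSIX shell function that refuses a directory with no java launcher in it, writes the export line only once no matter how often it is run, and can be pointed at any profile file. The JDK directory and profile path in the usage comment are placeholders.

```shell
#!/bin/sh
# add_jdk_to_path JDK_DIR PROFILE
#   Prepends JDK_DIR/bin to PATH in PROFILE (normally ~/.bashrc), exactly once.
#   0 -> line present (added now or earlier), 1 -> JDK_DIR does not look like a JDK.
add_jdk_to_path() {
    jdk_dir=$1
    profile=$2
    bin_dir="$jdk_dir/bin"

    # Refuse to record a path that does not actually contain a java launcher;
    # a typo here would otherwise go unnoticed until Ghidra fails to start.
    if [ ! -x "$bin_dir/java" ]; then
        echo "add_jdk_to_path: no executable java in $bin_dir" >&2
        return 1
    fi

    line="export PATH=\"$bin_dir:\$PATH\""

    # Idempotent: a second run must not append a duplicate line.
    if [ -f "$profile" ] && grep -qxF -- "$line" "$profile"; then
        echo "already present in $profile: $line"
        return 0
    fi

    printf '\n# JDK for Ghidra; placed first so it shadows any distribution Java\n%s\n' "$line" >> "$profile"
    echo "added to $profile: $line"
    return 0
}

# count_jdk_lines PROFILE
#   Prints how many PATH export lines of the form written above are in PROFILE
#   (0 if none, or nothing if the file does not exist).
count_jdk_lines() {
    grep -c '^export PATH="[^"]*/bin:\$PATH"$' "$1" 2>/dev/null || true
}

# Usage (placeholders): add_jdk_to_path /opt/jdk-11.0.2 ~/.bashrc
# then:                 . ~/.bashrc && java -version
```

The existence check is the part worth keeping even if you edit the file by hand: the JDK archive extracts into a versioned subdirectory, and the most common mistake is pointing PATH at the directory that contains that subdirectory rather than at the jdk-*/bin directory inside it.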

Setting Your PATH Variable for Java (Windows)

Open your Environment Variables window:

  • On Windows 10, right-click the Windows Start button and choose System.

  • On Windows 7, click the Windows Start button in the lower left, right click on Computer, and then click on Properties.

Choose “Advanced system settings” as seen in Figure 2-1.

images/advanced_settings.png
Figure 2-1. Advanced system settings

Choose “Environment Variables” as seen in Figure 2-2.

images/env_vars.png
Figure 2-2. Environment Variables button

Now you should be in the right menu window to edit your environment variables.

Under “System variables”, highlight the PATH option and click Edit. You can also simply double-click PATH to open the editing window.

images/path_edit.png
Figure 2-3. Editing PATH variable

At the end of the “Variable value” field, add a semicolon, followed by the following string:

“<JDK_path_you_copied>”

or

“<path of extracted JDK dir>\bin”

On Windows 10 the Path editor shows one entry per line instead of a single semicolon-separated field; there, click New and paste the path as its own entry. Either way, the entry must be the bin directory inside the extracted JDK, not the JDK directory itself. Variables under “System variables” apply to every account on the machine and need administrator rights to change; if Ghidra is only for your own account, adding the entry to Path under “User variables” instead has the same effect for you with a smaller footprint.

Click OK three times to fully exit the System Variables window.

Then close any command prompt windows you may have open, and reopen a command prompt for the change to take effect.

Docker Containers

Containers are excellent for handling applications that have pre-requisites, like Ghidra does. You may not want to install the JDK in your main operating system but rather use an isolated environment. This may be especially true in the case of macOS, which has a complicated relationship with Java at times. Using a container to run Ghidra will save you from having to address anything that deals with your Java installation or any discrepancies between versions that may be required.

A container is an application packaged together with the libraries and supporting programs it depends on, run in an isolated environment that shares the host’s kernel with every other process on the system. The isolation comes from kernel features, not from a separate operating system: Linux namespaces give the containerized process its own view of the process table, filesystem mounts, network interfaces, and hostname, so other processes and the host’s own files are not visible to it, and control groups (cgroups) limit how much CPU and memory it may use and how many processes it may create. Memory itself is separated exactly as it is for any other process, by the kernel’s ordinary virtual memory management; containers do not add a further layer there.

This leaves us with two advantages to containers. You can install an application that has dependencies like Ghidra does with Java into a container without touching whatever versions of those dependencies are already installed in your primary operating environment. Additionally, you are isolating the process from the rest of the system, so a misbehaving process cannot see or modify your host’s files, and resource limits keep it from starving other processes. Keep the limits of this in mind, though. Because the kernel is shared, a kernel vulnerability, or a container started with extra privileges (the --privileged flag, for example, or the Docker socket mounted inside it), can let a process escape. For analyzing actively hostile code, a virtual machine is the stronger boundary; a container inside that virtual machine is a reasonable way to keep the Java installation self-contained.

There are a few container images for Ghidra available. Docker Hub is a place to go looking for one. If you are less familiar with containers, the directions provided with the image will help you out; read the image’s Dockerfile as well, so you know which JDK and which Ghidra release it installs and where it downloads them from.

Note

You can obtain Docker at https://www.docker.com. It runs on Windows, Linux, and macOS. A container image is built for a particular operating system kernel, so a Linux image runs only on a Linux kernel and a Windows image only on Windows. A Ghidra image will almost always be a Linux image: Ghidra itself runs on Java, so only the image’s Linux base and JDK matter. On Windows and macOS, Docker Desktop runs Linux images inside a lightweight Linux virtual machine, which is why the same Ghidra image can be used on all three platforms. Once you have Docker, you can go to https://hub.docker.com to find Docker images, like the one for Ghidra.
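An added example, not from the original page or from any published Ghidra image: a shell function that prints the docker run command for an isolated analysis container, applying the least-privilege settings a practitioner would want when the samples may be malicious. The image name, samples directory and projects directory are placeholders supplied by the caller; the page does not name a specific image. The command is printed rather than executed so it can be reviewed first.

```shell
#!/bin/sh
# ghidra_docker_cmd IMAGE SAMPLES_DIR PROJECTS_DIR
#   Prints a docker run command line for an isolated Ghidra container.
#   IMAGE is whatever Ghidra image you chose from Docker Hub (placeholder here).
ghidra_docker_cmd() {
    image=$1
    samples=$2
    projects=$3

    printf 'docker run --rm -it'
    printf ' --network none'                    # no network: samples cannot call out, Ghidra cannot fetch anything
    printf ' --cap-drop ALL'                    # static analysis needs no Linux capabilities
    printf ' --security-opt no-new-privileges'  # setuid binaries inside cannot gain privileges
    printf ' --pids-limit 256'                  # bounds a runaway or forking process
    printf ' --memory 4g'                       # bounds memory so the host stays responsive
    printf ' -e DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix:ro'  # GUI through the host X server (Linux host)
    printf ' -v %s:/samples:ro' "$samples"      # samples are read-only inside the container
    printf ' -v %s:/projects' "$projects"       # Ghidra project files persist here
    printf ' %s\n' "$image"
}

# run_ghidra_container IMAGE SAMPLES_DIR PROJECTS_DIR
#   Shows the command, then runs it only if the caller confirms.
run_ghidra_container() {
    cmd=$(ghidra_docker_cmd "$@")
    echo "About to run: $cmd"
    printf 'Proceed? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || return 1
    # Word-splitting the printed command is safe as long as the paths contain no spaces.
    $cmd
}

# Usage (placeholders): run_ghidra_container someuser/ghidra:latest "$PWD/samples" "$PWD/projects"
```

Sharing the X11 socket is the weakest link in this configuration: anything with access to the host’s display server can observe input events and other windows. That is acceptable when the goal is to keep the Java installation separate, but for hostile samples run the whole thing inside a virtual machine, as the rest of this section recommends.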

Running Ghidra Under Windows and Linux

Move the downloaded Ghidra .zip file to the directory from which you would like to launch Ghidra.

To extract the contents of the .zip file on Linux, open a terminal window, browse to the folder containing the Ghidra archive, and run this command:

>unzip <ghidra_archive.zip>

To extract the contents of the file in Windows, right-click the archive and select “Extract all.”

Starting Ghidra

In Windows, simply double-click ghidraRun.bat.

In Linux, using a terminal, navigate to the Ghidra directory and issue the following command in the command line:

>./ghidraRun

Ready to Start Analysis

At this point you have installed Ghidra and are able to start the program. If you are using a virtual machine, now is a good time to take a snapshot, so you can revert to this point should you want to.

You are now ready to start a project, load some files, and begin analyzing them with all the tools and functions available in the Ghidra platform.
