Chapter 4. Next Steps

Now that you have made it a couple of steps up the ladder toward a better understanding of Ghidra, you may be wondering where you can go from here. For a start, you can take the source code in Appendix A and compile it yourself. The source code is a portion of an implementation of Conway’s Game of Life, so you will be able to follow along with the assembly you looked at earlier and with the different sections of the CodeBrowser. You can also compile it with a couple of different compilers. Another thing to look at is how the compiled program changes when you change the source. Figure 4-1 shows the differences in the program when a new function is added. The two lefthand windows show the same section of the program; the difference is that in the far-left pane the new function is in place, and in the middle pane it is not.

Any change you make to the program can be viewed as a difference. The one thing you don’t want to do is run a program difference against two builds produced by two separate compilers. That is not comparing apples with apples; at best it is comparing a Red Delicious with a Granny Smith. The two builds do the same thing but don’t look much like each other. Because the program comparison lines the two programs up by memory address, you won’t be looking at the right places: each compiler lays the program out in its own way, so when you see code at offset 0x12c5 in one program, you may be looking at nothing at all, or at unrelated code, at that offset in the other simply because the program has been constructed differently.

[Image: images/progdiff.png]
Figure 4-1. Program differences

The added function that created the differences here is also shown in Appendix A, separate from the original program source code. The source code provided is standard C, so it should compile with any compiler you wish to try.
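To make the by-address point concrete, here is a small Python simulation added to this chapter. It is not code from the book, and it is not how Ghidra’s Program Differences feature is implemented. It lays constructed byte strings out as toy “functions”, diffs two images offset by offset the way an address-based comparison does, and then pairs functions by a hash of their contents instead. The function names and bytes (FUNC_A, FUNC_B, FUNC_C, FUNC_NEW) are made up for the example.

```python
import hashlib

# Constructed stand-ins for compiled functions (not taken from the book's
# Game of Life build). The bytes look like x86-64 fragments but are treated
# as opaque labels here; nothing below decodes them.
FUNC_A = b"\x55\x48\x89\xe5\x5d\xc3"
FUNC_B = b"\x55\x48\x89\xe5\x48\x83\xec\x10\x5d\xc3"
FUNC_C = b"\x48\x31\xc0\xc3"
FUNC_NEW = b"\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3"


def build_image(funcs):
    """Lay functions out back to back from offset 0.

    Returns (image_bytes, {name: (start, end)}), mimicking a .text section
    and the function table a disassembler would recover for it.
    """
    layout, chunks, off = {}, [], 0
    for name, body in funcs:
        layout[name] = (off, off + len(body))
        chunks.append(body)
        off += len(body)
    return b"".join(chunks), layout


def diff_by_address(img1, img2):
    """What a by-address comparison sees: (start, end) ranges of offsets
    whose bytes differ (end exclusive). Offsets past the end of the shorter
    image count as differing."""
    n = max(len(img1), len(img2))
    ranges, start = [], None
    for i in range(n):
        b1 = img1[i] if i < len(img1) else None
        b2 = img2[i] if i < len(img2) else None
        if b1 != b2:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def match_by_content(img1, layout1, img2, layout2):
    """Pair functions by a hash of their bytes, ignoring where they sit.

    Returns (matched {name1: name2}, only_in_1, only_in_2). Exact hashing
    survives relocation but not a change of compiler, and two byte-identical
    functions within one image would collapse to a single table entry."""
    def table(img, layout):
        return {hashlib.sha256(img[s:e]).hexdigest(): n for n, (s, e) in layout.items()}

    h1, h2 = table(img1, layout1), table(img2, layout2)
    matched = {h1[h]: h2[h] for h in h1.keys() & h2.keys()}
    only1 = sorted(h1[h] for h in h1.keys() - h2.keys())
    only2 = sorted(h2[h] for h in h2.keys() - h1.keys())
    return matched, only1, only2


# Scenario 1: the situation in Figure 4-1, a function inserted into the same build.
ORIGINAL, ORIGINAL_LAYOUT = build_image([("A", FUNC_A), ("B", FUNC_B), ("C", FUNC_C)])
WITH_NEW, WITH_NEW_LAYOUT = build_image(
    [("A", FUNC_A), ("new", FUNC_NEW), ("B", FUNC_B), ("C", FUNC_C)])

# Scenario 2: the same functions placed differently, a crude stand-in for
# a second compiler's layout choices.
REORDERED, REORDERED_LAYOUT = build_image([("C", FUNC_C), ("B", FUNC_B), ("A", FUNC_A)])


def compare_added_function():
    """Returns (by-address ranges, (matched, only_in_original, only_in_new))."""
    addr = diff_by_address(ORIGINAL, WITH_NEW)
    content = match_by_content(ORIGINAL, ORIGINAL_LAYOUT, WITH_NEW, WITH_NEW_LAYOUT)
    return addr, content


def compare_reordered():
    """Same shape as compare_added_function, for the reordered image."""
    addr = diff_by_address(ORIGINAL, REORDERED)
    content = match_by_content(ORIGINAL, ORIGINAL_LAYOUT, REORDERED, REORDERED_LAYOUT)
    return addr, content


if __name__ == "__main__":
    for label, (addr, (matched, only1, only2)) in (
        ("inserted function", compare_added_function()),
        ("reordered layout", compare_reordered()),
    ):
        print(f"{label}: by-address differing ranges {addr}")
        print(f"  by-content matched {matched}, only in first {only1}, only in second {only2}")
```

Running it shows both effects described above. Inserting FUNC_NEW after FUNC_A displaces everything behind it, so the by-address diff reports offsets 10 through 30 as changed even though B and C are byte-identical in both images, and it calls offsets 6 through 9 unchanged only because the inserted function happens to share a prologue with B. Reordering the same three functions makes nearly the whole image differ by address while content matching still pairs all three. Exact hashing only survives relocation; a second compiler also changes the instructions inside each function, which is why the warning about comparing builds from different compilers still holds.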

Once you have a handle on running Ghidra against programs you can create and manipulate yourself, you can move on to other programs. If you are not used to malware analysis, it may be best to start with programs that are completely innocuous, such as the utilities that come with your operating system. Nothing in those will cause problems for you, and working through them will help you get more familiar with the functionality of Ghidra.

Once you are completely comfortable with Ghidra, you can find some malware samples and carefully look at them. This should be done in a controlled environment: a virtual machine with no network connectivity, with a snapshot taken before you bring the sample in. If a piece of malware executes at all, you can restore from the snapshot and get a clean system again. Understanding malware is important, but keeping your systems from being infected is more important still.
