3
MEET GHIDRA


Ghidra is a freely available open source SRE tool suite developed by the National Security Agency (NSA). The platform-independent Ghidra environment includes an interactive disassembler and decompiler as well as a plethora of related tools that work together to help you analyze code. It supports a wide variety of instruction set architectures and binary formats and can be run in both stand-alone and collaborative SRE configurations. Perhaps the best feature of Ghidra is that it allows you to customize your work environment and develop your own plugins and scripts to enhance your SRE process and to share your innovations with the Ghidra community at large.

Ghidra Licenses

Ghidra is distributed free of charge and is licensed under the Apache License, Version 2.0. This license provides a lot of freedom to individuals to use Ghidra but does have some associated restrictions. All individuals downloading, using, or editing Ghidra are encouraged to read the Ghidra User Agreement (docs/UserAgreement.html) as well as the license files in the GPL and licenses directories in order to ensure that they are complying with all licensing agreements, as third-party components within Ghidra have their own licenses. In case you ever forget anything in this paragraph, Ghidra helpfully displays the licensing information every time you start Ghidra or select About Ghidra from the Help menu.

Ghidra Versions

Ghidra is available for Windows, Linux, and macOS. While Ghidra is highly configurable, most new users will likely download Ghidra and choose to start with the most current version of Ghidra Core, which includes traditional reverse engineering functionality. The focus of this book is on the Ghidra Core functionality for nonshared projects. In addition, we spend time discussing shared projects and headless Ghidra as well as the Developer, Function ID, and Experimental configurations.

Ghidra Support Resources

Working with a new software suite can be daunting, especially when the intent is to approach a challenging real-world problem by using reverse engineering. As a Ghidra user (or potential developer), you may wonder where you can turn for help when you have Ghidra-related questions. If we do our job well enough, this book will suffice in many situations. When you find yourself needing additional help, though, here are some additional resources you can turn to:

Official help documentation Ghidra contains a detailed help system that can be activated through the menu or by pressing F1. The help system provides a hierarchical menu as well as search functionality. While the Help menu offers various views, it does not currently provide support for interrogatory questions such as “How can I do x?”

Readme files In some cases, the Ghidra Help menu will refer you to additional content on a particular topic such as a readme file. Many readme files are included in the documentation to supplement specific plugins, extend topics in the Help menu (such as support/analyzeHeadlessREADME.html), assist with various installations (docs/InstallationGuide.html), and aid your evolution as a developer (such as Extensions/Eclipse/GhidraDev/GhidraDev_README.html) should you choose to pursue that path (and perhaps develop support for interrogatory questions such as “How can I do x?”).

Ghidra site The Ghidra project home page (https://www.ghidra-sre.org/) provides options for potential users, current users, developers, and contributors to further their knowledge about Ghidra. Along with detailed download information associated with each Ghidra release, a helpful Installation Guide video walks you through the installation process.

Ghidra docs directory Your installation of Ghidra includes a directory containing helpful Ghidra-related documentation, including a printable guide to menus and hotkeys (docs/CheatSheet.html) that can greatly ease your introduction to Ghidra, and much more. Tutorials that cover beginner, intermediate, and advanced features of Ghidra can be found under docs/GhidraClass.

Downloading Ghidra

Obtaining your free copy of Ghidra is an easy three-step process:

  1. Navigate to https://ghidra-sre.org/.
  2. Click the big red Download Ghidra button.
  3. Save the file to the desired location on your computer.

As with many simple three-step processes, there are a couple of points where a few renegades may choose to veer slightly from the recommended path. The following options are for those of you who want something different from the traditional starter pack:

  • If you want to install a different release, just click the Releases button and you will have the option to download other released versions. While some functionality may vary, the basics of Ghidra should remain the same.
  • If you wish to install to a server to support collaborative work, hang on until Chapter 11 to find out how to make that important change to your installation (or feel free to jump ahead and give it a try using the information in the server directory). Worst case, it is easy to back out, start again with the simple three-step process, and begin with a local Ghidra instance.
  • The truly brave at heart may wish to build Ghidra from source. The Ghidra source code is available on GitHub at https://github.com/NationalSecurityAgency/ghidra/.

Let’s move ahead with the traditional installation process.

Installing Ghidra

So, what did the magical red download button do when you clicked it and selected a destination on your computer? If everything went as planned, you should now have a zip file in your selected directory. For the original Ghidra release, the zip file’s name was ghidra_9.0_PUBLIC_20190228.zip. We can break down the naming convention. First, 9.0 is the version number. Next, PUBLIC is the type of release (there are other release types such as BETA_DEV releases). Finally, we have the release date, followed by the .zip file extension.

This zip file is actually a collection of the over 3400 files that make up the Ghidra framework. If you are happy with the location you saved the file to, unzipping it (for example, by right-clicking and selecting Extract All in Windows) will provide access to the Ghidra hierarchical directory. Note that Ghidra needs to compile some of its internal data files, so a Ghidra user will typically need write access to all Ghidra program subdirectories.

The Ghidra Directory Layout

Familiarity with the contents of your Ghidra installation is by no means a requirement before you start using Ghidra. However, since our attention is on your extracted download for the moment, let’s take an initial look at the basic layout. An understanding of the Ghidra directory structure will become more important as you progress to using the more advanced features of Ghidra covered in later chapters. A brief description of each of the subdirectories within the Ghidra installation follows. Figure 3-1 shows the Ghidra directory layout.


Figure 3-1: Ghidra directory layout

docs Contains general support documentation about Ghidra and how to use it. Included in this directory are two subdirectories that bear mentioning. First, the GhidraClass subdirectory provides educational content to help you learn about Ghidra. Second, the languages subdirectory describes Ghidra’s processor specification language, SLEIGH. SLEIGH is discussed extensively in Chapter 18.

Extensions Contains useful prebuilt extensions and important content and information for writing Ghidra extensions. This directory is covered more thoroughly in Chapters 15, 17, and 18.

Ghidra Contains the code for Ghidra. You will learn more about the resources and contents in this directory as we begin customizing Ghidra in Chapter 12 and building new capabilities in Chapters 13 through 18.

GPL Some of the components that make up part of the Ghidra framework were not developed by the Ghidra team, but consist of other code distributed under the GNU General Public License (GPL). The GPL directory contains files associated with this content, including licensing information.

licenses Contains files outlining the appropriate and legal usage of various third-party components of Ghidra.

server Supports the installation of the Ghidra server, which facilitates collaborative SRE. This directory is discussed in depth in Chapter 11.

support Serves as a catchall for a variety of specialized Ghidra capabilities and functionalities. As a bonus, this is also where the Ghidra icon can be found (ghidra.ico) if you want to customize your work environment further (for example, creating a shortcut to your Ghidra startup script). This directory is discussed as needed throughout the text, as we introduce various Ghidra capabilities.

Starting Ghidra

Alongside the subdirectories, files in the root directory allow you to get started on your Ghidra SRE journey. Yet another license file is in this directory (LICENSE.txt), but more importantly, you will find the scripts that actually launch Ghidra. The first time you double-click ghidraRun.bat (or run the equivalent ghidraRun script from the command line on Linux or macOS), you will need to agree to the end-user license agreement (EULA) shown in Figure 3-2, to acknowledge that you plan to use Ghidra in compliance with the Ghidra User Agreement. Once you have agreed, you will not see this window on subsequent startups, but can view the content at any time through the Help menu.

In addition, you may be asked for the path to your Java installation. (If you do not have Java installed, see the Installation Guide in the docs subdirectory, which provides supporting documentation in the Java Notes section.) Ghidra requires version 11 or higher of the Java Development Kit (JDK).1


Figure 3-2: Ghidra User Agreement
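The installation and startup notes above (the release archive naming convention, the need for write access to the program subdirectories, and the JDK 11-or-higher requirement) can be turned into a small pre-flight script that checks a download before you run ghidraRun. The script below is an added example, not code from the book or from the Ghidra project; the function names, the constructed `java -version` strings in the comments, and the assumption that the archive follows the ghidra_<version>_<TYPE>_<YYYYMMDD>.zip pattern are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for a freshly downloaded Ghidra release (added example,
# not code from the book or the Ghidra project). Assumes the archive naming
# convention the chapter describes, ghidra_<version>_<TYPE>_<YYYYMMDD>.zip,
# and the top-level directory layout of Figure 3-1.

# Print "version type date" for a release archive name; return 1 if the name
# does not follow the convention. The release type may itself contain
# underscores (for example BETA_DEV), so the date is taken as the last field.
parse_release_name() {
    prn_name=${1##*/}                       # drop any leading directory part
    case "$prn_name" in
        ghidra_*_*_*.zip) ;;
        *) return 1 ;;
    esac
    prn_rest=${prn_name#ghidra_}            # 9.0_PUBLIC_20190228.zip
    prn_rest=${prn_rest%.zip}               # 9.0_PUBLIC_20190228
    prn_version=${prn_rest%%_*}             # 9.0
    prn_date=${prn_rest##*_}                # 20190228
    prn_type=${prn_rest#*_}                 # PUBLIC_20190228
    prn_type=${prn_type%_*}                 # PUBLIC
    case "$prn_date" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;                      # date is not YYYYMMDD
    esac
    printf '%s %s %s\n' "$prn_version" "$prn_type" "$prn_date"
}

# Extract the major version from the first line of `java -version` output.
# Constructed samples: 'openjdk version "11.0.2" 2019-01-15' -> 11,
# 'java version "1.8.0_292"' -> 8 (legacy 1.x numbering).
jdk_major_version() {
    jmv_v=${1#*\"}                          # text after the first quote
    jmv_v=${jmv_v%%\"*}                     # up to the closing quote: 11.0.2
    jmv_major=${jmv_v%%.*}                  # 11 (or 1 for legacy 1.8.0)
    if [ "$jmv_major" = "1" ]; then
        jmv_v=${jmv_v#1.}
        jmv_major=${jmv_v%%.*}
    fi
    printf '%s\n' "$jmv_major"
}

# Ghidra requires JDK 11 or higher; succeed only if the version line says so.
jdk_is_supported() {
    jis_major=$(jdk_major_version "$1")
    case "$jis_major" in
        ''|*[!0-9]*) return 1 ;;            # no parseable number (e.g. java missing)
    esac
    [ "$jis_major" -ge 11 ]
}

# Ghidra compiles some internal data files at first start, so the user who
# runs it needs write access to the program subdirectories. Reports every
# missing or unwritable top-level subdirectory; returns 1 if any was found.
check_write_access() {
    cwa_root=$1
    cwa_bad=0
    for cwa_d in docs Extensions Ghidra GPL licenses server support; do
        if [ ! -d "$cwa_root/$cwa_d" ]; then
            printf 'missing: %s\n' "$cwa_root/$cwa_d"; cwa_bad=1
        elif [ ! -w "$cwa_root/$cwa_d" ]; then
            printf 'not writable: %s\n' "$cwa_root/$cwa_d"; cwa_bad=1
        fi
    done
    return "$cwa_bad"
}

# Usage: sh ghidra_preflight.sh <archive.zip> [<extracted Ghidra directory>]
if [ "$#" -ge 1 ]; then
    if parse_release_name "$1"; then :; else
        echo "unexpected archive name: $1" >&2
    fi
    if jdk_is_supported "$(java -version 2>&1 | head -n 1)"; then
        echo "JDK check: ok"
    else
        echo "JDK check: Ghidra needs JDK 11 or higher" >&2
    fi
    if [ "$#" -ge 2 ]; then
        if check_write_access "$2"; then echo "write access: ok"; fi
    fi
fi
```

The write-access check looks only at the top-level subdirectories the chapter lists; an install unpacked by a different user (or from an archive that preserved read-only permissions) usually shows up there first, and you can extend the loop to walk the tree with find if you want a full scan.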

Summary

Once you are successful in opening Ghidra, you are ready to move on to using it to accomplish something useful. Over the course of the next few chapters, you will discover how to use Ghidra to perform basic file analysis, learn about CodeBrowser and the many common Ghidra display windows, and see how to configure and manipulate those displays to further your understanding of a program’s behavior.
