ABI (application binary interface), 100, 101, 103, 458
About Ghidra, 34
abstract base class (C++), 174
abstract function, 174
access control (Ghidra Server), 218, 221, 231
activation records. See stack frame.
Add Block (Memory Map toolbar), 370
addEntryPoint method, 383, 396
Add File to Version Control, 235
adding an analyzer module (Eclipse), 329, 337–339
Add Reference dialog, 196
Add Reference from, 195
Address Interface, 298
AddressOfEntryPoint field, 369
AddressSourceInfo object, 524, 525
address table, 10
Address Type overview bar, 480
addrinfo data type, 148, 149, 172
ai_socktype, 149
alignment gap, 520
ALT-left arrow hotkey (Go To Previous Location), 92, 93
ALT-right arrow hotkey (Go To Next Location), 92, 93
analysis
analysis engine (Decompiler), 430
Analysis menu (CodeBrowser), 57
-analysisTimeoutPerFile (headless analyzer), 350, 351
analyzeHeadlessREADME.html, 34, 342, 350, 352
analyzer modules
example
ROP gadget, 329
template (Eclipse), 323, 328, 331
testing with Eclipse, 337
analyzers
creating with Eclipse, 329
Decompiler Parameter ID, 50, 53, 109, 113
PE files, 110
Decompiler Switch Analysis, 50, 53
Function ID, 73, 272, 273, 278, 279, 283
headless, 340–345, 347, 354, 357, 358
non-returning functions, 436
results, 51
RTTI, 181
Stack, 94
anti-debug techniques, 505
anti-piracy protections, 505
anti-reverse engineering, 470
anti-reverse engineering tools, 471, 475, 490, 491
API (application programming interface), 52, 477, 489, 490, 500
application binary interface (ABI), 100, 101, 103, 458
application programming interface (API), 52, 477, 489, 490, 500
Apply Differences, 534, 537, 538
Apply Function Signature To Other Side, 546
applying structure layouts, 171
Apply Selection (hotkey F3), 537
architecture size, 263
Archive Current Project (Ghidra), 225
archives
creating data type archives, 269
creating new file archives, 271
creating new project archives, 272
data type archives, 268
arguments. See also parameters, 94–113, 453, 454, 458, 464–466
arrays
base address, 150, 152, 153, 158, 159, 160, 170
bounds, 151
constant indices, 153, 154, 159, 160
create, 139
elements, 150–153, 156, 158, 159, 169
globally allocated, 150, 154, 161
index value, 150, 153, 156, 160, 161, 165
member access, 150
example, 155
static assignments, 156
of structures, 164
Array type option (Ghidra), 156
articulation, 200
ASCII format export (Ghidra), 514, 522, 523
askAddress method, 300
askDirectory method, 301
askFile method, 301
askInt method, 300
askYesNo method, 300
ASProtect, 479
assembler (Ghidra), 513, 515–518, 528
Assembler Rating, 516
assembly language
directives, 4
-a strings option, 29
Attach existing FidDb, 275
attaching FidDbs, 275
authentication
functions, 512
Ghidra Server, 219, 221, 227, 228, 230, 231
auto analysis, 52–53, 90, 107, 110, 261, 265, 268, 273
options, 50
results, 51
Auto Analysis Summary dialog, 50
Auto Create Structure, 439, 441
automated structure creation, 437
automatic storage class (C++), 177
back references, 184, 185, 195
backward navigation (Go To Previous Location)
hotkey OPTION-left arrow (Mac), 93
backward slice, 435
base address, 47
base address (array), 150, 152, 153, 158, 159, 160, 170
Base Library (FidDb), 277
base virtual address (PE files), 367, 369
basic block, 66, 67, 190, 198, 199, 203–208, 428, 436
basic data transformations, 140
basic disassembly algorithm, 8
batch import, 226, 227, 346, 359
Batch Import dialog, 282
batch import (Ghidra), 282
batch import (headless analyzer), 346, 347, 359
Batch mode (import), 226, 227, 282
binaries, 4
ELF, 92
binary differencing, 529
Binary format export (Ghidra), 522, 523, 525
bitness, 263
breakpoints
software, 490
Browser Field Formatter, 65, 66, 133, 134, 247, 248, 419
buildLanguage.xml, 404
build options (compiler), 152, 444, 451, 455
BuiltInTypes, 268
byte code, 4
Byte Viewer, 514
editing, 513
Bytes window, 78, 79, 513, 514
options, 244
C/C++ format export (Ghidra), 522
C hotkey (Clear Code Bytes), 139, 473, 503
C language
calling conventions, 96
compilers, 160, 173, 176, 178, 181, 443, 448–451, 453, 456, 459, 463, 465
format export (Ghidra), 522
malloc function, 157
strcpy function, 194
C++
abstract base class, 174
calling conventions, 99
compilers, 160, 443, 448–451, 453–457, 463–465
compiler variations
function overloading, 458
RTTI, 459
constructor, 173, 177, 178, 181
delete operator, 178
dynamic_cast, 180, 181, 458–460
inheritance, 172, 173, 179–182, 459
multiple inheritance, 180
name mangling, 27, 179–181, 458, 459
object life cycle, 177
pure virtual function, 174, 175
reversing, 172
RTTI analyzer, 181
RTTI (Runtime Type Identification), 180, 181, 459–461
storage class, 177
vftable pointer, 173–176, 178, 179
vftables, 173–179, 181, 182, 191, 192, 194, 459, 460, 462, 463
vftables indexing, 176
virtual functions, 173–176, 178, 179, 191, 192, 195, 459, 460, 463
callee-saved registers. See no-clobber register, 100, 101
caller-saved registers. See clobber register, 100, 101
calling conventions, 94–95, 100–101, 113, 139
C, 96
C++
cdecl, 96, 97, 99, 102, 103, 105
standard calling convention, 98
call mechanics, 94
cdecl, 96, 97, 99, 102, 103, 105
changing appearance (windows), 250, 251
Characteristics field (PE files), 374
CheatSheet.html, 35
checkpoint, 487
child processes, 475
Choose active FidDbs, 275
Choose Data Type (hotkey T), 366
Classes folder (Symbol Tree), 74, 75, 192, 459, 460
classification tools, 15
Clear Code Bytes (hotkey C), 139, 473, 503
clipboard icon (Eclipse), 320
Close (display windows), 242
Close View (Ghidra Project), 229
code caves, 519
code cross-reference, 186, 187, 190, 192
code display options, 133
code optimization, 99, 109, 453, 455, 466
CodeBrowser, 48, 49, 50, 52–54
CodeBrowser menu
Analysis menu, 57
Analyze All Open, 261, 265, 268, 273, 283
Auto Analyze, 48–53, 261, 265, 268, 273
One Shot, 110
File menu, 56
Export Program, 522
Help menu, 58
About Ghidra, 34
Search menu, 58
For Direct References, 508
For Instruction Patterns, 508–511
Function ID menu, 274
Program Differences, 530
Window menu. See also CodeBrowser windows, 58–87
CodeBrowser toolbar
Navigation toolbar, 70, 92, 93
Redo, 120
Undo, 120
CodeBrowser windows
options, 244
Console, 75
Data Type Manager, 48, 52, 75, 148, 149, 167, 169, 176, 214, 267–269, 271, 272, 279
Decompiler, 59, 75–78, 427–432, 434–437, 439, 442
Function Graph, 66–69, 197–202, 205, 207, 208
Listing, 52, 472, 481, 482, 500, 503, 509, 514–522, 526
Memory Map, 48, 85, 86, 368–374
Script Manager, 286–297, 314–319, 321, 326, 327
Symbol Tree, 48, 49, 58–60, 72–75, 90–92, 121–124, 148, 181, 192, 214, 272–280, 459–461
collaborative SRE, 33, 37, 217–222, 224, 227, 228, 230, 231, 235, 240
collapse sections (Eclipse), 318
collapsing blocks (Function Graph View), 68, 69
color customization (Function Graph), 208
Color Editor, 244
command line options (headless analyzer), 347
comments (Eclipse), 332
comments (Ghidra), 125, 137, 145
Symbol option, 153
EOL (end-of-line) comments, 128, 129, 132, 134, 302, 463
repeatable comments, 128, 131, 302
-commit (headless analyzer), 353
Common Symbols File, 278
Compare Selected Functions (hotkey SHIFT-C), 538, 539, 541–543, 545, 546
comparing functions, 538, 539, 541–543, 545, 546
compilers
compiler field, 263
compiler options, 452
debug versions, 443, 450, 452, 453
Delphi, 443
GNU gcc/g++, 160, 443, 448–451, 453–455, 464
identification, 52
linker options, 452
Microsoft C/C++, 160, 173, 176, 178, 181, 443, 448–451, 453, 456, 459, 463, 465
release versions, 452
validation, 7
compiler-specific behavior, 466
compiler variations, 443
compiler-specific behavior, 466
C++, 458
C++ Function Overloading, 458
C++ RTTI, 459
main(), 463
conditional branching instructions, 11
conditional jump, 474
configurations (Ghidra)
Configure Tool window, 255
Ghidra Core, 34, 252, 255, 256
ImporterPlugin, 253
Configure Gradle (Eclipse), 338
Configure Tool (Ghidra), 255
-connect (headless analyzer), 353
Console window (CodeBrowser), 75
constant indices, 153, 154, 159, 160
constructors
inline, 181
SLEIGH, 408
control flow, 197, 200, 205, 208
converting data and code
Clear Code Bytes (hotkey C), 139, 473, 503
Disassemble (hotkey D), 140, 374, 378, 473, 503
Convert to Shared (Ghidra Server), 231
createAsciiString method, 305
createByte method, 304
createData method, 395
Create Function (hotkey F), 137
createFunction method, 305
Create Ghidra Script, 356
createMemoryBlock method, 383, 389, 395
createMemoryReference method, 396
Create new empty FidDb, 275, 277
Create Tool
example, 254
createUnicodeString method, 305
creating
analyzer modules (Eclipse), 329
Create Array (hotkey [), 144
Create Structure (hotkey SHIFT-[), 166, 167
Create Structure window, 166, 167
data type archives, 269
file archives, 271
Ghidra tools, 253
example, 254
module projects (Eclipse), 322
project archives, 272
projects (Ghidra), 43
script projects (Eclipse), 321
scripts (Eclipse), 317, 319, 321
shared projects (Ghidra Server), 221, 222
Close View, 229
cross-references, 64, 69, 80, 86, 183–184, 188–189, 193, 195, 196, 401, 461–463, 508, 512, 521, 523
data, 185, 187, 190, 191, 459, 460
enumerating, 308
jump, 190
read, 191
suffix (R), 185
suffix (T), 212
suffix (W), 185
write, 191
-cspec (headless analyzer), 351, 352
C-style structs. See structures.
CTRL-L hotkey (Retype), 434
CTRL-SHIFT-Z hotkey (redo), 120
CTRL-Z hotkey (undo), 120
Cuckoo Sandbox, 479
current file location, 64
currentLocation, 299
currentProgram, 293, 296, 299, 305, 307–310
customizing (Function Graph View), 69
cycle groups, 141
data cross-reference, 185, 187, 190, 191, 459, 460
Data Execution Prevention (DEP), 330
data/languages directory, 397
data structures, 147, 150, 164, 172, 182
data type archives, 267, 269, 272
BuiltInTypes, 268
opening, 268
Data Type Manager window, 48, 52, 75, 148, 149, 167, 169, 176, 214, 267, 279
BuiltInTypes, 268
data type archives, 268
creating, 269
opening, 268
New File Archive, 271
New Project Archive, 272
data types, 147, 150, 153, 169, 182, 431, 432
DAT_ prefix, 91, 120, 126, 144
dead listings, 90
debug mode, 443, 450, 452, 453
debuggers, 280, 476, 477, 480, 490–491, 503, 504, 525–528
OllyDbg, 478
preventing debugging, 489
WinDbg, 11
debugging displays, 7
debugging registers (x86), 477
decompiler-assisted stack frame analysis, 109
Decompiler Parameter ID, 50, 53, 109, 113
PE files, 110
decompilers, 5
Decompiler Switch Analysis, 50, 53
Decompiler window, 59, 75–78, 427
analysis engine, 430
analysis options, 436
Eliminate unreachable code, 428, 429
Simplify predication, 428, 430
Auto Create Structure, 439, 441
automated structure creation, 437
backward slice, 435
Edit Function Signature, 437
editing in the Decompiler window, 431
editing variable types and names, 434
error bookmark, 437
forward slice, 435
function prototypes, 432
highlighting slices, 435
non-returning function, 436, 437
Override Signature, 433
overriding function signatures, 433
program slice, 435
Structure Editor window, 442
Decompile View (Function Comparison), 539, 542
deep inspection tools, 27
defined data, 507
Defined Data window, 75, 80, 81
Defined Strings window, 81, 82, 144
Delete Function (hotkey DEL), 137
delete operator (C++), 178
Delete Project (Ghidra), 225
-deleteProject (headless analyzer), 349
Delphi, 443
deobfuscation, 479–490, 492–495, 503, 504
emulation-oriented, 496
script-oriented, 491
deobfuscation stub, 479, 480, 483, 485, 496
DEP (Data Execution Prevention), 330
Destination Folder field (Import File), 45
desynchronization, 471, 474, 478
Detach existing FidDb, 275
detaching FidDbs, 275
Determine Program Differences dialog, 530
Developer configuration, 34
Developer configuration (Ghidra), 252
D hotkey (Disassemble), 140, 374, 378, 473, 503
Diff Details window, 531, 532, 534–535
EOL-Comment section, 536
Diff View, 259, 530, 532, 534, 538, 546
directives, 4
direct references search, 462, 508
Disassemble (hotkey D), 140, 374, 378, 473, 503
disassemble method, 304
diStorm, 29
MASM, 9
NASM, 29
disassembly
basic algorithm, 8
conditional branching instructions, 11
desynchronization, 471
function call instructions, 12
navigation, 90
return instructions, 13
sequential flow, 11
theory, 4
tools, 15
unconditional branching instructions, 11
diStorm, 29
divide-by-zero exception, 477
DLL (dynamic link library), 484, 485
downloading Ghidra, 35
-d strings option, 29
dynamic_cast, 180, 181, 458–460
dynamic linking, 22, 23, 209, 212, 213
dynamic link library (DLL), 484, 485
dynamic memory allocation, 157, 178
Eclipse
analyzer module template, 323, 328, 331
clipboard icon, 320
collapse sections, 318
comments, 332
Create Ghidra Script dialog, 319, 321
creating module projects, 322
creating script projects, 321
creating scripts, 317, 319, 321
directories
module projects, 327
error tag, 320
Exporter, 337
exporter module template, 323
export module, 337
file system module template, 323
GhidraDev, 315–322, 324, 331, 337, 402, 403, 409
loader module template, 323, 328
Package Explorer, 322–326, 331
plugins module template, 323
processor module template, 323
Quick Fix options, 315, 320, 321
task tag, 320, 323, 328, 332, 333
testing modules, 385
TODO comments, 320, 332–334, 403, 410, 411
tutorials, 316
Eclipse menus
edge color (Function Graph), 207
edges, 184
Edit function (hotkey F), 137–139
Edit Function Signature, 437
editing
in the decompiler window, 431
structure members, 169
the tool (Tool Options), 246
variable types and names, 434
Edit menu (CodeBrowser), 57, 59, 62
Edit menu (Ghidra Project), 227
Edit Plugin Path (Ghidra Project), 227
Edit Tool Options (Ghidra Project), 227
educational content, 36
EEPROM, 523
E hotkey (Set Equate), 136
ELF binaries
file format, 8, 17, 23, 25, 268, 392
obfuscation, 276–279, 479, 490, 492, 496
utilities, 17, 23, 25, 28, 29, 280
Eliminate unreachable code, 428, 429
emulating assembly language behavior, 311
emulation, 469, 495–497, 500, 501, 503, 504
emulation-oriented deobfuscation, 496
SimpleEmulator example, 497–499
dispose method, 502
enableMemoryWriteTracking method, 500
getEmulateExecutionState method, 501
getTrackedMemoryWriteSet method, 501
readMemoryByte method, 502
setBreakpoint method, 500
encode, 478
encrypt, 478
endianness, 263
end-of-line (EOL) comment, 128, 129, 132, 134, 302, 463
end-user license agreement (EULA), 37
Entropy bar (Ghidra), 62
entry point, 8, 73, 85, 463, 464
enumerating cross-references, 308
enumerating functions, 307
enumerating instructions, 308
EOL-Comment section, 536
EOL (end-of-line) comment, 128, 129, 132, 134, 302, 463
error messages (headless analyzer), 344
error tag (Eclipse), 320
-e strings option, 29
EULA (end-user license agreement), 37
exceptions, 476, 477, 490, 494, 502, 504
Executable and Linkable Format. See ELF.
Expand Down (Memory Map toolbar), 373, 374
expand lines (Eclipse), 318, 328
Experimental configuration (Ghidra), 34, 252
explicit forward reference, 195
Export dialog, 522
Exporter (Eclipse), 337
exporter module template (Eclipse), 323
exporting files (Ghidra), 506
C/C++ format, 522
HTML format, 523
Intel Hex format, 523
XML format, 523
zip format, 522
export module (Eclipse), 337
Export Program menu (CodeBrowser), 522
Exports folder (Symbol Tree), 73
Export Tool, 257
external references, 195
Failed to disassemble (Ghidra error message), 472
fallthrough, 518
override, 473
F hotkey (Create/Edit Function), 137–139
F1 hotkey (Ghidra Help), 34, 58, 186, 196, 270, 273, 506, 516, 549
F2 hotkey (Apply Selection), 537
F5 hotkey (Program Diff toolbar), 532, 534
FidDbs (Function ID databases), 272, 273, 276, 278–280, 282–284, 466
attaching, 275
detaching, 275
populating FidDbs from programs, 275, 277
FidPlugin, 274
file extensions, 16
File menu (CodeBrowser), 56, 522
File menu (Ghidra Project), 224, 225
file offset, 47
files
extensions, 363
.class, 268
.cspec, 404
.drv, 26
.fidb, 277
.gif, 257
.gpr, 232
.jpg, 257
.keep, 238
.o, 280
.png, 257
.prf, 270
.slaspec, 404, 405, 408, 412, 415, 418
.so, 23
.tar, 227
.xml, 404
hijacked (Ghidra Server), 236, 238
loading (Ghidra), 44
private (Ghidra Server), 238, 239
filesystem paths, 342
file system mode (import), 281
file system module template (Eclipse), 323
filesystem paths, 342
findBytes method, 303
findSupportedLoadSpecs method, 381, 382
first-generation languages, 4
Flat API, 297, 299, 301, 302, 304, 308
FlatProgramAPI class, 297–300, 306
addEntryPoint method, 383, 396
clearListing method, 304
createAsciiString method, 305
createByte method, 304
createData method, 395
createFunction method, 305
createMemoryBlock method, 383, 389, 395
createMemoryReference method, 396
createUnicodeString method, 305
disassemble method, 304
findBytes method, 303
getBytes method, 301
getDataAfter method, 302
getFirstData method, 302
getFirstFunction method, 303, 307
getFirstInstruction method, 302
getFunctionAfter method, 304, 307
getFunctionAt method, 304, 310
getInstructionAfter method, 302
getInstructionAt method, 302
getInt method, 301
getLong method, 302
getReferencesFrom method, 304, 309
getReferencesTo method, 304, 310
getSymbols method, 303
removeFunctionAt method, 304
setEOLComment method, 305
flow arrow, 64
flow types
jump, 190
sequential, 186, 187, 189, 190, 198, 205
footprints icon (Version Tracking), 547
forbidden labels and names, 123
For Direct References (Search menu), 462
For Instruction Patterns (Search menu), 508, 509, 512
Format option, 263
formatting instruction operands, 133, 135
formatting XREFs, 186
forward navigation (Go To Next Location)
hotkey ALT-right arrow, 92, 93
hotkey OPTION-right arrow (Mac), 93
forward references, 184, 195, 196
forward slice, 435
fourth-generation languages, 4
fragment, 71
frame pointer, 95, 103–106, 113, 114
FrontEndPlugin. See Ghidra Project window.
full hash, 272
Function Call Graph window, 86, 87, 197, 210–211, 213, 214
satellite view, 67, 68, 199, 208, 209
function call instructions, 12
Function Call Tree window, 87, 214
Function Comparison toolbar, 540
Function Comparison window
Function Graph View, 66
Function Graph window, 66, 197–198, 201, 205, 207, 447
articulation, 200
basic block toolbar
background color, 208
combine vertices, 203
restore group, 203
color customization, 208
edge color, 207
Function Graph View zooming, 58, 60, 68
interaction threshold, 202
satellite view, 67, 68, 199, 208, 209
Function ID analyzer, 73, 272–283
Function ID configuration (Ghidra), 34, 73, 74, 254
Function ID database (FidDb), 272–283, 466
Function ID menu, 274
Attach existing FidDb, 275
Choose active FidDbs, 275
Create new empty FidDb, 275, 277
Detach existing FidDb, 275
Function ID plugin
Populate FidDb from programs, 275, 277
Function ID plugin, 273
Function IDs, 272
Function interface
getPrototypeString method, 306
getStackFrame method, 306, 307
functions
arguments, 94, 96, 98, 105, 106, 110
identifying, 52
call mechanics, 94
comparing, 538, 539, 541–543, 545, 546
Create (hotkey F), 137
Delete (hotkey DEL), 137
header, 535
library, 52, 178, 212, 482, 483
locating main, 452, 455, 457, 460, 463–466
modifying signatures, 433, 434, 436, 437
namespace, 124
parameters, 148, 158, 173, 179, 457, 458
prologue, 95, 100, 102, 104, 105, 110, 375
prototypes, 127, 140, 148, 179, 432
signature, 434, 437, 535, 537, 543, 546
variable number of arguments, 97, 179, 432, 433
Functions folder (Symbol Tree), 73, 74
fuzzing, 6
Gaobot worm, 19
gcc, 443, 448–451, 453–457, 464
gcc/ld (-s option), 152
getBytes method, 301
getComment method, 307
getDataAfter method, 302
getDefaultOptions method, 384
getFirstData method, 302
getFirstFunction method, 303, 307
getFirstInstruction method, 302
getFromAddress method, 299, 310
getFunctionAfter method, 304, 307
getFunctionAt method, 304, 310
getFunctionManager method, 305
getInstructionAfter method, 302
getInstructionAt method, 302
getInt method, 301
getLanguageID method, 306
getListing method, 293, 305, 308, 309
getLong method, 302
getMaxAddress method, 306, 307
getMemory method, 305
getMinAddress method, 306, 307, 309
getMnemonicString method, 306
getName method, 293, 298, 307–310, 381, 388, 392, 394
getNumOperands method, 307
getOperandType method, 307
GetProcAddress function (Windows), 483–487
getPrototypeString method, 306
getReferenceManager method, 306
getReferencesFrom method, 304, 309
getReferencesTo method, 304, 310
getReferenceType method, 299, 309, 310
getStackFrame method, 306, 307
getSymbols method, 303
getSymbolTable method, 305, 310
getTierPriority method, 382, 388
Ghidra
Address Type overview bar, 480
CheatSheet.html, 35
directory structure, 36
download
releases, 35
educational content, 36
Entropy bar, 62
error
bookmarks, 502
error message
Failed to disassemble, 472
file loading, 44
icon, 37
known structure layouts, 171
Module
server
directory, 35
installation, 35
source code, 35
source repository, 316
startup script, 37
tutorials, 35
versions, 35
ghidra.app.script.GhidraScript, 289, 294
Ghidra Core configuration, 34, 255, 256
Plugin Path, 252
ImporterPlugin, 253
Ghidra data displays, 55
GhidraDev, 315–316, 318, 324, 337, 402, 403, 409
New menu
Ghidra Module Project, 319, 322, 323, 331
Ghidra Script, 317, 319, 321, 326, 327
Ghidra Script Project, 319, 321
GhidraDev_README.html, 316
GhidraDev User Consent, 317
Ghidra directories
data, 397
data/languages, 397
Ghidra/Features, 316, 326, 334
languages, 397, 404, 407, 409, 415, 418
Ghidra directory structure, 36
Ghidra, 37
GPL, 37
licenses, 37
server, 37
support, 37
Ghidra extensions
Gradle, 337
install, 338
Ghidra/Features directory, 316, 326, 334
Ghidra GUI, 341, 345–348, 351, 353, 355
Ghidra Help (F1 hotkey), 58, 186, 196, 270, 273, 506, 516, 549
Ghidra Help menu
About, 51
Contents (F1 hotkey), 34
$GHIDRA_HOME, 354
ghidra.ico, 37
Ghidra installation directory, 354
Ghidra Module Extension
Export, 337
Ghidra Module Project, 322
Exporter, 323
FileSystem, 323
plugins, 323
Processor, 323
Ghidra Project menu
Edit
Plugin Path, 227
Edit menu
Tool Options, 227
File menu, 224
Archive Current Project, 225
Delete Project, 225
Import File, 44
Help menu
About Ghidra, 34
Project
View Recent, 229
View Repository, 229
Ghidra Project window, 41–42, 48, 52, 242, 253
creating projects, 43
Table View, 223
Tool Options
Eclipse Integration, 250
Recovery, 250
Tool, 250
Ghidra releases, 35
ghidraRun, 37
Ghidra Script, 319, 321, 326, 327
GhidraScript class, 289, 292, 294, 296
askAddress method, 300
askDirectory method, 301
askFile method, 301
askInt method, 300
askYesNo method, 300
currentAddress instance variable, 299, 308, 309
currentLocation instance variable, 299
currentProgram instance variable, 293, 296, 299, 305, 307–310
currentSelection instance variable, 293, 300
goTo method, 301
printf method, 293, 300, 307, 309, 310
Ghidra Script Project, 321
ghidra_scripts, 286
Ghidra Server, 217, 230, 235, 240
authentication methods, 219, 221, 227, 228
configuration file, 218
Convert to Shared, 231
example, 219
headless analyzer options, 352–353
hostname, 222
installation, 219
IP address, 222
platforms, 219
server administrator, 224
-u parameter, 220
Ghidra Server project, 235
Ghidra site, 35
Ghidra source code, 35, 316, 549
Ghidra Tools
Version Tracking, 529, 546–549
Ghidra Tools menu
Create Tool
example, 254
Export Tool, 257
Import Tool, 257
Ghidra User Agreement, 34, 37, 38
Ghidra versions, 34
G hotkey (Go To Address/Label), 92, 93, 214
Ghidra source code, 35
global namespace, 124
global structures, 161, 162, 166
global variable, 151–153, 161, 167
GNU gcc/g++, 443, 448–451, 453–457, 464
packed attribute, 160
pack pragma, 160
goTo method, 301
GPL directory, 37
GPL (GNU General Public License), 34, 37
Gradle Wrapper option, 337
grep, 280
grouping blocks
Function Graph window, 68, 203
hardware breakpoints, 477, 489
hashing
full hash, 272
hash values, 487
specific hash, 272
headless analyzer, 340–341, 345
batch import, 347
command line options, 347
error messages, 344
example
Ghidra Server options, 352
launching, 342–344, 347–352, 354, 357–360
scripting, 355
wildcards, 350
headless analyzer options
general
-analysisTimeoutPerFile, 350, 351
-deleteProject, 349
-import, 343, 344, 347–352, 354, 355, 357–359
-loader, 352
-log, 348
-max-cpu, 352
-overwrite, 348
script
-postScript, 354, 355, 357–359
-preScript, 354
-process, 343, 348, 351–353, 359
-propertiesPath, 354
-scriptPath, 353, 354, 357–359
server
-commit, 353
-connect, 353
-keystore, 353
-p, 353
headless Ghidra. See headless analyzer.
headless mode. See headless analyzer.
heap-allocated array, 157, 158
heap-allocated structures, 162, 163
Help menu
About Ghidra, 34
Help menu (CodeBrowser), 58
hex editor. See Byte Viewer, 513, 528
H hotkey (Label History), 123, 127
highlighting slices, 435
hijacked file (Ghidra Server), 236, 238
Home scripts (Eclipse), 325, 499
hostname (Ghidra Server), 222
hotkeys, 59
ALT-left arrow (Go To Previous Location), 92, 93
ALT-right arrow (Go To Next Location), 92, 93
C (Clear Code Bytes), 139, 473, 503
[ (Create Array), 144
CTRL-L (Retype), 434
CTRL-SHIFT-Z (Redo), 120
CTRL-Z (Undo), 120
D (Disassemble), 140, 374, 378, 473, 503
E (Set Equate), 136
F (Create/Edit Function), 137–139
F1 (Ghidra Help), 34, 58, 186, 196, 270, 273, 506, 516, 549
F3 (Apply Selection), 537
F5 (Program Diff toolbar), 532, 534
G (Go To Address/Label), 92, 93, 214
L (Label), 120, 123–128, 206, 434
OPTION-left arrow (Go To Previous Location; Mac), 93
OPTION-right arrow (Go To Next Location; Mac), 93
SHIFT-C (Compare Selected Functions), 538, 539, 541–543, 545, 546
SHIFT-[ (Create Structure), 166, 167
S (Search), 58, 116, 117, 507–511
T (Choose Data Type), 366
HTML format export (Ghidra), 523
ia.sinc, 409–413, 415, 416, 418–421, 423–425
IDA
.idata section, 373
IDE (integrated development environment), 316–318, 327, 328, 333, 340
IL (intermediate language), 418
IMAGE_DOS_HEADER, 366
IMAGE_SECTION_HEADER, 369, 370, 372
imported function obfuscation, 482
Imported libraries (Symbol Tree), 73
importer loader poll, 364, 381
ImporterPlugin, 253
Import File (Ghidra), 44
-import (headless analyzer), 343, 344, 347–352, 354, 355, 357–359
importing
Batch Import dialog, 282
ELF binaries, 262, 264, 276, 278
files
override recommendations, 262
File System mode, 281
PE files, 262
Import Results Summary, 45, 46, 264
Imports folder (Symbol Tree), 72, 73, 280
Import Tool, 257
index (array), 150, 153, 156, 160, 161, 165
inheritance (C++), 172, 173, 179, 180, 181, 182, 459
inline constructors, 181
inline functions, 181, 457, 458
inlining (compiler variations), 457
installing Ghidra
Instruction Info window, 405
Instruction interface
getComment method, 307
getMnemonicString method, 306
getNumOperands method, 307
getOperandType method, 307
toString method, 307
instruction patching, 505, 507, 508, 512, 515, 517, 518, 519
instruction patterns, 508, 509, 512
instruction pattern search, 508–511
Instruction Pattern Search dialog, 509–511
instruction set architectures, 33
integrated development environment (IDE), 316–318, 327, 328, 333, 340
Intel Hex format export (Ghidra), 523
Intel x86. See x86, 8
interaction threshold, 202
inter-function alignment gap, 520
intermediate language (IL), 418
intermediate representation (IR), 418
interprocess communication (IPC), 475
IP address, 148
IP address (Ghidra Server), 222
IPC (interprocess communication), 475
IR (intermediate representation), 418
IsDebuggerPresent, 489
JDK (Java Development Kit), 37
jump
conditional, 474
cross-reference, 190
flow, 190
hook, 519
to XREF (Function Graph), 208
kernel32.dll, 465
GetModuleHandleA, 483, 485, 486
GetProcAddress function, 483–487
LoadLibrary function, 483, 485
-keystore (headless analyzer), 353
labels
manipulating, 120
navigating, 128
pinned, 127
prefix
SUB_, 126
removing, 127
rules for, 123
Labels folder (Symbol Tree), 74
LAB_ prefix, 91, 120, 126, 131
language/compiler specification, 44, 265, 366, 377, 386, 394, 396–399
architecture size, 263
compiler field, 263
endian field, 263
language field, 263
processor name field, 263
processor variant/mode field, 263
language definition file (ldef), 396, 397
Language field, 263
Language field (Import File), 44
language generations, 4
languages directory, 397, 404, 407, 409, 415, 418
layouts, 171
ldd (list dynamic dependencies), 22–26, 483
ldef (language definition file), 396, 397
L hotkey (Label), 120, 123–128, 206, 434
libraries
functions, 52, 148, 178, 482, 483
dynamically linked, 212
imported, 73
libc, 282
libcrypto.so, 264
libc.so.6, 264
libssl.so, 264
loading external, 45
shared, 482
type libraries, 149
Library Family Name (populating FidDbs), 277
library functions
Library Variant (populating FidDbs), 277
Library Version (populating FidDbs), 277
licenses directory, 37
lifting, 418
linear sweep disassembly, 9–13
linker, 152
Link options (Eclipse), 322, 324, 325
list dynamic dependencies (ldd), 22–26, 483
Listing View (Function Comparison), 539, 542, 543
Listing window, 52, 427, 428, 430, 431, 436, 437, 442, 472, 481, 482, 500, 503, 509, 514, 516, 517, 519, 520, 522, 526
editing, 247
rearranging fields, 247
Listing window toolbar
Browser Field Formatter, 65, 66, 133, 134, 247, 248, 419
little-endian architecture, 11
liveness, 173
-loader (headless analyzer), 352
loader module, 365, 375, 376, 379, 387, 397, 398, 400
example, 381–384, 388, 392–394
loader module template (Eclipse), 323, 328, 379, 397
examples
unknown file type (PE), 366–375
option fields, 47
Raw Binary, 46, 48, 363–366, 368, 375–379, 382, 388, 391, 523
unknown file types, 365
load external libraries, 45
LoadLibrary function, 483, 485
local_ prefix, 120, 122, 123, 135, 136
local variables, 89, 94, 95, 102–108, 110, 111, 114, 152, 154, 156, 158, 535, 547
identifying, 52
layout, 101
locating main function, 452, 455, 457, 460, 463–466
-log (headless analyzer), 348
MAC address, 488
machine language, 4
magic file, 16
magic number, 16, 18, 363, 367, 381, 393, 398
main
locating, 452, 455, 457, 460, 463, 464, 465, 466
Make Char Array, 144
Make String, 144
malloc function (C), 157
malware, 6, 470, 476, 479, 487–489, 504
malware analysis, 6
manipulating functions, 133, 137
MASM (Microsoft Assembler), 9
-max-cpu (headless analyzer), 352
member functions
memory blocks, 85, 367–372, 383, 389, 395
memory layout
base address, 47
file offset, 47
memory leaks, 177
Memory Map window
Add Block, 370
Move Block, 373
Set Image Base, 369
Split Block tool, 370
toolbar, 368
memory references, 195
memory (search), 507
merging analyzed files, 534
Metasploit, 30
Microsoft Assembler (MASM), 9
Microsoft C/C++, 173, 176, 178, 181, 443, 448–451, 453, 456, 459, 463, 465
pack pragma, 160
mnemonics, 4, 8, 302, 511, 516
modifying word models, 267
modules
analyzer, 323, 328, 329, 331, 337
loader, 365, 375, 376, 379, 387, 397, 398, 400
processor, 401–405, 407–409, 415, 418, 424, 426
modulo operator (compiler variations), 452, 453, 454
monitor.isCancelled, 293, 300, 307–309
Move Block (Memory Map toolbar), 373
Move (display windows), 243
MS-DOS header, 366
multiple inheritance, 180
name decoration. See name mangling, 179
name mangling (C++), 27, 179, 180, 181, 458, 459
names, 92, 108–110, 112, 116, 124, 127, 132, 145
examples, 126
manipulating, 120
prefix
local_, 120, 122, 123, 135, 136
param_, 120–123, 130, 131, 139
rules for, 123
function, 124
global, 124
Namespaces folder (Symbol Tree), 75
naming convention, 91
Ghidra decompiler, 109
NASM (Netwide Assembler), 29
National Security Agency (NSA), 33
navigable objects, 185
navigating labels, 128
navigating Package Explorer, 324
Navigation bar, 62
navigation marker, 62
Navigation toolbar (CodeBrowser), 70
navigational target, 90–93, 471, 474
Netwide Assembler (NASM), 29
New File Archive, 271
new operator (C++), 157, 175, 178
New Project Archive, 272
-noanalysis (headless analyzer), 344, 348, 353
nodes (Function Graph), 184, 199, 203, 205, 208, 209
nonbranching instruction, 186
Non-eXecutable (NX), 330
nonlinear flow, 64
non-returning functions, 437
Non-Returning Functions - Discovered, 436
Non-Returning Functions - Known, 436
nonshared projects, 34, 224, 232, 240
NSA (National Security Agency), 33
NX (Non-eXecutable), 330
obfuscation, 18, 470, 482, 489, 490
imported function, 482
obfuscated control flow, 475
obfuscated instruction, 478
utilities
ASProtect, 479
tElock, 476, 478, 479, 483, 485, 486, 496
UPX, 275–280, 282, 479–486, 496
VMProtect, 479
objdump, 11, 24, 25, 29, 90, 111, 483
object file, 152
object life cycle (C++), 177
offsets, 150, 153, 158–164, 166, 168, 170–172
-okToDelete (headless analyzer), 354, 355
OllyDbg, 478
opcode, 8, 410, 411, 413, 414, 419, 421, 422
opcode obfuscation, 478
Open (display windows), 242
Open File Archive, 268
OpenJDK, 219
open source, 33
operating systems
Linux, 34, 37, 490, 491, 495, 496
Windows, 34, 36, 47, 476, 477, 479, 480, 483, 485, 487–489, 496
optimized code, 99, 109, 453, 455, 466
OPTION-left arrow hotkey (Go To Previous Location; Mac), 93
OPTION-right arrow hotkey (Go To Next Location; Mac), 93
Options frame (analyzers), 50
organizationally unique identifier (OUI), 488
OUI (organizationally unique identifier), 488
Override fallthrough, 473
overriding function signatures
Override Signature, 433
oversized code patches, 519
overview bar, 62, 480, 481, 482
-overwrite (headless analyzer), 348
Package Explorer, 322–323, 325–326, 331
navigating, 324
packed attribute, 160
packet captures, 46
pack pragma, 160
panning (Function Graph View), 68
parameters. See also arguments, 94–112, 148, 158, 179, 457, 458
register-based, 113
liveness, 173
param_ prefix, 120–123, 130, 131, 139
parsing C header files
Parse to File, 270
Parse to Program, 270
patching, 506, 509, 520–522, 525, 528
basic patches
assembler, 515
byte viewer, 513
scripting, 515
complex patches, 519
example, 525
export formats, 522
generating patched files, 523
instructions, 505, 507, 508, 512, 515, 517–519
oversized code patches, 519
Patch Instruction, 515, 517, 527
script-assisted export, 523
scripted exports, 523
p-code, 411, 417–419, 424, 425, 428
PDB (Program Database), 50, 53
PE files
analyzing, 110
base virtual address, 367, 369
Characteristics field, 374
IMAGE_DOS_HEADER, 366
IMAGE_SECTION_HEADER, 369, 370, 372
importing, 262
loader priority, 382, 385, 386
loading (manually) example, 366–375
patching, 523
PDB (Program Database), 50, 53
-p (headless analyzer), 353
pinned labels, 127
PKI certificates, 219, 221, 227, 228
Platforms (Ghidra Server), 219
plugin path, 252
plugins, 33, 34, 48, 242, 316, 402
dependencies, 256
FidDbPlugin, 274
FrontEndPlugin, 250
module template (Eclipse), 323
Plugin Path, 227
pointer arithmetic, 172
pointer cross-reference, 191, 192
PointerToRawData, 370
Populate Fid Database, 275, 277
Populate FidDb from programs, 275, 277
populating FidDbs
Populate Fid Database
Base Library, 277
Common Symbols File, 278
Library Family Name, 277
Library Variant, 277
Library Version, 277
Root Folder, 277
Populate FidDb from programs, 275, 277
Portable Executable (PE) format. See PE files, 8
-postScript (headless analyzer), 354, 355, 357–359
-preScript (headless analyzer), 354
preventing debugging, 489
printf method, 300, 307, 309, 310
private files (Ghidra Server), 238, 239
private headers, 24
-process (headless analyzer), 343, 348, 351–353, 359
Process Monitor (procmon), 488
-processor (headless analyzer), 351, 352, 359
processor manuals, 5, 58, 375, 406, 407, 409
processor modules, 401–403, 405, 408, 418, 426
adding an instruction, 409
adding a register, 424
files
buildLanguage.xml, 404
README.txt, 404
sleighArgs.txt, 404
modifying, 407
modifying an instruction, 415
template (Eclipse), 323
processor name field, 263
processors
ARM, 94–96, 113, 405, 418, 491
SuperH, 426
x86, 474, 476–478, 488, 490, 491, 494, 496
processor specification language, 36
processor type, 263
processor variant/mode field, 263
process tracing. See ptrace, 490
procmon (Process Monitor), 488
Program API, 297, 302, 304–306
getFunctionManager method, 305
getLanguageID method, 306
getListing method, 293, 305, 308, 309
getMaxAddress method, 306, 307
getMemory method, 305
getMinAddress method, 306, 307, 309
getReferenceManager method, 306
getSymbolTable method, 305, 310
Program Database (PDB), 50, 53
Program Differences, 530
Program Diff tool, 530–532, 534, 538, 540, 541, 546, 547, 549
Program Diff toolbar (hotkey F5), 532
Apply Differences, 534, 537, 538
Program Diff View, 532
program entry point, 8
program section, 71
program slice, 435
program stack pointer, 94, 95, 97, 98, 101–106, 108, 111, 113, 500
Program Trees window, 71, 214, 519
project (Ghidra Server), 235
Project menu (Ghidra Project), 229, 231
project repository, 221, 223, 232
projects
shared, 34
shared (Ghidra Server), 225
prologue, 95, 100, 102, 104, 105, 110, 375
-propertiesPath (headless analyzer), 354
ptrace, 490
pure virtual function, 174, 175
python_basics.py, 295
Quick Fix options (Eclipse), 315, 320, 321
QuickUnpack, 480
race condition (Ghidra Server), 221, 233
Raw Binary loader, 46, 48, 363–366, 368, 375–379, 382, 388, 391, 523
option fields, 47
read cross-reference, 191
readelf, 25
Readme files
analyzeHeadlessREADME.html, 34, 342, 350, 352
GhidraDev_README.html, 316
server/svrREADME.html, 219–221, 228
README.txt (processor module), 404
-readOnly (headless analyzer), 348, 349, 359
Close, 242
Move, 243
Open, 242
redock, 243
Resize, 243
Stack, 243
Undock, 243
recognizing data structure use, 150
recursive descent disassembly, 11, 13, 140
-recursive (headless analyzer), 349, 358, 359
Red Pill, 488
redock (display windows), 243
Redo (CTRL-SHIFT-Z hotkey), 120
Reference Interface
getFromAddress method, 299, 310
getReferenceType method, 299, 309, 310
references
Add/Edit references, 195
Add Reference dialog, 196
Add Reference from, 195
cross-references, 64, 80, 86, 183–188, 190–193, 195, 196, 401, 459–463, 508, 512, 521, 523
explicit forward, 195
external, 195
formatting XREFs, 186
memory, 195
register, 195
stack, 195
to symbols, 153
References To window, 194
Refresh BuiltInTypes, 268
register-based parameters, 113
liveness, 173
register references, 195
register transfer language (RTL), 418
register transition, 473
register-to-memory transfer instructions, 11
registry keys, 488
RegOpenKey, 148
regparm, 100
relative virtual address (RVA), 369, 372, 374
release versions, 452
relocation table, 524
removeFunctionAt method, 304
removing a label, 127
renaming parameters and variables, 121, 122, 124, 125
renaming variables, 153
repeatable comments, 128, 131, 302
Resize (display windows), 243
Restore Defaults, 245
restore group (Function Graph), 203
return address, 94, 98, 103, 105, 106, 108, 112, 113
return instructions, 13
reversing
C++, 172
tools, 15
rollback capabilities, 487
ROM images, 30
Root Folder (populating FidDbs), 277
ROP gadget
analyzer module example, 329, 330, 332, 333, 335, 336
RTL (register transfer language), 418
RTTI (Runtime Type Identification), 460, 461
inheritance, 459
Run options (Eclipse), 327, 337
Runtime Type Identification. See RTTI.
RVA (relative virtual address), 369, 372, 374
satellite view (Graphs), 67, 68, 199, 208, 209
save layout changes, 248
Save Tool As, 257
scripting
headless mode, 355
Script Manager, 315, 317, 319, 321, 326, 327
Script Manager window, 286, 288–290, 292, 294, 295, 298
basic editor, 291
script-oriented deobfuscation, 491
-scriptPath (headless analyzer), 353, 354, 357–359
Search menu (CodeBrowser), 58, 114
For Direct References, 462, 508
For Instruction Patterns, 508, 509, 512
Next, 115
Previous, 115
Search All, 115
second-generation languages, 4
section headers, 24
sections
.idata, 373
semaphore, 475
sequential flow, 186, 187, 189, 190, 198, 205
sequential flow instructions, 11
server administrator (Ghidra Server), 224
server directory, 35
server/server.conf (Ghidra Server), 218
server/svrREADME.html, 219–221, 228
sessions, 548
setByte, 506
Set Data Type submenu, 141
Array, 156
setEOLComment method, 305
Set Equate, 136
Set Image Base (Memory Map toolbar), 369
Set Language, 367
Set Register Values, 473
-s (gcc/ld), 152
shared projects, 34, 217, 218, 224, 235–237, 240
archiving, 225
authentication, 219, 221, 227, 228, 230, 231
creating (Ghidra Server), 221, 222
deleting, 225
merging files
no conflict, 234
potential conflict, 234
project information, 231
projects and repositories, 221, 223, 229, 232
viewing project information, 231
shellcode, 363, 365, 375–379, 381–383, 385–394, 396–400, 485
SHIFT-[ hotkey (Create Structure), 166, 167
S hotkey (Search), 58, 116, 117, 507–511
Simplify predication, 428, 430
.slaspec file, 404, 405, 408, 412
constructors, 408
Editor (Eclipse), 408
register address space, 420
register definitions, 420
specification (slaspec), 428, 515, 516
tokens, 422
sleighArgs.txt, 404
software breakpoints, 490
software interoperability, 7
source code, 444, 451, 452, 455, 457, 462
source code (Ghidra), 316
source code recovery, 5
source repository (Ghidra), 316
specific hash, 272
specifying data types
Create Array (hotkey [), 144
cycle groups, 141
Split Block tool (Memory Map toolbar), 370
stack, 471, 474–476, 492, 493, 495, 496, 500
stack-allocated array, 154, 162
example, 155
stack-allocated parameters, 172
stack-allocated structures, 162
Stack analyzer, 94
Stack (display windows), 243
stack frame, 52, 93–95, 100–106, 108–114, 401
stack frame analysis
decompiler-assisted, 109
Decompiler Parameter ID, 109, 113
PE files, 110
frame pointer, 95, 103–106, 113, 114
in Listing view, 106
register-based parameters, 113
stack-manipulation operations, 11
stack pointer, 94–98, 101–106, 108, 111, 113, 500
stack references, 195
stack view, 105, 108, 111, 112
stale graph, 205
standard calling convention, 98
static analysis, 6, 12, 90, 105, 486
static array assignments, 156
static linking, 22, 23, 213, 214, 465, 466
static member functions (C++), 99
static storage class (C++), 177
storage class, 177
strcpy function (C), 194
stream disassemblers
diStorm, 29
NASM (Netwide Assembler), 29
stream socket, 149
String Search results window, 265, 461
strings utility, 28
options, 29
stripped binary, 18, 152, 461, 465
structs. See structures.
Structure Editor window, 168–171, 442
structure pointers, 171
applying structure layouts, 171
arrays of, 164
decompiled, 160
disassembled, 157, 160, 163, 165
editing members, 169
globally allocated, 161, 162, 166
heap-allocated, 162
offsets, 150, 153, 158–164, 166, 168, 170–172
recognizing use, 150
size, 163
stack-allocated, 162
starting address, 153, 158, 162
Structure Editor window, 168–169, 171
Byte Offset, 170
Component Bits, 170
symbolic references, 150, 153, 158–164, 166, 168, 170–172
Union Editor window, 168
within structures, 164
SUB_ prefix, 126
superclasses, 175
SuperH4, 426
support directory (Ghidra), 37
switch statement
Symbol Interface
getName method, 293, 298, 307–310
Symbol option (annotations), 153
Symbol References window, 82–85, 90, 194, 195
symbols
renaming, 121, 122, 124, 125, 153
Symbol Table window, 82–86, 194
Symbol Tree window, 48, 49, 58–60, 90–92, 121–124, 148, 149, 181, 192, 214, 272–280, 459–461
Classes folder, 74, 75, 192, 459, 460
Exports folder, 73
imported libraries, 73
Labels folder, 74
Namespaces folder, 75
synchronization primitives, 475
syntax (headless analyzer), 343, 351, 355, 356
Sysinternals, 488
table lookup, 444
Table View (Ghidra Project window), 223
targets (navigational), 90–93, 471, 474
TaskMonitor, 300
task tag (Eclipse), 320, 323, 328, 332, 333
tElock, 476, 478, 479, 483, 485, 486, 496
ternary operator (compiler variations), 455, 456
testing modules (Eclipse), 337, 385
.text section, 62, 71, 370, 372, 519, 520
third-generation languages, 4
third-party components, 34, 37
this pointer, 99, 173, 176, 178, 181
T hotkey (Choose Data Type), 366
threads, 475
Tip of the Day, 42
TODO comments, 320, 332–334, 403, 410, 411
Toggle Overview Margin, 62
Tool Options
Restore Defaults, 245
Tool, 250
Tool Options window, 54, 244, 246
tools, 242
connecting Ghidra tools, 68
dumpbin utility, 24–26, 29, 483
Ghidra
Program Diff, 530–532, 534, 538, 540, 541, 546, 547, 549
objdump utility, 11, 24, 25, 29, 90, 111, 483
WinDbg, 11
WinDiff, 530
Tools menu (Ghidra)
custom, 253
Save Tool As, 257
Tools menu (CodeBrowser), 56, 58, 68
Tools Options
Color Editor, 244
toString method, 307
-t strings option, 29
tutorials
Python scripting, 295
Ghidra, 35
type libraries, 149
Ultimate Packer for eXecutables. See UPX.
unconditional branching instructions, 11
undefined data, 507
Undock (display windows), 243
Undo (CTRL-Z hotkey), 120
ungroup vertices (Function Graph), 203
union construct, 168
Union Editor window, 168
union type, 168
unknown file analysis, 365
unknown file formats, 360
unknown processor architectures, 360
unpack, 482, 495, 498, 501–503
-u parameter (Ghidra Server), 220
UPX, 275–280, 282, 479, 481, 483–486, 496
decompression stub, 482
unpacker, 482
user32.dll
MessageBoxA, 483
user agreement (Ghidra), 34, 37, 38
$USER_HOME, 354
user home directory, 354
utilization rate, 445
validateOptions method, 384
variable number of arguments, 97, 179, 432, 433
variables
layout, 101
local, 89, 94, 95, 101–108, 110, 111, 114, 152, 154, 156, 158
renaming, 121, 122, 124, 125, 153
version control, 232–233, 235–238
merging files, 234
no conflict, 234
potential conflict, 234
version tracking, 233
Version Tracking tool (Ghidra), 529, 546
footprints icon, 547
sessions, 548
Tool Chest, 547
vertices. See nodes.
vftables (C++), 181, 182, 191, 192, 194, 459, 460, 462, 463
indexing, 176
viewing
project information, 231
projects, 229
repositories, 229
View Project (Ghidra Project), 229, 231
View Recent (Ghidra Project), 229
View Repository (Ghidra Project), 229
virtual functions (C++), 173–179, 191, 192, 195, 459, 460, 463
virtualization, 479
detecting
processor-specific behavioral changes, 488
virtualization-specific hardware, 488
virtualization-specific software, 487
virtual machine extension (VMX), 408–411
virtual machine (VM), 487, 488
Visual Studio. See Microsoft C/C++, 452, 453, 454, 456
VM. See virtual machine.
VMProtect, 479
VMware Tools, 488
VMX (virtual machine extension), 408–411
volatile keyword, 455
vulnerability analysis, 6
WinDbg, 11
WinDiff, 530
windows
Windows, 47, 476, 477, 480, 483, 485, 487, 496
API, 166
GUI, 489
registry
RegOpenKey, 148
SDK, 269
Sysinternals, 488
Windows Subsystem for Linux (WSL), 16, 17, 25
WinMain, 463
winnt.h, 477
word models, 142, 262, 265–266, 284
modifying, 267
workspace
example, 258
write cross-reference, 191
x86
assembly syntax
AT&T vs. Intel, 9
processor files
x86.idx, 406
x86-64.slaspec, 412
x86.slaspec, 412
registers
debugging (DR0–DR7), 477
register-based parameters, 113
Z flag, 474
XML format export (Ghidra), 523
XREFs Field edit window, 186
XRefs window, 193
Z flag (x86), 474
zip export format (Ghidra), 522