There are many excellent tools in the field of reverse engineering (such as IDA Pro and OllyDbg), and now there is a new option: Ghidra. It was developed by the US National Security Agency (NSA), one of the top spy agencies in the world, the agency behind the EternalBlue exploit and widely reported to have been involved in the Stuxnet malware.
Ghidra first became publicly known in 2017 through the WikiLeaks Vault 7 leak. In the spring of 2019 (March, at the RSA Conference) the NSA released it as free and open-source software under the Apache 2.0 license. It's an excellent reverse engineering tool, and unlike IDA Pro, it's free!
Ghidra has almost all the features of IDA Pro, so if you work in reverse engineering, Ghidra is an excellent choice.
#Downloading Ghidra
You can download it from the official website, https://ghidra-sre.org/. Since it is written in Java, it runs on almost all platforms, including Windows, macOS, and Linux. The release page publishes a SHA-256 checksum for the zip; compare it against the file you downloaded before unzipping. This walkthrough uses Ghidra on Windows 10.
Because Ghidra is a Java application, a 64-bit JDK is required. Which version depends on the release: the original 2019 releases needed JDK 11 or later, and current releases require a newer LTS JDK, stated in the README of the download. Any OpenJDK build (such as Adoptium Temurin) works; it does not have to be Oracle's JDK. Check the installed version with java -version before launching.
#Launching Ghidra
Once downloaded and unzipped, launch it by double-clicking ghidraRun.bat (on Linux and macOS, run the ghidraRun shell script instead).
Agree to the license agreement.
Then this window is displayed so you can start your first project. A project is similar to a folder: it can contain multiple files that you are working on.
Click "File" --> "New Project" to create a new project.
This opens a window like the one below. One of Ghidra's features is the ability to collaborate on a file or project; for that you would choose "Shared Project". Here we don't need to share, so choose "Non-Shared Project". Then click "Next".
Select the location where the project will be saved, enter the project name, and click "Finish".
Next, we need to import a file. This is the software or malware you want to analyze: "File" --> "Import File". Importing is static analysis only; Ghidra does not execute the file, but handle malware samples in an isolated VM regardless.
Select the binary you want to import, then confirm the import.
After selecting the file, Ghidra shows the format and processor language it detected for it, along with the destination folder and program name. Click "OK".
Ghidra will then display a window like the one below, showing key information about the file.
Next, your project and the imported file are displayed. Double-click the file, or drag it onto the green Ghidra dragon icon above (the CodeBrowser tool), to open it.
Then Ghidra gets to work. It displays the program's disassembly in the central Listing window and asks whether you want to analyze the file now. Click "Yes" and accept the default analysis options.
Ghidra will analyze your file and display information similar to the four windows below.
Window 1 is the Symbol Tree.
This window lets you browse the imports, exports, functions, labels, classes, and namespaces of the binary.
Window 2 is the Listing window.
This window shows the disassembly: the assembly-language breakdown of the binary.
Window 3 is the Decompiler window.
The decompiler shows what the selected function might look like in a high-level language (C-like pseudocode). Its output is a reconstruction, not the original source: variable names and types are guesses that you refine as the analysis progresses.
Window 4 is the Data Type Manager window
The Data Type Manager lets you view all the defined data types, both those recovered from the program itself and those from loaded type archives.
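The GUI steps above (new project, import, analyze) and the four windows map onto Ghidra's headless analyzer and its scripting API. The following is an added example, not code from this page or from the Ghidra project: a POSIX shell wrapper (Linux/macOS; on Windows the same arguments go to support\analyzeHeadless.bat) that checks the installed JDK, runs analyzeHeadless to create the project, import and analyze a binary, and then runs a Jython post-script that prints the imports (Symbol Tree), the first instructions of each function (Listing), its decompiled C (Decompiler) and the number of defined types (Data Type Manager). GHIDRA_INSTALL_DIR, the project name and directory, the script name ListProgramSummary.py and the minimum JDK version of 17 are assumptions for the example; the analyzeHeadless flags and Ghidra API calls are real.

```shell
#!/bin/sh
# Added example, not code from the page or the Ghidra project. Assumptions:
# GHIDRA_INSTALL_DIR points at an unzipped Ghidra release; GHIDRA_MIN_JDK is
# the minimum JDK major version from that release's README (17 is a placeholder);
# the project name/directory and the script name are made up for this example.
set -eu

GHIDRA_MIN_JDK="${GHIDRA_MIN_JDK:-17}"
PROJECT_DIR="${PROJECT_DIR:-$HOME/ghidra_projects}"
PROJECT_NAME="${PROJECT_NAME:-malware_triage}"
SCRIPT_NAME="ListProgramSummary.py"

# Major version from the first line of `java -version`, e.g.
# 'openjdk version "17.0.9" 2023-10-17' -> 17, 'java version "1.8.0_291"' -> 8
java_major_version() {
  q='"'
  v=${1#*"$q"}          # drop text up to the opening quote
  v=${v%%"$q"*}         # keep the quoted version string
  major=${v%%.*}        # part before the first dot
  major=${major%%-*}    # strip early-access suffixes such as 22-ea
  if [ "$major" = "1" ]; then    # legacy 1.x numbering used up to Java 8
    rest=${v#1.}
    major=${rest%%.*}
    major=${major%%_*}
  fi
  printf '%s\n' "$major"
}

# Stop before launching Ghidra if the installed JDK is missing or too old.
check_jdk() {
  command -v java >/dev/null 2>&1 || { echo "java not found on PATH" >&2; return 1; }
  line=$(java -version 2>&1 | head -n 1)
  major=$(java_major_version "$line")
  case $major in
    ''|*[!0-9]*) echo "could not parse: $line" >&2; return 1 ;;
  esac
  if [ "$major" -lt "$GHIDRA_MIN_JDK" ]; then
    echo "JDK $major found, this Ghidra release needs $GHIDRA_MIN_JDK or newer" >&2
    return 1
  fi
}

# Post-script run by analyzeHeadless after auto-analysis. It is Jython and runs
# only inside Ghidra, where currentProgram is injected by the script runner.
write_triage_script() {
  cat > "$1/$SCRIPT_NAME" <<'EOF'
from ghidra.app.decompiler import DecompInterface
from ghidra.util.task import ConsoleTaskMonitor

prog = currentProgram
print("program %s  lang=%s  base=%s" % (prog.getName(), prog.getLanguageID(), prog.getImageBase()))
# Symbol Tree -> Imports: external symbols the loader resolved
for sym in prog.getSymbolTable().getExternalSymbols():
    print("import   %s" % sym.getName(True))
# Data Type Manager: types defined in the program after analysis
print("datatypes %d" % prog.getDataTypeManager().getDataTypeCount(False))

decomp = DecompInterface()
decomp.openProgram(prog)
listing = prog.getListing()
monitor = ConsoleTaskMonitor()
# Symbol Tree -> Functions, each with a slice of the Listing and the Decompiler's C
for fn in prog.getFunctionManager().getFunctions(True):
    if fn.isThunk() or fn.isExternal():
        continue
    print("function %s @ %s" % (fn.getName(), fn.getEntryPoint()))
    shown = 0
    for ins in listing.getInstructions(fn.getBody(), True):
        print("    %s  %s" % (ins.getAddress(), ins))
        shown += 1
        if shown == 5:
            break
    res = decomp.decompileFunction(fn, 30, monitor)
    if res.decompileCompleted():
        print(res.getDecompiledFunction().getC())
    else:
        print("    decompile failed: %s" % res.getErrorMessage())
EOF
}

# Headless equivalent of New Project -> Import File -> Analyze.
# On Windows use support\analyzeHeadless.bat with the same arguments.
headless_import() {
  check_jdk
  mkdir -p "$PROJECT_DIR"
  scriptdir=$(mktemp -d)
  write_triage_script "$scriptdir"
  "$GHIDRA_INSTALL_DIR/support/analyzeHeadless" "$PROJECT_DIR" "$PROJECT_NAME" \
      -import "$1" \
      -scriptPath "$scriptdir" \
      -postScript "$SCRIPT_NAME"
}

# Only run when a binary is given and Ghidra is installed, so the helpers can be sourced alone.
if [ $# -eq 1 ] && [ -n "${GHIDRA_INSTALL_DIR:-}" ]; then
  headless_import "$1"
fi
```

Run it as `GHIDRA_INSTALL_DIR=/opt/ghidra ./triage.sh sample.exe`. The project it creates under $PROJECT_DIR can afterwards be opened in the Ghidra GUI for interactive work, and re-importing a file of the same name into that project needs the additional `-overwrite` flag.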
Now you're ready to start analyzing and reversing this file!
#Summary of this section
Malware reverse engineering is one of the most demanding skills in cybersecurity, and one of the best paid. Ghidra is a great reverse engineering tool that works on almost any platform and costs nothing. In this reverse engineering series, we'll use this NSA tool to reverse engineer multiple pieces of malware, from simple to hard.