Ghidra Software Reverse-Engineering for Beginners E-Book

Ghidra Software Reverse-Engineering for Beginners

Master the art of debugging, from understanding code to mitigating threats

David Álvarez Pérez

Ravikant Tiwari

Ghidra Software Reverse-Engineering for Beginners

Copyright © 2025 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

The authors acknowledge the use of cutting-edge AI, such as ChatGPT and Microsoft Copilot, with the sole aim of enhancing the language and clarity within the book, thereby ensuring a smooth reading experience for the readers. It’s important to note that the content itself has been crafted by the authors and edited by a professional publishing team.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Dhruv Jagdish Kataria

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwini Gowda

Lead Editor: Runcil Rebello

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Proofreader: Runcil Rebello

Indexer: Pratik Shirodkar

Production Designer: Aparna Bhagat

Senior DevRel Marketing Executive: Marylou De Mello

First published: January 2021

Second edition: January 2025

Production reference: 1201224

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-83588-982-4

www.packtpub.com

This book is dedicated to my father, Lakshman Tiwary, whose unwavering support, and determination have been my foundation, and in loving memory of my mother, Urmila Tiwary, whose enduring love and sacrifices are forever cherished.

– Ravikant Tiwari

Contributors

About the authors

David Álvarez Pérez is a senior malware analyst and reverse engineer. He has more than 12 years of experience in IT, having worked on his own antivirus product, and later as a malware analyst. He started working for a company that mostly reverse-engineered banking malware, and he helped to automate the process. After that, he joined the critical malware department of an antivirus company and then moved to a Galician research center, while doing his malware-related PhD at the University of Vigo. He has also hunted vulnerabilities in software products like Microsoft's Windows 10 and the National Security Agency's Ghidra project. David is currently working as a senior malware analyst at Gen Digital Inc.

Ravikant Tiwari is a senior security researcher at Microsoft, with over a decade of expertise in malware analysis and reverse-engineering. His professional background includes tenures at prominent cybersecurity firms such as McAfee, FireEye, and Acronis, where he specialized in safeguarding users and systems from malicious threats and developing innovative protection mechanisms against advanced malware. He has authored numerous blogs and articles on threat research and holds a patent for designing novel detection mechanisms for malicious crypto miners.

I want to thank the people who have been close to me and supported me, especially my parents.

About the reviewers

Todd Cullum has 8 years of professional experience in the software security field in an engineering or research capacity. Currently, Todd is a penetration tester who has worked on all types of software, from native code projects in C/C++ to web applications in C#, Go, Python, JavaScript, Android and iOS mobile applications, cloud and container orchestration software, single sign-on, and device firmware. Todd is currently on the Red Hat Product Security Research team and has previously worked as an analyst in Product Security Incident Response, was in a CVE working group, and has worked at GoPro as the Product Application Security Technical Lead. Prior to that, he has been a malware researcher at anti-malware companies. He loves reversing.

I would like to thank my close friends, family, and the open source software community for their continued support, facilitating quality work and enjoyment.

Shawn Kwak is a seasoned cybersecurity professional with over a decade of expertise in threat intelligence, malware analysis, and reverse-engineering. Currently serving as a Staff Security Engineer at Coupang, Shawn specializes in threat hunting: proactively identifying and neutralizing threats. He has previously led security teams at NCSOFT and NSHC, contributing to groundbreaking work in mobile game security, APT analysis, and cyber-defense strategies. Shawn is an award-winning expert with accolades, such as finalist positions at global CTF events. He has also served as an instructor and speaker at numerous cybersecurity conferences, including Secuinside and the NCSOFT Development Conference.

I want to express my deepest gratitude to my beloved wife, who has always been my silent yet steadfast supporter. Her unwavering encouragement and presence have been my most significant source of strength. I thank her for standing by me through every challenge and triumph and being my constant companion in this life journey.

Table of Contents

Preface

Part 1: Introduction to Ghidra

1

Getting Started with Ghidra

Technical requi rements

WikiLeaks Vault 7

NSA release

Ghidra versus IDA and many other competitors

Ghidra overview

Installing Ghidra

Running Ghidra

Overview of Ghidra’s features

Summary

Questions

2

Automating RE Tasks with Ghidra Scripts

Technical requirements

Using and adapting existing scripts

The script class

Script development

Summary

Questions

3

Ghidra Debug Mode

Technical requirements

Setting up the Ghidra development environment

Overview of the software requirements

Installing the JDK

Installing the Eclipse IDE

Installing PyDev

Installing GhidraDev

Debugging the Ghidra code and Ghidra scripts

Debugging Ghidra scripts from Eclipse

Debugging any Ghidra component from Eclipse

Ghidra RCE vulnerability

Explaining the Ghidra RCE vulnerability

Exploiting the Ghidra RCE vulnerability

Fixing the Ghidra RCE vulnerability

Looking for vulnerable computers

Summary

Questions

Further reading

4

Using Ghidra Extensions

Technical requirements

Installing existing Ghidra extensions

Analyzing the source code of the Sample Table Provider plugin

Understanding the Ghidra extension skeleton

Analyzers

Filesystems

Plugins

Exporters

Loaders

Developing a Ghidra extension

Summary

Questions

Further reading

Part 2: Reverse-Engineering

5

Reversing Malware Using Ghidra

Technical requirements

Setting up the environment

Looking for malware indicators

Looking for strings

Intelligence information and external sources

Checking import functions

Dissecting interesting malware sample parts

The entry point function

Analyzing the 0x00453340 function

Analyzing the 0x00453C10 function

Analyzing the 0x0046EA60 function

Analyzing the 0x0046BEB0 function

Analyzing the 0x0046E3A0 function

Analyzing the 0x004559B0 function

Analyzing the 0x004554E0 function

Analyzing the 0x0046C860 function

Analyzing the 0x0046A100 function

Summary

Questions

Further reading

6

Scripting Malware Analysis

Technical requirements

Using the Ghidra scripting API

Writing scripts using the Java programming language

Writing scripts using the Python programming language

Deobfuscating malware samples using scripts

The delta offset

Translating API hashes into addresses

Deobfuscating the hash table using Ghidra scripting

Improving the scripting results

Summary

Questions

Further reading

7

Using Ghidra’s Headless Analyzer

Technical requirements

Why use headless mode?

Creating and populating projects

Analyzing imported or existing binaries

Running non-GUI scripts in a project

Summary

Questions

Further reading

Part 3: Binary Analysis

8

Binary Diffing

Technical requirements

Using Ghidra BSim

Getting BSim up and running

Finding similar functions

Querying the BSim database

Finding patched code – function comparison

Binary diffing usage in vulnerability research

Summary

Questions

Further reading

9

Auditing Program Binaries

Technical requirements

Understanding memory corruption vulnerabilities

Understanding the stack

Stack-based buffer overflow

Understanding the heap

Heap-based buffer overflow

Format strings

Finding vulnerabilities using Ghidra

Exploiting a simple stack-based buffer overflow

Summary

Questions

Further reading

10

Scripting Binary Audits

Technical requirements

Looking for vulnerable functions

Retrieving unsafe C/C++ functions from the symbols table

Decompiling the program using scripting

Looking for sscanf callers

Enumerating caller functions

Analyzing the caller function using P-Code

P-Code versus assembly language

Retrieving P-Code and analyzing it

Using the same P-Code-based script in multiple architectures

Summary

Questions

Further reading

Part 4: Extending Ghidra for Advanced Reverse-Engineering

11

Developing Ghidra Plugins

Technical requirements

Overview of existing plugins

Plugins included with the Ghidra distribution

Third-party plugins

The Ghidra plugin skeleton

The plugin documentation

Writing the plugin code

The provider for a plugin

Developing a Ghidra plugin

Documenting the plugin

Implementing the plugin class

Implementing the provider

Summary

Questions

Further reading

12

Incorporating New Binary Formats

Technical requirements

Understanding the difference between raw binaries and formatted binaries

Understanding raw binaries

Understanding formatted binaries

Developing a Ghidra loader

The old-style DOS executable (MZ) parser

The old-style DOS executable (MZ) loader

Understanding filesystem loaders

FileSystem Resource Locator

Summary

Questions

Further reading

13

Analyzing Processor Modules

Technical requirements

Understanding the existing Ghidra processor modules

Overviewing the Ghidra processor module skeleton

Setting up the processor module development environment

Creating a processor module skeleton

Developing Ghidra processors

Documenting processors

Identifying functions and code using patterns

Specifying the language and its variants

Summary

Questions

Further reading

14

Contributing to the Ghidra Community

Technical requirements

Overviewing the Ghidra project

The Ghidra community

Exploring contributions

Understanding legal aspects

Submitting a bug report

Suggesting new features

Submitting questions

Submitting a pull request to the Ghidra project

Summary

Questions

Further reading

15

Extending Ghidra for Advanced Reverse-Engineering

Technical requirements

Learning the basics of advanced reverse-engineering

Learning about symbolic execution

Learning about SMT solvers

Learning about concolic execution

Using Ghidra for Advanced reverse-engineering

Adding symbolic execution capabilities to Ghidra with AngryGhidra

Converting from PCode into LLVM with pcode-to-llvm

Summary

Questions

Further reading

Part 5: Debugging and Applied Malware Analysis

16

Debugging

Technical requirements

Ghidra debugger overview

Starting the Ghidra debugger

Debugger windows and toolbar

Debugger specific toolbar

Execution flow control

Stepping

Breakpoint

Debugging the simple_encoder.exe application

Remote debugging

Debugging a Windows kernel

Summary

Further reading

17

Unpacking in-the-Wild Malware

Technical requirements

Malware overview

Unpacking malware

Summary

Further reading

18

Reverse-Engineering Ransomware

Technical requirements

General working principles of ransomware

Initial infection vector

Installation and execution

Encryption

C2 communication and exfiltration of data

Ransom demand notification

Identifying encryption algorithms

Initial exploration

Identifying imported libraries and functions

Tracing calls to cryptographic functions

Identifying custom or embedded encryption algorithms

Using plugins to find known crypto signatures and constants

Summary

Further reading

Appendix A: Answer Key

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Chapter 15

Index

Other Books You May Enjoy

Preface

In the realm of cybersecurity, the ability to dissect and understand software, especially malware and vulnerable applications, is of paramount importance. Ghidra, the powerful open source reverse-engineering tool developed by the National Security Agency (NSA), has rapidly become an essential resource for professionals aiming to analyze code to find vulnerabilities, examine malicious software, and develop robust security solutions. This second edition builds upon the foundational knowledge of reverse-engineering, providing deeper insights into advanced techniques such as binary diffing, debugging, and real-world malware analysis, including ransomware.

This book is a comprehensive guide that not only introduces you to the core functionalities of Ghidra but also empowers you to extend its capabilities through scripting and plugin development. Whether you’re aiming to uncover vulnerabilities in software, analyze malicious code, or contribute to the Ghidra community, this book will equip you with the skills and knowledge needed to excel in the field of software reverse-engineering.

Who this book is for

This book is intended for security researchers, malware analysts, bug hunters, software engineers, and cybersecurity professionals or students who are involved in software development, testing, and security analysis. It is also suitable for individuals aspiring to enter the security industry as malware or vulnerability researchers. In fact, any person who wants to learn Ghidra by minimizing the learning curve and starting to write their own tools will certainly enjoy this book and accomplish their goal. Readers should have prior knowledge of programming in Java or Python and experience with software development or application programming to fully benefit from the concepts and practical examples presented here.

What this book covers

Chapter 1, Getting Started with Ghidra, introduces you to the Ghidra platform and its history, covering installation procedures and a basic overview of the program from the user perspective.

Chapter 2, Automating RE Tasks with Ghidra Scripts, explores how to use Ghidra’s scripting capabilities to automate reverse-engineering tasks, and introduces script development.

Chapter 3, Ghidra Debug Mode, delves into how to set up a Ghidra development environment, the methods for debugging Ghidra, and details regarding the Ghidra debug mode vulnerability.

Chapter 4, Using Ghidra Extensions, provides you with background for developing Ghidra extensions, as well as showing you how to install and use them.

Chapter 5, Reversing Malware Using Ghidra, demonstrates how to use Ghidra for malware analysis by reversing a real-world malware sample.

Chapter 6, Scripting Malware Analysis, teaches you how to automate malware analysis with Java and Python scripts. It builds on the previous chapter by providing scripts for analyzing shellcode in malware samples.

Chapter 7, Using Ghidra’s Headless Analyzer, explains how to run Ghidra in headless mode for automated batch processing and analyzing malware samples using a script developed during the chapter.

Chapter 8, Binary Diffing, explains the Ghidra BSim feature, detailing how to set it up and use it for analysis. It covers techniques for comparing binaries to identify changes, analyze patches, and discover vulnerabilities.

Chapter 9, Auditing Program Binaries, introduces the topic of finding memory corruption vulnerabilities using Ghidra and how to exploit them.

Chapter 10, Scripting Binary Audits, continues the previous chapter, teaching how to automate the bug-hunting process via scripting, taking advantage of the powerful PCode intermediate representation.

Chapter 11, Developing Ghidra Plugins, provides insights into creating custom plugins to extend Ghidra’s functionality and tailor it to specific reverse-engineering needs.

Chapter 12, Incorporating New Binary Formats, shows you how to add support for new and custom binary formats within Ghidra using a real-world example, broadening the scope of your analyses.

Chapter 13, Analyzing Processor Modules, discusses how to write Ghidra processor modules using the SLEIGH processor specification language.

Chapter 14, Contributing to the Ghidra Community, explains how to interact with the community using social networks, chats, and how to contribute with your own development, feedback, bug reports, comments, and so on.

Chapter 15, Extending Ghidra for Advanced Reverse-Engineering, introduces advanced reverse-engineering topics and tools such as SMT solvers, Microsoft Z3, static and dynamic symbex, LLVM, and Angr, and explains how to incorporate them with Ghidra.

Chapter 16, Debugging, covers the Ghidra debugging tool and outlines various debugging strategies. It also describes different debugging modes, including remote and kernel debugging, for analyzing complex code execution scenarios.

Chapter 17, Unpacking in-the-Wild Malware, teaches you how to unpack and analyze real-world malware samples, revealing the techniques used by threat actors.

Chapter 18, Reverse-Engineering Ransomware, delves into a detailed analysis of ransomware to comprehend its internal mechanisms. The chapter also offers an overview of the encryption techniques utilized by ransomware and methods for identifying encryption algorithms using Ghidra.

Appendix A, Answer Key, provides answers to the questions posed in the various chapters of the book.

To get the most out of this book

To maximize the benefits from this book, you should have a sufficient understanding of the Assembly, C, Python, and Java languages to be able to read the code in the book. Access to a computer where you can install Ghidra and other necessary tools is essential, as the book includes hands-on exercises and practical examples that require active participation.

Software/hardware covered in the book

OS requirement

Ghidra 11.0.1 and Ghidra 11.2

Windows OS and Linux

Git

Windows OS and Linux

Java JDK 17 and 21

Windows OS and Linux

Eclipse IDE for Java developers

Windows OS and Linux

Gradle

Windows OS and Linux

MinGW32 and MinGW64

Windows OS

X64Dbg or Olly debugger

Windows OS

Elasticsearch

Windows OS

The required software is listed in the Technical requirements section of the applicable chapter.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Ghidra-Software-Reverse-Engineering-for-Beginners---Second-Edition. If there’s an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalogue of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “To fix the vulnerability, the DEBUG_ADDRESS variable is set to 127.0.0.1:18001, which restricts the incoming debugging connections to localhost.”

A block of code is set as follows:

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Launch the executable from the menu bar using Debugger | dbgeng.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com

Share Your Thoughts

Once you’ve read Ghidra Software Reverse Engineering for Beginners, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application. 

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

https://packt.link/free-ebook/9781835889824

Part 1: Introduction to Ghidra

This part aims to introduce you to Ghidra and its history, the project structure, scripting capabilities, and extension development. Additionally, it covers the essential process of debugging the Ghidra tool itself.

This part contains the following chapters:

1

Getting Started with Ghidra

In this introductory chapter, we will provide an overview of Ghidra in some respects. Before starting, it would be convenient to know how to acquire and install the program. This is obviously something simple and trivial if you want to install a release version of the program. However, you probably want to know this program in depth. In that case, I can tell you in advance that it is possible to compile the program by yourself from the source code.

Since the source code of Ghidra is available and ready to be modified and extended, you will probably also be interested in knowing how it is structured, what kinds of pieces of code exist, and so on. This is a great opportunity to discover the enormous possibilities that Ghidra offers us.

It is also interesting to review the main functionalities of Ghidra from the point of view of a reverse engineer. This will spark your interest in this tool since it has its own peculiarities, and this is precisely the most interesting thing about Ghidra.

In this chapter, we’re going to cover the following main topics:

Technical requirements

WikiLeaks Vault 7

On March 7, 2017, WikiLeaks started to leak Vault 7, which became the biggest leak of confidential documents on the US Central Intelligence Agency (CIA). This leak included secret cyber-weapons and spying techniques divided into 24 parts, named Year Zero, Dark Matter, Marble, Grasshopper, HIVE, Weeping Angel, Scribbles, Archimedes, AfterMidnight and Assassin, Athena, Pandemic, Cherry Blossom, Brutal Kangaroo, Elsa, OutlawCountry, BothanSpy, Highrise, UCL/Raytheon, Imperial, Dumbo, CouchPotato, ExpressLane, Angelfire, and Protego.

It is believed that NSA intelligence officials leaked the confidential CIA documents, but this was never officially confirmed or denied by CIA Director Michael Vincent Hayden, who served between 2006 and 2009.

The existence of Ghidra was leaked in the first part of Vault 7: Year Zero. This first part consists of a huge leak of documents and files stolen from the CIA’s Center for Cyber Intelligence in Langley, Virginia. The leak’s content is about the CIA’s malware arsenal and zero-day weaponized exploits, as well as how Apple’s iPhone, Google’s Android, Microsoft’s Windows devices, and even Samsung TVs are turned into covert microphones.

Ghidra was referenced three times in this leak (https://wikileaks.org/ciav7p1/cms/index.html), showing how to install it, a step-by-step tutorial (with screenshots) of how to perform a manual analysis of a 64-bit kernel cache by using Ghidra, and the latest Ghidra version available at the time, which was Ghidra 7.0.2.

NSA release

As announced during RSA Conference 2019 in San Francisco, Rob Joyce, senior advisor for cybersecurity at NSA, explained the unique capabilities and features of Ghidra during a session called Get your free NSA reverse engineering tool, and Ghidra program binaries were also published.

During this session, some features were explained:

Finally, on April 4, 2019, the NSA released the source code of Ghidra on GitHub (https://github.com/NationalSecurityAgency/ghidra), as well as on the Ghidra website, where you can download Ghidra release versions that are ready to use (https://ghidra-sre.org). The first version of Ghidra that was available on this website was Ghidra 9.0. Ghidra’s website may or may not be available to visitors outside the US, depending on your country; if this is the case, you can access it by using a VPN or an online proxy such as HideMyAss (https://www.hidemyass.com/).

Unfortunately for the NSA, a few hours later, the first Ghidra vulnerability was published by Matthew Hickey, also known as @hackerfantastic, at 1:20 AM, March 6, 2019. He said the following via X (formerly Twitter):

Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely (Man facepalming). to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://github.com/hackerhouse-opensource/exploits/blob/master/jdwp-exploit.txt.

Then, a lot of suspicions about the NSA and Ghidra arose. However, taking into account the cyber-espionage capabilities of the NSA, do you think the NSA needs to include a backdoor in its own software in order to hack its users?

Obviously, no. They don’t need to do this because they already have cyberweapons for that.

You can feel comfortable when using Ghidra; probably, the NSA only wanted to do something honorable to improve its own image. Since Ghidra’s existence was leaked by WikiLeaks, what better way to do that than to publish it at RSA Conference and release it asopen source?

Ghidra versus IDA and many other competitors

Even if you have already mastered a powerful reverse-engineering framework, such as Interactive Disassembler (IDA), Binary Ninja, or Radare2, there are good reasons to start learning Ghidra.

No single reverse-engineering framework is the ultimate one. Each reverse-engineering framework has its own strengths and weaknesses. Some of them are even incomparable to each other because they were conceived with different philosophies (for instance, GUI-based frameworks versus command line-based frameworks).

On the other hand, you will see how those products are competing with and learning from each other all the time. For instance, IDA Pro 7.3 incorporated the undo feature, which was previously made available by its competitor, Ghidra.

In the following screenshot, you can see the epic and full-of-humor @GHIDRA_RE official X (formerly Twitter) account’s response to IDA Pro’s undo feature:

Figure 1.1 – IDA Pro 7.3 added an undo feature to compete with Ghidra

Differences between frameworks are susceptible to change due to the competition, but we can mention some current strengths of Ghidra:

In conclusion, it is recommended to learn as many frameworks as possible to know and take advantage of each one. In this sense, Ghidra is a powerful framework that you must know.

Ghidra overview

In a similar way to what happened at RSA Conference, we will provide a Ghidra overview to present the tool and its capabilities. You will soon realize how powerful Ghidra is and why this tool is not simply yet another open source reverse-engineering framework.

At the time of writing this book, the latest available version of Ghidra is 11.0.1, which can be downloaded from the official website mentioned in the previous section of this chapter.

Note

It is recommended that readers download the same version of Ghidra and other software while going through the exercises in this book.

Installing Ghidra

It is recommended to download the latest version of Ghidra (https://ghidra-sre.org/) by clicking on the red Download from GitHub button, which will take you to the Ghidra release page on GitHub where you will find all the released versions of Ghidra, including the older ones:

Figure 1.2 – Downloading Ghidra from the official website

Clicking on the download button will take you to the GitHub release page, as shown in the following figure. Under the Assets section, you will have a link to download the Ghidra ZIP file:

Figure 1.3 – GitHub release page for Ghidra

After downloading the Ghidra archive file (ghidra_11.0.1_PUBLIC_20240130.zip) and decompressing it, you will see the following file structure:

Figure 1.4 – The Ghidra 11.0.1 structure after it is decompressed

The content can be described as follows (https://ghidra-sre.org/InstallationGuide.html):

In addition to downloading a release version of Ghidra (which is precompiled), you can compile the program on your own, as will be explained in the next section.

Compiling Ghidra on your own

To build Ghidra by yourself, you need to follow the instructions in the Build section of the Ghidra’s GitHub page (https://github.com/NationalSecurityAgency/ghidra?tab=readme-ov-file#build).

The first step is to install the following build tools:

Once the build tools are installed properly, download and extract the source code from https://github.com/NationalSecurityAgency/ghidra/archive/refs/heads/master.zip or use the following Git command to clone the repository:

Then navigate to the extracted or cloned directory and use Gradle to build Ghidra. Here is the list of commands to be executed:

Once the build completes, you will see a BUILD SUCCESSFUL message as shown in the following figure:

Figure 1.5 – Build successful message

This will produce a compressed file containing the compiled version of Ghidra:

Running Ghidra

Before starting Ghidra, make sure your computer meets the following requirements:

Since Ghidra is written in Java, if it is executed before installing the Java 17 64-bit runtime and development kit, some of the following error messages could be displayed:

Figure 1.6 – Missing JDK error

Therefore, if you get any of those messages, please download the JDK from https://adoptium.net/en-GB/temurin/releases/?os=windows&arch=x64&package=jdk&version=17.

How to solve installation issues

Ghidra’s step-by-step installation guide, including known issues, can be found in Ghidra’s documentation directory at docs\InstallationGuide.html.

It is also available online at https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/master/GhidraDocs/InstallationGuide.html.

Note that you can report new issues you find in Ghidra at https://github.com/NationalSecurityAgency/ghidra/issues.

After installing Ghidra, you will be able to launch it using ghidraRun on Linux and macOS and ghidraRun.baton Windows.

Overview of Ghidra’s features

In this section, we will look at an overview of some fundamental Ghidra features in order to understand the overall functionality of the program. It is also a good starting point to get familiar with it.

Creating a new Ghidra project

As you will notice, unlike other reverse-engineering tools, Ghidra doesn’t work with files directly. Instead, Ghidra works with projects. Let’s create a new project by clicking on File | New Project…. You can also do this faster by pressing the Ctrl + N hotkey (the complete list of Ghidra hotkeys is available at https://ghidra-sre.org/CheatSheet.html and also in Ghidra’s documentation directory):

Figure 1.7 – Creating a new Ghidra project

Furthermore, projects can be non-shared or shared. Since we want to analyze a hello world program without collaboration with other reverse engineers, we will choose Non-Shared Project, and then click on the Next>> button. Then, the program asks us to choose a project name (hello world) and where to store it:

Figure 1.8 – Choosing a project name and directory

The project is composed of a hello world.gpr file and a hello world.rep folder:

Figure 1.9 – Ghidra project structure

A Ghidra project (the *.gpr file) can only be opened by a single user. Therefore, if you try to open the same project twice at the same time, the concurrency lock implemented using the hello world.lock and hello world.lock~ files will prevent you from doing so, as shown in the following screenshot:

Figure 1.10 – Ghidra’s project locked

In the next section, we will cover how to add binary files to our project.

Importing files to a Ghidra project

We can start to add files to our hello world project. In order to analyze an extremely simple application with Ghidra, we will compile the following hello world program (hello_world.c) written in the C programming language:

We use the following command to compile it:

Let’s analyze the resulting Microsoft Windows Portable Executable file: hello_world.exe.

Let’s import our hello world.exe file to the project; to do that, we have to go to File | Import file. Alternatively, we can press the I key:

Figure 1.11 – Importing a file to the Ghidra project

Ghidra automatically identified the hello_world.exe program as an x86 Portable Executable binary for 32-bit architectures. As it was successfully recognized, we can click OK to continue. After importing it, you will see a summary of the file:

Figure 1.12 – Ghidra project file import result summary

By double-clicking the hello_world.exe file or clicking on the green Ghidra icon of Tool Chest, the file will be opened and loaded by Ghidra:

Figure 1.13 – A Ghidra project containing a Portable Executable file

After importing files into your project, you can start to reverse-engineer them. This is a cool feature of Ghidra, allowing you to import more than one file into a single project because you can apply some operation (for example, search) over multiple files (for example, an executable binary and its dependencies). In the next section, we will see how to analyze those files using Ghidra.

Configuring and performing Ghidra analysis

You will be asked whether to analyze the file, and you probably want to answer Yes to this because the analysis operation recognizes functions, parameters, strings, and more. Usually, you will want to let Ghidra get this information for you. A lot of analysis configuration options do exist. You can see a description of every option by clicking on it; the description is displayed in the upper-right Description section:

Figure 1.14 – File analysis options

Let’s click on Analyze to perform the analysis of the file. Then, you will see the Ghidra CodeBrowser window. Don’t worry if you forget to analyze something; you can reanalyze the program later (go to the Analysis tab and then Auto Analyze ‘hello_world.exe’…).

Exploring Ghidra CodeBrowser

Ghidra CodeBrowser has, by default, a pretty well-chosen distribution of dock windows, as shown in the following screenshot:

Figure 1.15 – Ghidra’s CodeBrowser window

Let’s see how CodeBrowser is distributed by default:

Now that you know the default perspective of Ghidra, it’s a good time to learn how to customize it. Let’s address this in the following section.

Customizing Ghidra

This is the default perspective of Ghidra, but you can also modify it. For instance, you can add more windows to Ghidra by clicking on the Window menu and choosing one that you desire:

Figure 1.16 – Some items in the Ghidra Window submenu

Ghidra has a lot of awesome functionalities. For instance, the bar located on the upper-right bar of the disassembly window allows you to customize the disassembly view by moving fields, adding new fields, extending the size of a field in the disassembly listing, and more:

Figure 1.17 – Disassembly listing configuration

It also allows you to enable a very interesting feature of Ghidra, which is its intermediate representation or intermediate language, called PCode. It allows you to develop assembly language-agnostic tools and to develop automated analysis tools in a more comfortable language:

Figure 1.18 – Enabling the PCode field in the disassembly listing

If it is enabled, then PCode will be shown in the listing. As you will soon realize, PCodeis less human-readable, but it is sometimes better for scripting reverse-engineering tasks:

Figure 1.19 – Disassembly listing with PCode enabled

Discovering more Ghidra functionalities

Some powerful features available in other reverse-engineering frameworks are also included in Ghidra. For instance, as in other reverse-engineering frameworks, you also have a graph view:

Figure 1.20 – Graph view of a hello world program’s main function

As you will notice, Ghidra has a lot of features and windows; we will not cover all of them in this chapter, nor modify and/or extend them all. In fact, we haven’t mentioned all of them yet. Instead, we will learn about them through practice in the following chapters.

Summary

In this chapter, we addressed the exciting and quirky origins of Ghidra. Then, we covered how to download, install, and compile it on our own from the source code. You also learned how to solve issues and how to report new ones to the Ghidra open source project.

Finally, you learned about the structure of Ghidra and its main functionalities (some of them have not been covered yet). Now, you are in a position to investigate and experiment a little bit with Ghidra on your own.

This chapter helped you understand the bigger picture of Ghidra, which will be useful in the following chapters generally, as those are more focused on specifics.

In the next chapter, we will cover how to automate reverse-engineering tasks by using, modifying, and creating Ghidra scripts.

Questions