Taking malicious code apart helps analysts understand how the code works. Reverse engineering reveals the original software design, helping security teams better assess vulnerabilities in the systems and networks they defend. The National Security Agency (NSA) and other organizations use reverse engineering all the time.
To make the process easier and faster, the NSA created Ghidra, a reverse engineering framework that allows users to decompile software and understand its logic and structure. In 2019, the agency released the source code of Ghidra to the public in an effort to help the security community while also driving recruitment.
Ghidra: Packed with Features
Ghidra is full of capabilities that include disassembly, assembly, and decompilation. Contextual help menus and an intuitive user interface allow even those without years of reverse engineering experience to edit, assemble, and recompile binaries. A major advantage is that the tool decompiles the object back to source code. That way, you don’t have to read the assembly language.
Unlike commercial alternatives, Ghidra is open source, so you can deploy it for free on as many workstations as you need. It is cross-platform and handles programs compiled for Windows, Linux, and Mac. Additionally, it supports SPARC, PowerPC, Intel, and a range of other processor families.
The tool offers a headless mode feature. You can reverse engineer at scale by running numerous cloud instances. With Ghidra’s collaboration features, different teams can share repositories and analyze large binaries in tandem.
Furthermore, engineers can use scripting languages to customize the tool and bend it to their will. This extends the usefulness of Ghidra and makes it a framework, rather than just a disassembler. Teams can use the exposed API to build plug-in components and scripts.
The undo/redo mechanism is popular as well because it allows users to try out how the code they analyze may behave and reverse their actions if the idea doesn’t work out.
Applications for Ghidra
Ghidra can be applied in a number of powerful ways. For one, it allows engineers to overcome the tactics hackers use to obscure the functionality of malicious software. A classic example is when criminals add a little stub program that decrypts or decompresses the actual program which is stored as data. This allows attackers to get past anti-malware defenses. Engineers can enhance Ghidra with tools that can decrypt or decompress the data and inspect the real code.
Ghidra also enables compiler comparison. Compilers are tasked with converting source code into object code, the latter consisting of numeric values that instruct the processor which function to call. Each compiler handles this conversion uniquely. Being able to see how compilers handle the same source code helps engineers determine the efficiency of these tools. Ghidra helps engineers by looking at the assembly language and the decompiled program.
This practice can be applied to learning as well. Reverse engineering a compiled binary and reviewing the actual code is invaluable for understanding how the program functions. It improves programming skills and helps users grasp how programs have been constructed in the first place. By enabling everyone to install and practice reverse engineering, the NSA has lowered entry barriers for the security research field.
Ghidra can be especially useful for improving large programming projects. For instance, a Function Graph feature lets you review how various functions within the program interact, and you might notice a function that’s heavily used. By making this function more efficient, your team can make the entire program run faster. On the other hand, you may spot subroutines and functions that are unused. You can then make an informed decision on how best to tackle this issue.
The applications discussed here present just a sample of the value Ghidra can bring to teams. Mastering Ghidra is an invaluable skill for anyone looking to enter the reverse engineering field.
You can learn how to use Ghidra with RangeForce’s hands-on training modules.