Ghidra - NSA Reverse Engineering Framework¶
Ghidra stellt eine revolutionäre Weiterentwicklung in der Reverse Engineering-Tools dar, die von der National Security Agency (NSA) entwickelt und 2019 als Open-Source-Software veröffentlicht wird. Dieses umfassende Software-Reverse-Engineering-Framework bietet eine komplette Suite mit High-End-Software-Analyse-Tools, die es Benutzern ermöglichen, kompilierten Code auf einer Vielzahl von Plattformen wie Windows, MacOS und Linux zu analysieren. Ghidras Fähigkeiten umfassen Demontage, Montage, Dekompilation, Graphik und Skripting, zusammen mit Hunderten von anderen Features, die es zu einer formidable Alternative zu kommerziellen Werkzeugen wie IDA Pro machen. Was Ghidra auseinander setzt, ist nicht nur seine Null-Kosten und Open-Source- Natur, sondern auch seine fortgeschrittenen kollaborativen Funktionen, umfangreiche Prozessorunterstützung und anspruchsvolle Dekompiler, die hochrangige C-ähnliche Code aus binären Ausführbaren rekonstruieren kann. Der Rahmen unterstützt die Analyse von Binaries für Dutzende von Prozessor-Architekturen und kann verschiedene ausführbare Formate behandeln, so dass es ein unschätzbares Werkzeug für Malware-Analyse, Sicherheitsforschung, Software-Auditing und allgemeine Reverse Engineering-Aufgaben.
Installation und Inbetriebnahme¶
Installation von Ghidra¶
```bash
Prerequisites - Java 17 or later required¶
Check Java version¶
java -version
Install OpenJDK 17 (Ubuntu/Debian)¶
sudo apt update sudo apt install openjdk-17-jdk
Install OpenJDK 17 (CentOS/RHEL/Fedora)¶
sudo dnf install java-17-openjdk-devel
macOS - Install via Homebrew¶
brew install openjdk@17
Download Ghidra from official NSA GitHub¶
Visit: https://github.com/NationalSecurityAgency/ghidra/releases¶
Extract Ghidra¶
unzip ghidra_10.4_PUBLIC_20230928.zip cd ghidra_10.4_PUBLIC
Set execute permissions (Linux/macOS)¶
chmod +x ghidraRun chmod +x support/analyzeHeadless
Launch Ghidra GUI¶
./ghidraRun
Launch Ghidra (Windows)¶
ghidraRun.bat¶
Verify installation¶
./ghidraRun --help
Set JAVA_HOME if needed¶
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 export PATH=\(JAVA_HOME/bin:\)PATH
Create desktop shortcut (Linux)¶
cat > ~/.local/share/applications/ghidra.desktop << EOF [Desktop Entry] Name=Ghidra Comment=Software Reverse Engineering Framework Exec=/path/to/ghidra/ghidraRun Icon=/path/to/ghidra/support/ghidra.png Terminal=false Type=Application Categories=Development; EOF ```_
Erstkonfiguration¶
```bash
Ghidra configuration directory¶
Linux: ~/.ghidra/.ghidra_10.4_PUBLIC¶
Windows: %USERPROFILE%.ghidra.ghidra_10.4_PUBLIC¶
macOS: ~/.ghidra/.ghidra_10.4_PUBLIC¶
Memory settings (edit ghidraRun script)¶
Increase heap size for large binaries¶
-Xmx4G for 4GB heap (default is usually 1GB)¶
Create Ghidra project directory¶
mkdir ~/ghidra_projects
Environment variables¶
export GHIDRA_INSTALL_DIR=/path/to/ghidra export PATH=\(GHIDRA_INSTALL_DIR:\)PATH
Headless analysis setup¶
export GHIDRA_HEADLESS=$GHIDRA_INSTALL_DIR/support/analyzeHeadless
Plugin development setup¶
export GHIDRA_DEV_DIR=/path/to/ghidra_dev ```_
Erste Schritte mit Ghidra¶
Projekte erstellen und verwalten¶
```bash
Launch Ghidra and create new project¶
File -> New Project -> Non-Shared Project¶
Choose project directory and name¶
Import binary file¶
File -> Import File¶
Select binary executable, library, or firmware¶
Supported file formats:¶
- PE (Windows executables)¶
- ELF (Linux executables)¶
- Mach-O (macOS executables)¶
- Raw binary files¶
- Firmware images¶
- Java class files¶
- And many more¶
Batch import multiple files¶
File -> Batch Import¶
Project management via GUI:¶
- Right-click files to rename, delete, or export¶
- Drag and drop files between folders¶
- Use filters to find specific files¶
Command-line project operations¶
$GHIDRA_INSTALL_DIR/support/analyzeHeadless /path/to/project ProjectName \ -import /path/to/binary \ -postScript AnalyzeAll.java
Export project¶
File -> Export -> Ghidra Project Archive (.gpr)¶
Import project¶
File -> Import -> Ghidra Project Archive¶
```_
Basisanalyse Workflow¶
```bash
1. Import binary file¶
2. Double-click file to open in CodeBrowser¶
3. Analysis options dialog appears:¶
- Analyze Now (recommended for most cases)¶
- Configure analysis options¶
- Analyze later¶
Key analysis components:¶
- Disassembly: Convert machine code to assembly¶
- Function identification: Find function boundaries¶
- String analysis: Identify string literals¶
- Symbol resolution: Resolve function and variable names¶
- Cross-references: Find code and data references¶
- Decompilation: Generate C-like pseudocode¶
Manual analysis trigger¶
Analysis -> Auto Analyze (if not done during import)¶
Analysis options configuration:¶
Analysis -> Auto Analyze -> Configure¶
Enable/disable specific analyzers:¶
- ASCII Strings¶
- Function ID¶
- Decompiler Parameter ID¶
- Stack¶
- Reference¶
- And many more¶
```_
Ghidra Interface Übersicht¶
Hauptfenster und Ansichten¶
```bash
CodeBrowser - Main analysis interface¶
Key components:¶
1. Program Tree - Hierarchical view of program structure¶
2. Symbol Tree - Functions, labels, and symbols¶
3. Data Type Manager - Data types and structures¶
4. Listing - Disassembly and decompiled code¶
5. Decompiler - High-level C-like code view¶
6. Console - Script output and messages¶
Navigation shortcuts:¶
G - Go to address/symbol¶
Ctrl+G - Go to address¶
Alt+Left/Right - Navigate back/forward¶
Ctrl+E - Edit mode toggle¶
Space - Toggle between listing and decompiler¶
Window management:¶
Window -> New Window - Create additional CodeBrowser¶
Window -> Clone Window - Clone current view¶
Drag tabs to rearrange or create new windows¶
Docking and undocking windows:¶
Right-click window tab -> Undock¶
Drag window to dock in different position¶
```_
Eintrag Operationen anzeigen¶
```bash
Listing view keyboard shortcuts:¶
Arrow keys - Navigate instructions¶
Page Up/Down - Navigate by page¶
Ctrl+Home/End - Go to beginning/end¶
Enter - Follow reference or jump¶
Esc - Return from reference¶
F2 - Edit label/comment¶
; - Add comment¶
L - Add label¶
Code units and formatting:¶
D - Disassemble at cursor¶
C - Clear code units¶
B - Create byte data¶
W - Create word data¶
DW - Create dword data¶
QW - Create qword data¶
F - Create float data¶
T - Create string data¶
Cross-references:¶
Ctrl+Shift+F - Find references to¶
Ctrl+Shift+R - Find references from¶
Right-click -> References -> Show References to¶
Bookmarks:¶
Ctrl+D - Toggle bookmark¶
Ctrl+Shift+B - Show bookmarks window¶
Bookmarks can have types: Info, Analysis, Error, Warning¶
```_
Dekompilierte Operationen¶
```bash
Decompiler window shortcuts:¶
Ctrl+E - Edit function signature¶
Right-click variable -> Rename Variable¶
Right-click -> Retype Variable¶
Right-click -> Retype Return Type¶
Function analysis:¶
Right-click function -> Edit Function Signature¶
Set calling convention (cdecl, stdcall, fastcall, etc.)¶
Define parameters and return types¶
Add function comments¶
Variable management:¶
Local variables automatically identified¶
Stack variables shown with offsets¶
Global variables linked to memory addresses¶
Rename variables for clarity¶
Decompiler options:¶
Edit -> Tool Options -> Decompiler¶
Configure display options:¶
- Show namespaces¶
- Display line numbers¶
- Syntax highlighting¶
- Maximum instruction display¶
```_
Analyse und Reverse Engineering¶
Funktionsanalyse¶
```bash
Function identification and management:¶
Functions automatically identified during analysis¶
Manual function creation:¶
- Position cursor at function start¶
- Press 'F' or right-click -> Create Function¶
Function signature editing:¶
Right-click function name -> Edit Function Signature¶
Define parameters:¶
- Parameter names¶
- Data types¶
- Calling convention¶
- Return type¶
Function graph view:¶
Right-click function -> Display Function Graph¶
Shows control flow graph¶
Navigate with mouse or keyboard¶
Zoom with mouse wheel¶
Function comparison:¶
Window -> Function Comparison¶
Compare functions side by side¶
Useful for identifying similar functions or variants¶
Function tags and categories:¶
Right-click function -> Set Function Tag¶
Organize functions by purpose or analysis status¶
Filter functions by tags in Symbol Tree¶
```_
Datentyp Management¶
```bash
Data Type Manager operations:¶
Built-in data types available¶
Create custom structures:¶
- Right-click in Data Type Manager¶
- New -> Structure¶
- Add fields with names and types¶
Structure definition example:¶
struct MyStruct \\{¶
int field1;¶
char field2[16];¶
void* field3;¶
\\};¶
Apply data types:¶
Select data in listing¶
Right-click -> Data -> Choose Data Type¶
Or drag data type from manager to listing¶
Import data types:¶
File -> Parse C Source¶
Import header files to create data types¶
Useful for analyzing programs with known APIs¶
Export data types:¶
Right-click data type -> Export¶
Save as C header file or Ghidra data type archive¶
Enum creation:¶
Right-click -> New -> Enum¶
Add enum values¶
Apply to constants in code for better readability¶
```_
String und konstante Analyse¶
```bash
String analysis:¶
Automatically performed during initial analysis¶
Window -> Defined Strings¶
Shows all identified strings with addresses and references¶
String search:¶
Search -> For Strings¶
Configure search parameters:¶
- Minimum length¶
- Character encoding (ASCII, Unicode, etc.)¶
- Null termination requirements¶
Constant analysis:¶
Identify numeric constants¶
Right-click constant -> Convert¶
Convert to different representations:¶
- Hexadecimal¶
- Decimal¶
- Character¶
- Enum value¶
Cross-reference analysis:¶
Find where strings and constants are used¶
Right-click -> References -> Show References to¶
Understand data flow and usage patterns¶
```_
Analyse des Speichers¶
```bash
Memory map view:¶
Window -> Memory Map¶
Shows program sections:¶
- .text (code)¶
- .data (initialized data)¶
- .bss (uninitialized data)¶
- .rodata (read-only data)¶
- Import/export tables¶
Section analysis:¶
Right-click section -> Set Image Base¶
Adjust base address if needed¶
Important for position-independent code¶
Memory search:¶
Search -> Memory¶
Search for byte patterns, strings, or values¶
Useful for finding specific data or code patterns¶
Overlay management:¶
For complex binaries with overlays¶
Window -> Program Tree¶
Manage different memory layouts¶
```_
Skript und Automatisierung¶
Ghidra Scripting Basics¶
```bash
Script Manager:¶
Window -> Script Manager¶
Browse available scripts by category:¶
- Analysis¶
- Examples¶
- Data¶
- Decompiler¶
- Search¶
Running scripts:¶
Select script and click Run¶
Or double-click script name¶
Scripts can be run on current program or selection¶
Script development:¶
Create new script: Script Manager -> New¶
Choose language: Java or Python¶
Edit in built-in editor or external IDE¶
Script locations:¶
User scripts: ~/.ghidra/.ghidra_10.4_PUBLIC/scripts¶
System scripts: $GHIDRA_INSTALL_DIR/Ghidra/Features/*/ghidra_scripts¶
```_
Python Scripting Beispiele¶
```python
Basic Python script template¶
@category Examples¶
@author Your Name¶
@description Script description¶
from ghidra.program.model.symbol import SourceType
Get current program¶
program = getCurrentProgram()
Get current address¶
currentAddress = currentLocation.getAddress()
Print basic information¶
print("Program: " + program.getName()) print("Current address: " + str(currentAddress))
Iterate through functions¶
fm = program.getFunctionManager() functions = fm.getFunctions(True) # True for forward iteration
for function in functions: print("Function: " + function.getName() + " at " + str(function.getEntryPoint()))
Find strings¶
stringTable = program.getListing().getDefinedData(True) for data in stringTable: if data.hasStringValue(): print("String at " + str(data.getAddress()) + ": " + data.getValue())
Create label¶
symbolTable = program.getSymbolTable() symbolTable.createLabel(currentAddress, "MyLabel", SourceType.USER_DEFINED)
Add comment¶
listing = program.getListing() listing.setComment(currentAddress, listing.PLATE_COMMENT, "My comment") ```_
Java Scripting Beispiele¶
```java // Basic Java script template //@category Examples //@author Your Name //@description Script description
import ghidra.app.script.GhidraScript; import ghidra.program.model.address.Address; import ghidra.program.model.listing.Function; import ghidra.program.model.listing.FunctionManager; import ghidra.program.model.symbol.SourceType;
public class MyScript extends GhidraScript \\{
@Override
public void run() throws Exception \\\\{
// Get current program
Program program = getCurrentProgram();
// Get function manager
FunctionManager fm = program.getFunctionManager();
// Iterate through functions
for (Function function : fm.getFunctions(true)) \\\\{
printf("Function: %s at %s\n",
function.getName(),
function.getEntryPoint().toString());
// Analyze function parameters
int paramCount = function.getParameterCount();
printf(" Parameters: %d\n", paramCount);
// Check if function has return value
if (!function.getReturnType().isVoid()) \\\\{
printf(" Return type: %s\n", function.getReturnType().getName());
\\\\}
\\\\}
// Create bookmark
Address currentAddr = currentLocation.getAddress();
program.getBookmarkManager().setBookmark(
currentAddr,
"Analysis",
"Script",
"Analyzed by script"
);
\\\\}
\\} ```_
Erweiterte Skripttechniken¶
```python
Advanced analysis script¶
@category Analysis¶
@description Advanced binary analysis¶
from ghidra.program.model.address import AddressSet from ghidra.program.model.block import BasicBlockModel from ghidra.program.model.pcode import HighFunction from ghidra.app.decompiler import DecompInterface
Initialize decompiler¶
decompiler = DecompInterface() decompiler.openProgram(getCurrentProgram())
Analyze control flow¶
bbModel = BasicBlockModel(getCurrentProgram()) functions = getCurrentProgram().getFunctionManager().getFunctions(True)
for function in functions: print("\nAnalyzing function: " + function.getName())
# Get basic blocks
blocks = bbModel.getCodeBlocksContaining(function.getBody(), monitor)
print("Basic blocks: " + str(len(list(blocks))))
# Decompile function
results = decompiler.decompileFunction(function, 30, monitor)
if results.decompileCompleted():
highFunction = results.getHighFunction()
if highFunction:
# Analyze local variables
localSymbols = highFunction.getLocalSymbolMap()
print("Local variables: " + str(localSymbols.getNumSymbols()))
# Analyze function calls
pcodeOps = highFunction.getPcodeOps()
callCount = 0
for op in pcodeOps:
if op.getOpcode() == op.CALL:
callCount += 1
print("Function calls: " + str(callCount))
Cleanup¶
decompiler.dispose() ```_
Besondere Merkmale¶
Ghidra Server Setup¶
```bash
Server installation (requires separate download)¶
Download Ghidra Server from NSA GitHub releases¶
Extract server¶
unzip ghidra_10.4_PUBLIC_20230928_server.zip cd ghidra_10.4_PUBLIC_server
Initialize server repository¶
./svrAdmin -add /path/to/repository
Start Ghidra Server¶
./ghidraSvr console
Server runs on port 13100 by default¶
Configure firewall to allow connections¶
Server administration¶
./svrAdmin -list # List repositories ./svrAdmin -add repo_name # Add repository ./svrAdmin -remove repo_name # Remove repository ./svrAdmin -users repo_name # List users ./svrAdmin -grant repo_name user # Grant access ./svrAdmin -revoke repo_name user # Revoke access ```_
Gemeinsames Projekt Workflow¶
```bash
Create shared project (client side):¶
File -> New Project -> Shared Project¶
Enter server details:¶
- Server name/IP¶
- Port (default 13100)¶
- Repository name¶
- User credentials¶
Check out files for editing:¶
Right-click file -> Check Out Exclusive¶
Or Check Out (allows concurrent read access)¶
Commit changes:¶
Right-click modified file -> Check In¶
Add commit comment describing changes¶
Update from server:¶
Right-click file -> Update¶
Merge changes from other users¶
View file history:¶
Right-click file -> Show History¶
See all versions and changes¶
Merge conflicts:¶
Ghidra provides merge tools for conflicts¶
Review changes and select appropriate version¶
Manual merge may be required for complex conflicts¶
Branching and versioning:¶
Files maintain complete version history¶
Can revert to previous versions¶
Compare different versions side by side¶
```_
Erweiterte Analysetechniken¶
Analyse von Dateien¶
```bash
Safe analysis environment setup:¶
- Use isolated VM or sandbox¶
- Disable network connections¶
- Take VM snapshots before analysis¶
Import malware sample:¶
File -> Import File¶
Select suspicious executable¶
Choose appropriate processor architecture¶
Initial triage:¶
1. Check file properties and metadata¶
2. Examine imports and exports¶
3. Look for strings and constants¶
4. Identify packing or obfuscation¶
String analysis for malware:¶
Window -> Defined Strings¶
Look for:¶
- URLs and IP addresses¶
- Registry keys¶
- File paths¶
- Cryptographic constants¶
- Error messages¶
Import analysis:¶
Window -> Symbol Tree -> Imports¶
Identify suspicious API calls:¶
- Network functions (socket, connect)¶
- File operations (CreateFile, WriteFile)¶
- Registry operations (RegOpenKey, RegSetValue)¶
- Process manipulation (CreateProcess, OpenProcess)¶
Behavioral analysis through decompilation:¶
Focus on main function and entry points¶
Trace execution flow¶
Identify payload delivery mechanisms¶
Look for persistence mechanisms¶
```_
Firmware Analyse¶
```bash
Firmware image preparation:¶
Extract firmware from device or download¶
Identify architecture (ARM, MIPS, x86, etc.)¶
Determine endianness (little/big endian)¶
Import raw firmware:¶
File -> Import File¶
Select "Raw Binary" format¶
Configure:¶
- Base address (often 0x0 or specific load address)¶
- Processor architecture¶
- Endianness¶
Identify entry points:¶
Look for reset vectors¶
Check interrupt vector tables¶
Find bootloader code¶
Memory layout analysis:¶
Identify different sections:¶
- Bootloader¶
- Kernel/OS¶
- Application code¶
- Configuration data¶
- File systems¶
String analysis for firmware:¶
Look for:¶
- Version information¶
- Debug messages¶
- Configuration parameters¶
- Network protocols¶
- Cryptographic keys¶
Cross-reference analysis:¶
Find references to interesting strings¶
Trace data flow¶
Identify critical functions¶
```_
Schwachstelle Forschung¶
```bash
Input validation analysis:¶
Identify input sources:¶
- Command line arguments¶
- File inputs¶
- Network inputs¶
- User interface inputs¶
Trace data flow:¶
Follow input data through program¶
Look for dangerous functions:¶
- strcpy, sprintf (buffer overflows)¶
- malloc, free (memory management)¶
- system, exec (command injection)¶
Control flow analysis:¶
Examine conditional branches¶
Look for authentication bypasses¶
Check error handling paths¶
Identify race conditions¶
Memory corruption detection:¶
Look for:¶
- Buffer overflows¶
- Integer overflows¶
- Use-after-free¶
- Double-free¶
- Format string vulnerabilities¶
Cryptographic analysis:¶
Identify crypto implementations¶
Look for:¶
- Weak random number generation¶
- Hard-coded keys¶
- Weak algorithms¶
- Implementation flaws¶
```_
Integration und Erweiterungen¶
Werkzeugintegration¶
```bash
IDA Pro integration:¶
Export from IDA: File -> Produce file -> Create MAP file¶
Import to Ghidra: File -> Import File -> Select MAP file¶
Radare2 integration:¶
Export r2 analysis: r2 -c "aaa; afn" binary > functions.txt¶
Import function names to Ghidra via script¶
Binary Ninja integration:¶
Use community plugins for data exchange¶
Export/import function signatures and comments¶
Debugger integration:¶
GDB integration via scripts¶
Export symbols for debugging¶
Import debugging information¶
Disassembler comparison:¶
Use multiple tools for verification¶
Cross-reference findings¶
Validate analysis results¶
```_
Plugin-Entwicklung¶
```bash
Plugin structure:¶
Ghidra plugins are Java-based¶
Extend GhidraPlugin class¶
Implement required methods¶
Plugin development setup:¶
Install Ghidra development environment¶
Set up Eclipse or IntelliJ IDEA¶
Configure Ghidra SDK¶
Basic plugin template:¶
Create new Java project¶
Add Ghidra libraries to classpath¶
Implement plugin functionality¶
Build and install plugin¶
Plugin installation:¶
Copy plugin JAR to Ghidra Extensions directory¶
Restart Ghidra¶
Enable plugin in Tool -> Configure Tool¶
Extension development:¶
Create custom analyzers¶
Add new file format support¶
Implement custom processors¶
Develop specialized analysis tools¶
```_
Ghidras umfangreiches Feature-Set, Open-Source-Natur und leistungsfähige Dekompilationsfunktionen machen es zu einem außergewöhnlichen Werkzeug für Reverse Engineering und binäre Analyse. Seine kollaborativen Funktionen ermöglichen teambasierte Analyseprojekte, während ihre Skriptfähigkeiten Automatisierung und Anpassung ermöglichen. Ob für Malware-Analyse, Schwachstellenforschung, Firmware-Reverse-Engineering oder allgemeine Software-Analyse verwendet, Ghidra bietet die Tiefe und Flexibilität erforderlich, um komplexe binäre Programme zu verstehen. Die Weiterentwicklung des Werkzeugs durch die NSA und die Open-Source-Community sorgt dafür, dass es an der Spitze der Reverse Engineering-Technologie bleibt, wodurch fortschrittliche Analysemöglichkeiten für Forscher, Sicherheitsexperten und Entwickler weltweit zugänglich gemacht werden.