Ghidra - NSA Cadre d'ingénierie inverse
Ghidra représente une avancée révolutionnaire dans les outils d'ingénierie inverse, développés par l'Agence de sécurité nationale (ANS) et publiés sous forme de logiciel open-source en 2019. Ce cadre complet d'ingénierie inverse de logiciel fournit une suite complète d'outils d'analyse logicielle haut de gamme qui permettent aux utilisateurs d'analyser le code compilé sur une variété de plateformes, y compris Windows, macOS et Linux. Les capacités de Ghidra englobent le démontage, l'assemblage, la décompilation, le graphique et le script, ainsi que des centaines d'autres fonctionnalités qui en font une formidable alternative aux outils commerciaux comme IDA Pro. Ce qui distingue Ghidra n'est pas seulement son coût zéro et la nature open-source, mais aussi ses fonctionnalités de collaboration avancées, le support de processeur étendu, et décompilateur sophistiqué qui peut reconstruire le code de haut niveau de type C à partir d'exécutables binaires. Le cadre prend en charge l'analyse des binaires pour des dizaines d'architectures processeurs et peut gérer divers formats exécutables, ce qui en fait un outil inestimable pour l'analyse des logiciels malveillants, la recherche de vulnérabilité, l'audit logiciel et les tâches générales d'ingénierie inverse.
Installation et configuration
Installation de Ghidra
# Prerequisites - Java 17 or later required
# Check Java version
java -version
# Install OpenJDK 17 (Ubuntu/Debian)
sudo apt update
sudo apt install openjdk-17-jdk
# Install OpenJDK 17 (CentOS/RHEL/Fedora)
sudo dnf install java-17-openjdk-devel
# macOS - Install via Homebrew
brew install openjdk@17
# Download Ghidra from official NSA GitHub
# Visit: https://github.com/NationalSecurityAgency/ghidra/releases
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.4_build/ghidra_10.4_PUBLIC_20230928.zip
# Extract Ghidra
unzip ghidra_10.4_PUBLIC_20230928.zip
cd ghidra_10.4_PUBLIC
# Set execute permissions (Linux/macOS)
chmod +x ghidraRun
chmod +x support/analyzeHeadless
# Launch Ghidra GUI
./ghidraRun
# Launch Ghidra (Windows)
# ghidraRun.bat
# Verify installation
./ghidraRun --help
# Set JAVA_HOME if needed
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
export PATH=$JAVA_HOME/bin:$PATH
# Create desktop shortcut (Linux)
cat > ~/.local/share/applications/ghidra.desktop << EOF
[Desktop Entry]
Name=Ghidra
Comment=Software Reverse Engineering Framework
Exec=/path/to/ghidra/ghidraRun
Icon=/path/to/ghidra/support/ghidra.png
Terminal=false
Type=Application
Categories=Development;
EOF
Configuration initiale
# Ghidra configuration directory
# Linux: ~/.ghidra/.ghidra_10.4_PUBLIC
# Windows: %USERPROFILE%\.ghidra\.ghidra_10.4_PUBLIC
# macOS: ~/.ghidra/.ghidra_10.4_PUBLIC
# Memory settings (edit ghidraRun script)
# Increase heap size for large binaries
# -Xmx4G for 4GB heap (default is usually 1GB)
# Create Ghidra project directory
mkdir ~/ghidra_projects
# Environment variables
export GHIDRA_INSTALL_DIR=/path/to/ghidra
export PATH=$GHIDRA_INSTALL_DIR:$PATH
# Headless analysis setup
export GHIDRA_HEADLESS=$GHIDRA_INSTALL_DIR/support/analyzeHeadless
# Plugin development setup
export GHIDRA_DEV_DIR=/path/to/ghidra_dev
```_
## Commencer avec Ghidra
### Création et gestion de projets
```bash
# Launch Ghidra and create new project
# File -> New Project -> Non-Shared Project
# Choose project directory and name
# Import binary file
# File -> Import File
# Select binary executable, library, or firmware
# Supported file formats:
# - PE (Windows executables)
# - ELF (Linux executables)
# - Mach-O (macOS executables)
# - Raw binary files
# - Firmware images
# - Java class files
# - And many more
# Batch import multiple files
# File -> Batch Import
# Project management via GUI:
# - Right-click files to rename, delete, or export
# - Drag and drop files between folders
# - Use filters to find specific files
# Command-line project operations
$GHIDRA_INSTALL_DIR/support/analyzeHeadless /path/to/project ProjectName \
-import /path/to/binary \
-postScript AnalyzeAll.java
# Export project
# File -> Export -> Ghidra Project Archive (.gpr)
# Import project
# File -> Import -> Ghidra Project Archive
```_
### Flux de travail d'analyse de base
```bash
# 1. Import binary file
# 2. Double-click file to open in CodeBrowser
# 3. Analysis options dialog appears:
# - Analyze Now (recommended for most cases)
# - Configure analysis options
# - Analyze later
# Key analysis components:
# - Disassembly: Convert machine code to assembly
# - Function identification: Find function boundaries
# - String analysis: Identify string literals
# - Symbol resolution: Resolve function and variable names
# - Cross-references: Find code and data references
# - Decompilation: Generate C-like pseudocode
# Manual analysis trigger
# Analysis -> Auto Analyze (if not done during import)
# Analysis options configuration:
# Analysis -> Auto Analyze -> Configure
# Enable/disable specific analyzers:
# - ASCII Strings
# - Function ID
# - Decompiler Parameter ID
# - Stack
# - Reference
# - And many more
Aperçu de l'interface Ghidra
Principales fenêtres et vues
# CodeBrowser - Main analysis interface
# Key components:
# 1. Program Tree - Hierarchical view of program structure
# 2. Symbol Tree - Functions, labels, and symbols
# 3. Data Type Manager - Data types and structures
# 4. Listing - Disassembly and decompiled code
# 5. Decompiler - High-level C-like code view
# 6. Console - Script output and messages
# Navigation shortcuts:
# G - Go to address/symbol
# Ctrl+G - Go to address
# Alt+Left/Right - Navigate back/forward
# Ctrl+E - Edit mode toggle
# Space - Toggle between listing and decompiler
# Window management:
# Window -> New Window - Create additional CodeBrowser
# Window -> Clone Window - Clone current view
# Drag tabs to rearrange or create new windows
# Docking and undocking windows:
# Right-click window tab -> Undock
# Drag window to dock in different position
Opérations d'affichage des listes
# Listing view keyboard shortcuts:
# Arrow keys - Navigate instructions
# Page Up/Down - Navigate by page
# Ctrl+Home/End - Go to beginning/end
# Enter - Follow reference or jump
# Esc - Return from reference
# F2 - Edit label/comment
# ; - Add comment
# L - Add label
# Code units and formatting:
# D - Disassemble at cursor
# C - Clear code units
# B - Create byte data
# W - Create word data
# DW - Create dword data
# QW - Create qword data
# F - Create float data
# T - Create string data
# Cross-references:
# Ctrl+Shift+F - Find references to
# Ctrl+Shift+R - Find references from
# Right-click -> References -> Show References to
# Bookmarks:
# Ctrl+D - Toggle bookmark
# Ctrl+Shift+B - Show bookmarks window
# Bookmarks can have types: Info, Analysis, Error, Warning
Opérations de décompilateur
# Decompiler window shortcuts:
# Ctrl+E - Edit function signature
# Right-click variable -> Rename Variable
# Right-click -> Retype Variable
# Right-click -> Retype Return Type
# Function analysis:
# Right-click function -> Edit Function Signature
# Set calling convention (cdecl, stdcall, fastcall, etc.)
# Define parameters and return types
# Add function comments
# Variable management:
# Local variables automatically identified
# Stack variables shown with offsets
# Global variables linked to memory addresses
# Rename variables for clarity
# Decompiler options:
# Edit -> Tool Options -> Decompiler
# Configure display options:
# - Show namespaces
# - Display line numbers
# - Syntax highlighting
# - Maximum instruction display
Analyse et génie inverse
Analyse des fonctions
# Function identification and management:
# Functions automatically identified during analysis
# Manual function creation:
# - Position cursor at function start
# - Press 'F' or right-click -> Create Function
# Function signature editing:
# Right-click function name -> Edit Function Signature
# Define parameters:
# - Parameter names
# - Data types
# - Calling convention
# - Return type
# Function graph view:
# Right-click function -> Display Function Graph
# Shows control flow graph
# Navigate with mouse or keyboard
# Zoom with mouse wheel
# Function comparison:
# Window -> Function Comparison
# Compare functions side by side
# Useful for identifying similar functions or variants
# Function tags and categories:
# Right-click function -> Set Function Tag
# Organize functions by purpose or analysis status
# Filter functions by tags in Symbol Tree
Gestion du type de données
# Data Type Manager operations:
# Built-in data types available
# Create custom structures:
# - Right-click in Data Type Manager
# - New -> Structure
# - Add fields with names and types
# Structure definition example:
# struct MyStruct \\\\{
# int field1;
# char field2[16];
# void* field3;
# \\\\};
# Apply data types:
# Select data in listing
# Right-click -> Data -> Choose Data Type
# Or drag data type from manager to listing
# Import data types:
# File -> Parse C Source
# Import header files to create data types
# Useful for analyzing programs with known APIs
# Export data types:
# Right-click data type -> Export
# Save as C header file or Ghidra data type archive
# Enum creation:
# Right-click -> New -> Enum
# Add enum values
# Apply to constants in code for better readability
Chaîne et analyse constante
# String analysis:
# Automatically performed during initial analysis
# Window -> Defined Strings
# Shows all identified strings with addresses and references
# String search:
# Search -> For Strings
# Configure search parameters:
# - Minimum length
# - Character encoding (ASCII, Unicode, etc.)
# - Null termination requirements
# Constant analysis:
# Identify numeric constants
# Right-click constant -> Convert
# Convert to different representations:
# - Hexadecimal
# - Decimal
# - Character
# - Enum value
# Cross-reference analysis:
# Find where strings and constants are used
# Right-click -> References -> Show References to
# Understand data flow and usage patterns
Analyse de la disposition de la mémoire
# Memory map view:
# Window -> Memory Map
# Shows program sections:
# - .text (code)
# - .data (initialized data)
# - .bss (uninitialized data)
# - .rodata (read-only data)
# - Import/export tables
# Section analysis:
# Right-click section -> Set Image Base
# Adjust base address if needed
# Important for position-independent code
# Memory search:
# Search -> Memory
# Search for byte patterns, strings, or values
# Useful for finding specific data or code patterns
# Overlay management:
# For complex binaries with overlays
# Window -> Program Tree
# Manage different memory layouts
Scénario et automatisation
Ghidra Scripting Basics
# Script Manager:
# Window -> Script Manager
# Browse available scripts by category:
# - Analysis
# - Examples
# - Data
# - Decompiler
# - Search
# Running scripts:
# Select script and click Run
# Or double-click script name
# Scripts can be run on current program or selection
# Script development:
# Create new script: Script Manager -> New
# Choose language: Java or Python
# Edit in built-in editor or external IDE
# Script locations:
# User scripts: ~/.ghidra/.ghidra_10.4_PUBLIC/scripts
# System scripts: $GHIDRA_INSTALL_DIR/Ghidra/Features/*/ghidra_scripts
Exemples de scripts de Python
# Basic Python script template
#@category Examples
#@author Your Name
#@description Script description
from ghidra.program.model.symbol import SourceType
# Get current program
program = getCurrentProgram()
# Get current address
currentAddress = currentLocation.getAddress()
# Print basic information
print("Program: " + program.getName())
print("Current address: " + str(currentAddress))
# Iterate through functions
fm = program.getFunctionManager()
functions = fm.getFunctions(True) # True for forward iteration
for function in functions:
print("Function: " + function.getName() + " at " + str(function.getEntryPoint()))
# Find strings
stringTable = program.getListing().getDefinedData(True)
for data in stringTable:
if data.hasStringValue():
print("String at " + str(data.getAddress()) + ": " + data.getValue())
# Create label
symbolTable = program.getSymbolTable()
symbolTable.createLabel(currentAddress, "MyLabel", SourceType.USER_DEFINED)
# Add comment
listing = program.getListing()
listing.setComment(currentAddress, listing.PLATE_COMMENT, "My comment")
Exemples de script Java
// Basic Java script template
//@category Examples
//@author Your Name
//@description Script description
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.SourceType;
public class MyScript extends GhidraScript \\\\{
@Override
public void run() throws Exception \\\\{
// Get current program
Program program = getCurrentProgram();
// Get function manager
FunctionManager fm = program.getFunctionManager();
// Iterate through functions
for (Function function : fm.getFunctions(true)) \\\\{
printf("Function: %s at %s\n",
function.getName(),
function.getEntryPoint().toString());
// Analyze function parameters
int paramCount = function.getParameterCount();
printf(" Parameters: %d\n", paramCount);
// Check if function has return value
if (!function.getReturnType().isVoid()) \\\\{
printf(" Return type: %s\n", function.getReturnType().getName());
\\\\}
\\\\}
// Create bookmark
Address currentAddr = currentLocation.getAddress();
program.getBookmarkManager().setBookmark(
currentAddr,
"Analysis",
"Script",
"Analyzed by script"
);
\\\\}
\\\\}
Techniques avancées de Scripting
# Advanced analysis script
#@category Analysis
#@description Advanced binary analysis
from ghidra.program.model.address import AddressSet
from ghidra.program.model.block import BasicBlockModel
from ghidra.program.model.pcode import HighFunction
from ghidra.app.decompiler import DecompInterface
# Initialize decompiler
decompiler = DecompInterface()
decompiler.openProgram(getCurrentProgram())
# Analyze control flow
bbModel = BasicBlockModel(getCurrentProgram())
functions = getCurrentProgram().getFunctionManager().getFunctions(True)
for function in functions:
print("\nAnalyzing function: " + function.getName())
# Get basic blocks
blocks = bbModel.getCodeBlocksContaining(function.getBody(), monitor)
print("Basic blocks: " + str(len(list(blocks))))
# Decompile function
results = decompiler.decompileFunction(function, 30, monitor)
if results.decompileCompleted():
highFunction = results.getHighFunction()
if highFunction:
# Analyze local variables
localSymbols = highFunction.getLocalSymbolMap()
print("Local variables: " + str(localSymbols.getNumSymbols()))
# Analyze function calls
pcodeOps = highFunction.getPcodeOps()
callCount = 0
for op in pcodeOps:
if op.getOpcode() == op.CALL:
callCount += 1
print("Function calls: " + str(callCount))
# Cleanup
decompiler.dispose()
Caractéristiques de collaboration
Configuration du serveur Ghidra
# Server installation (requires separate download)
# Download Ghidra Server from NSA GitHub releases
# Extract server
unzip ghidra_10.4_PUBLIC_20230928_server.zip
cd ghidra_10.4_PUBLIC_server
# Initialize server repository
./svrAdmin -add /path/to/repository
# Start Ghidra Server
./ghidraSvr console
# Server runs on port 13100 by default
# Configure firewall to allow connections
# Server administration
./svrAdmin -list # List repositories
./svrAdmin -add repo_name # Add repository
./svrAdmin -remove repo_name # Remove repository
./svrAdmin -users repo_name # List users
./svrAdmin -grant repo_name user # Grant access
./svrAdmin -revoke repo_name user # Revoke access
Flux de travail du projet partagé
# Create shared project (client side):
# File -> New Project -> Shared Project
# Enter server details:
# - Server name/IP
# - Port (default 13100)
# - Repository name
# - User credentials
# Check out files for editing:
# Right-click file -> Check Out Exclusive
# Or Check Out (allows concurrent read access)
# Commit changes:
# Right-click modified file -> Check In
# Add commit comment describing changes
# Update from server:
# Right-click file -> Update
# Merge changes from other users
# View file history:
# Right-click file -> Show History
# See all versions and changes
# Merge conflicts:
# Ghidra provides merge tools for conflicts
# Review changes and select appropriate version
# Manual merge may be required for complex conflicts
# Branching and versioning:
# Files maintain complete version history
# Can revert to previous versions
# Compare different versions side by side
Techniques d'analyse avancées
Analyse des logiciels malveillants
# Safe analysis environment setup:
# - Use isolated VM or sandbox
# - Disable network connections
# - Take VM snapshots before analysis
# Import malware sample:
# File -> Import File
# Select suspicious executable
# Choose appropriate processor architecture
# Initial triage:
# 1. Check file properties and metadata
# 2. Examine imports and exports
# 3. Look for strings and constants
# 4. Identify packing or obfuscation
# String analysis for malware:
# Window -> Defined Strings
# Look for:
# - URLs and IP addresses
# - Registry keys
# - File paths
# - Cryptographic constants
# - Error messages
# Import analysis:
# Window -> Symbol Tree -> Imports
# Identify suspicious API calls:
# - Network functions (socket, connect)
# - File operations (CreateFile, WriteFile)
# - Registry operations (RegOpenKey, RegSetValue)
# - Process manipulation (CreateProcess, OpenProcess)
# Behavioral analysis through decompilation:
# Focus on main function and entry points
# Trace execution flow
# Identify payload delivery mechanisms
# Look for persistence mechanisms
Analyse du firmware
# Firmware image preparation:
# Extract firmware from device or download
# Identify architecture (ARM, MIPS, x86, etc.)
# Determine endianness (little/big endian)
# Import raw firmware:
# File -> Import File
# Select "Raw Binary" format
# Configure:
# - Base address (often 0x0 or specific load address)
# - Processor architecture
# - Endianness
# Identify entry points:
# Look for reset vectors
# Check interrupt vector tables
# Find bootloader code
# Memory layout analysis:
# Identify different sections:
# - Bootloader
# - Kernel/OS
# - Application code
# - Configuration data
# - File systems
# String analysis for firmware:
# Look for:
# - Version information
# - Debug messages
# - Configuration parameters
# - Network protocols
# - Cryptographic keys
# Cross-reference analysis:
# Find references to interesting strings
# Trace data flow
# Identify critical functions
Recherche sur la vulnérabilité
# Input validation analysis:
# Identify input sources:
# - Command line arguments
# - File inputs
# - Network inputs
# - User interface inputs
# Trace data flow:
# Follow input data through program
# Look for dangerous functions:
# - strcpy, sprintf (buffer overflows)
# - malloc, free (memory management)
# - system, exec (command injection)
# Control flow analysis:
# Examine conditional branches
# Look for authentication bypasses
# Check error handling paths
# Identify race conditions
# Memory corruption detection:
# Look for:
# - Buffer overflows
# - Integer overflows
# - Use-after-free
# - Double-free
# - Format string vulnerabilities
# Cryptographic analysis:
# Identify crypto implementations
# Look for:
# - Weak random number generation
# - Hard-coded keys
# - Weak algorithms
# - Implementation flaws
Intégration et extensions
Intégration des outils
# IDA Pro integration:
# Export from IDA: File -> Produce file -> Create MAP file
# Import to Ghidra: File -> Import File -> Select MAP file
# Radare2 integration:
# Export r2 analysis: r2 -c "aaa; afn" binary > functions.txt
# Import function names to Ghidra via script
# Binary Ninja integration:
# Use community plugins for data exchange
# Export/import function signatures and comments
# Debugger integration:
# GDB integration via scripts
# Export symbols for debugging
# Import debugging information
# Disassembler comparison:
# Use multiple tools for verification
# Cross-reference findings
# Validate analysis results
Développement de plugins
# Plugin structure:
# Ghidra plugins are Java-based
# Extend GhidraPlugin class
# Implement required methods
# Plugin development setup:
# Install Ghidra development environment
# Set up Eclipse or IntelliJ IDEA
# Configure Ghidra SDK
# Basic plugin template:
# Create new Java project
# Add Ghidra libraries to classpath
# Implement plugin functionality
# Build and install plugin
# Plugin installation:
# Copy plugin JAR to Ghidra Extensions directory
# Restart Ghidra
# Enable plugin in Tool -> Configure Tool
# Extension development:
# Create custom analyzers
# Add new file format support
# Implement custom processors
# Develop specialized analysis tools
L'ensemble complet de fonctionnalités de Ghidra, la nature open-source et les puissantes capacités de décompilation en font un outil exceptionnel pour l'ingénierie inverse et l'analyse binaire. Ses fonctionnalités collaboratives permettent des projets d'analyse en équipe, tandis que ses capacités de script permettent l'automatisation et la personnalisation. Qu'il soit utilisé pour l'analyse des logiciels malveillants, la recherche sur la vulnérabilité, l'ingénierie inverse du firmware ou l'analyse générale des logiciels, Ghidra fournit la profondeur et la flexibilité nécessaires pour comprendre les programmes binaires complexes. Le développement continu de l'outil par la NSA et la communauté open-source garantit qu'il reste à la fine pointe de la technologie d'ingénierie inverse, rendant les capacités d'analyse avancées accessibles aux chercheurs, aux professionnels de la sécurité et aux développeurs du monde entier.