Ghidra -- Reverse Engineering Tool used by NSA

On Kali Linux's latest 2021.2 update Kali Linux included Ghidra on Kali Linux large image and repository, means now it's more easier to install and use Ghidra on our Kali Linux system. But, what is Ghidra? A dragon?

What is Ghidra ?

Ghidra is an open-source software reverse engineering (SRE) framework developed by National Security Agency (NSA) Research Directorate of United States, for NSA's Cyberseurity mission.

The binaries were released at RSA Conference in March 2019; the sources were published one month later on GitHub. Ghidra is seen by many security researchers as a competitor to IDA Pro. The software is written in Java using the Swing framework for the GUI. The decompiler component is written in C++. Ghidra plugins can be developed in Java or in Python (provided via Jython).

It is a Java based GUI reverse engineering framework, it is able to de-compile a application from binary and understand the logic of the code. NSA used it to find malwares inside a application, it also very useful for finding bugs on applications.

How to Install Ghidra on Kali Linux 2021

Ghidra on Kali Linux install and use
If we wrote this article before Ghidra comes with Kali (June, 2021, then the installation process will be larger and complex.

But now we just need one command to install it on our Kali Linux system. We need to use following command:

sudo apt install -y ghidra

The above command will install Ghidra on our Kali Linux system. It will download more than 250 MB and take almost 750 MB disk space on our system. So installing it will consume some time depending on our network speed and system configuration. Coffee Break 🍵.

Ghidra installation on Kali Linux

How to use Ghidra on Kali Linux

After installing Ghidra on our Kali Linux system we can open this GUI based tool by using following command to open it up:

ghidra

The above command will open Ghidra on our Kali Linux system, or we can search for it on Application menu. As we can see on the following screenshot:

Ghidra User agreement
Here Ghidra is showing us the "User agreement" to use this tool. We need to read it carefully then click on "I agree" for the very first time of using Ghidra.

After clicking on 'I agree' Ghidra will open two window, one for help another is the Ghidra framework's main screen, we can check the help if we want, but here we close it and focus on Ghidra. It looks like the following screenshot:

ghidra main screen

Here we can see that we don't have any active project on our Ghidra. So we need to import a project. We have an exe file here to test. First of all we need to go to  the menu File>New Project, as shown in the following screenshot.

Ghidra new project

Then we need to select our new project type, here we are choosing non-shared project.

project type on ghidra

We click on "Next", now we need to select the project location and name. We have chosen the default home path and named the project as we wish, see the following screenshot below.

ghidra project name and location

Then we click on "Finish", to complete creating a new project.

New project on ghidra created

On the above screenshot we can see that a new project created on Ghidra.

Now here we can import an application file. For an example we have an exe file. We can directly drag & drop the application file over the project or we can simply press I to import application file for testing, We can also choose from menu File>Import File.

Then we need to choose application file to test as shown in the following screenshot:

ghidra import application file

Here we have choose an shell.exe file for testing. We select it to import.

import file summary on ghidra

We can see some details of importing file, we click on "OK".

import file summary on ghidra
Here in this window we can see the import file summary on Ghidra. We press 'Enter' ↩ key here.

Now Ghidra will import the file and prompt to analyze the application file on CodeBrowser.

Ghidra prompt for analysis

We click on "Yes". Then on a new window we need to select analyzers. There are lots of analysis configuration options do exist. We can see a description of every option by clicking on it, the description is displayed in the upper-right Description section.

Analysis options on Ghidra

Let's click on Analyze to perform the analysis of the file. Then, we can see the Ghidra CodeBrowser window. We shouldn't worry if we forget to analyze something, we can reanalyze the program later (by going to the Analysis tab and then Auto Analyze 'shell.exe').

analysis again on ghidra

Ghidra CodeBrowser

Here we are in Ghidra CodeBrowser. From here we can analysis application data and logic. Ghidra CodeBrowser has a good and well-chosen interface. Let's briefly know about it.

Ghidra codebrowser details

Let's see how CodeBrowser is distributed by default:

  1. Usually, by default in reverse engineering frameworks, in the center of the screen, Ghidra shows a disassembly view of the application file.
  2. As the disassembly level is sometimes a too low-level perspective, Ghidra incorporates its own de-compiler, which is located to the right of the disassembly window. The main function of the program was recognized by a Ghidra signature, and then parameters were automatically generated. Ghidra also allow us to manipulate de-compiled code in a lot of aspects. Of course, a hexadecimal view of the file is also available in the corresponding tab. These three windows (disassembly, de-compiler, and the hexadecimal window) are synchronized, offering different perspectives of the same thing.
  3. Ghidra also allow us to easily navigate in the program. For instance, to go to another program section, we can refer to the Program Trees window located in the upper-left margin of CodeBrowser.
  4. If we prefer to navigate to a symbol (for example, a program function), then we need to go just below that, to where the Symbols Tree pane is located.
  5. If we want to work with data types, then we need to go just below that again, to Data Type Manager.
  6. As Ghidra allows scripting reverse engineering tasks, script results are shown in the corresponding window at the bottom. Of-course, the Bookmarks tab is available in the same position, allowing us to create pretty well-documented and organized bookmarks of any memory location for quick access.
  7. Ghidra has also a quick access bar at the top.
  8. At the topmost part of CodeBrowser, the main bar is located. Now we know the default perspective of Ghidra.
  9. Following the current address, the current function is shown.
  10. In addition to the current address and the current function, the current disassembly line is shown to complete the contextual information.
  11. Finally, at the bottom right, the first field indicates the current address.

Ghidra is highly customizable framework. It has tons of features and also we can run our own scripts on it. Covering every details of Ghidra is not possible on an article. Ghidra is a huge topic we must need an entire book to learn it clearly.

What just we said? A BOOK? We have it. We have a very good book on Ghidra, which one covers Ghidra in total. Check our Telegram Group to get the book. Here is the Ghidra official Cheat Sheet.

Love our articles? Make sure to follow us to get all our articles directly on notification. We are also available on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

author-img
Kali Linux

Comments

No comments
Post a Comment
    google-playkhamsatmostaqltradent