otw

Jul 173 min

Reverse Engineering Malware: Getting Started with Ghidra, Part 1

Updated: Aug 21

Welcome back, my aspiring cyber warriors!

There are a number of excellent tools available to use in the field of reverse engineering (see Reverse Engineering, Part 3: Getting Started with Ida Pro and Part 5: Getting Started with OllyDbg ), but now we have an excellent new option known as Ghidra. Ghidra was developed by the US National Security Agency (the US's leading domestic spy agency and the agency responsible for developing Stuxnet malware and EternalBlue), one of the top espionage agencies in the world.

We first learned of Ghidra in the Wikileaks Vault 7 leak of 2017 and it was released as free and open-source (under the Apache License) software in spring 2019. It is an excellent reverse engineering tool and unlike Ida Pro, it's free!

Ghidra has nearly all the functionality of Ida Pro without the cost, so if you are starting out in reverse engineering this is probably the software to use.

Due to its effectiveness and attractive price point, I will be using Ghidra to do a series of tutorials in Reverse Engineering Malware here at Hackers-Arise.

I strongly recommend that you read the following tutorials before proceeding here to work with Ghidra:

  1. Reverse Engineering Malware, Part 1: Getting Started

  2. Reverse Engineering Malware, Part 2: Assembler Basics

  3. Reverse Engineering Malware, Part 4: Windows Internals

Step #1: Download Ghidra

You can download Ghidra here. Since it is written in Java it is available for nearly every platform including Window, Mac OS and Linux. I'll be using Windows 10 to demonstrate Ghidra.

As Ghidra is a Java application and requires JDK 11. Make certain that your JDK is up to date and, if not, download the it from Oracle.

Step #2: Start Ghidra

Once you have downloaded Ghidra, you can start it by clicking on the .bat file (kind of old school).

Ghidra opens up by displaying this logo for a brief time...

...and then displays this window to start your first project. Projects are similar to folders and can contain multiple files that you are working on.

Click "New Project".

This opens a window like that below. One of the features of Ghidra is the ability to collaborate on a file or project. In that case, click "Shared Project". Here we will be working individually on a project, so click "Non-Shared Project". Then Click Next.

Then, you will be asked for the location and name of your project. In Windows, by default, the project will be placed in your C:\User\<Name>\ghidra directory. I will use that. Then enter your project name. Here I will call my project "MyFirstGhidraProject".

Next, we need to Import a file. This is the software or malware you want to analyze. Go to File -->Import File.

Select the file you want to analyze. In this case, I will analyzing the crackme0x00.exe (These simple crackme's are available athttps://github.com/Maijin/radare2-workshop-2015/tree/master/IOLI-crackme).

When you select your file, Ghidra will respond with the information below. Click OK.

Ghidra then displays a screen like below with the key information about the file.

Next, this screen pops up with your project and imported file. You can either double-click on the file or "drag and drop" the file to the green Ghidra dragon above it.

Ghidra then begins its work. First, it displays the assembler language of the program in the center Listing window and then asks whether you want to analyze the file. Click "Yes".

Ghidra will now analyze your file and display the information similar to the four windows below.

These four windows are;

Window #1 is the Symbol Tree

This window allows you to see the Imports, Exports, Functions, Labels, Classes and Namespaces of the binary.

Window #2 is the Listing Window

This window displays the breakdown of the code in assembler language.

Window #3 is the Decompiler Window

The Decompiler enables you to see what the high-level language would likely look like.

Window #4 is the Data Type Manager Window

The Data Type manager allows you to see all the defined data types.

Now, you are ready to begin analyzing and reverse engineering this file!

Summary

Reverse engineering malware is one of the highest level skill sets within the discipline of cybersecurity and one of the highest paid. Ghidra is an excellent reverse engineering tool capable of running on nearly any platform and priced very attractively (free). In this series, we will be suing this tool from the US NSA to reverse engineer multiple pieces of malware beginning with the simple and progressing to the advanced.

    14930
    3