
Reverse Engineering Malware: Getting Started with Ghidra, Part 1

Updated: Dec 28, 2022

Welcome back, my aspiring cyber warriors!

There are a number of excellent tools available to use in the field of reverse engineering (see Reverse Engineering, Part 3: Getting Started with IDA Pro and Part 5: Getting Started with OllyDbg), but now we have an excellent new option known as Ghidra. Ghidra was developed by the US National Security Agency (the US's leading domestic spy agency and the agency responsible for developing the Stuxnet malware and EternalBlue), one of the top espionage agencies in the world.

We first learned of Ghidra in the Wikileaks Vault 7 leak of 2017, and it was released as free and open-source software (under the Apache License) in spring 2019. It is an excellent reverse engineering tool and, unlike IDA Pro, it's free!

Ghidra has nearly all the functionality of IDA Pro without the cost, so if you are starting out in reverse engineering this is probably the software to use.

Due to its effectiveness and attractive price point, I will be using Ghidra to do a series of tutorials in Reverse Engineering Malware here at Hackers-Arise.

I strongly recommend that you read the following tutorials before proceeding here to work with Ghidra:

Step #1: Download Ghidra

You can download Ghidra here. Since it is written in Java, it is available for nearly every platform including Windows, Mac OS and Linux. I'll be using Windows 10 to demonstrate Ghidra.

Ghidra is a Java application and requires JDK 11. Make certain that your JDK is up to date and, if not, download it from Oracle.

Step #2: Start Ghidra

Once you have downloaded Ghidra, you can start it by clicking on the .bat file (kind of old school).

Ghidra opens up by displaying this logo for a brief time...

...and then displays this window to start your first project. Projects are similar to folders and can contain multiple files that you are working on.

Click "New Project".

This opens a window like the one below. One of the features of Ghidra is the ability to collaborate on a file or project. In that case, click "Shared Project". Here we will be working individually on a project, so click "Non-Shared Project". Then click Next.

Then, you will be asked for the location and name of your project. In Windows, by default, the project will be placed in your C:\User\<Name>\ghidra directory. I will use that. Then enter your project name. Here I will call my project "MyFirstGhidraProject".

Next, we need to import a file. This is the software or malware you want to analyze. Go to File --> Import File.

Select the file you want to analyze. In this case, I will be analyzing crackme0x00.exe (these simple crackmes are available at

When you select your file, Ghidra will respond with the information below. Click OK.

Ghidra then displays a screen like below with the key information about the file.

Next, this screen pops up with your project and imported file. You can either double-click on the file or "drag and drop" the file to the green Ghidra dragon above it.

Ghidra then begins its work. First, it displays the assembler language of the program in the center Listing window and then asks whether you want to analyze the file. Click "Yes".

Ghidra will now analyze your file and display the information similar to the four windows below.

These four windows are:

Window #1 is the Symbol Tree

This window allows you to see the Imports, Exports, Functions, Labels, Classes and Namespaces of the binary.

Window #2 is the Listing Window

This window displays the breakdown of the code in assembler language.

Window #3 is the Decompiler Window

The Decompiler enables you to see what the high-level language would likely look like.

Window #4 is the Data Type Manager Window

The Data Type manager allows you to see all the defined data types.

Now, you are ready to begin analyzing and reverse engineering this file!
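As an added example (not part of this tutorial or of Ghidra's bundled scripts), the Ghidra script below pulls out the same information the four windows present after analysis: the Imports and Functions from the Symbol Tree, the entry addresses you would see in the Listing, and the Decompiler's C-like view of one function. It is run from Window --> Script Manager once analysis has finished; the script name and the assumption that the sample exposes a function named "main" are mine.

```java
// TriageProgram.java: added example, not one of Ghidra's own scripts.
// Run from Window -> Script Manager after the analysis in Step #2 completes.
import ghidra.app.script.GhidraScript;
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;
import ghidra.program.model.symbol.SymbolTable;
import java.util.List;

public class TriageProgram extends GhidraScript {
    @Override
    public void run() throws Exception {
        SymbolTable symtab = currentProgram.getSymbolTable();

        // Symbol Tree -> Imports: external symbols, prefixed with the library
        // (namespace) they resolve to. Imported APIs are the first hint of what
        // a sample can do (file, network, registry or process access).
        println("== Imports ==");
        SymbolIterator externals = symtab.getExternalSymbols();
        while (externals.hasNext()) {
            Symbol s = externals.next();
            println(s.getParentNamespace().getName() + "!" + s.getName());
        }

        // Symbol Tree -> Functions / Listing window: every function the
        // analyzer recognized, with its entry address.
        println("== Functions ==");
        FunctionIterator funcs = currentProgram.getFunctionManager().getFunctions(true);
        while (funcs.hasNext()) {
            Function f = funcs.next();
            println(f.getEntryPoint() + "  " + f.getName());
        }

        // Decompiler window: C-like view of one function. "main" is an
        // assumption; a stripped PE may only expose "entry".
        List<Function> mains = getGlobalFunctions("main");
        if (mains.isEmpty()) {
            println("no function named main; start from entry in the Listing");
            return;
        }
        DecompInterface decomp = new DecompInterface();
        decomp.openProgram(currentProgram);
        DecompileResults res = decomp.decompileFunction(mains.get(0), 60, monitor);
        println(res.decompileCompleted() ? res.getDecompiledFunction().getC()
                                         : "decompile failed: " + res.getErrorMessage());
        decomp.dispose();
    }
}
```

Output goes to the Console window, so the first pass over a sample can be saved alongside the project rather than read off the screen.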


Reverse engineering malware is one of the highest level skill sets within the discipline of cybersecurity and one of the highest paid. Ghidra is an excellent reverse engineering tool capable of running on nearly any platform and priced very attractively (free). In this series on Reverse Engineering, we will be using this tool from the US NSA to reverse engineer multiple pieces of malware beginning with the simple and progressing to the more advanced.





Yeah, no NSA back door in that software whatsoever.
