Ghidra - An Open Source Reverse Engineering Tool

Formal Metadata

Title
Ghidra - An Open Source Reverse Engineering Tool
Subtitle
How the NSA open-sourced all software in 2019
Number of Parts
94
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The NSA has released a tool called Ghidra, both as free-to-use software and in source code form. It is a software reverse engineering framework with advanced capabilities such as a powerful decompiler. This lecture gives a short introduction to Ghidra and covers examples of both benign executables and malware, with a focus on the Windows operating system.

Reverse engineering, more specifically software reverse engineering, is the process of deconstructing computer programs in order to understand their feature set. This especially includes software that is not available as source code but only as binary executables. Such files can be analyzed by executing them, which is often referred to as "dynamic analysis", or by translating them into another language, such as assembly, which the reverse engineer then tries to reason about; the second approach is often referred to as "static analysis".

While it is in principle possible for a human to fully understand and statically analyze a binary by reading raw assembly, this approach does not scale well. The x86 instruction set, for example, which is used in most desktop computers and servers, consists of thousands of different instructions, each of which performs only a very small task, such as adding two integers. One can imagine that even a binary as mundane as a tool for listing the contents of the current directory is made up of a large number of these instructions. In practice, reverse engineering therefore relies heavily on tooling.

The Vault 7 leak published by WikiLeaks in 2017 suggested that the NSA owns or develops a reverse engineering tool called "Ghidra". Two years later, at the RSA Conference in 2019, the NSA released the tool to the public, first as ready-to-use software and shortly afterwards with its complete source code. For the reverse engineering community this is a big deal: all tools available until that point were either very expensive or lacked advanced capabilities.
While this lecture only covers executables for the Microsoft Windows operating system, Ghidra supports a very wide variety of platforms, ranging from ARM (used in many IoT devices) and DEX (the bytecode format of Android-based devices) to more exotic architectures such as PowerPC, MIPS or SPARC. This versatility is a big advantage for Ghidra compared with its main competing product, the Hex-Rays decompiler. A lot of people think that reverse engineering is a dark art that only a few select individuals are gifted in. I honestly think that it is just another skill, and would even go as far as saying that maintaining a legacy software product without good documentation, which is a common scenario in the software development industry, is much harder than understanding how WannaCry worked.