Ghidra Wiki

java
reverse_engineering
malware-analysis


This is an article to learn. My experience with Ghidra is still minimal.



Ghidra

A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission

(Source: https://ghidra-sre.org/)

Ghidra is an integrated reverse engineering environment that allows reverse engineers to collaborate on projects. The work mostly revolves around disassembly listings, call and flow graphs, and other ways to gain insight into the functionality of target binaries.

Setup and runtime environment

    % java --version
    openjdk 11.0.2 2018-10-16
    OpenJDK Runtime Environment (build 11.0.2+7)
    OpenJDK 64-Bit Server VM (build 11.0.2+7, mixed mode)

Linux version and userland

    % uname -a
    Linux datsheep 5.0.0-arch1-1-ARCH #1 SMP PREEMPT Mon Mar 4 14:11:43 UTC 2019 x86_64 GNU/Linux

Userland is supplied via the official Arch Linux repositories.

During the tests I found out that Ghidra's Java windows jump around under Enlightenment 17. Therefore I switched to my other window manager, Awesome WM.
Tiling window management may provide a useful layout workflow for Ghidra's many windows and view elements.

Mac OS X version and Java Development Kit

Some screenshots are done on Mac OS X 10.14 with an up to date JDK 11.

Ghidra version and license

Startup configuration

% ghidra_9.0 diff support/launch.sh ../ghdira_orginal/ghidra_9.0/support/launch.sh
30c30
< VMARG_LIST="-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dsun.java2d.dpiaware=false -Dswing.plaf.metal.controlFont=Tahoma -Dswing.plaf.metal.userFont=Tahoma"
---
> VMARG_LIST=
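Review bot: the hunk reads backwards for anyone expecting old-to-new order, because the modified `support/launch.sh` was passed as the first argument and the stock copy under `../ghdira_orginal/` as the second, so the `<` line carrying the Swing and font flags is the local edit and `> VMARG_LIST=` is the original. Swapping the two paths (or running `diff -u original modified`) would show the flags as additions, which matches the bullets that follow.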
150c150
< 	VMARG_LIST+=" -Xrunjdwp:transport=dt_socket,server=y,suspend=${SUSPEND},address=127.0.0.1:${DEBUG_PORT}"
---
> 	VMARG_LIST+=" -Xrunjdwp:transport=dt_socket,server=y,suspend=${SUSPEND},address=*:${DEBUG_PORT}"
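Review bot: the stock line binds the JDWP agent to `*:${DEBUG_PORT}`, which accepts debugger connections on every interface, and a JDWP client can run arbitrary code inside the Ghidra JVM by protocol design, so the `127.0.0.1:${DEBUG_PORT}` binding in the local copy is the right change; the bullet below should say `*` rather than `0.0.0.0`, since that is what the diff shows. The line is tab-indented, so it is presumably only reached on the launcher's debug path, which limits the exposure to sessions started with debugging enabled. As a style point, `-Xrunjdwp:` is the legacy spelling; `-agentlib:jdwp=transport=dt_socket,...` is the supported equivalent on Java 11.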
  • I have bound the JDWP socket to 127.0.0.1 instead of 0.0.0.0.
  • Plus I supplied Swing-specific command-line flags to enhance the font rendering. Effectively the first 3 matter, and the following options may not work.

The NSA backdoor debate

In my lab I run the HELK stack with an osquery configuration that largely incorporates the queries published by Palantir:

I have not seen Ghidra "phone home". To be sure, keep an eye on the osquery.results.json logs. Threat hunting is a modern challenge in information security. Doing this requires an open mind, and we shouldn't exclude anything.
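One way to do that check over the osquery results log, as an added example that is not part of the original post: it filters differential result lines for Ghidra JVMs that opened a socket to anything other than loopback or a known Ghidra Server. The log lines, the pack name, the allowlisted server address and the `ghidra.GhidraRun` command line are constructed assumptions, not output from the lab described above.

```python
import ipaddress
import json

# Constructed osqueryd differential result lines (osquery.results.json style) for a
# hypothetical scheduled query that joins processes with process_open_sockets.
# PIDs and addresses are invented; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
{"name":"pack_hunt_ghidra_sockets","hostIdentifier":"datsheep","action":"added","columns":{"pid":"4242","name":"java","cmdline":"/usr/bin/java ghidra.GhidraRun","remote_address":"127.0.0.1","remote_port":"13100"}}
{"name":"pack_hunt_ghidra_sockets","hostIdentifier":"datsheep","action":"added","columns":{"pid":"4242","name":"java","cmdline":"/usr/bin/java ghidra.GhidraRun","remote_address":"192.168.56.10","remote_port":"13100"}}
{"name":"pack_hunt_ghidra_sockets","hostIdentifier":"datsheep","action":"added","columns":{"pid":"4242","name":"java","cmdline":"/usr/bin/java ghidra.GhidraRun","remote_address":"203.0.113.5","remote_port":"443"}}
{"name":"pack_hunt_ghidra_sockets","hostIdentifier":"datsheep","action":"removed","columns":{"pid":"4242","name":"java","cmdline":"/usr/bin/java ghidra.GhidraRun","remote_address":"203.0.113.5","remote_port":"443"}}
{"name":"pack_hunt_ghidra_sockets","hostIdentifier":"datsheep","action":"added","columns":{"pid":"5151","name":"java","cmdline":"/usr/bin/java -jar /opt/tool/app.jar","remote_address":"203.0.113.9","remote_port":"443"}}
{"name":"pack_hunt_ghidra_sockets","hostIdentifier":"datsheep","action":"added","columns":{"pid":"4242","name":"java","cmdline":"/usr/bin/java ghidra.GhidraRun","remote_address":"","remote_port":"0"}}
this line is not JSON and must be skipped
"""

# Assumed allowlist: the lab's own Ghidra Server, the only remote host a Ghidra
# client is expected to talk to (constructed address).
ALLOWED_REMOTES = {"192.168.56.10"}

def is_ghidra_process(columns):
    """Ghidra runs as a JVM whose command line names a ghidra.* main class."""
    return columns.get("name") == "java" and "ghidra" in columns.get("cmdline", "").lower()

def unexpected_connections(log_text, allowed=ALLOWED_REMOTES):
    """Return new (action == added) non-loopback, non-allowlisted sockets of Ghidra JVMs."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue                       # osqueryd can interleave non-JSON output
        cols = event.get("columns", {})
        if event.get("action") != "added" or not is_ghidra_process(cols):
            continue
        addr = cols.get("remote_address", "")
        if not addr or addr in allowed:
            continue                       # listening socket or known Ghidra Server
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass                           # unparsable address: keep it, worth a look
        hits.append({"host": event.get("hostIdentifier"), "pid": cols.get("pid"),
                     "remote": f"{addr}:{cols.get('remote_port')}"})
    return hits
```

Feed it the real osquery.results.json and an allowlist of your own Ghidra Server(s); anything it returns is a Ghidra JVM talking to a host it has no business talking to.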

Ghidra 9.0

This is the release from the RSA conference.

Panels left to right, top to bottom:

  • Program Trees (the screenshot shows PE segments)
  • Symbol Tree (the entry-point is named entry)
  • Listing (shows x86 32bit assembly)
  • Function graph (identifies the program flow automatically from the assembly)
  • Decompile (decompiles the assembly listing to C code)

The screenshot shows a Malware sample. If you are the author, feel free to reach out to the lawyers :stuck_out_tongue:

PE header gets listed in the disassembly

Ghidra lists the PE header fields in the Listing panel, which is useful if you must unpack Malware samples before the analysis.

That being said, the overall project consists of thousands of Java classes and probably millions of lines of code.

Callgraphs and Cross-referencing - synced tools for reachability modelling

The tools are synchronised with each other and provide interactive views. If you highlight a listing section in the Listing panel, its corresponding code will also be highlighted in the Decompile panel.

This is also true for Callgraphs: Ghidra supports function cross-referencing (and the shortcuts can be changed to mimic IDA’s workflows). This can enable decisions on how to guide input generators to reach certain blocks or instructions, for example for Fuzzing.

Decompiler and Static Single Assignment

Static Single Assignment enables the efficient implementation of many important decompiler components, including expression propagation, preservation analysis, type analysis, and the analysis of indirect jumps and calls.

(Source: Michael James Van Emmerik, The University of Queensland, dissertation, 2007)

Ghidra’s decompiler doesn’t use SSA (as far as I have seen). This puts limitations upon the propagation of aliased registers.
A function in a target binary may return a value into a register (EAX on x86 for example). The decompiler would not propagate this value into an extra label. Therefore keeping track of this is more difficult than it needs to be.

Extensions, scripts and automation

I have been disappointed by Vector 35’s decision to limit the headless usage of the Binary Ninja API to enterprise customers. Ghidra goes a different way of course:

Ghidra ships with over 200 scripts that you can just run:

    Successfully compiled: PortableExecutableRichPrintScript.java
    PortableExecutableRichPrintScript.java> Running...
     Index   @comp.id     Ref. Count     Product Code Type             Description
         0     957809              7               95 Assembler        Assembler from VS2008, build 30729
         1     937809              2               93 Linker           Linker from VS2008, build 30729
         2     837809             68               83 C Compiler       C Compiler from VS2008, build 30729
         3     5d0fc3             11               5d Linker           Linker from VS2003 (.NET), build 4035
         4      10000            145                1 Unknown          Unmarked objects
         5     847809             19               84 C++ Compiler     C++ Compiler from VS2008, build 30729
         6     7ec627              1               7e Unknown          Unknown Product (7e)
         7     947809              1               94 CVTRes           CVTRes from VS2008, build 30729
         8     917809              1               91 Linker           Linker from VS2008, build 30729
    PortableExecutableRichPrintScript.java> Finished!
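The table above is the PE "Rich" header: each @comp.id packs a product id in the high 16 bits and a build number in the low 16 bits (0x957809 is product 0x95, build 0x7809 = 30729), and the whole block sits XOR-encoded with a per-binary key between the DOS stub and the PE header. As an added example, not Ghidra's script, here is a small Python parser run over a constructed fragment; the XOR key, the product-name table and the sample bytes are assumptions built from the output above.

```python
import struct

# Constructed product-name table for the product codes seen in the script
# output above; an assumption, not Ghidra's own lookup data.
PRODUCT_NAMES = {0x01: "Unmarked objects", 0x5d: "Linker from VS2003 (.NET)",
                 0x83: "C Compiler from VS2008", 0x84: "C++ Compiler from VS2008",
                 0x91: "Linker from VS2008", 0x93: "Linker from VS2008",
                 0x94: "CVTRes from VS2008", 0x95: "Assembler from VS2008"}
DANS = struct.unpack("<I", b"DanS")[0]   # start marker, stored XORed with the key

def parse_rich_header(data: bytes):
    """Return (xor_key, [(comp_id, count), ...]) or None if no Rich header."""
    end = data.find(b"Rich")             # the "Rich" trailer is stored in clear
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    pos = end - 4                        # walk back dword by dword to "DanS" ^ key
    while pos >= 0 and struct.unpack_from("<I", data, pos)[0] != DANS ^ key:
        pos -= 4
    if pos < 0:
        return None
    entries = []
    for off in range(pos + 16, end, 8):  # skip DanS and three XORed zero dwords
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return key, entries

def rich_table(data: bytes):
    """Split each @comp.id into product id (high 16 bits) and build (low 16 bits)."""
    parsed = parse_rich_header(data)
    rows = []
    for comp_id, count in (parsed[1] if parsed else []):
        prod_id, build = comp_id >> 16, comp_id & 0xFFFF
        name = PRODUCT_NAMES.get(prod_id, f"Unknown Product ({prod_id:x})")
        rows.append({"count": count, "product": prod_id, "build": build, "name": name})
    return rows

def build_sample(key: int, entries):
    """Constructed PE fragment: 64-byte DOS header followed by a Rich header."""
    body = struct.pack("<I", DANS ^ key) + struct.pack("<I", key) * 3
    for comp_id, count in entries:
        body += struct.pack("<II", comp_id ^ key, count ^ key)
    return b"MZ" + bytes(62) + body + b"Rich" + struct.pack("<I", key)

# @comp.id and count values taken from the script output above; the key is invented.
KEY = 0x12345678
ENTRIES = [(0x957809, 7), (0x937809, 2), (0x837809, 68), (0x5d0fc3, 11),
           (0x10000, 145), (0x847809, 19), (0x7ec627, 1), (0x947809, 1), (0x917809, 1)]
SAMPLE = build_sample(KEY, ENTRIES)
```

The key doubles as a checksum over the DOS header and the entries, which this parser does not verify; a mismatch there is one sign of a hand-edited or forged toolchain fingerprint.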

The analyzeHeadless script supports script execution in client-server mode, which means that you can not only collaborate on reverse engineering projects but also wrap the functionality into server endpoints and provide simpler client tools.

Use cases

I hope that Ghidra will be adopted to push Malware Analysis further so that it gets harder for criminals to infect systems.

Since I do like Java programming, I think this might come in handy.

Busting the myth: Ghidra cannot analyse Stuxnet?

There is a joke on Twitter that was taken seriously enough by some people to send inquiries to the NSA, and to retweet it thousands of times.

Supposedly Ghidra prevents analysts from disassembling or decompiling the world's most popular Malware: Stuxnet, a piece of sabotage software that some people attribute to nations with advanced offensive technological capabilities.

Supposedly you get this popup instead of the Ghidra analysis views:


In order to verify this you should get copies of Stuxnet from here:

And long story short…

    λ ~/Downloads/ghidra/ gmd5sum 743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1.bin
    74ddc49a7c121a61b8d06c03f92d0c13  743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1.bin

https://www.virustotal.com/en/file/743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1/analysis/
And for fun:

    λ ~/Downloads/ghidra/bins/ gmd5sum lsass1_lsass.exe.livebin.exe
    92ee3db5ab1c145f09146a61d34e0bbb  lsass1_lsass.exe.livebin.exe

https://www.virustotal.com/en/file/f4aec3e60026c29d27517628820473365651f22de50e309fe6af4e3aafe414a2/analysis/

Exciting, I know… if this isn’t enough, please refer to the projects section. There is a 30 minute video about Stuxnet reverse engineering with Ghidra.

Other reverse engineering tools in comparison

There is no other freely available OpenSource reverse engineering framework with comparable features.

Hex-Rays' IDA Pro

One of IDA's key features is the F.L.I.R.T.[1] analysis, which lets it detect library functions. You can see in the screenshot that it detects common C library functions, and that the freeware version actually disassembles x86-64 binaries.


In my experience IDA's analysis features reliably determine the compiler toolchains used for x86 and x86-64 target binaries (in the freely available version since IDA 7).
Ghidra will have to prove itself by performing these common static binary analysis tasks reliably before I can adopt it.

The “IDA Freeware” feature set [2] includes a debugger since March 2019, which Ghidra’s public release (9.0) does not seem to offer at this point in time. The debugger only matters on Windows for me, given that I don’t come across Mac OS X or Linux malware target binaries.
The debugger with a combined disassembly graph and code / block coverage information is very powerful in order to speed up reverse engineering tasks.

Besides a disassembler, Hex-Rays also offers a decompiler product, which produces less generic code listings than Ghidra's decompiler[3]. – Today Ghidra is the most advanced freely available OpenSource decompiler as well.

The graph view looks comparable, but I have not been able to find theme settings for it in Ghidra. In IDA I used to set grey backgrounds that resemble the Coding Horror theme. I use this theme across IntelliJ IDEs and terminals as well.

IDA Pro is also used to patch binaries (for example to remove certain anti-Debugging checks during Malware Analysis). Ghidra’s disassembly and assembly don’t appear to be paired. This may cause surprises.
If you are generally interested in the topic, please refer to the respective tutorial video in the projects section.

Real world challenges and large binaries

IDA Pro has got the Zynamics / Google tools BinDiff and BinNavi. These can add a lot of features on top of a robust disassembler. Ghidra's disassembler might be a future candidate.

BinNavi has a differential debugger as well, but I have rarely used it. Its primary use case is graph querying and reachability modeling to adjust fuzzers or other input generators.

BinDiff is the most useful tool to compare binaries via disassembly. This can also be useful for software similarity analysis.

https://www.zynamics.com/bindiff.html

Diaphora can also be used for Patch-Differential analysis on Binaries with IDA Pro:

Vector 35's Binary Ninja

In version 1.1x Binary Ninja uses Intel XED to decode x86 and x86-64 instructions. It uses yasm for encoding.

Binary Ninja (alias Binja) also does not include a debugger (in its core feature set). But there are tested plugins for x64dbg (which supports x86-32 as well).

Binja does not include a decompiler, but an Intermediate Language (IL) that can be used for Abstract Analysis for example. I haven’t seen an IL from Ghidra.

This screenshot shows the Medium Level IL on the simple Crackme [4] used in the Quick Start video I posted below. This is not as high-level as a decompiler of course, but in some cases it may provide a more reliable perspective.

– I also haven’t seen the RetDec (popular decompiler) plugin for Binary Ninja to work (it is deprecated due to API changes). Maybe this (or something similar) is needed in order to remain competitive, because Ghidra’s decompiler produces a much more insightful perspective on the same target binary.

sen's HIEW

HIEW (Hacker's view) is a tool that I always like to start with. Of course Ghidra has a hexadecimal view as well, but if you need to eliminate all distractions and just want to read a disassembled code block, HIEW is great.

We should keep in mind that the goal isn't to use the greatest and most complex tools. It's about using insights that can be gained by static, dynamic or environmental observations.

First impressions from experienced reversers

First impressions

Interface tour with a Crackme-binary

Quick overview about Ghidra's windows and Views (writeup)

Control-flow de-obfuscation via Abstract Interpretation with Ghidra

Port of the tool (repo):

Ghidra scripts to integrate common Reverse Engineering and Digital Forensics tools

  • Binwalk script to enable firmware analysis / IoT security
  • Yara support to enable Malware Forensics
  • Swift Demangler to enable Mobile Malware analysis
  • Golang Renamer to enable the analysis of Go-based software

Ghidra - automated discovery of banned functions (insecure coding indicators)

https://www.vdalabs.com/2019/03/09/automating-ghidra-writing-a-script-to-find-banned-functions/

Linux exploit development - Use-After-Free "Secret Keeper - Pragyan CTF 19"

WIP - writing a WASM loader for Ghidra (RU)

DLL hijacking and attack surface enumeration with Ghidra (writeup)

https://liberty-shell.com/sec/2019/03/12/dll-hijacking/

An analysis of Stuxnet using Ghidra

Reverse engineering with Ghidra: Breaking an embedded firmware encryption scheme (Moxa industrial control gateways)

Writing more Maplestory cheats - play with Ghidra and WinDBG

Patching binaries with Ghidra

I cannot say that this satisfies my needs at this point in time.

Known bugs and fixes

Mac OS X scrolling issue

It’s safe to say the NSA doesn’t use Mac OS X.

Summary

It’s too early for a summary…

Changelog
  • 7.3.2019 - just tried it out
  • 11.3.2019 - added more information about the Java source and tutorials
  • 14.3.2019 - added new things I found
  • 15.3.2019 - added and referenced "Patching binaries with Ghidra", corrected the IDA Freeware feature set description because the x86 and x86-64 debugger is now included



  1. https://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml
  2. https://twitter.com/ilfak/status/1106285550699450369
  3. https://hex-rays.com/products/ida/support/ppt/recon2018.ppt
  4. https://crackmes.one/crackme/5b8a37a433c5d45fc286ad83