Sign In Start Free Trial
Account

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Ghidra Software Reverse Engineering for Beginners
  • Table Of Contents Toc
  • Feedback & Rating feedback
Ghidra Software Reverse Engineering for Beginners

Ghidra Software Reverse Engineering for Beginners

By : A. P. David
4.6 (8)
close
close
Ghidra Software Reverse Engineering for Beginners

Ghidra Software Reverse Engineering for Beginners

4.6 (8)
By: A. P. David

Overview of this book

Ghidra, an open source software reverse engineering (SRE) framework created by the NSA research directorate, enables users to analyze compiled code on any platform, whether Linux, Windows, or macOS. This book is a starting point for developers interested in leveraging Ghidra to create patches and extend tool capabilities to meet their cybersecurity needs. You'll begin by installing Ghidra and exploring its features, and gradually learn how to automate reverse engineering tasks using Ghidra plug-ins. You’ll then see how to set up an environment to perform malware analysis using Ghidra and how to use it in the headless mode. As you progress, you’ll use Ghidra scripting to automate the task of identifying vulnerabilities in executable binaries. The book also covers advanced topics such as developing Ghidra plug-ins, developing your own GUI, incorporating new process architectures if needed, and contributing to the Ghidra project. By the end of this Ghidra book, you’ll have developed the skills you need to harness the power of Ghidra for analyzing and avoiding potential vulnerabilities in code and networks.
Table of Contents (20 chapters)
close
close
1
Section 1: Introduction to Ghidra
6
Section 2: Reverse Engineering
12
Section 3: Extending Ghidra

WikiLeaks Vault 7

On March 7, 2017, WikiLeaks started to leak Vault 7, which became the biggest leak of confidential documents on the US Central Intelligence Agency (CIA). This leak included secret cyber-weapons and spying techniques divided into 24 parts, named Year Zero, Dark Matter, Marble, Grasshopper, HIVE, Weeping Angel, Scribbles, Archimedes, AfterMidnight and Assassin, Athena, Pandemic, Cherry Blossom, Brutal Kangaroo, Elsa, OutlawCountry, BothanSpy, Highrise, UCL/Raytheon, Imperial, Dumbo, CouchPotato, ExpressLane, Angelfire, and Protego.

While Michael Vincent Hayden, the director of the CIA between 2006 and 2009 and director of the NSA between 1999 and 2005, as the spokesperson, did not confirm or deny the authenticity of this enormous leak, some NSA intelligence officials anonymously did leak the material.

The existence of Ghidra was leaked in the first part of Vault 7: Year Zero. This first part consists of a huge leak of documents and files stolen from the CIA's Center for Cyber Intelligence in Langley, Virginia. The leak's content is about the CIA's malware arsenal, zero-day weaponized exploits, and how Apple's iPhone, Google's Android, devices Microsoft's Windows devices, and even Samsung TVs are turned into covert microphones.

Ghidra was referenced three times in this leak (https://wikileaks.org/ciav7p1/cms/index.html), showing things such as how to install it, a step-by-step tutorial (with screenshots) of how to perform a manual analysis of a 64-bit kernel cache by using Ghidra, and the latest Ghidra version available at the time, which was Ghidra 7.0.2.

NSA release

As announced during RSA Conference 2019 in San Francisco, Rob Joyce, senior advisor for cybersecurity at NSA, explained the unique capabilities and features of Ghidra during a session called Get your free NSA reverse engineering tool, and Ghidra program binaries were also published.

During this session, some features were explained:

  • Team collaboration on a single project feature
  • The capabilities to extend and scale Ghidra
  • The generic processor model, also known as SLEIGH
  • The two working modes: interactive and non-GUI
  • The powerful analysis features of Ghidra

Finally, on April 4, 2019, the NSA released the source code of Ghidra on GitHub (https://github.com/NationalSecurityAgency/ghidra), as well as on the Ghidra website, where you can download Ghidra release versions that are ready to use: https://ghidra-sre.org. The first version of Ghidra that was available on this website was Ghidra 9.0. Ghidra's website is probably not available to visitors outside the US; if this is the case, you can access it by using a VPN or an online proxy such as HideMyAss (https://www.hidemyass.com/).

Unfortunately for the NSA, a few hours later, the first Ghidra vulnerability was published by Matthew Hickey, also known as @hackerfantastic, at 1:20 AM, March 6, 2019. He said the following via Twitter:

Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely (Man facepalming). to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://github.com/hackerhouse-opensource/exploits/blob/master/jdwp-exploit.txt.

Then, a lot of suspicions about the NSA and Ghidra arose. However, taking into account the cyber-espionage capabilities of the NSA, do you think the NSA needs to include a backdoor in its own software in order to hack its users?

Obviously, no. They don't need to do this because they already have cyber-weapons for that.

You can feel comfortable when using Ghidra; probably, the NSA only wanted to do something honorable to improve its own image and, since Ghidra's existence was leaked by WikiLeaks, what better way to do that than to publish it at RSA Conference and release it as open source?

bookmark search playlist download font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected

Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY