Edition: 2
Authors: David Álvarez Pérez, Ravikant Tiwari
Series:
ISBN: 1835889824, 9781835889824
Publisher: Packt Publishing
Year of publication: 2025
Number of pages: 0
Language: English
File format: EPUB (converted to PDF, EPUB or AZW3 on request)
File size: 46 MB
If you need the book Ghidra Software Reverse-Engineering for Beginners, Second Edition: Master the Art of Debugging, from Understanding Code to Mitigating Threats converted to PDF, EPUB, AZW3, MOBI or DJVU, you can ask support to convert the file for you.
Please note that the book Ghidra Software Reverse-Engineering for Beginners, Second Edition: Master the Art of Debugging, from Understanding Code to Mitigating Threats is the original-language edition, not a Persian translation. The International Library website supplies original-language books only and does not offer any book translated into or written in Persian.
Table of contents

Ghidra Software Reverse-Engineering for Beginners
Contributors
  About the authors
  About the reviewers
Preface
  Who this book is for
  What this book covers
  To get the most out of this book
  Download the example code files
  Conventions used
  Get in touch
  Reviews
  Share Your Thoughts
  Download a free PDF copy of this book

Part 1: Introduction to Ghidra

Chapter 1: Getting Started with Ghidra
  Technical requirements
  WikiLeaks Vault 7
  NSA release
  Ghidra versus IDA and many other competitors
  Ghidra overview
  Installing Ghidra
  Running Ghidra
  Overview of Ghidra's features
  Summary
  Questions

Chapter 2: Automating RE Tasks with Ghidra Scripts
  Technical requirements
  Using and adapting existing scripts
  The script class
  Script development
  Summary
  Questions

Chapter 3: Ghidra Debug Mode
  Technical requirements
  Setting up the Ghidra development environment
  Overview of the software requirements
  Installing the JDK
  Installing the Eclipse IDE
  Installing PyDev
  Installing GhidraDev
  Debugging the Ghidra code and Ghidra scripts
  Debugging Ghidra scripts from Eclipse
  Debugging any Ghidra component from Eclipse
  Ghidra RCE vulnerability
  Explaining the Ghidra RCE vulnerability
  Exploiting the Ghidra RCE vulnerability
  Fixing the Ghidra RCE vulnerability
  Looking for vulnerable computers
  Summary
  Questions
  Further reading

Chapter 4: Using Ghidra Extensions
  Technical requirements
  Installing existing Ghidra extensions
  Analyzing the source code of the Sample Table Provider plugin
  Understanding the Ghidra extension skeleton
  Analyzers
  Filesystems
  Plugins
  Exporters
  Loaders
  Developing a Ghidra extension
  Summary
  Questions
  Further reading

Part 2: Reverse-Engineering

Chapter 5: Reversing Malware Using Ghidra
  Technical requirements
  Setting up the environment
  Looking for malware indicators
  Looking for strings
  Intelligence information and external sources
  Checking import functions
  Dissecting interesting malware sample parts
  The entry point function
  Analyzing the 0x00453340 function
  Analyzing the 0x00453C10 function
  Analyzing the 0x0046EA60 function
  Analyzing the 0x0046BEB0 function
  Analyzing the 0x0046E3A0 function
  Analyzing the 0x004559B0 function
  Analyzing the 0x004554E0 function
  Analyzing the 0x0046C860 function
  Analyzing the 0x0046A100 function
  Summary
  Questions
  Further reading

Chapter 6: Scripting Malware Analysis
  Technical requirements
  Using the Ghidra scripting API
  Writing scripts using the Java programming language
  Writing scripts using the Python programming language
  Deobfuscating malware samples using scripts
  The delta offset
  Translating API hashes into addresses
  Deobfuscating the hash table using Ghidra scripting
  Improving the scripting results
  Summary
  Questions
  Further reading

Chapter 7: Using Ghidra's Headless Analyzer
  Technical requirements
  Why use headless mode?
  Creating and populating projects
  Analyzing imported or existing binaries
  Running non-GUI scripts in a project
  Summary
  Questions
  Further reading

Part 3: Binary Analysis

Chapter 8: Binary Diffing
  Technical requirements
  Using Ghidra BSim
  Getting BSim up and running
  Finding similar functions
  Querying the BSim database
  Finding patched code – function comparison
  Binary diffing usage in vulnerability research
  Summary
  Questions
  Further reading

Chapter 9: Auditing Program Binaries
  Technical requirements
  Understanding memory corruption vulnerabilities
  Understanding the stack
  Stack-based buffer overflow
  Understanding the heap
  Heap-based buffer overflow
  Format strings
  Finding vulnerabilities using Ghidra
  Exploiting a simple stack-based buffer overflow
  Summary
  Questions
  Further reading

Chapter 10: Scripting Binary Audits
  Technical requirements
  Looking for vulnerable functions
  Retrieving unsafe C/C++ functions from the symbols table
  Decompiling the program using scripting
  Looking for sscanf callers
  Enumerating caller functions
  Analyzing the caller function using P-Code
  P-Code versus assembly language
  Retrieving P-Code and analyzing it
  Using the same P-Code-based script in multiple architectures
  Summary
  Questions
  Further reading

Part 4: Extending Ghidra for Advanced Reverse-Engineering

Chapter 11: Developing Ghidra Plugins
  Technical requirements
  Overview of existing plugins
  Plugins included with the Ghidra distribution
  Third-party plugins
  The Ghidra plugin skeleton
  The plugin documentation
  Writing the plugin code
  The provider for a plugin
  Developing a Ghidra plugin
  Documenting the plugin
  Implementing the plugin class
  Implementing the provider
  Summary
  Questions
  Further reading

Chapter 12: Incorporating New Binary Formats
  Technical requirements
  Understanding the difference between raw binaries and formatted binaries
  Understanding raw binaries
  Understanding formatted binaries
  Developing a Ghidra loader
  The old-style DOS executable (MZ) parser
  The old-style DOS executable (MZ) loader
  Understanding filesystem loaders
  FileSystem Resource Locator
  Summary
  Questions
  Further reading

Chapter 13: Analyzing Processor Modules
  Technical requirements
  Understanding the existing Ghidra processor modules
  Overviewing the Ghidra processor module skeleton
  Setting up the processor module development environment
  Creating a processor module skeleton
  Developing Ghidra processors
  Documenting processors
  Identifying functions and code using patterns
  Specifying the language and its variants
  Summary
  Questions
  Further reading

Chapter 14: Contributing to the Ghidra Community
  Technical requirements
  Overviewing the Ghidra project
  The Ghidra community
  Exploring contributions
  Understanding legal aspects
  Submitting a bug report
  Suggesting new features
  Submitting questions
  Submitting a pull request to the Ghidra project
  Summary
  Questions
  Further reading

Chapter 15: Extending Ghidra for Advanced Reverse-Engineering
  Technical requirements
  Learning the basics of advanced reverse-engineering
  Learning about symbolic execution
  Learning about SMT solvers
  Learning about concolic execution
  Using Ghidra for Advanced reverse-engineering
  Adding symbolic execution capabilities to Ghidra with AngryGhidra
  Converting from PCode into LLVM with pcode-to-llvm
  Summary
  Questions
  Further reading

Part 5: Debugging and Applied Malware Analysis

Chapter 16: Debugging
  Technical requirements
  Ghidra debugger overview
  Starting the Ghidra debugger
  Debugger windows and toolbar
  Debugger specific toolbar
  Execution flow control
  Stepping
  Breakpoint
  Debugging the simple_encoder.exe application
  Remote debugging
  Debugging a Windows kernel
  Summary
  Further reading

Chapter 17: Unpacking in-the-Wild Malware
  Technical requirements
  Malware overview
  Unpacking malware
  Summary
  Further reading

Chapter 18: Reverse-Engineering Ransomware
  Technical requirements
  General working principles of ransomware
  Initial infection vector
  Installation and execution
  Encryption
  C2 communication and exfiltration of data
  Ransom demand notification
  Identifying encryption algorithms
  Initial exploration
  Identifying imported libraries and functions
  Tracing calls to cryptographic functions
  Identifying custom or embedded encryption algorithms
  Using plugins to find known crypto signatures and constants
  Summary
  Further reading

Appendix A: Answer Key
  Chapter 1
  Chapter 2
  Chapter 3
  Chapter 4
  Chapter 5
  Chapter 6
  Chapter 7
  Chapter 8
  Chapter 9
  Chapter 10
  Chapter 11
  Chapter 12
  Chapter 13
  Chapter 14
  Chapter 15

Index