THE GHIDRA BOOK
The Definitive Guide
by Chris Eagle and Kara Nance
San Francisco
THE GHIDRA BOOK. Copyright 2020 by Chris Eagle and Kara Nance.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN-13: 978-1-71850-102-7 (print)
ISBN-13: 978-1-71850-103-4 (ebook)
Publisher: William Pollock
Executive Editor: Barbara Yien
Production Editors: Laurel Chun and Katrina Taylor
Cover Illustration: Gina Redman
Interior Design: Octopod Studios
Project Editor: Dapinder Dosanjh
Developmental Editor: Athabasca Witschi
Technical Reviewer: Brian Hay
Copyeditor: Barton D. Reed
Compositor: Danielle Foster
Proofreader: Sharon Wilkey
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900
www.nostarch.com
Library of Congress Control Number: 2020938508
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
To all those who believe in science and fact-based decision making as well as all of the COVID-19 first responders around the world whose hard work and sacrifice provided a ray of hope in a time of global crisis.
To all girls who are passionate about investigating and understanding technology and the men and women who support and encourage them. Dream big and keep exploring!
About the Authors
Chris Eagle has been reverse engineering software for 40 years. He is the author of The IDA Pro Book (No Starch Press) and is a highly sought-after provider of reverse engineering training. He has published numerous reverse engineering tools and given talks at conferences such as Blackhat, Defcon, and Shmoocon.
Kara Nance is a private security consultant. She has been a professor of computer science for many years. She has served on the Honeynet Project Board of Directors and given numerous talks at conferences around the world. She enjoys building Ghidra extensions and regularly provides Ghidra training.
About the Tech Reviewer
Brian Hay has been a reverse engineer, professor, and software developer for many years. He has spoken and taught at many conferences and is currently a senior researcher for a boutique security research company. He specializes in designing and developing virtualized environments for training and testing exciting new tools like Ghidra.
CONTENTS IN DETAIL
1 INTRODUCTION TO DISASSEMBLY
2 REVERSING AND DISASSEMBLY TOOLS
3 MEET GHIDRA
4 GETTING STARTED WITH GHIDRA
5 GHIDRA DATA DISPLAYS
6 MAKING SENSE OF A GHIDRA DISASSEMBLY
7 DISASSEMBLY MANIPULATION
8 DATA TYPES AND DATA STRUCTURES
9 CROSS-REFERENCES
10 GRAPHS
11 COLLABORATIVE SRE
12 CUSTOMIZING GHIDRA
13 EXTENDING GHIDRA'S WORLDVIEW
14 BASIC GHIDRA SCRIPTING
15 ECLIPSE AND GHIDRADEV
16 GHIDRA IN HEADLESS MODE
17 GHIDRA LOADERS
18 GHIDRA PROCESSORS
19 THE GHIDRA DECOMPILER
20 COMPILER VARIATIONS
21 OBFUSCATED CODE ANALYSIS
22 PATCHING BINARIES
23 BINARY DIFFERENCING AND VERSION TRACKING
ACKNOWLEDGMENTS
This book would not have been possible without the help and support of the extremely professional staff at No Starch Press. Bill Pollock and Barbara Yien supported our goal of creating a book about Ghidra that aligned with our vision, and we deeply appreciate their confidence in us throughout this journey. Athabasca Witschi's initial feedback on chapters provided valuable insight and guidance. Laurel Chun's ongoing support and patience through all our questions helped turn this book into a finished product we are very proud of. We would also like to thank all of the people behind the scenes for their hard work in making this dream a reality, including Katrina Taylor, Barton D. Reed, Sharon Wilkey, and Danielle Foster.
We would like to thank our technical editor, Brian Hay, for reviewing our many words and examples. His knowledge and experience with Ghidra have helped to ensure that the technical content in this book is solid, and his teaching experience guided our presentation so that the material appeals to both new and experienced reverse engineers.
We would like to thank the entire Ghidra development team, past and present, at the National Security Agency for building Ghidra and sharing it with the world as an open source project.
Kara would like to thank Ben for his patience while she learned about technology and Katie for her patience while she wrote about it. She thanks Jen for the inspirational introduction, and Dickie and Lenora for always believing in her. Finally, she would like to thank Brian for his humor and ongoing support every hour of every day. Without the support that you all provided, this book would not have been possible.
INTRODUCTION
Our goal in writing this book is to provide a resource that introduces Ghidra to both current and future reverse engineers. In the hands of a skilled reverse engineer, Ghidra streamlines the analysis process and allows users to customize and extend its capabilities to suit their individual needs and improve their workflows. Ghidra is also very accessible to new reverse engineers, particularly with its included decompiler that can help them more clearly understand the relationships between high-level language and disassembly listings as they begin exploring the world of binary analysis.
Writing a book about Ghidra is a challenging undertaking. Ghidra is a complex open source reverse engineering tool suite that is continually evolving. Our words describe a moving target, as the Ghidra community continues to improve and extend its capabilities. As with many new open source projects, Ghidra has begun its public life with a rapid string of evolutionary releases. A primary goal while writing this book has been to ensure that as Ghidra evolves, the book's content continues to provide readers with a wide and deep foundation of knowledge to understand and effectively use current and future Ghidra versions to address their reverse engineering challenges. As much as possible, we have tried to keep the book version-agnostic. Fortunately, new releases of Ghidra are well documented, with detailed listings of changes that provide version-specific guidance should you encounter any differences between the book and your version of Ghidra.