[Download] ghidra_9.0_PUBLIC_20190228 - ghidra_9.0.2_PUBLIC_20190403

2019-3-7 10:08 5605
I took a quick look. The decompilation is really strong; for static analysis it can fully challenge IDA. The basic functions and workflow are very similar to IDA's, so there is basically no learning curve.

Baidu Netdisk backup, help yourselves. Current latest version: ghidra_9.0.2_PUBLIC_20190403
Link: https://pan.baidu.com/s/1WSgB0lS7uZqhYvtmJmpeEg Extraction code: ngkv

The source code is now available on GitHub, together with the release packages for each version; downloading from there is recommended:
https://github.com/NationalSecurityAgency/ghidra/releases

Ghidra needs a Java virtual machine to run; after downloading it, add its bin directory to the PATH environment variable.
https://jdk.java.net/11/


Ghidra Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. The framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, Mac OS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.

This repository is a placeholder for the full open source release. Be assured efforts are under way to make the software available here. In the meantime, enjoy using Ghidra on your SRE efforts, developing your own scripts and plugins, and perusing the over-one-million-lines of Java and Sleigh code released within the initial public release. The release can be downloaded from our project homepage. Please consider taking a look at our contributor guide to see how you can participate in this open source project when it becomes available.

If you are interested in projects like this and would like to develop this and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.






Last edited by wonderzdh on 2019-4-8 09:43, reason:
Latest replies (22)
linhanshi 2019-3-7 10:13
2
0
Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
_http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html
Last edited by linhanshi on 2019-3-7 10:14, reason:
linhanshi 2019-3-7 10:14
3
0
First Look at Ghidra (NSA Reverse Engineering Tool) | MalwareTech | 1:06:52 
_https://www.youtube.com/watch?v=285b_DEmvHY
linhanshi 2019-3-7 11:31
4
0
An Hour With Ghidra : The Good and The Ugly
_https://blog.fadyothman.com/an-hour-with-ghidra-the-good-and-the-ugly/
linhanshi 2019-3-7 11:50
5
0

A Getting-Started Tutorial for Ghidra, NSA's Open-Source Reverse Engineering Tool

Original: 360 Threat Intelligence Center, today

Background

Yesterday, at the RSA Conference that had just opened, NSA released a powerful, free, open-source reverse engineering tool: Ghidra. This disassembler is similar to the IDA we commonly use, but it is developed in Java and is a cross-platform disassembler for Windows, Mac and Linux; users can also write their own Ghidra plugins or scripts in Java or Python. WikiLeaks first exposed Ghidra in 2017 in Vault 7, based on internal CIA documents, and Ghidra had been used in NSA-related cybersecurity tasks for years before that.

360 Threat Intelligence Center analyzed the tool in detail as soon as it came out, going through the documentation, the concrete installation and usage steps, and some related anecdotes, to give you a thorough look at this powerful and mysterious security tool.


Ghidra download

It can be downloaded from the Ghidra project homepage or from GitHub:

    https://Ghidra-sre.org

    https://github.com/NationalSecurityAgency/Ghidra


Notes compiled from the official documentation

360 Threat Intelligence Center went through Ghidra's official documentation and covers the necessary installation notes, the directory layout, usage, and the related extensions one by one, so readers can follow along when installing and using it.


Supported platforms

Windows 7 / Windows 10 (64-bit)

Linux (64-bit, preferably CentOS 7)

macOS (10.8.3)


Requirements

Hardware: 4GB RAM; 1GB disk space

Software: Java 11+


Installation

Extract the downloaded archive with an unzip tool (7-zip, WinZIP, WinRAR) and it is ready to use.

Installation notes

Ghidra runs straight from the extracted archive. The advantage is that no system configuration, such as the Windows registry, has to be modified, which makes it easy to remove; the disadvantage is that no shortcut is set up on the desktop or in the Start menu.

Certain drives, such as C:\, require Administrator privileges.

Ghidra uses the system's standard TEMP directory to store its data; this can be changed by editing support/launch.properties.


Java environment notes

Ghidra locates the Java runtime and development kit automatically via PATH.

Configuring the JDK path on Windows

Extract the JDK

Open the system environment variable settings

Add <path of extracted JDK dir>\bin to PATH

Configuring the JDK path on Linux

    1. Extract the JDK

    2. Edit ~/.bashrc

    vi ~/.bashrc

    3. export PATH=<path of extracted JDK dir>/bin:$PATH

    4. Save

A user may of course need a specific Java version; this can be configured with JAVA_HOME_OVERRIDE in support/launch.properties. However, if that version does not meet Ghidra's requirements, Ghidra will not run.


Running Ghidra

GUI mode

Change to the GhidraInstallDir directory and run GhidraRun.bat (Windows) or GhidraRun (Linux or macOS) to start Ghidra in GUI mode:

The startup screen looks like this:

Ghidra Server

Ghidra supports several people collaborating on one reverse engineering project: researchers carry out their reversing tasks on their own machines and commit their changes to a shared repository. The configuration is described in detail in the Ghidra Server documentation.

Command-line mode

Unlike the traditional GUI mode, users can run batch decompilation from the command line.

Standalone JAR mode

Ghidra allows part of its files to be packaged into a JAR and run on their own, which makes launching from the command line easier and also lets Ghidra be used as a standalone Java reverse engineering library. A single Ghidra.jar file can be created with <GhidraInstallDir>/support/buildGhidraJar.


Extensions

Extensions are optional Ghidra components that can:

extend Ghidra's functionality

integrate other tools with Ghidra, such as Eclipse or IDA

The following extensions are bundled by default and can be found in <GhidraInstallDir>/Extensions:

Eclipse: for installing the GhidraDev Eclipse plugin in Eclipse

Ghidra: Ghidra extensions

IDAPro: plugins for interoperating with IDA


Extension notes

They can be installed and uninstalled from the front-end GUI:

- File -> Install Extensions

- Select the extension to install/uninstall

- Restart to take effect

Write permission to GhidraInstallDir is required

Alternatively, without using the GUI, extract the extension directly into <GhidraInstallDir>/Ghidra/Extensions.


Developing extensions

Users can extend Ghidra with custom scripts, plugins and analyzers. Ghidra supports development in Eclipse by providing a custom Eclipse plugin called GhidraDev, found in <GhidraInstallDir>/Extensions/Eclipse.


Walkthrough

Creating a project

Start GUI mode with the bundled BAT script:

After entering, a Tip prompt appears, as shown:

Ghidra is organized by project, so the user first has to create one:

Enter the project name:

After the project is created a directory is generated. Note that project files apparently cannot be deleted directly from the GUI and must be deleted manually:

Once the project is created you can import the file to decompile:

As shown below, we tested decompiling calc.exe, the Calculator program:

Decompilation starts; it is considerably slower than IDA:

When finished, the corresponding item is created under the project; double-click to open it:

On entering you are asked whether to run analysis:

After confirming, you can control the analysis options:

Once analysis starts, a progress bar is shown at the bottom right:

At present Ghidra does not appear to download symbols automatically; the PDB settings need to be configured:

The overall interface after analysis is shown below; it has a strong Java flavor:

Because it is project-based, Ghidra can have several decompiled programs open at once; just import the files into the project:


Main features

360 Threat Intelligence Center collected some common and useful options from Ghidra's disassembly interface and introduces them below:

Navigation menu


This menu holds the main navigation operations:

Window menu

This menu holds the main feature windows, similar to View -> Open subviews in IDA

The Python entry provides functionality similar to IDAPython; use help() or press F1 to see the documentation for a function:

Script Manager menu

The Script Manager contains a large number of Java extension scripts; so far this is the part the author finds most pleasantly surprising:

These scripts can be run directly once selected; below is the string search feature:

Decompiled program comparison

Because everything is per-project, decompiled programs in the same project can be compared with each other:

The options are:

For now, though, the results seem mediocre:


Common shortcuts

Ghidra also supports keyboard shortcuts; 360 Threat Intelligence Center collected some common and useful ones:

Double-click


As in IDA, double-clicking goes to the address or function:

Search (Ctrl+Shift+E)

This shortcut searches, similar to Alt+T in IDA

Result below; it is noticeably slower than IDA:

Bookmark (Ctrl+D)

This shortcut toggles bookmarks:

Decompile (Ctrl+E)

Equivalent to F5 in IDA; shows the decompiled code:

Right-click to view references

Similar to Ctrl+X in IDA:


More operations

More shortcuts and operations are listed in the CheatSheet.html file in the docs folder of the extracted archive:


An anecdote: JDWP remote code execution

Shortly after Ghidra's release, HackerFantastic posted on Twitter that Ghidra has a JDWP remote code execution issue:


JDWP here means a debug port is opened that can be accessed remotely:

In the author's default environment this Java debug port is not enabled:

The author found launch.sh under support; this script does open such a port, but only when started with the debug or debug-suspend parameters:

In fact the GhidraRun we use also starts via launch.bat:

Only, GhidraRun uses the bg parameter and does not activate debug mode:

So for now a normal GUI start does not enable this feature. But since launch is the main entry point, and without a deeper analysis, one cannot rule out other ways of invoking it with the debug or debug-suspend parameters, so it is recommended to patch that code manually.


Summary

At present Ghidra has a decompiler, and viewing and navigating decompiled code has advantages over IDA. However, in use we found that its ability to handle some obfuscated code is still lacking, there is still a large gap in some interface features, and being developed in Java also costs it some performance.


References

https://Ghidra-sre.org/CheatSheet.html

https://Ghidra-sre.org/InstallationGuide.html

https://github.com/NationalSecurityAgency/Ghidra
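The JDWP point in the article above is worth turning into a repeatable check rather than a one-off look at launch.sh. The following Python script is an added example written for this thread; it is not code from 360 Threat Intelligence Center or from the Ghidra project. It parses a JVM command line for the -agentlib:jdwp (or legacy -Xrunjdwp) option, as a launcher script passes it to java, and classifies whether a debug agent would listen and whether it would be reachable from the network. The command lines, the port number 18001 and the class name in SAMPLES are constructed for the example; the JDK 9 change of the default bind address to localhost is a documented JVM behaviour.

```python
"""Audit a JVM launch command line for an exposed JDWP debug agent.

Added example for this thread (not code from 360 Threat Intelligence
Center or from Ghidra). The sample command lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Both the modern -agentlib:jdwp=... form and the legacy -Xrunjdwp:... form.
_JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class JdwpConfig:
    transport: Optional[str]
    server: bool          # server=y: the JVM listens and waits for a debugger
    suspend: bool         # suspend=y: the JVM does not run until a debugger attaches
    host: Optional[str]   # None when address= carries only a port
    port: Optional[str]


def parse_jdwp(cmdline: str) -> Optional[JdwpConfig]:
    """Return the JDWP agent options of a JVM command line, or None if no agent is set."""
    m = _JDWP_RE.search(cmdline)
    if m is None:
        return None
    opts = {}
    for item in m.group(1).split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key] = value
    host = port = None
    address = opts.get("address")
    if address is not None:
        # address may be "port", "host:port" or "*:port"
        host, port = address.rsplit(":", 1) if ":" in address else (None, address)
    return JdwpConfig(
        transport=opts.get("transport"),
        server=opts.get("server", "n") == "y",
        suspend=opts.get("suspend", "y") == "y",
        host=host,
        port=port,
    )


def assess(cmdline: str, java_major: int) -> str:
    """Classify a command line as no-debug, client-debug, local-debug or exposed-debug.

    Before JDK 9 an address with only a port listened on every interface; from
    JDK 9 on a bare port binds to localhost, and only '*' or a non-loopback host
    exposes the agent to the network.
    """
    cfg = parse_jdwp(cmdline)
    if cfg is None:
        return "no-debug"
    if cfg.transport != "dt_socket":
        return "local-debug"        # dt_shmem is Windows shared memory, machine-local
    if not cfg.server:
        return "client-debug"       # the JVM dials out to a debugger, nothing listens
    if cfg.host in LOOPBACK:
        return "local-debug"
    if cfg.host is None:
        return "local-debug" if java_major >= 9 else "exposed-debug"
    return "exposed-debug"


# Constructed samples in the shape a launcher script hands to the JVM.
SAMPLES = {
    "gui": "java -Xmx1G -cp Ghidra.jar ghidra.GhidraRun",
    "debug": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=18001 "
             "-cp Ghidra.jar ghidra.GhidraRun",
    "suspend": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:18001 "
               "-cp Ghidra.jar ghidra.GhidraRun",
    "local": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001 "
             "-cp Ghidra.jar ghidra.GhidraRun",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8s} JDK8={assess(line, 8):14s} JDK11={assess(line, 11)}")
```

The same classifier can be run over the command line of a live java process (for example the output of ps on Linux) to confirm what the article checked by hand: a normal GhidraRun start carries no JDWP option at all, and a debug start is only safe when the address is pinned to a loopback host.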


八岛 1 2019-3-7 13:08
6
0
The MIPS pseudocode is perfect.
linhanshi 2019-3-8 07:49
7
0
Ghidra: A quick overview for the curious
_http://0xeb.net/2019/03/ghidra-a-quick-overview/
linhanshi 2019-3-8 08:14
8
0

Ghidra: A quick overview for the curious

March 6, 2019 | elias | IDA Pro

Ghidra is a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission. It was released recently and I became curious about it and wanted to check it out.

I have not researched to see if someone else did a similar overview article or not, however, I am writing this article for myself and those who don’t want to run Ghidra themselves and just want to learn a bit about it.

I know that it is unfair to compare Ghidra to IDA Pro, but I cannot help it: I am a long time user of IDA Pro and it is my only point of reference when it comes to reverse engineering tools.

This article is going to be long and will contain lots of screenshots. I just started playing with Ghidra and therefore, I might be wrong or might be presenting inaccurate or incomplete information so please excuse me ahead of time.

Table of contents

General overview

What is Ghidra

Files structure overview

Processor modules

Ghidra functionality

Project management

The code browser

The symbol tree

The decompiler

Code patching and the hex viewer

Graph view

Searching features

Scripting features

Misc features

Options

Other screenshots

Conclusion

General Overview

What is Ghidra

Ghidra is a software reverse engineering (SRE) framework that includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, Mac OS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of process instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using the exposed API.

Files structure overview

I ran the `tree` command on the unpacked Ghidra installation archive. Here's the output:

├───Configurations
│   └───Public_Release
│       ├───data
│       └───lib
├───Extensions
├───Features
│   ├───Base
│   │   ├───data
│   │   │   ├───formats
│   │   │   ├───parserprofiles
│   │   │   ├───stringngrams
│   │   │   ├───symbols
│   │   │   │   ├───win32
│   │   │   │   └───win64
│   │   │   └───typeinfo
│   │   │       ├───generic
│   │   │       ├───mac_10.9
│   │   │       └───win32
│   │   │           └───msvcrt
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───BytePatterns
│   │   ├───data
│   │   │   └───test
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───ByteViewer
│   │   ├───data
│   │   └───lib
│   ├───DebugUtils
│   │   └───lib
│   ├───Decompiler
│   │   ├───ghidra_scripts
│   │   ├───lib
│   │   └───os
│   │       ├───linux64
│   │       ├───osx64
│   │       └───win64
│   ├───DecompilerDependent
│   │   ├───data
│   │   └───lib
│   ├───FileFormats
│   │   ├───data
│   │   │   ├───android
│   │   │   ├───crypto
│   │   │   └───languages
│   │   │       └───Dalvik
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───FunctionGraph
│   │   ├───data
│   │   └───lib
│   ├───FunctionGraphDecompilerExtension
│   │   └───lib
│   ├───FunctionID
│   │   ├───data
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───GhidraServer
│   │   ├───data
│   │   │   └───yajsw-stable-12.12
│   │   │       ├───doc
│   │   │       ├───lib
│   │   │       │   ├───core
│   │   │       │   │   ├───commons
│   │   │       │   │   ├───jna
│   │   │       │   │   ├───netty
│   │   │       │   │   └───yajsw
│   │   │       │   └───extended
│   │   │       │       ├───abeille
│   │   │       │       ├───commons
│   │   │       │       ├───cron
│   │   │       │       ├───glazedlists
│   │   │       │       ├───groovy
│   │   │       │       ├───jgoodies
│   │   │       │       ├───keystore
│   │   │       │       ├───regex
│   │   │       │       ├───velocity
│   │   │       │       ├───vfs-dbx
│   │   │       │       ├───vfs-webdav
│   │   │       │       └───yajsw
│   │   │       └───templates
│   │   ├───lib
│   │   └───os
│   │       ├───linux64
│   │       ├───win32
│   │       └───win64
│   ├───GnuDemangler
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───GraphFunctionCalls
│   │   └───lib
│   ├───MicrosoftCodeAnalyzer
│   │   └───lib
│   ├───MicrosoftDemangler
│   │   └───lib
│   ├───MicrosoftDmang
│   │   └───lib
│   ├───PDB
│   │   ├───lib
│   │   ├───os
│   │   │   └───win64
│   │   └───src
│   │       └───pdb
│   │           ├───cpp
│   │           └───headers
│   ├───ProgramDiff
│   │   └───lib
│   ├───Python
│   │   ├───data
│   │   │   └───jython-2.7.1
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───Recognizers
│   │   └───lib
│   ├───SourceCodeLookup
│   │   └───lib
│   └───VersionTracking
│       ├───data
│       ├───ghidra_scripts
│       └───lib
├───Framework
│   ├───DB
│   │   └───lib
│   ├───Demangler
│   │   └───lib
│   ├───Docking
│   │   ├───data
│   │   └───lib
│   ├───FileSystem
│   │   └───lib
│   ├───Generic
│   │   ├───data
│   │   └───lib
│   ├───Graph
│   │   └───lib
│   ├───Help
│   │   └───lib
│   ├───Project
│   │   ├───data
│   │   └───lib
│   ├───SoftwareModeling
│   │   ├───data
│   │   │   └───languages
│   │   └───lib
│   └───Utility
│       └───lib
├───Processors
│   ├───6502
│   │   └───data
│   │       └───languages
│   ├───68000
│   │   ├───data
│   │   │   ├───languages
│   │   │   └───manuals
│   │   └───lib
│   ├───6805
│   │   └───data
│   │       └───languages
│   ├───8051
│   │   ├───data
│   │   │   ├───languages
│   │   │   │   └───old
│   │   │   └───manuals
│   │   └───ghidra_scripts
│   ├───8085
│   │   └───data
│   │       └───languages
│   ├───AARCH64
│   │   ├───data
│   │   │   ├───languages
│   │   │   └───patterns
│   │   └───lib
│   ├───ARM
│   │   ├───data
│   │   │   ├───languages
│   │   │   │   └───old
│   │   │   ├───manuals
│   │   │   └───patterns
│   │   └───lib
│   ├───Atmel
│   │   ├───data
│   │   │   ├───languages
│   │   │   └───manuals
│   │   └───lib
│   ├───CR16
│   │   └───data
│   │       ├───languages
│   │       └───manuals
│   ├───DATA
│   │   ├───data
│   │   │   └───languages
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───JVM
│   │   ├───data
│   │   │   ├───languages
│   │   │   └───manuals
│   │   └───lib
│   ├───MIPS
│   │   ├───data
│   │   │   ├───languages
│   │   │   ├───manuals
│   │   │   └───patterns
│   │   └───lib
│   ├───PA-RISC
│   │   └───data
│   │       ├───languages
│   │       ├───manuals
│   │       └───patterns
│   ├───PIC
│   │   ├───data
│   │   │   ├───languages
│   │   │   └───manuals
│   │   ├───ghidra_scripts
│   │   └───lib
│   ├───PowerPC
│   │   ├───data
│   │   │   ├───languages
│   │   │   │   └───old
│   │   │   ├───manuals
│   │   │   └───patterns
│   │   └───lib
│   ├───Sparc
│   │   ├───data
│   │   │   ├───languages
│   │   │   ├───manuals
│   │   │   └───patterns
│   │   └───lib
│   ├───TI_MSP430
│   │   └───data
│   │       ├───languages
│   │       └───manuals
│   ├───Toy
│   │   ├───data
│   │   │   └───languages
│   │   │       └───old
│   │   │           └───v01stuff
│   │   └───lib
│   ├───x86
│   │   ├───data
│   │   │   ├───languages
│   │   │   │   └───old
│   │   │   ├───manuals
│   │   │   └───patterns
│   │   └───lib
│   └───Z80
│       └───data
│           ├───languages
│           └───manuals
└───Test
    └───IntegrationTest
        └───lib

One can see that this project is pretty organized. Digging deeper, I noticed that Ghidra already includes source code for various components:

There are lots of source code files if you search for `*-src.zip`.

PDB plugin source code

200+ Java scripts in source form

etc.

I mentioned the topic of source code because at the time of writing this article, Ghidra's GitHub repository still does not contain the source code and it reads:

This repository is a placeholder for the full open source release. Be assured efforts are under way to make the software available here. In the meantime, enjoy using Ghidra on your SRE efforts, developing your own scripts and plugins, and perusing the over-one-million-lines of Java and Sleigh code released within the initial public release. The release can be downloaded from our project homepage. Please consider taking a look at our contributor guide to see how you can participate in this open source project when it becomes available.

Processor modules

At the time of writing, Ghidra supports the following processor modules:

6502

68000

6805

8051

8085

AARCH64

ARM

Atmel

CR16

DATA

JVM

MIPS

PA-RISC

PIC

PowerPC

Sparc

TI_MSP430

Toy

x86

Z80

They are located in C:\ghidra_9.0\Ghidra\Processors.

The processor modules seem to be data driven. There is a plugin/extension aspect to them, written and implemented in Java.
For instance, you can find some source code components of the x86 module in here: C:\ghidra_9.0\Ghidra\Processors\x86\lib\x86-src.zip.

The programmable part of a processor module contains things like ‘relocation decoders’, ‘file format decoders’, ‘analysis plugins’, etc.

├───app
│   ├───plugin
│   │   └───core
│   │       └───analysis
│   └───util
│       └───bin
│           └───format
│               ├───coff
│               │   └───relocation
│               └───elf
│                   ├───extend
│                   └───relocation
└───feature
    └───fid
        └───hash

Interestingly enough, processor modules have reference to the corresponding processor module in external tools (namely IDA Pro):

<language_definitions>
  <language processor="6502"
            endian="little"
            size="16"
            variant="default"
            version="1.0"
            slafile="6502.sla"
            processorspec="6502.pspec"
            id="6502:LE:16:default">
    <description>6502 Microcontroller Family</description>
    <compiler name="default" spec="6502.cspec" id="default"/>
    <external_name tool="IDA-PRO" name="m6502"/>
    <external_name tool="IDA-PRO" name="m65c02"/>
  </language>
</language_definitions>

Ghidra functionality

Ghidra is feature full. It includes a powerful code browser, a graph viewer, a decompiler, hundreds of scripts, various search facilities, undo/redo support, a server for collaborative work, program diffing tools, etc.
Since Ghidra is huge, I won’t be able to cover every single feature, instead I will focus on the most important and useful ones that a seasoned reverse engineer will find fundamental.

Project management

Everything is a project in Ghidra. Unlike IDA, you don’t start your reverse engineering session with an input file, instead you start by creating a project. On the first run, there are no projects and you are presented with this dialog:

In this article, I will be reverse engineering my open source Wizmo tool that can be found here. Please grab the binaries if you want to use Ghidra and follow along.
Start by creating a project called “Wizmo” and by importing the “WizmoConsole.exe” program:

After importing the file, you are presented with the import results summary dialog:

After you press “OK”, you get to see the code browser window and are asked whether you want to start analyzing the file:

You can always analyze or re-analyze the file later from the “Analysis” menu:

You can also check the properties of the imported file:

You can import as many files as you want. Normally, the files you import into the project should have a logical relationship among themselves. For example, the main EXE and its DLLs.

In this example above, I imported unrelated files. Later, we will also learn that it is possible to create links from one imported file to another by editing the external functions path. For example WizmoConsole.exe imports from user32.dll, therefore we can link the imported functions in WizmoConsole to jump directly into user32.dll. This feature is what really constitutes a project. The concept of projects is not yet supported by IDA Pro.

The code browser

The code browser can be compared to IDA’s main interface. The code browser hosts all the visual elements of Ghidra:

The main menus

The disassembly view

Symbol tree

Program trees

Strings view

Data types manager

Decompiler view

etc.

The program disassembly listing is highly customizable. Just press on the “Edit the listing fields” button (as indicated by the cursor) to see all the customization options:

Click and drag the fields to re-arrange the visual elements in the disassembly listing (disasm view) window. This advanced visual customization is also not available in IDA Pro.

The code browser also allows you to show additional side information such as the program overview and the entropy:

Inside the code browser disassembly listing, you can press “G” to jump to an address or a label:

Or simply rename a function or label:

You can also right-click on a number in the listing to convert it to another numerical representation:

To view information about an instruction in the code browser, just right click and select “Instruction Info”:

On the same topic of disassembly listing customization, you can convert certain operands to enum constants:

Ghidra sports a nice data type chooser that will help you either type the full type name or choose it visually.

The symbol tree

The symbol tree window lets you see all the symbols in the program, such as the exports, imports, classes, functions, labels, etc.

Here I am exploring the imports of USER32.dll:

As you explore the imported entry, you can double-click to jump to it in the code browser. Additionally, if you are not satisfied with the prototype of the imported entry, you can always edit it:

Earlier, I mentioned that you can link an external function to another imported file. Since we know that all those functions come from user32.dll, we can link those functions to the imported file in the project:

Select: “Path” -> Edit -> and pick the related imported file (user32.dll).


The decompiler

The decompiler is a neat and most welcome feature in Ghidra:

You can toggle the decompiler view from the Window menu. The decompiler view synchronizes with the disassembly listing. Therefore, when you navigate in the decompiler view, you will see the corresponding disassembly lines in the listing window.

Like IDA’s Hex-Rays decompiler plugin, Ghidra’s decompiler is interactive and customizable:

Rename functions

Add comments

Change function prototypes

Change variable names and types

etc.

Here for instance is the full (manually cleaned up) decompilation of the CWizmo::CWizmo constructor:

I had to create a new custom structure first using the “Data Types” window and selecting “New -> Structure”:

I then populated the new structure fields:

If you don’t want to create the custom structures by hand, you can also parse a C header file:

The decompiler has a contextual popup menu:

– It lets you set comments in the decompiler listing:

– Change a decompiled function prototype:

– Change the prototype of a function argument:

– Modify the function’s return type, signature or run searches:

It is worthwhile noting that the function editor (toggled with the "F" hotkey) is as powerful as IDA's function prototyping facilities. You can edit the arguments and specify custom storage (ala IDA's __usercall) for them (stack, registers, etc.):

Some of the supported storage types for the x86 input file:

Apart from being an interactive decompiler, you have powerful searching features. For example, we can search for the usage of a given data type from the decompilation listing.

Here, we right-click on memset's last argument (0x2c, size_t) to look for all usages of the "size_t" type in all decompiled functions (very super handy for vulnerability research):

Right click and select: “Find Uses of size_t”

The result shows us all variables of type “size_t” being used.

Code patching and the hex viewer

Like IDA, Ghidra provides lots of functionality to patch code and then save the patched result. To patch an instruction, just right click and select:

You will then be presented by an instruction editor / assembler:

If you prefer to patch the code like a l33t h4x0r from the hex-viewer, just toggle the hex view from the “Window/Bytes” menu:

Then make the bytes view editable:

You can now edit the program:

The hex viewer has a contextual menu that lets you copy the bytes for instance:

Like in IDA Pro, you can “load additional binaries” by selecting “Add to Program” from the File menu:

(The shellcode to be imported)

After selecting the file you want to add, you can specify additional loading options (block name, base address, etc.):

This is super useful for instance if you want to load shellcode and analyze it along your program:

The new code is then shown nicely in the code browser under its own block name.

No patching is complete without being exported / applied outside. Ghidra, like IDA, lets you export your changes:

Export as a binary format. You will get a summary after a successful export:

If you compare both the original and the patched file, you should see the difference applied correctly:

etc.

Graph view

Ghidra, like IDA also sports a graph view. Combined with the facilities from the “Select” menu, the graph view becomes a powerful tool:

The “Select” menu:

– You can zoom in:

– You can also change the color of a basic block:

– Or collapse the contents of basic blocks into a single block with a label of your choosing:

– You can also play with various visual aids:

– Last but not least, you can select “Full screen” on a given basic block to inspect it better:

Searching features

Ghidra ships with a wide variety of searching functionality under the “Search” menu:

– You can search for address tables for example:

– You can equally search for scalars (ala “immediates value search” in IDA):

Once you find results:

– You can apply additional filters:

When you apply the filter, the search results are further refined:

If you want to look for certain instructions sequence, you can select one or more instructions from the code browser:

…then select “For Instruction Pattern ” from the search menu to execute the search:

Scripting features

No SRE tool is complete without powerful scripting facilities (select scripting from the “Window/Script manager” menu). Ghidra, out of the box, ships with 200+ scripts written in Java:

For example, the FindImagesScript.java script finds PNG and GIF images in the input file:

Those scripts use the Ghidra’s APIs:

If you don't like Java, you can use Python (hosted with Jython) to write scripts:

Misc features

Ghidra has many other miscellaneous features worth mentioning.

Let’s start with the cross referencing features.
You can ask Ghidra to compute the cross reference to and from almost any item (string, instruction, register, etc.).

Here for example, we are looking for cross references to a given string from the strings window:

With strings cross referencing, you can discover malicious strings or locate the code that refers / implements certain features (based on the string text you found).

Like in IDA, you can create xrefs manually:

Another feature that can be compared to IDA’s “Segments window” is the “Memory map” window:

In the memory map, you can see the program sections (if the input file has sections, like a PE or ELF file).

Additionally, you can create new sections manually:

Options

Almost everything can be configured in Ghidra through the options facilities:

Other screenshots

Here are some miscellaneous screenshots from Ghidra:

Conclusion

After having played with Ghidra’s UI for a couple of hours, I found it useful and capable but that won’t be enough for me to make the switch from IDA Pro to Ghidra:

I have been using IDA Pro for 22+ years. It is not easy to throw away this experience and start learning a new tool.

Having worked with Hex-Rays and contributed to many features in IDA, I know its SDK and internals pretty well and I know nothing about Ghidra’s

If I want to learn Ghidra’s APIs, I can. However, there are no business justifications yet.

Debuggers: IDA has so many debuggers

They are my best features in IDA Pro. Without debuggers it is hard for me to switch away from IDA.

Customer support: the best in the world

Hex-Rays customer support has spoiled me over the years. You cannot expect the same level of responsiveness and professionalism from any other company. And yes, Amazon Customer service does not even come close to Hex-Rays'.

IDA is written in C++

IDA, at least on the Windows Platform, feels much neater and faster than Ghidra

A higher degree of interactivity

From my little interaction with Ghidra, IDA still has lots of interactive features and ways to modify the disassembly listing and the Hex-Rays decompiler output.

IDA is highly programmable and scriptable

Yes, Ghidra is programmable and scriptable

But in my opinion, IDA still beats that:

Write plugins / processor modules / file loaders in C++, Python, JavaScript, OCaml your own language?

IDA supports way more processor modules and file loaders (file formats). If you do the multiplication of processor_modules * file_loaders, IDA supports 1200+ different file inputs!

Finally, I personally won’t use Ghidra since it is not yet as powerful as IDA or its decompiler. When Ghidra is open sourced and adopted by the community, we will see which SRE tool remains the king: Binary Ninja, radare, IDA Pro, Hopper, etc.?


_http://0xeb.net/2019/03/ghidra-a-quick-overview/
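The .ldefs fragment quoted in the post above is ordinary XML, so the cross-reference from a Ghidra language to the matching IDA Pro processor module can be read mechanically. The following Python script is an added example written for this thread, not code from the 0xeb blog or from the Ghidra project: it parses the language definitions, builds an IDA-PRO name to Ghidra language id table, and checks that each id string (processor:endian:size:variant) agrees with the attributes beside it, which is the kind of consistency check worth running on any processor module you did not ship yourself. The first <language> entry copies the 6502 fragment from the post; the second entry is constructed and deliberately inconsistent to show the check firing.

```python
"""Parse a Ghidra .ldefs language-definition file and cross-check it.

Added example for this thread, not code from the 0xeb blog or from the
Ghidra project. The first <language> entry copies the 6502 fragment quoted
above; the second entry is constructed and deliberately inconsistent.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_LDEFS = """<language_definitions>
  <language processor="6502" endian="little" size="16" variant="default"
            version="1.0" slafile="6502.sla" processorspec="6502.pspec"
            id="6502:LE:16:default">
    <description>6502 Microcontroller Family</description>
    <compiler name="default" spec="6502.cspec" id="default"/>
    <external_name tool="IDA-PRO" name="m6502"/>
    <external_name tool="IDA-PRO" name="m65c02"/>
  </language>
  <!-- constructed entry: the id says LE but the attribute says big-endian -->
  <language processor="toy" endian="big" size="32" variant="default"
            version="1.0" slafile="toy.sla" processorspec="toy.pspec"
            id="toy:LE:32:default">
    <description>Constructed example, not a real Ghidra definition</description>
    <compiler name="default" spec="toy.cspec" id="default"/>
    <external_name tool="IDA-PRO" name="toy_example"/>
  </language>
</language_definitions>
"""


@dataclass
class LanguageDef:
    id: str
    processor: str
    endian: str
    size: int
    variant: str
    slafile: str
    processorspec: str
    description: str
    compilers: Dict[str, str] = field(default_factory=dict)               # compiler id -> cspec
    external_names: List[Tuple[str, str]] = field(default_factory=list)  # (tool, name)


def parse_ldefs(xml_text: str) -> List[LanguageDef]:
    """Turn every <language> element into a LanguageDef."""
    root = ET.fromstring(xml_text)
    defs = []
    for lang in root.iter("language"):
        d = LanguageDef(
            id=lang.get("id"),
            processor=lang.get("processor"),
            endian=lang.get("endian"),
            size=int(lang.get("size")),
            variant=lang.get("variant"),
            slafile=lang.get("slafile"),
            processorspec=lang.get("processorspec"),
            description=(lang.findtext("description") or "").strip(),
        )
        for comp in lang.findall("compiler"):
            d.compilers[comp.get("id")] = comp.get("spec")
        for ext in lang.findall("external_name"):
            d.external_names.append((ext.get("tool"), ext.get("name")))
        defs.append(d)
    return defs


def split_language_id(lang_id: str) -> Tuple[str, str, int, str]:
    """A Ghidra language id has the shape processor:endian:size:variant."""
    processor, endian, size, variant = lang_id.split(":")
    return processor, endian, int(size), variant


def id_mismatches(d: LanguageDef) -> List[str]:
    """Attributes whose value disagrees with the id string (empty when consistent)."""
    processor, endian, size, variant = split_language_id(d.id)
    expected_endian = {"little": "LE", "big": "BE"}[d.endian]
    checks = (
        ("processor", processor == d.processor),
        ("endian", endian == expected_endian),
        ("size", size == d.size),
        ("variant", variant == d.variant),
    )
    return [name for name, ok in checks if not ok]


def external_name_map(defs: List[LanguageDef], tool: str = "IDA-PRO") -> Dict[str, str]:
    """Map an external tool's processor name to the Ghidra language id it corresponds to."""
    return {name: d.id for d in defs for t, name in d.external_names if t == tool}


if __name__ == "__main__":
    defs = parse_ldefs(SAMPLE_LDEFS)
    for d in defs:
        print(d.id, "-", d.description, "- mismatches:", id_mismatches(d) or "none")
    print(external_name_map(defs))
```

Pointing parse_ldefs at the real files under Ghidra/Processors/*/data/languages/*.ldefs gives the full IDA-to-Ghidra processor name table in one pass, which is the raw material an interoperability layer such as the Daenerys framework mentioned later in this thread needs.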

9
0
When will there be a Chinese localization?
coolsnake 2019-3-11 09:01
10
0
Finally released.
linhanshi 2019-3-12 06:38
11
0
Ghidra Install and Simple Keygen Creation on Ubuntu 18.04
_https://www.youtube.com/watch?v=9SM4IvBFxK8
linhanshi 2019-3-15 07:11
12
0
Reverse engineering with #Ghidra: Breaking an embedded firmware encryption scheme 
_https://www.youtube.com/watch?v=4urMITJKQQs
linhanshi 2019-3-17 08:50
13
0
[GHIDRA Plugin] Function String Associate
It does the same thing as plugin FunctionStringAssociate for IDA, Now the script just works, in the future it is planned to increase the speed of work and bring it closer to the speed of the plugin.
_https://twitter.com/kiwipapayamoon/status/1106891992976510976
_https://github.com/partoftheworlD/GHIDRApy_FunctionStringAssociate
linhanshi 2019-3-20 06:06
14
0
Daenerys: IDA Pro and Ghidra interoperability framework
_http://0xeb.net/2019/03/daenerys-ida-pro-and-ghidra-interoperability-framework/
Daenerys is an interop framework that allows you to run IDAPython scripts under Ghidra and Ghidra scripts under IDA Pro with little to no modifications.
_https://github.com/daenerys-sre/source
zhxs 2019-3-24 14:17
15
0
Good thing there's a translation..
猫狗大战 2019-3-27 22:18
16
0
There's already a new version, at: https://ghidra-sre.org/ghidra_9.0.1_PUBLIC_20190325.zip OP, please update when you get a chance..
linhanshi 2019-3-28 06:13
17
0
Reversing WannaCry in Ghidra Part 1 - Finding the killswitch and unpacking the malware
_https://www.youtube.com/watch?v=Sv8yu12y5zM
linhanshi 2019-3-28 06:14
18
0
GHIDRA 9.0.1 has been released with many bugfixes!
Changelog:_ https://ghidra-sre.org/releaseNotes.html
Download:_ https://ghidra-sre.org/

ghidra_9.0.1_PUBLIC_20190325.zip
SHA-256
58ffa488e6dc57e2c023670c1dfac0469bdb6f4e7da98f70610d9f561b65c774
_https://www.sendspace.com/file/r8t0zv  
linhanshi 2019-3-28 07:33
19
0
_https://pan.baidu.com/s/1pyClodq7AYm1xJe-F_NTKQ
pass:mgpo 
linhanshi 2019-3-29 06:31
20
0
ghidra_scripts
_https://github.com/ghidraninja/ghidra_scripts
Docs API
_http://ghidra.re/ghidra_docs/api/
Online Courses
_http://ghidra.re/online-courses/
Last edited by linhanshi on 2019-3-29 06:31, reason:
linhanshi 2019-4-5 07:14
21
0
Ghidra Source Code
_https://github.com/NationalSecurityAgency/ghidra
linhanshi 2019-4-5 12:14
22
0

Ghidra 9.0.2

Ghidra 9.0.2 Change History (April 2019)

Bugs

Analysis. Constant reference analysis boundary controls for speculative references has been fixed. Speculative references are references created from computed constants passed as parameters, stored to a location, or from indexed offsets from a register. (Issue #228)

Decompiler. Fixed rendering bug in the Decompiler when the "Find" dialog is closed. (Issue #282)

Decompiler. Fixed decompiler handling of Function Definition data types. (Issue #247)

Decompiler. Fixed "Free Varnode" exception in RuleConditionalMove. (Issue #294)

Diff. Fixed exceptions that can occur in the Diff View for programs with overlays.

Documentation. Corrected the spelling of "listener" throughout the source code. (Issue #235)

Exporter. Exporting a selection as Intel Hex will now allow a selection of any length. Previously this was restricted to multiples of 16 bytes. (Issue #260)

GUI. Fixed exception that occurs after disabling MyProgramChangesDisplayPlugin.

GUI. Updated the "Open Program" dialog to disallow file drop operations. (Issue #252)

Languages. The ARM Thumb CMP.W and LSL instructions have been changed to correctly decode. There are still issues to work out with Unpredictable execution when Rd is the PC. (Issue #280)

Multi-User: Ghidra Server. Corrected bug introduced into ghidraSvr.bat which could prevent Ghidra Server startup. (Issue #279)

Scripting. MultiInstructionMemReference script has been corrected to consider input and output registers when placing a reference on an instruction.

Security

Basic Infrastructure. Added a property to support/launch.properties to prevent log4j from using jansi.dll on Windows. (Issue #286)


_https://pan.baidu.com/s/1-VIXKIhO-2JuyalzeWKCaQ 

pass:93z0  



赛飞 2019-4-9 16:04
23
0
After modifying a .so, how do you export the .so package? Does the OP know.. Please advise; the binary export can't be used.