hands on ghidra
play

Hands-On Ghidra A Tutorial about the Software Reverse Engineering - PowerPoint PPT Presentation

Aug 23, 2022 •825 likes •1.25k views

Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder Thales Group Ghidra? Gee-druh. The G sounds like the G in goto, great, good, graph and GitHub. The emphasis goes on the first syllable.

  1. Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder Thales Group

  2. Ghidra? “Gee-druh. The G sounds like the G in goto, great, good, graph and GitHub. The emphasis goes on the first syllable.” Frequently asked questions 2

  3. Introduction - Ghidra ● Software Reverse Engineering Framework ● Developed by the National Security Agency ● Public release March 5 th 2019 ● Open Source, Apache v2 license ● Written in Java*, runs on Linux, Windows & Mac ● Free 3

  4. Overview ● Features ● Extension & Automation ● p-code & SLEIGH format ● Comparison with IDA Pro 4

  5. Features ● Supports many architectures ● Highly customizable ● Decompiler ● Collaboration/Ghidra Server ● Emulator* ● Thoroughly documented ● Parse C Source & Structure editor ● Built-in Assembler ● Control Flow Graph & Call Graph visualization ● “Version Tracking” 5

  6. Features – Supported Architectures 6502, 68000, 6805, 80251, 80390, 8048, 8051, 8085, ARM/AArch64, AVR8/32, CR16C, Dalvik, JVM, dsPIC30F/33E/33F, HC05/08/S08/S12, MCS96, MIPS, PA-RISC, PIC-12/16/17/18/24, PowerPC, Sparc, SuperH/ H4, TI MSP430/430X, TriCore, x86/64, Z180, Z80 6

  7. Features – Supported Architectures 6502, 68000, 6805, 80251, 80390, 8048, 8051, 8085, ARM/AArch64 , AVR8/32, CR16C, Dalvik , JVM , dsPIC30F/33E/33F, HC05/08/S08/S12, MCS96, MIPS , PA-RISC, PIC-12/16/17/18/24, PowerPC , Sparc , SuperH/ H4, TI MSP430/430X, TriCore, x86/64 , Z180, Z80 7

  8. Features - Customization ● Modify window layout (add/remove views, re- organize, …) ● Despite (re-)organization of views All in sync with current selection ● Modify Hotkeys ● Change fonts, fore-/background colors ● Load & Organize Plug-Ins within the GUI 8

  9. Features – Decompiler ● THE most anticipated feature ● Works for all aforementioned architectures ● Fairly clean ● Different Data Flows highlightable (def-use chain, forward/ backward slice) ● Potential decompilation errors are tagged with special variable names/prefixes (in_, in_stack_, extraout_, unaff_) 9

  10. Features – Collaboration ● Ghidra client & server ● Share and work on projects with multiple users ● Read/Write/Admin access per user configurable ● Merge conflicts can be resolved with a given tool ● Authentication: Username/Password, Active Directory (Kerberos), PKI, JAAS, SSH preshared key for headless ● Not interactive ● No branches 10

  11. Features – Emulator* ● Has API for emulation ● Ability to set breakpoints for the emulation ● Sample scripts provided ● However no nice “clicky” interface for out-of- the-box usage* *yet… (supposedly to be released with an Integrated debugger some time) 11

  12. Features – Header parser & Struct editor ● Visual struct editor ● Struct/Data previews ● Accumulated data types exportable/importable (Ghidra Data Type Archives .gdt) ● You can provide custom header files to add function signatures, structs, … ● Export all said types to a header file 12

  13. Features – Built-In Assembler ● Auto-completion (use upper case) ● Immediately alters analysis/decompilation ● Changes only in Ghidra, not file on disk ● Changes can be exported back to file* ● Different stability/coverage ratings per Architecture 13

  14. Features – Built-In Assembler ● Poor: disPIC30F ● Bronze: AVR32 ● Gold: x86-64 ● Platinum: x86, ARM/Thumb 32, AArch64, PowerPC, SPARC, MIPS, PA-RISC, AVR8, SuperH-4, 68000, TI MSP430X 14

  15. Features – Documentation ● Javadoc for Java API available ● Context-sensitive & well described Help pages (hover mouse over item in question & press F1) ● GhidraClass: Slide-sets & exercises covering all aspects of Ghidra usage and extension (Beginner, Intermediate, Advanced ) ● 245 example scripts (Java & Python), showcasing how to use the API ● Instruction reference* & Instruction encoding *requires prior download of reference manuals to right location 15

  16. Features – CFGs & Call graphs ● Interactive Control Flow Graphs and Call graphs* ● Both sync with code selection changes ● Flows to/from blocks or loops are highlightable ● Call graphs also representable as Call Tree (quick overview w/o needing much space) *seem a bit sluggish, especially on obfuscated code 16

  17. Extension & Automation ● Java scripts ● Python scripts & Interpreter ● Customized “tools” ● Headless mode 17

  18. Extension & Automation - Java Scripts ● Integration with Eclipse →Auto-completion →Debuggability ● Ghidra Program API vs. Script API ● GhidraDev Eclipse plugin ● Can run other java or python scripts from within a script 18

  19. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 19

  20. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 20

  21. Extension & Automation - Java Scripts // Description goes here // and continues here // @author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 21

  22. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author // @category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 22

  23. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts // @keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 23

  24. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f // @menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 24

  25. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 // @toolbar logo.png 25

  26. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 26

  27. Extension & Automation - Python ● Run via Jython ● Tied to Python 2.7.1 ● Integrated interpreter ● Auto-completion ● help(COMMAND) →prints corresponding javadoc ● GhidraDev Eclipse plugin + PyDev plugin ● Can run other python or java scripts from within a script 27

  28. Extension & Automation – Custom “tools” ● Save window layout, key bindings, colors, loaded plugins, etc. as custom “tools” ● Useful to have several tools for different tasks (Not have everything clobbered into one & always adjust the windows etc.) 28

  29. Extension & Automation – Headless mode ● Run custom scripts before/after analysis or w/o analysis ● Turn On/Off certain analysis passes ● Java scripts/Python scripts – both work ● Run on single file, folders, wildcarded files ● Import into existing projects, keep/delete newly created projects ● Can interact with shared repositories (Computation happens locally though) ● Make address selections or pass values to follow-up scripts 29

  30. Dv f p-code & SLEIGH format ● p-code: Ghidras intermediate representation (IR) Yes yes… another IR... ● SLEIGH: file format describing Binary Assembly p-code snippet + information about registers and adress space 30

  31. Dv f p-code & SLEIGH format ● Register Transfer Language ● “raw p-code” & “Additional p-code” ● No side-effects ● Unlimited temporary registers ● Address space, Varnode & p-code operations ● Pseudo p-code 31

  32. Dv Pseudo p-code 32

  33. Additional p-code operations ● MULTIEQUAL ● INDIRECT ● PTRADD ● PTRSUB ● CAST 33

  34. Dv f p-code & SLEIGH format ● SLEIGH format can have file inclusions, macros and other preprocessing ● Defines endianness, alignment, wordsize, access (r/w) and other properties of address spaces ● Complex but generic format further describing the disassembly process 34

  35. Comparison with IDA Pro ● Architecture support: → More disassemblers in IDA → More decompilers in Ghidra (All previously mentioned architectures) ● Features: → Integrated debugger for all major platforms in IDA → Integrated collaboration in Ghidra ● Extensibility: → Broad community and many plugins for IDA → Thorough documentation and many examples in Ghidra 35

  36. Comparison with IDA Pro ● Performance ● Documentation ● Decompilation: Comparable, slight differences ● Stability: both similarly good/bad ● “Look & Feel” ● The little things ● Price: free vs. 52959$ 36

  37. Future? Official: ● Debugger ● (Emulator) Community: ● More plugins to follow... ● P-code → LLVM IR anyone? 37

  38. Conclusion ● Great all-in-one framework ● Easy to use and extend ● Free 38

  39. Thank you for your attention! Questions? Contact: Roman Rohleder roman.rohleder@thalesgroup.com 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hands Overview Outline Existing hands Robot hands of the 80s Commercial hands Research

Hands Overview Outline Existing hands Robot hands of the 80s Commercial hands Research

Hands Overview Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics Design issues Kinematics Compliance Sensing Actuation Control Robustness Evaluation Discussion Hands of the 80s Hirose

237 views • 22 slides
Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Presented by: Joris Jonkers Both & Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

524 views • 37 slides
Cyber@UC Meeting 88 GHIDRA If Youre New! Join our Slack: cyberatuc.slack.com Check out

Cyber@UC Meeting 88 GHIDRA If Youre New! Join our Slack: cyberatuc.slack.com Check out

Cyber@UC Meeting 88 GHIDRA If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org Organization Resources on our Wiki: wiki.cyberatuc.org SIGN IN! (Slackbot will post the link in #general

327 views • 10 slides
Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics

Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics

Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics Design issues Kinematics Compliance Sensing Actuation Control Robustness Evaluation Discussion Design Issues - Kinematics How many / which

561 views • 18 slides
Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Extrae & Paraver Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for most of the hands on from the web site https://tools.bsc.es/tools-hands-on. No binaries are provided, but you can follow the

633 views • 24 slides
Lecture 3 0/ 16 Probability Computations Bridge Hands and Poker Hands Bridge Hands If you play

Lecture 3 0/ 16 Probability Computations Bridge Hands and Poker Hands Bridge Hands If you play

Lecture 3 0/ 16 Probability Computations Bridge Hands and Poker Hands Bridge Hands If you play bridge you get dealt a hand of 13 cards. Let S be the set of all bridge hands (so our experiment is dealing 13 cards). Since the order in

206 views • 18 slides
Problems for Breakfast Shaking Hands Seven people in a room start shaking hands. Six of them

Problems for Breakfast Shaking Hands Seven people in a room start shaking hands. Six of them

Introduction Graph Theory City Colouring Facebook Friends Villages and Canals Parting Thoughts Problems for Breakfast Shaking Hands Seven people in a room start shaking hands. Six of them shake exactly two peoples hands. How many people

878 views • 45 slides
Hands-on Station Add 1 Hands-on Were going to add some station metadata, create some

Hands-on Station Add 1 Hands-on Were going to add some station metadata, create some

Hands-on Station Add 1 Hands-on Were going to add some station metadata, create some profiles, and see if we can see data coming in to our system. Perform the following instructions on your virtual machine. When youre using a web

981 views • 45 slides
Fight antibiotic resistance its in your hands WHO SAVE LIVES: Clean Your Hands 5 May

Fight antibiotic resistance its in your hands WHO SAVE LIVES: Clean Your Hands 5 May

Fight antibiotic resistance its in your hands WHO SAVE LIVES: Clean Your Hands 5 May 2017 Each year the WHO SAVE LIVES: Clean Your Hands campaign aims to maintain a global profile on the importance of hand hygiene in health care and

554 views • 23 slides
Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Clustering Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for most of the hands on from the web site https://tools.bsc.es/tools-hands-on. Clustering has to be executed on a Linux machine. > ls

389 views • 6 slides
TABLE DISCUSSION (Hands debrief) What has God been teaching you lately? (Hands

TABLE DISCUSSION (Hands debrief) What has God been teaching you lately? (Hands

TABLE DISCUSSION (Hands debrief) What has God been teaching you lately? (Hands debrief) Who did you explain the Learning Circle to this past week? WEDNESDAY GATHERING STEWARDSHIP WHAT IS A STEWARD A Steward is a Manager

867 views • 25 slides
5 May 2019 Clean care for all - it's in your hands

5 May 2019 Clean care for all - it's in your hands

WHO SAVE LIVES: Clean Your Hands 5 May 2019 Clean care for all - it's in your hands http://www.who.int/infection-prevention/en/ Each year the WHO SAVE LIVES: Clean Your Hands campaign aims to maintain a global profile on the importance of

789 views • 60 slides
Hands on Sara Dickinson Willem Toorop Hands on Overview What is the

Hands on Sara Dickinson Willem Toorop Hands on Overview What is the

Hands on Sara Dickinson Willem Toorop Hands on Overview What is the getdns API What can the getdns library do for you Guided tour of the API Examples uses (code!) Demo of Stubby (time permitting) but

945 views • 93 slides
Hands in water ! When should I wash my hands ? N ddition : D/2014/74.80/12 Editeur

Hands in water ! When should I wash my hands ? N ddition : D/2014/74.80/12 Editeur

ANGLAIS EDSBR0436 - Anglais Hands in water ! When should I wash my hands ? N ddition : D/2014/74.80/12 Editeur Responsable : Benot Parmentier ONE.be Chausse de Charleroi 95 - 1060 Bruxelles Tl. : +32 (0)2 542 12 11 / Fax : +32

513 views • 32 slides
HANDS-ON ASTROPHYSICS Story animals ? Yes, BUT we are tool users first and last. We think in

HANDS-ON ASTROPHYSICS Story animals ? Yes, BUT we are tool users first and last. We think in

Tyler August, MSc HANDS-ON ASTROPHYSICS Story animals ? Yes, BUT we are tool users first and last. We think in stories. We learn with our hands. Play = hands on learning Play = hands on learning Wait. What? PLAY ASTROPHYSICS? Madness! 1

533 views • 18 slides
Southeast Michigan Flood Recovery Reuben Grandon What are we seeing now? All Hands On Detroit

Southeast Michigan Flood Recovery Reuben Grandon What are we seeing now? All Hands On Detroit

All Hands Volunteers Southeast Michigan Flood Recovery Reuben Grandon What are we seeing now? All Hands On Detroit www.hands.org www.classy.org/AllHandsOnDetroit 339 223 4490 reuben@hands.org

536 views • 15 slides
Expressing Human Trust in Distributed Systems: the Mismatch Between Tools and Reality Sean W.

Expressing Human Trust in Distributed Systems: the Mismatch Between Tools and Reality Sean W.

Expressing Human Trust in Distributed Systems: the Mismatch Between Tools and Reality Sean W. Smith Department of Computer Science Dartmouth College Hanover, NH USA http://www.cs.dartmouth.edu/~sws/ April 15, 2005 joint work with various

615 views • 38 slides
20 OCT 2020 Presenters: MAJ Ryan Ressler, Maneuver Requirements Division (MRD) Dr. James

20 OCT 2020 Presenters: MAJ Ryan Ressler, Maneuver Requirements Division (MRD) Dr. James

Maneuver Requirements Division Electrification Industry Day Information Briefing 20 OCT 2020 Presenters: MAJ Ryan Ressler, Maneuver Requirements Division (MRD) Dr. James Mancillas, Futures and Concepts Center (FCC) Mr. Steven Herrick, Product

402 views • 19 slides
AVOIDING THE GIT OF DESPAIR E M M A J A N E H O G B I N W E S T B Y S I T E B U I L D I N

AVOIDING THE GIT OF DESPAIR E M M A J A N E H O G B I N W E S T B Y S I T E B U I L D I N

AVOIDING THE GIT OF DESPAIR E M M A J A N E H O G B I N W E S T B Y S I T E B U I L D I N G T R A C K @ E M M A J A N E H W http://drupal.org/user/1773 Avoiding The Git of Despair @emmajanehw http://drupal.org/user/1773

881 views • 58 slides
Staging Drupal Change Management Strategies for Drupal DrupalCamp CT 2010 Staging Drupal

Staging Drupal Change Management Strategies for Drupal DrupalCamp CT 2010 Staging Drupal

Staging Drupal Change Management Strategies DrupalCamp CT 2010 Staging Drupal Change Management Strategies for Drupal DrupalCamp CT 2010 Staging Drupal Change Management Strategies DrupalCamp CT 2010 Introductions Erich Beyrent

578 views • 28 slides
Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely

Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely

Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely deployed as an OpenAFS client platform Many large OpenAFS sites rely heavily on Linux on both servers and clients The OpenAFS Linux client

681 views • 30 slides
a Session-based Library with Polarities and Lenses Keigo Imai Nobuko Yoshida Shoji Yuen

a Session-based Library with Polarities and Lenses Keigo Imai Nobuko Yoshida Shoji Yuen

Session-ocaml : a Session-based Library with Polarities and Lenses Keigo Imai Nobuko Yoshida Shoji Yuen Gifu University, JP Imperial College London, UK Nagoya University, JP COORDINATION 2017 Neuchtel, Switzerland 20th June,

621 views • 59 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
Creative Visualizations A non-programming approach to create instant data visualizations through

Creative Visualizations A non-programming approach to create instant data visualizations through

Creative Visualizations A non-programming approach to create instant data visualizations through drag-and-drop builders Dr. Omer Ayoub Senior Data Scientist House of Mathematical and Statistical Sciences, King Abdul Aziz University, Jeddah,

358 views • 17 slides

More recommend