hands on ghidra
play

Hands-On Ghidra A Tutorial about the Software Reverse Engineering - PowerPoint PPT Presentation

Aug 23, 2022 •825 likes •1.25k views

Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder Thales Group Ghidra? Gee-druh. The G sounds like the G in goto, great, good, graph and GitHub. The emphasis goes on the first syllable.

  1. Hands-On Ghidra A Tutorial about the Software Reverse Engineering Framework Roman Rohleder Thales Group

  2. Ghidra? “Gee-druh. The G sounds like the G in goto, great, good, graph and GitHub. The emphasis goes on the first syllable.” Frequently asked questions 2

  3. Introduction - Ghidra ● Software Reverse Engineering Framework ● Developed by the National Security Agency ● Public release March 5 th 2019 ● Open Source, Apache v2 license ● Written in Java*, runs on Linux, Windows & Mac ● Free 3

  4. Overview ● Features ● Extension & Automation ● p-code & SLEIGH format ● Comparison with IDA Pro 4

  5. Features ● Supports many architectures ● Highly customizable ● Decompiler ● Collaboration/Ghidra Server ● Emulator* ● Thoroughly documented ● Parse C Source & Structure editor ● Built-in Assembler ● Control Flow Graph & Call Graph visualization ● “Version Tracking” 5

  6. Features – Supported Architectures 6502, 68000, 6805, 80251, 80390, 8048, 8051, 8085, ARM/AArch64, AVR8/32, CR16C, Dalvik, JVM, dsPIC30F/33E/33F, HC05/08/S08/S12, MCS96, MIPS, PA-RISC, PIC-12/16/17/18/24, PowerPC, Sparc, SuperH/ H4, TI MSP430/430X, TriCore, x86/64, Z180, Z80 6

  7. Features – Supported Architectures 6502, 68000, 6805, 80251, 80390, 8048, 8051, 8085, ARM/AArch64 , AVR8/32, CR16C, Dalvik , JVM , dsPIC30F/33E/33F, HC05/08/S08/S12, MCS96, MIPS , PA-RISC, PIC-12/16/17/18/24, PowerPC , Sparc , SuperH/ H4, TI MSP430/430X, TriCore, x86/64 , Z180, Z80 7

  8. Features - Customization ● Modify window layout (add/remove views, re- organize, …) ● Despite (re-)organization of views All in sync with current selection ● Modify Hotkeys ● Change fonts, fore-/background colors ● Load & Organize Plug-Ins within the GUI 8

  9. Features – Decompiler ● THE most anticipated feature ● Works for all aforementioned architectures ● Fairly clean ● Different Data Flows highlightable (def-use chain, forward/ backward slice) ● Potential decompilation errors are tagged with special variable names/prefixes (in_, in_stack_, extraout_, unaff_) 9

  10. Features – Collaboration ● Ghidra client & server ● Share and work on projects with multiple users ● Read/Write/Admin access per user configurable ● Merge conflicts can be resolved with a given tool ● Authentication: Username/Password, Active Directory (Kerberos), PKI, JAAS, SSH preshared key for headless ● Not interactive ● No branches 10

  11. Features – Emulator* ● Has API for emulation ● Ability to set breakpoints for the emulation ● Sample scripts provided ● However no nice “clicky” interface for out-of- the-box usage* *yet… (supposedly to be released with an Integrated debugger some time) 11

  12. Features – Header parser & Struct editor ● Visual struct editor ● Struct/Data previews ● Accumulated data types exportable/importable (Ghidra Data Type Archives .gdt) ● You can provide custom header files to add function signatures, structs, … ● Export all said types to a header file 12

  13. Features – Built-In Assembler ● Auto-completion (use upper case) ● Immediately alters analysis/decompilation ● Changes only in Ghidra, not file on disk ● Changes can be exported back to file* ● Different stability/coverage ratings per Architecture 13

  14. Features – Built-In Assembler ● Poor: disPIC30F ● Bronze: AVR32 ● Gold: x86-64 ● Platinum: x86, ARM/Thumb 32, AArch64, PowerPC, SPARC, MIPS, PA-RISC, AVR8, SuperH-4, 68000, TI MSP430X 14

  15. Features – Documentation ● Javadoc for Java API available ● Context-sensitive & well described Help pages (hover mouse over item in question & press F1) ● GhidraClass: Slide-sets & exercises covering all aspects of Ghidra usage and extension (Beginner, Intermediate, Advanced ) ● 245 example scripts (Java & Python), showcasing how to use the API ● Instruction reference* & Instruction encoding *requires prior download of reference manuals to right location 15

  16. Features – CFGs & Call graphs ● Interactive Control Flow Graphs and Call graphs* ● Both sync with code selection changes ● Flows to/from blocks or loops are highlightable ● Call graphs also representable as Call Tree (quick overview w/o needing much space) *seem a bit sluggish, especially on obfuscated code 16

  17. Extension & Automation ● Java scripts ● Python scripts & Interpreter ● Customized “tools” ● Headless mode 17

  18. Extension & Automation - Java Scripts ● Integration with Eclipse →Auto-completion →Debuggability ● Ghidra Program API vs. Script API ● GhidraDev Eclipse plugin ● Can run other java or python scripts from within a script 18

  19. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 19

  20. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 20

  21. Extension & Automation - Java Scripts // Description goes here // and continues here // @author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 21

  22. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author // @category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 22

  23. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts // @keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 23

  24. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f // @menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 24

  25. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 // @toolbar logo.png 25

  26. Extension & Automation - Java Scripts // Description goes here // and continues here //@author Author //@category MyScripts //@keybinding alt f //@menupath MyScripts.Fix Disassembly1 //@toolbar logo.png 26

  27. Extension & Automation - Python ● Run via Jython ● Tied to Python 2.7.1 ● Integrated interpreter ● Auto-completion ● help(COMMAND) →prints corresponding javadoc ● GhidraDev Eclipse plugin + PyDev plugin ● Can run other python or java scripts from within a script 27

  28. Extension & Automation – Custom “tools” ● Save window layout, key bindings, colors, loaded plugins, etc. as custom “tools” ● Useful to have several tools for different tasks (Not have everything clobbered into one & always adjust the windows etc.) 28

  29. Extension & Automation – Headless mode ● Run custom scripts before/after analysis or w/o analysis ● Turn On/Off certain analysis passes ● Java scripts/Python scripts – both work ● Run on single file, folders, wildcarded files ● Import into existing projects, keep/delete newly created projects ● Can interact with shared repositories (Computation happens locally though) ● Make address selections or pass values to follow-up scripts 29

  30. Dv f p-code & SLEIGH format ● p-code: Ghidras intermediate representation (IR) Yes yes… another IR... ● SLEIGH: file format describing Binary Assembly p-code snippet + information about registers and adress space 30

  31. Dv f p-code & SLEIGH format ● Register Transfer Language ● “raw p-code” & “Additional p-code” ● No side-effects ● Unlimited temporary registers ● Address space, Varnode & p-code operations ● Pseudo p-code 31

  32. Dv Pseudo p-code 32

  33. Additional p-code operations ● MULTIEQUAL ● INDIRECT ● PTRADD ● PTRSUB ● CAST 33

  34. Dv f p-code & SLEIGH format ● SLEIGH format can have file inclusions, macros and other preprocessing ● Defines endianness, alignment, wordsize, access (r/w) and other properties of address spaces ● Complex but generic format further describing the disassembly process 34

  35. Comparison with IDA Pro ● Architecture support: → More disassemblers in IDA → More decompilers in Ghidra (All previously mentioned architectures) ● Features: → Integrated debugger for all major platforms in IDA → Integrated collaboration in Ghidra ● Extensibility: → Broad community and many plugins for IDA → Thorough documentation and many examples in Ghidra 35

  36. Comparison with IDA Pro ● Performance ● Documentation ● Decompilation: Comparable, slight differences ● Stability: both similarly good/bad ● “Look & Feel” ● The little things ● Price: free vs. 52959$ 36

  37. Future? Official: ● Debugger ● (Emulator) Community: ● More plugins to follow... ● P-code → LLVM IR anyone? 37

  38. Conclusion ● Great all-in-one framework ● Easy to use and extend ● Free 38

  39. Thank you for your attention! Questions? Contact: Roman Rohleder roman.rohleder@thalesgroup.com 39

Recommend

Hands Overview Outline Existing hands Robot hands of the 80s Commercial hands Research

Hands Overview Outline Existing hands Robot hands of the 80s Commercial hands Research

Hands Overview Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics Design issues Kinematics Compliance Sensing Actuation Control Robustness Evaluation Discussion Hands of the 80s Hirose

237 views • 22 slides
Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward

Presented by: Joris Jonkers Both & Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

524 views • 37 slides
Cyber@UC Meeting 88 GHIDRA If Youre New! Join our Slack: cyberatuc.slack.com Check out

Cyber@UC Meeting 88 GHIDRA If Youre New! Join our Slack: cyberatuc.slack.com Check out

Cyber@UC Meeting 88 GHIDRA If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org Organization Resources on our Wiki: wiki.cyberatuc.org SIGN IN! (Slackbot will post the link in #general

327 views • 10 slides
Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics

Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics

Outline Existing hands Robot hands of the 80s Commercial hands Research hands Prosthetics Design issues Kinematics Compliance Sensing Actuation Control Robustness Evaluation Discussion Design Issues - Kinematics How many / which

561 views • 18 slides
Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Extrae & Paraver Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for most of the hands on from the web site https://tools.bsc.es/tools-hands-on. No binaries are provided, but you can follow the

633 views • 24 slides
Lecture 3 0/ 16 Probability Computations Bridge Hands and Poker Hands Bridge Hands If you play

Lecture 3 0/ 16 Probability Computations Bridge Hands and Poker Hands Bridge Hands If you play

Lecture 3 0/ 16 Probability Computations Bridge Hands and Poker Hands Bridge Hands If you play bridge you get dealt a hand of 13 cards. Let S be the set of all bridge hands (so our experiment is dealing 13 cards). Since the order in

206 views • 18 slides
Problems for Breakfast Shaking Hands Seven people in a room start shaking hands. Six of them

Problems for Breakfast Shaking Hands Seven people in a room start shaking hands. Six of them

Introduction Graph Theory City Colouring Facebook Friends Villages and Canals Parting Thoughts Problems for Breakfast Shaking Hands Seven people in a room start shaking hands. Six of them shake exactly two peoples hands. How many people

878 views • 45 slides
Hands-on Station Add 1 Hands-on Were going to add some station metadata, create some

Hands-on Station Add 1 Hands-on Were going to add some station metadata, create some

Hands-on Station Add 1 Hands-on Were going to add some station metadata, create some profiles, and see if we can see data coming in to our system. Perform the following instructions on your virtual machine. When youre using a web

981 views • 45 slides
Fight antibiotic resistance its in your hands WHO SAVE LIVES: Clean Your Hands 5 May

Fight antibiotic resistance its in your hands WHO SAVE LIVES: Clean Your Hands 5 May

Fight antibiotic resistance its in your hands WHO SAVE LIVES: Clean Your Hands 5 May 2017 Each year the WHO SAVE LIVES: Clean Your Hands campaign aims to maintain a global profile on the importance of hand hygiene in health care and

554 views • 23 slides
Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for

Clustering Hands-On tools@bsc.es 2018 Copy files for the hands-on You can download the material for most of the hands on from the web site https://tools.bsc.es/tools-hands-on. Clustering has to be executed on a Linux machine. > ls

389 views • 6 slides
TABLE DISCUSSION (Hands debrief) What has God been teaching you lately? (Hands

TABLE DISCUSSION (Hands debrief) What has God been teaching you lately? (Hands

TABLE DISCUSSION (Hands debrief) What has God been teaching you lately? (Hands debrief) Who did you explain the Learning Circle to this past week? WEDNESDAY GATHERING STEWARDSHIP WHAT IS A STEWARD A Steward is a Manager

867 views • 25 slides
5 May 2019 Clean care for all - it's in your hands

5 May 2019 Clean care for all - it's in your hands

WHO SAVE LIVES: Clean Your Hands 5 May 2019 Clean care for all - it's in your hands http://www.who.int/infection-prevention/en/ Each year the WHO SAVE LIVES: Clean Your Hands campaign aims to maintain a global profile on the importance of

789 views • 60 slides
Hands on Sara Dickinson Willem Toorop Hands on Overview What is the

Hands on Sara Dickinson Willem Toorop Hands on Overview What is the

Hands on Sara Dickinson Willem Toorop Hands on Overview What is the getdns API What can the getdns library do for you Guided tour of the API Examples uses (code!) Demo of Stubby (time permitting) but

945 views • 93 slides
Hands in water ! When should I wash my hands ? N ddition : D/2014/74.80/12 Editeur

Hands in water ! When should I wash my hands ? N ddition : D/2014/74.80/12 Editeur

ANGLAIS EDSBR0436 - Anglais Hands in water ! When should I wash my hands ? N ddition : D/2014/74.80/12 Editeur Responsable : Benot Parmentier ONE.be Chausse de Charleroi 95 - 1060 Bruxelles Tl. : +32 (0)2 542 12 11 / Fax : +32

513 views • 32 slides
HANDS-ON ASTROPHYSICS Story animals ? Yes, BUT we are tool users first and last. We think in

HANDS-ON ASTROPHYSICS Story animals ? Yes, BUT we are tool users first and last. We think in

Tyler August, MSc HANDS-ON ASTROPHYSICS Story animals ? Yes, BUT we are tool users first and last. We think in stories. We learn with our hands. Play = hands on learning Play = hands on learning Wait. What? PLAY ASTROPHYSICS? Madness! 1

533 views • 18 slides
Southeast Michigan Flood Recovery Reuben Grandon What are we seeing now? All Hands On Detroit

Southeast Michigan Flood Recovery Reuben Grandon What are we seeing now? All Hands On Detroit

All Hands Volunteers Southeast Michigan Flood Recovery Reuben Grandon What are we seeing now? All Hands On Detroit www.hands.org www.classy.org/AllHandsOnDetroit 339 223 4490 reuben@hands.org

536 views • 15 slides
Presentation GSPP More pictures Disinfection of hands Disinfection of hands Disinfection of

Presentation GSPP More pictures Disinfection of hands Disinfection of hands Disinfection of

Presentation GSPP More pictures Disinfection of hands Disinfection of hands Disinfection of hands Disinfection of hands Disinfection of hands and shoes shoes Disinfection of hands and feet Disinfection of hands and feet Disinfection matt

561 views • 15 slides
Hands-on Tutorial Supported by Microsoft Research The CADRE project (Val Pentchev) Hands

Hands-on Tutorial Supported by Microsoft Research The CADRE project (Val Pentchev) Hands

Hands-on Tutorial Supported by Microsoft Research The CADRE project (Val Pentchev) Hands on intro to CADRE Program (Mat Hutchinson) overview Interactive demo with packages and notebooks (Filipi Silva) CADRE fellow presentation

878 views • 65 slides
HEAVENS HANDS HISTORY http://www.hhcsny.org/ Heavens Hands started in 2000 Grown from a

HEAVENS HANDS HISTORY http://www.hhcsny.org/ Heavens Hands started in 2000 Grown from a

HEAVENS HANDS HISTORY http://www.hhcsny.org/ Heavens Hands started in 2000 Grown from a staff of 2 to over 200 Support more than 900 individuals and families CEO: Lorenzo Brown COO: Mary Knox CFO: Eugene Brandon MISSION & VISION

514 views • 12 slides
Walk hands in hands toward an information era: Shaping a peaceful, secure, open and cooperative

Walk hands in hands toward an information era: Shaping a peaceful, secure, open and cooperative

Walk hands in hands toward an information era: Shaping a peaceful, secure, open and cooperative cyberspace LI Chijiang Director of Office for Cyber Affairs Ministry of Foreign Affairs, China Roles of les of Sta States in Cyber es in

54 views • 4 slides
Eyes on target Hands together Elbows relaxed Feet shoulder-width apart Balanced Hands can go

Eyes on target Hands together Elbows relaxed Feet shoulder-width apart Balanced Hands can go

Comfortable Eyes on target Hands together Elbows relaxed Feet shoulder-width apart Balanced Hands can go over head or stay in front of body Little or no head movement with eyes remaining on target Weight remains centered Small step to the

838 views • 21 slides
Hands on Scala.js Li Haoyi, PNWScala 14 Nov 2014 Hands on Scala.js: Agenda Intro to Scala.js

Hands on Scala.js Li Haoyi, PNWScala 14 Nov 2014 Hands on Scala.js: Agenda Intro to Scala.js

Hands on Scala.js Li Haoyi, PNWScala 14 Nov 2014 Hands on Scala.js: Agenda Intro to Scala.js Interactive Web Pages Cross-platform libraries Client-server integration Wrap Up Intro to Scala.js Intro to Scala.js

547 views • 37 slides
Welcome www.OilfieldHelpingHands.org www.OilfieldHelpingHands.org Oilfield Helping Hands Sally

Welcome www.OilfieldHelpingHands.org www.OilfieldHelpingHands.org Oilfield Helping Hands Sally

Oilfield Helping Hands OILFIELD HELPING HANDS Welcome www.OilfieldHelpingHands.org www.OilfieldHelpingHands.org Oilfield Helping Hands Sally Hallingstad, Rockies Chapter President Katie Grimes, Permian Chapter President Bill Markus,

777 views • 48 slides
Making Hands Primary Biomechanical Engineering Lessons 1 & 2 > an RS Components Imagine-X

Making Hands Primary Biomechanical Engineering Lessons 1 & 2 > an RS Components Imagine-X

Helping Hands, Making Hands Primary Biomechanical Engineering Lessons 1 & 2 > an RS Components Imagine-X resource What are you made of? > Muscle > Skin > Ligaments > Connective tissue The skeletal/muscular >

541 views • 24 slides

More recommend