Ghidra, an NSA reverse engineering toolkit

At the RSA conference, the US National Security Agency announced public access to the “Ghidra” reverse engineering toolkit, which includes an interactive disassembler with support for decompiling to C and provides powerful tools for analyzing executables.

The project has been under development for almost 20 years and is actively used by US intelligence agencies to identify backdoors, analyze malicious code, study various executable files, and analyze compiled code.

In its capabilities, the product is comparable to the extended version of the proprietary IDA Pro package, but it is designed exclusively for code analysis and does not include a debugger.

On the other hand, Ghidra supports decompiling to C-like pseudocode (in IDA, this feature is available through third-party plugins) and offers more powerful tools for collaborative analysis of executable files.

Key features

The Ghidra reverse engineering toolkit offers the following:

  • Support for various processor instruction sets and executable file formats.
  • Analysis of executables for Linux, Windows and macOS.
  • A disassembler, an assembler, a decompiler, a program execution graph generator, a script execution module and a large set of auxiliary tools.
  • Operation in both interactive and automatic modes.
  • Plug-in support for implementing new components.
  • Automation of actions and extension of existing functionality through scripts written in Java and Python.
  • Tools for collaborative work by research teams and coordination of work when reverse engineering very large projects.

Interestingly, a few hours after Ghidra's release, a vulnerability was found in the package's debug mode implementation (disabled by default), which opens network port 18001 for remote debugging of the application using the Java Debug Wire Protocol (JDWP).

By default, the listener was bound to all available network interfaces instead of 127.0.0.1, which allows connecting to Ghidra from other systems and executing arbitrary code in the context of the application.

For example, one can connect with a debugger, stop execution by setting a breakpoint, and substitute one's own code for further execution using the "print new" command, for example:

    print new java.lang.Runtime().exec('/bin/mkdir /tmp/dir')
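The exposure described above comes down to the bind address of the JDWP socket. The following POSIX shell script is an added example, not code from the article or from the Ghidra project: it reports JDWP listeners on port 18001 that are bound to every interface (taking `ss -ltn` output as input, so it can also be run over a saved capture), and it rewrites a standard `-agentlib:jdwp` option so that the socket binds to 127.0.0.1 only. The `ss` output is a constructed sample, and the assumption that a launcher passes a JDWP option of the usual `transport=...,address=<port>` shape is mine.

```shell
#!/bin/sh
# Added example (not from the article or the Ghidra project): find JDWP debug
# listeners bound to all interfaces, and show the loopback-only agent option.
JDWP_PORT=18001   # port named in the article; assumption: the only port of interest

# Print "address:port" for every LISTEN socket on $JDWP_PORT whose local address is a
# wildcard (0.0.0.0, *, [::] or ::). Loopback-only listeners are not reported.
# $1 is the text of `ss -ltn` (or `netstat -ltn`): column 4 is "Local Address:Port".
exposed_jdwp_listeners() {
    printf '%s\n' "$1" | awk -v port="$JDWP_PORT" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")                     # port is after the last ":"
            p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::"))
                print addr
        }'
}

# Number of exposed listeners found in the given `ss -ltn` text.
count_exposed() {
    exposed_jdwp_listeners "$1" | wc -l | tr -d ' '
}

# Convenience wrapper for a live host (not called by the tests below).
check_live_host() {
    exposed_jdwp_listeners "$(ss -ltn)"
}

# Rewrite a JDWP agent option string so the socket binds to loopback only.
# In the standard JDWP agent syntax, "address=<port>" without a host listens on all
# interfaces; "address=127.0.0.1:<port>" restricts it. Options that already carry a
# host part are left untouched.
loopback_only() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    out=""
    for kv in "$@"; do
        case $kv in
            address=*:*) ;;                                    # host already present
            address=*)   kv="address=127.0.0.1:${kv#address=}" ;;
        esac
        out="${out:+$out,}$kv"
    done
    printf '%s\n' "$out"
}

# Constructed sample of `ss -ltn` output: one wildcard JDWP listener (the risky case),
# one loopback-only JDWP listener, and one unrelated service.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      0.0.0.0:18001        0.0.0.0:*
LISTEN  0       50      127.0.0.1:18001      0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'
```

On a real host, `check_live_host` runs the same check against the current socket table; a non-empty result means the debug port is reachable from other systems and the launcher's JDWP option should carry an explicit `127.0.0.1:` host part, as `loopback_only` produces.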

In addition, an almost completely revised edition of the open interactive disassembler REDasm 2.0 has also been published.

The program has an extensible architecture that allows drivers for additional instruction sets and file formats to be connected as modules. The project code is written in C++ (Qt-based interface) and distributed under the GPLv3 license. Windows and Linux are supported.

The basic package supports the PE, ELF and DEX (Android Dalvik) formats as well as firmware for Sony PlayStation, Xbox, GameBoy and Nintendo64. Of the instruction sets, x86, x86_64, MIPS, ARMv7, Dalvik and CHIP-8 are supported.

Among its features are IDA-style interactive visualization, analysis of multi-threaded applications, construction of a visual progress graph, a digital signature processing engine (which works with SDB files) and project management tools.

How to install Ghidra?

Those interested in installing the “Ghidra” reverse engineering toolkit should know that they need at least:

  • 4 GB of RAM
  • 1 GB of disk space for the toolkit
  • Java 11 Runtime and Development Kit (JDK) installed.

To download Ghidra, go to its official website, where the package can be downloaded. The link is this.

Once downloaded, unzip the package; inside the resulting directory you will find the file "ghidraRun", which launches the toolkit.
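The steps above, with the Java 11 prerequisite actually checked before anything is unpacked, as an added POSIX shell example that is not part of the article or of the Ghidra project. The version parser handles both the pre-9 "1.8.0_xxx" numbering and the "11.0.2" style; the archive name and install directory are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the article or the Ghidra project: verify the JDK
# requirement, unpack the downloaded archive and launch ghidraRun.

# Extract the major version from `java -version` output (passed as text).
# Releases before 9 report "1.8.0_xxx" (major 8); 9 and later report "11.0.2" (major 11).
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    case $ver in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Succeed (exit 0) when the reported version meets the article's requirement, Java 11.
java_is_new_enough() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 11 ]
}

# install_ghidra <downloaded zip> [install directory]
# Placeholder paths: the zip name is whatever was downloaded from the official site.
install_ghidra() {
    zip=$1; dest=${2:-$HOME/ghidra}
    if ! java_is_new_enough "$(java -version 2>&1)"; then
        echo "Ghidra needs JDK 11 or newer" >&2; return 1
    fi
    # The article asks for a Development Kit, not just a runtime: javac must exist.
    command -v javac >/dev/null || { echo "a JDK is required: javac not found" >&2; return 1; }
    mkdir -p "$dest"
    unzip -q "$zip" -d "$dest"
    run=$(find "$dest" -name ghidraRun -type f | head -n 1)
    [ -n "$run" ] || { echo "ghidraRun not found in $dest" >&2; return 1; }
    chmod +x "$run" && "$run"
}

# Usage: sh install_ghidra.sh ghidra_PLACEHOLDER.zip [/opt/ghidra]
if [ $# -ge 1 ]; then install_ghidra "$@"; fi
```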

If you want to know more about it you can visit the following link.
