Ghidra is a Software Reverse Engineering (SRE) framework created and maintained by the National Security Agency (NSA) Research Directorate. It is an open-source tool that lets security researchers and malware analysts ‘hack’ into the code behind a piece of software.
The program’s 1.2 million lines of code are designed to reverse the compiler process: disassembling executable code into assembly listings and then decompiling it into approximate C code. Its capabilities include disassembly, assembly, decompilation, graphing of control flow through functions, scripting, inspection of symbols and references, and identification of variables and data, along with hundreds of other features. It will all feel very familiar if you have used similar reverse engineering tools such as IDA, Binary Ninja, Radare, Hopper or Snowman.
The platform is processor independent and can analyse code targeting x86, ARM, PowerPC, MIPS, SPARC, Atmel and Toy, along with several other processors. While the framework itself is written in Java, it also runs Python-based plugins as well as Java ones; apparently, an NSA analyst disliked Java, and Python support was added for that reason. Example plugins add functionality such as cryptanalysis, interaction with OllyDbg and the Ghidra Debugger.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts in Java or Python.
Whatever platform you run Ghidra on, and whatever types of binaries you intend to analyse with it, you will need the standard package. The framework includes a suite of full-featured, high-end software analysis tools for analysing compiled code on a variety of platforms, including Windows 7 or 10 (64-bit), macOS (OS X) 10.8.3+ (Mountain Lion or later) and Linux (64-bit; CentOS 7 is preferred).
The latest version of Ghidra is 9.0 (at the time of writing this post).
Ghidra requires a Java Runtime Environment to run. The current version requires the Java 11 JDK and a machine with at least 4 GB of RAM and 1 GB of storage (for the installed Ghidra binaries).
In recent years it has become all but apparent that leaked NSA hacking tools were used by NSA analysts for hacking rather than research, as shown by recent cyber-attack headlines such as WannaCry, NotPetya and even the Democratic National Committee (DNC) email breach during Hillary Clinton’s U.S. election campaign. Arguably, when the tool was officially released to the public on 05 March 2019 (Ghidra version 9.0), everyone was worried (and still is) that it might include a backdoor planted by the NSA. We are not going to go to great lengths on this topic; however, we recommend running the tool inside a virtual machine until the public community has thoroughly reviewed the code for bugs or flaws. So far we know the following:
A security researcher (@hackerfantastic) found a Remote Code Execution (RCE) issue when the tool is launched in debug mode. However, this was shown to be a bug rather than a backdoor.
In debug mode, Ghidra opens a Java Debug Wire Protocol (JDWP) listener on port 18001, bound to all interfaces rather than loopback only. An attacker able to reach that port could use it to execute code remotely. To address the RCE until the next release patches it, change line 150 of support/launch.sh from * to 127.0.0.1 so that the debug listener is bound to the local host only.
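As an added example (not from the original post or from the Ghidra project), the following POSIX shell functions audit a Ghidra launcher script for a JDWP debug listener bound to all interfaces and rewrite it to loopback only, which is the mitigation described above. It assumes the bind address appears as an address=<host>:18001 token or a DEBUG_ADDRESS=<host>:18001 assignment; the exact text of line 150 in Ghidra 9.0’s support/launch.sh is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the original post or of Ghidra itself.
# Audits a launcher script for a JDWP listener on port 18001 that is bound
# to all interfaces ("*" or 0.0.0.0) and rewrites it to 127.0.0.1.
# Assumption: the bind address is written as "address=<host>:18001" or
# "DEBUG_ADDRESS=<host>:18001"; adjust the pattern if your copy differs.

# Print every JDWP bind host found in the launcher file, one per line.
jdwp_bind_hosts() {
    grep -oE '(address|DEBUG_ADDRESS)=[^:[:space:]]+:18001' "$1" |
        sed -E 's/^[^=]+=//; s/:18001$//'
}

# Return 0 (true) if the launcher exposes JDWP on all interfaces.
jdwp_is_exposed() {
    jdwp_bind_hosts "$1" | grep -qxE '\*|0\.0\.0\.0'
}

# Rewrite wildcard binds to loopback, keeping a .bak copy of the original.
# A temp file plus mv is used so this works with both GNU and BSD sed.
jdwp_harden() {
    cp "$1" "$1.bak" || return 1
    sed -E 's/((address|DEBUG_ADDRESS)=)(\*|0\.0\.0\.0):18001/\1127.0.0.1:18001/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: ./jdwp_check.sh /path/to/ghidra/support/launch.sh
if [ -n "$1" ]; then
    if jdwp_is_exposed "$1"; then
        echo "JDWP listener on 18001 is bound to all interfaces; hardening $1"
        jdwp_harden "$1"
    else
        echo "No wildcard JDWP bind found in $1"
    fi
fi
```

Run it against a copy of the launcher first and diff the result against the .bak file before applying it to the installed script.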
After playing with Ghidra for a couple of hours, we found it to be a useful and competent tool, especially considering that it is free and open source, but that alone won’t be enough to make most security researchers switch from IDA Pro to Ghidra. At the end of the day, IDA is very powerful and has for a long time been one of the most, if not the only, widely used tools for reverse engineering.
That said, we firmly believe this is the best free tool available for malware analysis, given how much it offers. And if you don’t have IDA Pro licences or find them too costly, below is a comprehensive list of Ghidra’s advantages over other well-known tools such as IDA Pro that you might want to consider: