Ghidra: All you Need to Know about the NSA’s Reverse Engineering Tool

(Last Updated On: 27th March 2019)

Reading time ~10min


Ghidra is a Software Reverse Engineering (SRE) framework created and maintained by the National Security Agency (NSA) Research Directorate. Ghidra is an open-source tool that allows security researchers and malware analysts to ‘hack’ into the code behind the software.

The program’s 1.2 million lines of code are designed to reverse the compiler process, decompiling executable code into assembly listings and finally into approximate C code. Capabilities include disassembly, assembly, decompilation, graphing control flows through functions, scripting, inspecting symbols and references, identifying variables, data along with hundreds of other features. It’ll all be very familiar to you if you used similar reverse engineering tools, such as IDA, Binary Ninja, Radare, Hopper, Snowman etc.

The platform is processor independent, capable of analysing code targeting x86, ARM, PowerPC, MIPS, Spar, Atmel, Toy along with several other processors. While the framework is built using Java, the code can also handle Python-based plugins as well as Java-written ones, because an NSA analyst doesn’t like Java, so apparently, they added Python support as well for that reason. Some plugins examples will allow additional functionality such as Cryptanalysis, interaction with OllyDbg and the Ghidra Debugger.

Ghidra supports a wide variety of process instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

Regardless of what platform you use to run Ghidra or what types of binaries you are going to analyse in Ghidra, you will need the standard package. The framework includes a suite of full-featured, high-end software analysis tools to enable you to analyse compiled code on a variety of platforms including Windows 7 or 10 (64-bit), macOS (OS X) 10.8.3+ (Mountain Lion or later), and Linux (64-bit, CentOS 7 is preferred).

The latest version of Ghidra is 9.0 (at the time of writing this post).
Ghidra requires Java Runtime Environment to run. The current version requires Java 11 JDK and a PC with minimum 4 GB RAM, 1 GB storage (for installed Ghidra binaries).

In recent years it has become almost apparent that any leaked NSA hacking tools were used for hacking purposes by the NSA analysts rather than researching thanks to recent cyber-attack headlines such as WannaCry, NotPetya and even the Democratic National Committee (DNC) email breach during Hilary Clinton’s U.S. election campaign. Arguably, when the tool was realised on 05 March 2019 officially to the public (Ghidra version 9.0), everyone was worried (and still is) that the tool might include a backdoor planted by NSA. We are not going to go in great lengths around this topic; however, it is recommended to run the tool inside a Virtual Machine until the public community has thoroughly reviewed the code for bugs or flaws. So far we know the following:

A security researcher (@hackerfantastic) found a Remote Code Execution (RCE) when the tool is loaded in debug mode. However, this was proven to be more of a bug rather than a backdoor.

Ghidra opens up Java Debug Wire Protocol (JDWP) in debug mode listening on port 18001. An attacker could use this port to execute code remotely. To address the RCE, change line 150 of support/launch.sh from * to 127.0.0.1 until the next release patch.

Conclusion

After playing with Ghidra tool for a couple of hours, we have found it to be a useful and competent tool, especially when considering that is free and open-sourced but that won’t be enough to make most security researchers switch from IDA Pro to Ghidra. At the end of the day, IDA is quite powerful and has been one of the most, if not the only, widely used tool for reverse engineering purposes for a long time.

That being said, we definitely believe that this is the best free tool that you can find out there for malware analysis with so many offerings. Also, if you don’t have IDA Pro licences or find them to be costly, below is a comprehensive list of Ghidra’s advantages versus other well-known tools such as IDA Pro that you might want to consider:

  • The code is available on GitHub open to the public, and we should expect to see enhancements from amateur and professional security developers rolling out soon — making the tool even more robust, and a major reason why the NSA likely chose to release a formerly closed project. Being open-sourced is a big advantage. Ghidra can be used or modified by anyone for free, and you can just fix a bug that you discover in Ghidra that you could never do the with IDA or Binary Ninja.
  • Ghidra’s type system is nice and in some ways cooler than IDA’s. Semi-automatic struct inference rocks, and it comes with a large type of library.
  • Ghidra will decompile code from a dozen different architectures. IDA will only do x86, x64, ARM / AArch64 and you have to pay for all of those separately. In theory, it could decompile a custom architecture if you implement your disassembler backend thoroughly enough.
  • Ghidra’s UI is marginally worse than IDA because it’s implemented in Java Swing when compared with IDA’s Qt environment.
  • Ghidra parsers PE headers whereas IDA doesn’t. It is a handy feature to have.
  • Ghidra and IDA both use Python for scripting. However, Ghidra’s Python is actually Jython, which gives it access to the entire state of the system (minus the decompiler, which is native code – but you can interact with all the code that drives the decompiler). This is really big – the API surface of the entirety of Ghidra is pretty massive so the scripting opportunities are similarly exciting.
  • Ghidra has a (mostly functional) patching interface which understands assembly. Despite IDA Pro costing thousands, gets confused when you try to assemble something as basic as “mov rdi, rdx” in 64-bit code.
  • Ghidra appears to have a functioning Undo operation, which IDA seems to still not have. Being able to make changes without worrying about your IDB accidentally becoming unusable is huge.
  • Since IDA is a more mature and ubiquitous product, there are a lot of open-source tools built around it.
  • Ghidra does not use a traditional installer program. Instead, the Ghidra distribution file is simply extracted in-place on the filesystem. This approach has advantages and disadvantages. On the upside, administrative privilege is not required to install Ghidra for personal use. Also, because installing Ghidra does not update any OS configurations such as the registry on Windows, removing Ghidra is as simple as deleting the Ghidra installation directory. On the downside, Ghidra will not automatically create a shortcut on the desktop or appear in application start menus.
  • Ghidra comes with the following extensions available for use (and by default uninstalled), which can be found in the /Extensions directory.
    • The GhidraDev Eclipse plugin for a pre-existing Eclipse installation.
    • Ghidra extensions (formerly known as contribs).
    • IDA Pro plugins/loaders for transferring items with Ghidra.
  • IDA has a debugger whereas Ghidra does not.
  • Ghidra’s support for disassembling Windows OS binaries (e.g. kernelbase.dll) is currently broken due to some bugs with the x86 instruction decoder. There are issues on GitHub talking about this so the community should address them sooner or later.