Ghidra Download Pdb File

Kandyce Harper

Jan 25, 2024, 1:34:51 PM1/25/24
to seobrasopro

Here is where the problem comes up. I have a Ryzen 9 5900X with 64GB of RAM on my computer, yet it has been analyzing for days now and it isn't showing any signs of finishing soon. Before starting the analysis, I extended Ghidra's MAXMEM to 32GB (and restarted Ghidra to apply the change), and I believe this helped a bit with speed, because memory usage seems to be a bit above 16GB (which is, according to the ghidraRun script, the limit Ghidra would let itself use on my computer). I have no idea what else to do, though. The binary is pretty big (33.6MB), but not nearly big enough to need so many days, I think; it can't be that complicated. My max threads in auto analysis are also set to 24, yet according to the system monitor, Ghidra is only using 8% of my CPU.

We are also going to build the Eclipse development extensions for this version of Ghidra; this will help us later on when we build a loader and write our analysis scripts. To do this we add the following line to the build_ghidra.sh script:

ghidra download pdb file

Download Zip ⚙⚙⚙ https://t.co/ZmG4xtzQTq

Now that we have a new version of Ghidra built, we also need to build the GhidraDev plugin for Eclipse. The Eclipse projects can be found in the ghidra-builder/workdir/ghidra/GhidraBuild/EclipsePlugins/GhidraDev directory.

Launch Ghidra via ghidraRun and go to File->Install Extensions. Select the GhidraGBA loader and click OK. You will need to restart Ghidra for the change to take effect. Now when you load a GBA ROM you should see the following:

Takeaways here: gvba does not work with any sort of modern GDB. gdb-multiarch seems to miss breakpoints for some reason, and gdb from devkitARM does not respond to Ghidra appropriately to provide registers.

Ghidra installation simply involves unpacking zip files to a folder of your choice. Each of the Ghidra packages is intended to unpack directly on top of the same folder structure. For example, extracting Ghidra_7.0.2_TSSI_20151120_common.zip to the folder C:\Ghidra will unpack everything into C:\Ghidra\ghidra_7.0.2. Other packages for version 7.0.2 will drop their files into the same relative directory structure.

First I will explain my environment; you would need to adapt this to the current versions or systems you might be using. To download Ghidra head over to -sre.org/. Ghidra is built with Java, and the current version 9.0 requires at least OpenJDK 11. I am using Linux and currently OpenJDK 12. Below is an example of my setup. Starting Ghidra with ./ghidraRun the first time will require you to tell Ghidra where your OpenJDK is located. In my case I extracted the tar into /Documents/Ghidra/ with tar -xvf openjdk-12+32_linux-x64_bin.tar.gz.

Once you have told Ghidra where you have the JDK you should see something similar to the window below.

Ghidra uses the concept of workspaces to hold your work. First choose "File->New Project". You have the ability to set up a collaboration project (which is very, very cool) or a non-shared project.

You can then create a workspace by choosing "Project->Workspace->Add". I chose to set up a non-shared project and pointed it to the workspace under /Documents/ghidra_testing. After this setup you can click on the dragon head to start the CodeBrowser. Your screen will look a bit different since I have already set up my color palette. If you would like to change your appearance settings, they are under "Edit->Tool Options".

At this point we are ready to start using the tool to do some RE work. First we need a binary. In this example I have created a simple C++ program and have it here: ghidra_test_binary, so you could follow along. Let's first take a quick look at the source code so we know what to expect. The file ghidra_test.cpp can be compiled with "g++ ghidra_test.cpp -o ghidra_test". In this code we have a Base class and a Derived class with virtual functions. To view the binary in Ghidra simply press the hotkey "I" or go to File->Import and choose the file. Ghidra should recognize the file as an ELF for the x86 64-bit processor. Click through the next couple of popup windows choosing the default selections for now, and eventually you will see the disassembly. Now we need to find the start of the program. In the "Program Tree" view on the upper left-hand side of the window, if we click on ".text" the disassembly window and the decompilation window will update. We can now see __libc_start_main() and our main(). Highlighting something in either window view will highlight the corresponding code in the other window. This is a great feature that will allow the user to see how the decompilation is matched with the disassembly. Double clicking on main() will update our view with main's code. Before we dive in too deep, if we take a look under the "Symbol Tree" and the "Data Type Manager" views we can see that Ghidra has attempted to recognize some of our class information. It has created a Base and Derived object type under Data Types, and attempted to match the virtual functions under the classes. However, we still need to do a bit of work to make Ghidra show everything correctly.

The process for this is similar to the Derived class structure setup. However, first we need to add the structure to the types. Right click on ghidra_test under the Data Type Manager and choose New->Structure. Notice we can add other types as well. I have not tried any of these; however, Enums are another common type that we can use in the RE process. I will call this structure VTABLE_Derived. All of our data types in the VTable will be pointers; if we look in the VTable at offset 0x103cc0, we see it has 6 entries. Since we have symbols associated with those calls we can use those to fill in our names on the VTable structure. In the end it should look similar to below. We can then apply that structure to the vtable. I found this is an optional step for the most part, but if you wanted to do this you first need to clear out the current types for the table. Choose an entry and hit the hotkey "C". This will make the space "undefined". Do this for all entries and it will look something like this. Go to the first address (0x103cc0), press the "T" hotkey and type VTable_Derived. You will see the structure has been applied. We also need to set up a pointer type to this VTable. The name of this will be "VTable_Derived*". This is done by right clicking on the VTABLE_Derived class data type and choosing "New->Pointer to". We then need to apply that to the vptr type in our Derived structure by selecting the vptr in our decompilation and pressing the hotkey "Ctrl+L". The following is what you should see going through this:
At this point we are basically finished with this class and VTable. We can then continue with the RE process. An interesting thing I found Ghidra does is attempt to resolve all other "this" pointers with our work. If it is recognized in the constructor calls, or if a function is under the class, it will automatically resolve the offsets and make everything look nice. To see an example take a look at the function calls:

If we also look back at "main()" we see it has also resolved our virtual function calls.

I initially wanted to do a video on this topic since it will likely convey the material here better. I still might do that, but it will take some effort on my part setting up my recording software and equipment, so it might take a couple of weeks. While this guide is not meant to be a comprehensive guide to every feature available in Ghidra, I think it does give you a good starting point to set up a project and view its capabilities. In my opinion, Ghidra is the most feature-rich tool out of the free or demo tools available for software reverse engineering. Ghidra being free and open source will be great for introducing beginners to RE. While it might not be an immediate replacement for experienced researchers who have years of experience with other tools, I think it has great potential to eventually be a replacement. I think it will also require HexRays and Vector35 to up their game on the features they provide in order to stay competitive, especially if a plugin community of developers for Ghidra exists. For a more in-depth how-to and supplementary content, view the guide in the docs under ghidra_9.0/docs/GhidraClass.

I noticed that Ghidra has various types of user-defined comments. Does anyone have any examples of how to get user-added pre, post and EOL comments for a function in Ghidra using the Ghidra Python API?

The Eventbrite page is here: -u-reverse-engineering-with-ghidra-tickets-109681391996. We will be releasing the videos of the classes as well, so you will still be able to access the material even if you're not present for the actual class.

After creating a project in Ghidra for the CTF (or just using your everything-goes-here project) and after using File > Import File to add our binary to the project, we can open it and tell Ghidra that yes, we would like to analyze the file right now when prompted.

Version Tracking refers to the process used by reverse engineers to identify matching code or data between different software binaries. One common use case is to version track two different versions of the same binary. Version Tracking Ghidra - ghidra2018

This is the ultimate purpose of version tracking, to retain any progress that has already been made in understanding the code and be able to proceed despite any changes to the original binary. Version Tracking Ghidra - ghidra2018

Writing Ghidra loader
I never implemented any Ghidra loader. I did some research. There is a nice tutorial about writing loaders - here. To be honest, I much prefer to experiment, so my style was based on the open-source loaders like GhidraPS4Loader and mclf-ghidra-loader.
