Ghidra is one of many open source software (OSS) projects developed within the National Security Agency. The complete source code for Ghidra, along with build instructions, has been added to the repository. Please read the updated CONTRIBUTING guide to find out more about how you can join the community.
First I will explain my environment; you will need to adapt this to the versions or systems you are using. To download Ghidra head over to -sre.org/. Ghidra is built with Java, and the current version, 9.0, requires at least OpenJDK 11. I am using Linux and currently OpenJDK 12. Below is an example of my setup. Starting Ghidra with ./ghidraRun for the first time will require you to tell Ghidra where your OpenJDK is located. In my case I extracted the tarball into /Documents/Ghidra/ with tar -xvf openjdk-12+32_linux-x64_bin.tar.gz
Once you have told Ghidra where your JDK is, you should see something similar to the window below.
Ghidra uses projects and workspaces to hold your work. First choose "File->New Project". You can set up either a shared (collaborative) project, which is very, very cool, or a non-shared project.

You can then create a workspace by choosing "Project->Workspace->Add". I chose to set up a non-shared project and pointed it at the directory /Documents/ghidra_testing. After this setup, click on the dragon head to start the CodeBrowser. Your screen will look a bit different from mine, since I have already set up my color palette; if you would like to change the appearance, the settings are under "Edit->Tool Options".
At this point we are ready to start using the tool to do some RE work. First we need a binary. For this example I have written a simple C++ program, available here as ghidra_test_binary, so you can follow along. Let's first take a quick look at the source code so we know what to expect. The file ghidra_test.cpp can be compiled with "g++ ghidra_test.cpp -o ghidra_test". In this code we have a Base class and a Derived class with virtual functions. Note that the binary keeps its symbol table; the demangled C++ symbols are what let Ghidra recover the class and method names below, and a stripped binary will not give you that for free.

To load the binary into Ghidra, press the hotkey "I" or go to File->Import and choose the file. Ghidra should recognize the file as an ELF for a 64-bit x86 processor. Click through the next couple of popup windows, accepting the default selections for now, and eventually you will see the disassembly. Now we need to find the start of the program. In the "Program Tree" view on the upper left of the window, clicking on ".text" updates both the disassembly window and the decompiler window. We can now see __libc_start_main() and our main(). Highlighting something in either view highlights the corresponding code in the other; this is a great feature for seeing how the decompilation maps onto the disassembly. Double-clicking on main() updates our view with main's code.

Before we dive in too deep, a look at the "Symbol Tree" and "Data Type Manager" views shows that Ghidra has attempted to recognize some of our class information. It has created Base and Derived types under Data Types and attempted to match the virtual functions under the classes. However, we still need to do a bit of work to make Ghidra show everything correctly.
The process for the VTable is similar to the Derived class structure setup. First, however, we need to add the structure to the types: right-click on ghidra_test under the Data Type Manager and choose New->Structure. Notice that we can add other types as well; I have not tried any of these, but Enums are another common type that is useful in the RE process. I will call this structure VTABLE_Derived. All of the fields in the VTable structure will be pointers; if we look at the VTable at 0x103cc0, we see it has 6 entries. Since we have symbols for the functions those entries point to, we can use those symbol names as the field names in the VTABLE_Derived structure. One thing to check while filling this in: in the Itanium C++ ABI that g++ follows, the "vtable for Derived" symbol begins with an offset-to-top value and a typeinfo pointer before the first function pointer, so any entries before the first code address are not function pointers. In the end it should look similar to the picture below.

We can then apply that structure to the VTable. I found this to be an optional step for the most part, but if you want to do it, you first need to clear out the current types for the table: select an entry and hit the hotkey "C" (Clear Code Bytes), which makes the bytes "undefined". Do this for all entries and it will look something like this. Then go to the first address (0x103cc0), press the "T" hotkey (Choose Data Type) and type VTABLE_Derived. You will see that the structure has been applied.

We also need to set up a pointer type to this VTable, named "VTABLE_Derived *". This is done by right-clicking on the VTABLE_Derived data type and choosing "New->Pointer to". We then apply that pointer type to the vptr field of our Derived structure by selecting vptr in the decompilation and pressing the hotkey "Ctrl+L" (Retype Variable). The following is what you should see going through this:
At this point we are basically finished with this class and VTable, and we can continue with the RE process. An interesting thing I found is that Ghidra attempts to propagate our work to all the other "this" pointers: if a constructor call is recognized, or if a function is under the class, it automatically resolves the offsets and makes everything look nice. To see an example, take a look at the function calls:

If we look back at main(), we see it has also resolved our virtual function calls.
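Since the post links to its source rather than showing it, here is an added example of my own (not the author's ghidra_test.cpp) of the kind of Base/Derived program the walkthrough above reverse engineers, together with a walk over the vtable in the form the VTABLE_Derived structure step represents. It assumes the Itanium C++ ABI that g++ and clang use on Linux x86-64: the vptr sits at offset 0 of the object and points at the vtable's address point, one word past the offset-to-top and typeinfo entries, and each slot after that is a plain function pointer in declaration order. The class members, slot numbers and the 0x103cc0 address in the post are not assumed to match this program.

```cpp
// Added example, not the ghidra_test.cpp from the post. Assumes the Itanium
// C++ ABI (g++/clang on Linux x86-64). The slot numbers below follow the
// declaration order of the virtual functions in Base.
#include <cstddef>
#include <cstdio>
#include <cstring>

struct Base {
    int x;
    explicit Base(int v) : x(v) {}
    virtual ~Base() {}                                   // slots 0,1: complete + deleting dtor
    virtual int value() const { return x; }              // slot 2
    virtual int twice() const { return 2 * x; }          // slot 3
    virtual const char *name() const { return "Base"; }  // slot 4
};

struct Derived : Base {
    int y;
    Derived(int v, int w) : Base(v), y(w) {}
    int value() const override { return x + y; }            // replaces slot 2
    const char *name() const override { return "Derived"; } // replaces slot 4
    // twice() is not overridden, so slot 3 still holds Base::twice
};

// Slots after the address point for this hierarchy; Ghidra derives the same
// count from the size of the "vtable for Derived" symbol.
constexpr int kSlotCount = 5;

// The vtable as Ghidra presents it: an array of pointers.
using VTablePtr = void *const *;

// The vptr is the first word of a polymorphic object; copy it out rather
// than type-punning through the object.
static VTablePtr vptr_of(const Base *obj) {
    VTablePtr vp;
    std::memcpy(&vp, obj, sizeof vp);
    return vp;
}

// Two words precede the address point: offset-to-top (-2) and typeinfo (-1).
// These are the entries that must not be typed as function pointers.
static std::ptrdiff_t offset_to_top(const Base *obj) {
    std::ptrdiff_t off;
    std::memcpy(&off, vptr_of(obj) - 2, sizeof off);
    return off;
}

// Call slot 2 (value) by hand: this is the indirect call Ghidra shows as
// (*vptr->value)(this) once VTABLE_Derived is applied.
static int value_via_slot(const Base *obj) {
    auto fn = reinterpret_cast<int (*)(const Base *)>(vptr_of(obj)[2]);
    return fn(obj);
}

static const char *name_via_slot(const Base *obj) {
    auto fn = reinterpret_cast<const char *(*)(const Base *)>(vptr_of(obj)[4]);
    return fn(obj);
}

// A slot Derived did not override points at the same code as in Base's
// vtable, which is why Base::twice shows up by name inside VTABLE_Derived.
static bool unoverridden_slot_is_shared() {
    Base b(1);
    Derived d(1, 2);
    VTablePtr vb = vptr_of(&b), vd = vptr_of(&d);
    return vb[3] == vd[3] && vb[2] != vd[2] && vb[4] != vd[4];
}

static int derived_value_via_slot() { Derived d(3, 4); return value_via_slot(&d); } // 7
static int base_value_via_slot()    { Base b(3);       return value_via_slot(&b); } // 3
static std::ptrdiff_t derived_offset_to_top() { Derived d(1, 2); return offset_to_top(&d); }
static bool derived_name_via_slot_ok() {
    Derived d(1, 2);
    return std::strcmp(name_via_slot(&d), "Derived") == 0;
}

int main() {
    Derived d(3, 4);
    VTablePtr vt = vptr_of(&d);
    std::printf("offset-to-top %td, typeinfo %p\n", derived_offset_to_top(), vt[-1]);
    for (int i = 0; i < kSlotCount; i++)
        std::printf("slot %d: %p\n", i, vt[i]);
    std::printf("value via slot: %d (Base object: %d), name via slot: %s\n",
                derived_value_via_slot(), base_value_via_slot(),
                derived_name_via_slot_ok() ? "Derived" : "?");
    std::printf("slot 3 shared with Base: %s\n",
                unoverridden_slot_is_shared() ? "yes" : "no");
    return 0;
}
```

Build it with g++ -O0 -o vtable_demo vtable_demo.cpp and compare the printed slot addresses against nm -C vtable_demo: the slot Derived leaves alone holds the same address as in Base's vtable, the two words before the address point are not code addresses, and the order of the remaining slots is exactly the field order you would enter into VTABLE_Derived.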
I initially wanted to do a video on this topic, since it would likely convey the material better. I still might, but it will take some effort on my part to set up my recording software and equipment, so it might take a couple of weeks. While this guide is not meant to be a comprehensive guide to every feature available in Ghidra, I think it gives you a good starting point for setting up a project and a view of its capabilities. In my opinion, Ghidra is the most feature-rich of the free or demo tools available for software reverse engineering. Ghidra being free and open source will be great for introducing beginners to RE. While it might not be an immediate replacement for experienced researchers who have years of experience with other tools, I think it has great potential to eventually become one. I think it will also require Hex-Rays and Vector35 to up their game on the features they provide in order to stay competitive, especially if a plugin developer community forms around Ghidra. For a more in-depth how-to and supplementary content, see the guide in the docs under ghidra_9.0/docs/GhidraClass.
In the third part, 'Making Ghidra Work For You,' the authors explore the above-mentioned collaborative software reverse engineering across multiple analysts' devices, and customization (Ghidra is available in source and can be adjusted to taste). Customization can include extending the worldview, such as improving the automagic labeling and function identification in the binary, and basic scripting for repeated or repetitive tasks. Moreover, one chapter discusses the integration of the Eclipse IDE of Java fame using the GhidraDev plugin. Last but not least in this part, the authors guide the reader on the headless (dragon?) mode, to be used when a GUI is not needed (as in scripting mode).
You may need to scrounge up old versions of desmume known to have a working debugger; the debugger support has got quite bitrotted. I've also never heard of anyone using it in Ghidra, although if it claims to have GDB support then I guess it might work. I should mention that "GDB support" on Windows is fundamentally dodgy due to the GDB protocol being fundamentally dodgy. I suggest you ask Google for advice on general desmume GDB debugging and follow that guide first until you can get it to work. Then improvise to make it work with Ghidra.
I already got a GDB build of desmume and got it to work on IDA Pro, but I couldn't find anything on Google about getting it to work on Ghidra. I've seen a guide on how to connect the Ghidra debugger to mgba, so it should theoretically be possible to do the same with desmume, but it could just be that it's not possible on Windows due to compatibility issues.
Well, if you're asking questions like "what to put in the GDB launch command", then I don't think we can conclude compatibility issues yet, and I doubt there are compatibility issues. I would suggest you find a forum of Ghidra experts, show them how you got IDA Pro working with desmume, and ask them what the Ghidra equivalent is.