
Ghidra Published by the NSA – What is this tool capable of?


Ghidra is an open-source tool that helps security researchers understand compiled programs. The NSA presented and released it today at the RSA Conference in San Francisco.

Ghidra is a reverse engineering tool

But what does reverse engineering actually mean? When software is developed, what the program should do is written down in a human-readable programming language (for example C or C++). This so-called source code is translated by a compiler into machine code, that is, instructions the processor executes directly. (Languages such as Java or Python are instead compiled to bytecode for a virtual machine or interpreter; the idea is the same, but the tools differ.)
Reverse engineering attempts to go back the other way: starting from the machine code, usually with no source code available, you work out what a program does and how it does it. Vendors try to make this harder, for example with obfuscation, but reverse engineering remains an important tool in IT security.

Why are there tools like Ghidra?

Reverse engineering is an important step for security. With its help, for example, weaknesses in password managers are found and can then be closed. Another use case is malware analysis: malware is reverse engineered to understand how it works, what it does on the system and how it communicates. If a computer has been encrypted after a ransomware attack, the files can sometimes be recovered later with a "master key" or a decryption tool. This is mostly the result of reverse engineering the ransomware and finding a flaw in its encryption routine. The blog post by Digital Media Women describes the work of a malware reverse engineer at G DATA Advanced Analytics in Bochum.

Why is Ghidra so exciting?

The wider world first became aware of Ghidra in 2017, through the Vault 7 documents published by WikiLeaks, in which the tool was mentioned. Ghidra has a graphical interface and has been developed by the NSA since the early 2000s. What makes it exciting is that there has been little movement in the reverse engineering tool market so far: almost all comparable tools cost a great deal of money, which meant a high entry barrier. Ghidra makes it much easier for interested people, students and teachers to get into reverse engineering.

Installation and first impression

There is nothing to install apart from a current 64-bit Java Development Kit (JDK). You download a zip file from the Ghidra website and unpack it to a location of your choice; after that Ghidra can be used directly. When you start the program (ghidraRun on Linux and macOS, ghidraRun.bat on Windows) you are asked for a project name. You assign one, and then you can, for example, import .exe files and analyze them. The following screenshot shows Ghidra during the automatic analysis of npp.exe (Notepad++). We will look more closely at analyzing files in upcoming blog posts.
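The installation and first analysis just described, as a shell script for Linux and macOS. This is an added example; it is not code from the original post or from the Ghidra project. It assumes the release zip has already been downloaded from the Ghidra website and that a 64-bit JDK 11 or newer is required (the requirement of the 2019 release; newer releases need newer JDKs). The headless analyzer support/analyzeHeadless and the ghidraRun launcher ship inside the release zip; the script name, paths and project name below are placeholders.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Ghidra project.
# Wraps the installation described above and runs the same automatic
# analysis the GUI performs, but through Ghidra's headless analyzer
# (support/analyzeHeadless, shipped inside the release zip).
# Assumptions: a 64-bit JDK 11 or newer is required (the 2019 release's
# requirement; newer releases need newer JDKs), and the zip has already been
# downloaded from the Ghidra website and is passed in as an argument.

# Extract the major version from a "java -version" version string.
# Java 8 and older report "1.8.0_201" (major = 8); 9 and later "11.0.2" (major = 11).
java_major_version() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 | cut -d_ -f1 ;;
    esac
}

# Succeed when the version string meets the minimum major version (default 11).
java_version_ok() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge "${2:-11}" ] 2>/dev/null
}

# Read the version string of the java on PATH, e.g.
#   openjdk version "11.0.2" 2019-01-15   ->   11.0.2
# "java -version" writes to stderr, hence the redirect.
installed_java_version() {
    java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Unpack the release zip into $2 and print the resulting ghidra_* directory.
# Fails early with a clear message if the JDK prerequisite is not met
# (javac is checked because Ghidra wants a JDK, not just a JRE).
install_ghidra() {
    zip="$1"
    dest="${2:-$HOME/tools}"
    ver=$(installed_java_version)
    if ! java_version_ok "$ver" 11 || ! command -v javac >/dev/null 2>&1; then
        echo "Ghidra needs a 64-bit JDK 11+ on PATH (found: '${ver:-none}')" >&2
        return 1
    fi
    mkdir -p "$dest"
    unzip -q "$zip" -d "$dest"
    ghidra_dir=$(find "$dest" -maxdepth 1 -type d -name 'ghidra_*' | sort | tail -n 1)
    printf '%s\n' "$ghidra_dir"   # start the GUI later with "$ghidra_dir/ghidraRun"
}

# Command line for the headless analyzer, one argument per line so it can be
# inspected. "analyzeHeadless <project_dir> <project_name> -import <file>" is
# the scripted equivalent of "new project, import file, auto-analyze" in the GUI.
headless_cmd() {
    printf '%s\n' "$1/support/analyzeHeadless" "$2" "$3" -import "$4"
}

# Create the project directory and run the analysis. Afterwards the project
# (<project_dir>/<project_name>.gpr) can be opened in the GUI with ghidraRun.
analyze_headless() {
    ghidra_dir="$1"; project_dir="$2"; project_name="$3"; binary="$4"
    mkdir -p "$project_dir"
    "$ghidra_dir/support/analyzeHeadless" "$project_dir" "$project_name" -import "$binary"
}

# Usage (nothing runs when the file is only sourced or invoked without arguments):
#   sh ghidra-setup.sh install <downloaded-ghidra-zip> ~/tools
#   sh ghidra-setup.sh analyze ~/tools/ghidra_9.0_PUBLIC ~/ghidra-projects notepad ./npp.exe
case "${1:-}" in
    install) install_ghidra "$2" "$3" ;;
    analyze) analyze_headless "$2" "$3" "$4" "$5" ;;
esac
```

The JDK check is the part that most often goes wrong on a fresh machine: a system with only a Java 8 runtime on PATH will unpack the zip fine and then fail when ghidraRun starts, so the script refuses to install in that case. Once the headless run has finished, the project it created is a normal Ghidra project and can be opened in the GUI to browse the analysis results.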
Screenshot: Ghidra - Test

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. In my Bachelor's and Master's studies I specialised in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As an expert in penetration testing I find vulnerabilities in systems and networks and use them to simulate realistic cyberattacks and improve security measures. Through reverse engineering I discover bugs and opportunities for improvement in software and hardware. My skills in hardware and web security enable me to protect physical devices and online platforms from a wide range of cyber threats and to ensure their integrity and reliability.