Ghidra Published by the NSA – What is this tool capable of?

M.Sc. Chris Wojzechowski


Ghidra is an open source tool that helps security researchers understand how programs work. It was presented and released today at the RSA Conference in San Francisco.

Ghidra is a reverse engineering tool

But what does reverse engineering actually mean? When software is developed, what the program should do is written in a programming language that humans can read (e.g., Java or Python). This so-called source code is then converted by a translator, the compiler, into machine code, that is, instructions the computer can execute.
Reverse engineering is the attempt to reverse this step in order to see how a program works and what it does at runtime. Software vendors try to protect themselves against it, but reverse engineering is an important tool in IT security.

Why are there tools like Ghidra?

Reverse engineering is an important step for security. With its help, for example, weaknesses in password safes are found and can then be closed. Another use case for the tool is the analysis of malware: malware is often reverse engineered to understand how it works. If a computer has been encrypted after a ransomware attack, it can sometimes be decrypted with a "master key" or a decryption program, and this is mostly the result of reverse engineering. The blog post by Digital Media Women describes the work of a malware reverse engineer at G DATA Advanced Analytics in Bochum.

Why is Ghidra so exciting?

The public really became aware of Ghidra in 2017, in the course of the Vault 7 releases by WikiLeaks. Ghidra has a graphical interface and has been developed by the NSA since the early 2000s. What makes it exciting is that there has been little movement in the reverse engineering market so far: almost all tools come with enormous financial costs, which means a high barrier to entry. Ghidra makes it much easier for interested people, students and teachers to learn reverse engineering.

Installation and first impression

Nothing needs to be installed, except a current Java version. You download a zip file from the Ghidra website and unzip it to a location of your choice. After that you can use Ghidra right away. When starting the program you are asked for a project name. You assign one and can then, for example, import .exe files and analyze them. The following screenshot shows Ghidra during the automatic analysis of the file npp.exe (Notepad++). We will look more closely at analyzing files in the upcoming blog posts.
[Screenshot: Ghidra - Test]
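The steps above as a POSIX shell script, added here as an example that is not from the original post: it checks the Java version on the PATH, unpacks a downloaded Ghidra archive into a directory of your choice, and then either starts the graphical interface via the ghidraRun script that ships with Ghidra or runs the same import-and-analyze step without the GUI through Ghidra's support/analyzeHeadless script. The archive name, the install directory, the project name and the minimum Java major version (11) are assumptions; the post itself only says that a current Java is needed.

```shell
#!/bin/sh
# Added example (not from the original post): install Ghidra from a downloaded
# zip and run a first analysis. Assumptions: JDK 11 is taken as the minimum;
# archive name, install directory and project name are placeholders.

MIN_JAVA=11                       # assumed minimum Java major version

# Extract the major version from a "java -version" string.
# Pre-9 releases report "1.8.0_201" (major = 8); newer ones "11.0.2" or "17".
java_major_version() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 | cut -d_ -f1 ;;
  esac
}

# Return 0 if the given version string satisfies MIN_JAVA, 1 otherwise.
java_ok() {
  major=$(java_major_version "$1")
  [ "$major" -ge "$MIN_JAVA" ]
}

# Read the version of the java binary on PATH (java prints it on stderr, e.g.
# 'openjdk version "11.0.2" 2019-01-15'); prints nothing if java is missing.
installed_java_version() {
  java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Fail early with a clear message instead of letting Ghidra fail at startup.
require_java() {
  ver=$(installed_java_version)
  if [ -z "$ver" ]; then
    echo "java not found on PATH" >&2; return 1
  fi
  if ! java_ok "$ver"; then
    echo "Java $ver found, but $MIN_JAVA or newer is needed" >&2; return 1
  fi
}

# Unzip the downloaded archive into dest and print the unpacked ghidra_* directory.
install_ghidra() {
  archive="$1"; dest="$2"
  mkdir -p "$dest"
  unzip -q "$archive" -d "$dest"
  # The archive unpacks into a single top-level directory named ghidra_<version>.
  for d in "$dest"/ghidra_*/; do printf '%s\n' "${d%/}"; break; done
}

# Start the graphical interface; Ghidra then asks for a project name.
launch_gui() {
  "$1/ghidraRun"
}

# The same import + automatic analysis the GUI performs, scripted through the
# analyzeHeadless script: project location, project name, then the binary.
headless_analyze() {
  ghidra_dir="$1"; proj_dir="$2"; proj_name="$3"; binary="$4"
  "$ghidra_dir/support/analyzeHeadless" "$proj_dir" "$proj_name" -import "$binary"
}

# Usage: sh ghidra-setup.sh ghidra_PLACEHOLDER.zip ~/tools [npp.exe]
ghidra_setup() {
  require_java || return 1
  dir=$(install_ghidra "$1" "$2")
  if [ -n "${3:-}" ]; then
    headless_analyze "$dir" "$2/projects" FirstProject "$3"
  else
    launch_gui "$dir"
  fi
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then ghidra_setup "$@"; fi
```

With a binary as the third argument the script imports and analyzes it without opening a window, which is the form you want when many samples have to be processed; without it, the GUI opens and you proceed exactly as described in the post.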

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV), and I hold the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.