NSA Ghidra software reverse engineering framework

214 points by thund, about 2 years ago

16 comments

motohagiography, about 2 years ago

There's a discouragement that comes in the RE community that to be useful at all you need to be able to write your own exotic packer decoders, but I use Ghidra about once a month for really basic security incident response to pull apart "driver" installer packages to see where they are phoning home to, evaluating enterprise vendor-ware packages looking for hard coded credentials and snoopy telemetry, sometimes I can pull down the second stage of a phishing attempt against one of our users and RE it just to see what the level of sophistication the attackers having a go at us are at, and I've used the cantor dust plugin to quickly find sections of compressed and encrypted data in firmware images.

There is no chance I will ever publish original RE research, but it's a handy go-to tool, along with CyberChef, binwalk, and some other breadth-first static analysis tools for hunting specific IoCs. I could probably teach a solid generalist who cared to get to the level of being able to disassemble something and say, "yeah, this is dodgy" or not in an afternoon.

As an exercise, next time you get a cheap peripheral like a headset or another USB device, pop the driver installer package into Ghidra and click through the call graph just to see what else it does. You may be surprised.
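The comment above mentions using a visualizer to spot compressed or encrypted data in firmware images. The script below is an added example (not from the thread, and not the cantor dust plugin's own algorithm) of the plain sliding-window entropy sweep that underlies that kind of triage: it scores each window of a firmware dump in bits per byte and merges the high-scoring windows into candidate regions worth carving out for a closer look. The firmware image, the window size and the 7.0 bits/byte threshold are constructed assumptions for the demo.

```python
import math
import random
from collections import Counter

WINDOW = 1024  # bytes per window; larger windows give a steadier estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_entropy(image: bytes, window: int = WINDOW):
    """Yield (offset, entropy) for consecutive non-overlapping windows."""
    for off in range(0, len(image), window):
        yield off, shannon_entropy(image[off:off + window])


def find_high_entropy_regions(image: bytes, window: int = WINDOW,
                              threshold: float = 7.0):
    """Merge runs of windows scoring at or above `threshold` into
    (start, end) byte ranges.

    Compressed or encrypted payloads score close to 8.0; code, strings and
    padding score well below that, so the runs mark candidate blobs to
    carve out and inspect (binwalk, CyberChef, or by hand in Ghidra).
    """
    regions = []
    run = None
    for off, h in scan_entropy(image, window):
        if h < threshold:
            run = None          # a low-entropy window ends the current run
            continue
        end = min(off + window, len(image))
        if run is None:
            run = [off, end]
            regions.append(run)
        else:
            run[1] = end        # extend the open run to cover this window
    return [tuple(r) for r in regions]


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware dump (not a real image):
    boot strings, zero padding, a seeded pseudo-random blob standing in
    for an encrypted section, more padding, more strings."""
    rng = random.Random(1234)  # fixed seed so the layout is reproducible
    text = b"U-Boot (constructed sample) loading kernel from NAND...\n"
    strings = (text * (2048 // len(text) + 1))[:2048]
    padding = b"\x00" * 1024
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return strings + padding + blob + padding + strings


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for off, h in scan_entropy(SAMPLE_IMAGE):
        print(f"0x{off:06x}  {h:5.2f} bits/byte")
    print("high-entropy regions:", find_high_entropy_regions(SAMPLE_IMAGE))
```

Run it against a real dump by replacing `SAMPLE_IMAGE` with the file's bytes; the reported ranges are only a starting point, since a high score can also mean a legitimately compressed filesystem or a random-looking lookup table, which is where the manual inspection in Ghidra takes over.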
biggieshellz, about 2 years ago

The breadth of that tool is just incredible. I'm about to submit my first PR to them to fix a couple of bugs in their PEF parser (classic Mac OS PowerPC executables), but it's absolutely bonkers that they have that support to begin with, and that it all works as well as it does. I'm very pleased to see my tax dollars going to something like that.
DethNinja, about 2 years ago

Ghidra is genuinely awesome software, you don't need to be a reverse engineering expert to use it.

And with LLMs like GPT it will be able to do insane stuff like automatically analysing very complex malware.

On the other hand I'm sure malware will evolve too, with LLMs you can actually directly edit the binary and add hooks to them. Cost of building firmware malware for NICs and UEFI will lower to zero dollars.

Anyway I'm getting off topic but this was something I really wanted to mention somewhere, it is likely there will be a massive amount of complex malware coming via LLMs that will potentially impact the entire economy.
atribecalledqst, about 2 years ago

I've been working on a hobbyist project to analyze a ROM for an architecture that wasn't covered by Ghidra, and let me just say, I had a hellish time trying to work with Sleigh, the language you use to define new architectures for Ghidra to analyze. There just isn't a ton of great info out there about it, outside of the Sleigh documentation itself. I was able to find a few guides online but none were quite at the level of detail I was looking for.

I ended up getting lucky and finding somebody else's project for the same CPU, that I was able to build on to make something that worked. And by doing that I was eventually able to figure out why I couldn't even get off the ground.
Dwedit, about 2 years ago

For me, the one spot where Ghidra is lacking is support for vtables (or COM objects). You can't simply feed it a C++ header file that defines the COM object.
tomas789, about 2 years ago

Ghidra is reasonably simple to pick up at the entry level. I use it just for fun to make a keygen for commercial software from time to time. Just to flex the muscle.

My takeaways are:
1/ You can do RE without knowledge of assembler (which I know nothing about)
2/ The C decompiler is useful and you will need to learn some patterns of how things get disassembled
3/ There are many good videos on YouTube on how to get started
4/ There is a debugger to see what the program actually does but I never managed to get it running. That would be an awesome feature to use.
steponlego, about 2 years ago

One cool thing is the infinity dragon logo, it's a recurring motif with other NSA projects.
amrb, about 2 years ago

I'm loving this for syncing between RE tools, though it would be great if we had help on the supported Ghidra features!

https://github.com/binsync/binsync
thund, about 2 years ago

The best part of the readme: security warnings.
ezconnect, about 2 years ago

Is Ghidra a trojan horse?
daveofdaves, about 2 years ago

Somehow this thing downloaded itself so there's that
daveofdaves, about 2 years ago

Somehow this thing downloaded itself and that's enough
elif, about 2 years ago

Has anyone RE'd Ghidra using another decompiler to determine whether it hides NSA backdoors etc?
amrb, about 2 years ago

FYI there was free OpenAI credit given out, so I decided to try out Ghidra with the G-3P0 plugin; IMO it has been fun looking around binaries with basic C experience.
abudabi123, about 2 years ago

Maybe a better UIX in the readme says, 1) buy an NVIDIA Jetson ODIN 64GB Mini 2) press the buy and play button in the App Store 3) you are running in an AAA Studio IDE
Grothendank, about 2 years ago

Is Ghidra safe to use if you consider the NSA an adversary?

Every person I've asked this question has had their noses so far up the NSA's pooper that they could not imagine considering the NSA an adversary.

But suppose you were running a malware honeypot operation for the CCP. Would you still use Ghidra? Why or why not?

And please don't pass the buck and say, "I probably wouldn't be allowed to use Ghidra" or "I'd probably use whatever my CCP handler told me to use" or "I wouldn't be working for the CCP in the first place." That does not inform me about the security risks of using Ghidra with the NSA as an adversary.