Ghidra - An Open Source Reverse Engineering Tool

How the NSA open-sourced all software in 2019


Playlists: 'froscon2019' videos starting here / audio / related events

The NSA released a tool called Ghidra both for free usage as well as in source code format. It is a software reverse engineering framework with advance capabilities like a powerful decompiler. This lecture will give a short introduction into Ghidra and cover examples of both benign executables as well as malware with a focus on the Windows operating system.

Reverse engineering - more specifically software reverse engineering - is the process of deconstructing computer programs with the purpose of understanding their feature set. This especially includes software that is not available as source code but only as binary executables. These files can be analyzed by executing them, which is often referred to as "dynamic analysis" or by translating them into another language, like assembly, which the reverse engineer then tries to reason about. The second approach is often referred to as "static analysis".

While it is - in principle - possible for a human to fully understand and statically analyze a binary by reading raw assembly, this approach does not scale well: The x86 assembly language for example - which is used in most desktop computers and servers - is made up of thousands of different instructions. Each of these instructions only performs a very small task, like adding two integers. One can imagine that a binary - even as mundane as a tool to list the current directory content - is made up of a large number of these instructions. In practice, the reverse engineering therefore heavily relies on tooling.

The Vault 7 leak by WikiLeaks in 2017 suggested that the NSA owns or develops a reverse engineering tool called "Ghidra". Two years later, at the RSAConference in 2019, the NSA released the tool to the public, first as ready-to use software, then even all its source code. For the reverse engineering community, this is a huge thing: All tools available until that point in time where either very expensive or lack advanced capabilities.

While this lecture will only cover executables for the Microsoft Windows operating system, Ghidra also supports a very wide variety of platforms reaching from ARM - used in many IoT devices - over DEX - for Android-based devices to more exotic architectures as PowerPC, MIPS or SPARC. This versatility is a huge pro for Ghidra when compared to its main competing software product like the Hex-Rays decompiler.

A lot of people think, that reverse engineering is a dark art only a few selected individuals are chosen to be gifted in. I honestly think that it is just another skill and would even go as far as saying that maintaining a legacy software product without good documentation - which is a common scenario in the software development industry - is much harder than understanding how WannaCry worked.