Table of contents : Cover Title Page Copyright and Credits Dedicated About Packt Contributors Table of Contents Preface Section 1: Introduction to Ghidra Chapter 1: Getting Started with Ghidra Technical requirements WikiLeaks Vault 7 NSA release Ghidra versus IDA and many other competitors Ghidra overview Installing Ghidra Overview of Ghidra's features Summary Questions Chapter 2: Automating RE Tasks with Ghidra Scripts Technical requirements Using and adapting existing scripts The script class Script development Summary Questions Chapter 3: Ghidra Debug Mode Technical requirements Setting up the Ghidra development environment Overviewing the software requirements Installing the Java JDK Installing the Eclipse IDE Installing PyDev Installing GhidraDev Debugging the Ghidra code and Ghidra scripts Debugging Ghidra scripts from Eclipse Debugging any Ghidra component from Eclipse Ghidra RCE vulnerability Explaining the Ghidra RCE vulnerability Exploiting the Ghidra RCE vulnerability Fixing the Ghidra RCE vulnerability Looking for vulnerable computers Summary Questions Further reading Chapter 4: Using Ghidra Extensions Technical requirements Installing existing Ghidra extensions Analyzing the code of the Sample Table Provider plugin Understanding the Ghidra extension skeleton Analyzers Filesystems Plugins Exporters Loaders Developing a Ghidra extension Summary Questions Further reading Section 2: Reverse Engineering Chapter 5: Reversing Malware Using Ghidra Technical requirements Setting up the environment Looking for malware indicators Looking for strings Intelligence information and external sources Checking import functions Dissecting interesting malware sample parts The entry point function Analyzing the 0x00453340 function Analyzing the 0x00453C10 function Analyzing the 0x0046EA60 function Analyzing the 0x0046BEB0 function Analyzing the 0x0046E3A0 function Analyzing the 0x004559B0 function Analyzing the 0x004554E0 function Analyzing the 0x0046C860 function Analyzing the 0x0046A100 function Summary Questions Further reading Chapter 6: Scripting Malware Analysis Technical requirements Using the Ghidra scripting API Writing scripts using the Java programming language Writing scripts using the Python programming language Deobfuscating malware samples using scripts The delta offset Translating API hashes to addresses Deobfuscating the hash table using Ghidra scripting Improving the scripting results Summary Questions Further reading Chapter 7: Using Ghidra Headless Analyzer Technical requirements Why use headless mode? Creating and populating projects Performing analysis on imported or existing binaries Running non-GUI scripts in a project Summary Questions Further reading Chapter 8: Auditing Program Binaries Technical requirements Understanding memory corruption vulnerabilities Understanding the stack Stack-based buffer overflow Understanding the heap Heap-based buffer overflow Format strings Finding vulnerabilities using Ghidra Exploiting a simple stack-based buffer overflow Summary Questions Further reading Chapter 9: Scripting Binary Audits Technical requirements Looking for vulnerable functions Retrieving unsafe C/C++ functions from the symbols table Decompiling the program using scripting Looking for sscanf callers Enumerating caller functions Analyzing the caller function using PCode PCode versus assembly language Retrieving PCode and analyzing it Using the same PCode-based script in multiple architectures Summary Questions Further reading Section 3: Extending Ghidra Chapter 10: Developing Ghidra Plugins Technical requirements Overview of existing plugins Plugins included with the Ghidra distribution Third-party plugins The Ghidra plugin skeleton The plugin documentation Writing the plugin code The provider for a plugin Developing a Ghidra plugin Documenting the plugin Implementing the plugin class Implementing the provider Summary Questions Further reading Chapter 11: Incorporating New Binary Formats Technical requirements Understanding the difference between raw binaries and formatted binaries Understanding raw binaries Understanding formatted binaries Developing a Ghidra loader The old-style DOS executable (MZ) parser The old-style DOS executable (MZ) loader Understanding filesystem loaders FileSystem Resource Locator Summary Questions Further reading Chapter 12: Analyzing Processor Modules Technical requirements Understanding the existing Ghidra processor modules Overviewing the Ghidra processor module skeleton Setting up the processor module development environment Creating a processor module skeleton Developing Ghidra processors Documenting processors Identifying functions and code using patterns Specifying the language and its variants Summary Questions Further reading Chapter 13: Contributing to the Ghidra Community Technical requirements Overviewing the Ghidra project The Ghidra community Exploring contributions Understanding legal aspects Submitting a bug report Suggesting new features Submitting questions Submitting a pull request to the Ghidra project Summary Questions Further reading Chapter 14: Extending Ghidra for Advanced Reverse Engineering Technical requirements Learning the basics of advanced reverse engineering Learning about symbolic execution Learning about SMT solvers Learning about concolic execution Using Ghidra for advanced reverse engineering Adding symbolic execution capabilities to Ghidra with AngryGhidra Converting from PCode into LLVM with pcode-to-llvm Summary Questions Further reading Assessments Other Books You May Enjoy Index