What is Ghidra and How to Use it to Reverse Engineer Malware

What is Ghidra

Ghidra, a reverse engineering tool developed by the NSA, is a disassembly tool that differs from debuggers like x64dbg. Ghidra allows malware analysts to inspect malware code without executing it, making it safer and more efficient for identifying functions of interest. Unlike debuggers that run the code, Ghidra maps out assembly code, enabling analysts to analyze without affecting the analysis device. For malware analysis, using Ghidra in a sandbox is crucial to prevent damage to the host operating system.

How to Install Ghidra

Below are the key steps to Install Ghidra on Windows:

1. Navigate to official Ghidra website
2. Select ‘Download from Github’
3. Download the zip file and extract contents
4. Double-click ‘ghidraRun’ Windows batch file

Creating a Project:

1. Select ‘File’ > ‘New Project’
2. Choose ‘Non-Shared Project’
3. Give the project a name
4. Finish

Importing a File:

1. Drag malware sample into the project
2. Click ‘OK’
3. Select ‘OK’ after file is imported

Analyzing the File:

1. Double-click malware name or dragon logo icon
2. Select ‘Yes’ to analyze the file
3. Choose ‘WindowsPE x86 Propagate External Parameters’ analysis option
4. Select ‘Analyze’

Reverse Engineering Using Ghidra

After importing and analyzing a malware sample in Ghidra, you will be presented with various windows.

Main Ghidra Windows

In the top left corner of the main Ghidra interface, the “Program Trees” section displays the malware’s structure. The “Symbol Tree” section lists the malware’s imports, exports, and functions.

The “Imports” tab reveals which libraries and functions are imported, while the “Exports” tab shows exported functionality. The “Symbol Tree” section includes imported functions and functions written by the malware author (named by Ghidra or using a generic “FUN_” convention).

The “entry” function represents the malware’s starting point. Clicking on this updates the “Listing” window with assembly instructions, providing insights into the malware’s actions. The “Decompile” window attempts to convert assembly code into C code, aiding in malware analysis.

Function Graph

Selecting the “Display Function Graph” icon in Ghidra’s toolbar displays a graphical representation of the current function’s flow. This graph provides a visual overview of the function’s decisions and execution paths based on different conditions. By zooming in, analysts can identify specific actions performed by the malware.

Searching Strings

Ghidra can assist in identifying executable strings within unpacked malware, which may contain clues about its behavior. To view these strings, navigate to “Windows” > “Defined Strings” in the toolbar. Double-clicking a string will take you to its location within the binary, providing context for further analysis. Similarly, double-clicking a string like “install.bat” will update the “Listing” view to show its location. XREF values indicate cross-referenced strings and their associated function names. Double-clicking function names will navigate directly to their location in the “Listing” view. To improve readability, right-click on function names like “FUN_00040560d” and select “Edit Function” > “Function Name” to rename them. This change will be reflected throughout the Ghidra project, including the “Symbol Tree” for easy reference.

Conclusion

Ghidra is a robust malware analysis tool that requires a strategic approach for optimal use. Instead of scrutinizing every line of code, it is better to concentrate on specific functionalities that can shed light on the malware’s behavior. By examining imported functions, particularly those associated with internet connectivity or data encryption, analysts can trace their usage patterns to discern the malware’s objectives. Similarly, identifying and investigating interesting strings within the malware’s code can reveal how it handles sensitive data. This enables analysts to focus on the most relevant information, allowing for a more efficient and focused investigation.