Ghidra An Open Source Reverse Engineering Tool
Lars A. Wallenborn FrOSCon 2019, 10th August
How the NSA open-sourced all software in 2019 Intro Since 2004 IT Freelancer 2013 Diploma in Mathematics @ Uni Bonn 2014 - 2015 Software Developer in Bonn Since 2015: Security Researcher at CrowdStrike
whoami
Lars A. Wallenborn [email protected] @larsborn
1 whoami
Lars A. Wallenborn [email protected] @larsborn
Since 2004 IT Freelancer 2013 Diploma in Mathematics @ Uni Bonn 2014 - 2015 Software Developer in Bonn Since 2015: Security Researcher at CrowdStrike
1 Overview
1. What is Reverse Engineering? 2. Why should I do it? 3. How do I do it?
2 What is Reverse Engineering • very general term: process of ”reversing” the production process of an artificial object • with the aim to reveal its designs, architecture, or – generally – to extract knowledge
This Presenation We will focus on a very specific kind of Reverse Engineering:
Binary Software Reverse Engineering
What is Reverse Engineering
• RE or reversing for short
3 process of ”reversing” the production process of an artificial object • with the aim to reveal its designs, architecture, or – generally – to extract knowledge
This Presenation We will focus on a very specific kind of Reverse Engineering:
Binary Software Reverse Engineering
What is Reverse Engineering
• RE or reversing for short • very general term:
3 • with the aim to reveal its designs, architecture, or – generally – to extract knowledge
This Presenation We will focus on a very specific kind of Reverse Engineering:
Binary Software Reverse Engineering
What is Reverse Engineering
• RE or reversing for short • very general term: process of ”reversing” the production process of an artificial object
3 This Presenation We will focus on a very specific kind of Reverse Engineering:
Binary Software Reverse Engineering
What is Reverse Engineering
• RE or reversing for short • very general term: process of ”reversing” the production process of an artificial object • with the aim to reveal its designs, architecture, or – generally – to extract knowledge
3 We will focus on a very specific kind of Reverse Engineering:
Binary Software Reverse Engineering
What is Reverse Engineering
• RE or reversing for short • very general term: process of ”reversing” the production process of an artificial object • with the aim to reveal its designs, architecture, or – generally – to extract knowledge
This Presenation
3 What is Reverse Engineering
• RE or reversing for short • very general term: process of ”reversing” the production process of an artificial object • with the aim to reveal its designs, architecture, or – generally – to extract knowledge
This Presenation We will focus on a very specific kind of Reverse Engineering:
Binary Software Reverse Engineering
3 Reverse Engineering
Binary Software Reverse Engineering
Compilation
source code binary / executable
4 Binary Software Reverse Engineering
Compilation
source code binary / executable
Reverse Engineering
4 Binary Software Reverse Engineering – More General
X
easy to read hard to read
Reverse Engineering
5 Why should I do it? : Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance
6 • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do?
6 : A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility
6 • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears.
6 : Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes
6 • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack.
6 : Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis
6 • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM.
6 : Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development
6 • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended?
6 : How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking
6 • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection?
6 : How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage
6 I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
6 But this is roughly sorted by how legal I think it is. In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer
6 In Germany. On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is.
6 On a sunny day.
Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany.
6 Motivation
• Quality Assurance: Does it do what it is supposed to do? • Interoperatibility: A wild undocumented binary blog appears. • Educational Purposes: Excuse to hack. • Malware Analysis: Understand The Bad GuysTM. • Exploit Development: Are there bugs? Can I exploit them to make it behave in a way it was not intended? • Cracking: How to circumvent copy right protection? • Economic Espionage: How does it work with the goal to reimplement it and then sell it.
I am not a lawyer But this is roughly sorted by how legal I think it is. In Germany. On a sunny day. 6 How do I do it? #include
int main() { printf("Hallo FrOSCon!");
return 0; }
Show me an Example!
7 Show me an Example!
#include
int main() { printf("Hallo FrOSCon!");
return 0; }
7 strip a.exe
Compile it!
Compile C program to a binary.
gcc main.c
8 Compile it!
Compile C program to a binary.
gcc main.c
strip a.exe
8 strings Based Reversing
Demo
9 • !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
10 ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode.
10 • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable.
10 ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon!
10 • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”.
10 ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure:
10 Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
10 Due to time constraints while reversing, you often have to find a balance between speed and confidence.
What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s?
10 What can we deduce already?
• !This program cannot be run in DOS mode. ⇒ It probably is a Windows executable. • Hallo FrOSCon! ⇒ suggests that this is a ”hello world program”. • Mingw-w64 runtime failure: ⇒ probably compiled with MinGW (Minimalist GNU for Windows).
Too many “probably”s and “suggests”s? Due to time constraints while reversing, you often have to find a balance between speed and confidence.
10 3.1 Static vs. Dynamic Reverse Engineering 3.2 Executable Formats 3.3 Assembly 3.4 Tools 3.5 How to get started with Ghidra?
Overview
1. What is Reverse Engineering? 2. Why should I do it? 3. How do I do it?
11 Overview
1. What is Reverse Engineering? 2. Why should I do it? 3. How do I do it? 3.1 Static vs. Dynamic Reverse Engineering 3.2 Executable Formats 3.3 Assembly 3.4 Tools 3.5 How to get started with Ghidra?
11 Static vs. Dynamic Reverse Engineering Definition: Dynamic Reversing Dynamic software reverse engineering is the analysis of computer software that is performed by executing programs on a real or virtual processor.
Definition: Static Reversing Static software reverse engineering is the analysis of computer software that is performed without actually executing the target program.
Static vs. Dynamic Reverse Engineering
12 Definition: Static Reversing Static software reverse engineering is the analysis of computer software that is performed without actually executing the target program.
Static vs. Dynamic Reverse Engineering
Definition: Dynamic Reversing Dynamic software reverse engineering is the analysis of computer software that is performed by executing programs on a real or virtual processor.
12 Static vs. Dynamic Reverse Engineering
Definition: Dynamic Reversing Dynamic software reverse engineering is the analysis of computer software that is performed by executing programs on a real or virtual processor.
Definition: Static Reversing Static software reverse engineering is the analysis of computer software that is performed without actually executing the target program.
12 Executable Formats . We will focus on Windows. • Windows uses the Portable Executable (PE) format. • RE techniques heavily depend on the used programming language. C, C++, Delphi, Go, .NET ... • Focus on ”native” PE files, i.e. files that are ”normal” Windows executables.
Executable Formats
• Depends on operating system
13 • Windows uses the Portable Executable (PE) format. • RE techniques heavily depend on the used programming language. C, C++, Delphi, Go, .NET ... • Focus on ”native” PE files, i.e. files that are ”normal” Windows executables.
Executable Formats
• Depends on operating system. We will focus on Windows.
13 • RE techniques heavily depend on the used programming language. C, C++, Delphi, Go, .NET ... • Focus on ”native” PE files, i.e. files that are ”normal” Windows executables.
Executable Formats
• Depends on operating system. We will focus on Windows. • Windows uses the Portable Executable (PE) format.
13 • Focus on ”native” PE files, i.e. files that are ”normal” Windows executables.
Executable Formats
• Depends on operating system. We will focus on Windows. • Windows uses the Portable Executable (PE) format. • RE techniques heavily depend on the used programming language. C, C++, Delphi, Go, .NET ...
13 Executable Formats
• Depends on operating system. We will focus on Windows. • Windows uses the Portable Executable (PE) format. • RE techniques heavily depend on the used programming language. C, C++, Delphi, Go, .NET ... • Focus on ”native” PE files, i.e. files that are ”normal” Windows executables.
13 • PE files contain so-called sections. • Named like .text, .data, .rdata or .bss. • When the program is executed, the so-called PE loader copies the content of these sections to different regions in memory. • Then, execution is handed over to the so-called entry point within the .text section.
PE files
14 • Named like .text, .data, .rdata or .bss. • When the program is executed, the so-called PE loader copies the content of these sections to different regions in memory. • Then, execution is handed over to the so-called entry point within the .text section.
PE files
• PE files contain so-called sections.
14 • When the program is executed, the so-called PE loader copies the content of these sections to different regions in memory. • Then, execution is handed over to the so-called entry point within the .text section.
PE files
• PE files contain so-called sections. • Named like .text, .data, .rdata or .bss.
14 • Then, execution is handed over to the so-called entry point within the .text section.
PE files
• PE files contain so-called sections. • Named like .text, .data, .rdata or .bss. • When the program is executed, the so-called PE loader copies the content of these sections to different regions in memory.
14 PE files
• PE files contain so-called sections. • Named like .text, .data, .rdata or .bss. • When the program is executed, the so-called PE loader copies the content of these sections to different regions in memory. • Then, execution is handed over to the so-called entry point within the .text section.
14 Assembly • Low-Level language executed by the CPU. • Only able to do very basic things. • Central concepts: Registers, Stack, Functions. • Often shown in disassembled state: Instead of 4881ec98000000
we see SUB RSP, 0x98
Assembly
15 • Only able to do very basic things. • Central concepts: Registers, Stack, Functions. • Often shown in disassembled state: Instead of 4881ec98000000
we see SUB RSP, 0x98
Assembly
• Low-Level language executed by the CPU.
15 • Central concepts: Registers, Stack, Functions. • Often shown in disassembled state: Instead of 4881ec98000000
we see SUB RSP, 0x98
Assembly
• Low-Level language executed by the CPU. • Only able to do very basic things.
15 • Often shown in disassembled state: Instead of 4881ec98000000
we see SUB RSP, 0x98
Assembly
• Low-Level language executed by the CPU. • Only able to do very basic things. • Central concepts: Registers, Stack, Functions.
15 : Instead of 4881ec98000000
we see SUB RSP, 0x98
Assembly
• Low-Level language executed by the CPU. • Only able to do very basic things. • Central concepts: Registers, Stack, Functions. • Often shown in disassembled state
15 we see SUB RSP, 0x98
Assembly
• Low-Level language executed by the CPU. • Only able to do very basic things. • Central concepts: Registers, Stack, Functions. • Often shown in disassembled state: Instead of 4881ec98000000
15 Assembly
• Low-Level language executed by the CPU. • Only able to do very basic things. • Central concepts: Registers, Stack, Functions. • Often shown in disassembled state: Instead of 4881ec98000000
we see SUB RSP, 0x98
15 Tools • IDA (Interactive Disassembler) + HexRays Decompiler • Binary Ninja • RetDec (retargetable decompiler) • Ghidra
Tools
16 (Interactive Disassembler) + HexRays Decompiler • Binary Ninja • RetDec (retargetable decompiler) • Ghidra
Tools
• IDA
16 + HexRays Decompiler • Binary Ninja • RetDec (retargetable decompiler) • Ghidra
Tools
• IDA (Interactive Disassembler)
16 • Binary Ninja • RetDec (retargetable decompiler) • Ghidra
Tools
• IDA (Interactive Disassembler) + HexRays Decompiler
16 • RetDec (retargetable decompiler) • Ghidra
Tools
• IDA (Interactive Disassembler) + HexRays Decompiler • Binary Ninja
16 (retargetable decompiler) • Ghidra
Tools
• IDA (Interactive Disassembler) + HexRays Decompiler • Binary Ninja • RetDec
16 • Ghidra
Tools
• IDA (Interactive Disassembler) + HexRays Decompiler • Binary Ninja • RetDec (retargetable decompiler)
16 Tools
• IDA (Interactive Disassembler) + HexRays Decompiler • Binary Ninja • RetDec (retargetable decompiler) • Ghidra
16 Ghidra • At the RSA security conference 2019, the NSA announced to release it as open source software. • Really did so in the following months. • JAVA-based GUI, backend written in C. • Capable of decompiling native PEs • (und many other formats)
What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017.
17 • Really did so in the following months. • JAVA-based GUI, backend written in C. • Capable of decompiling native PEs • (und many other formats)
What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017. • At the RSA security conference 2019, the NSA announced to release it as open source software.
17 • JAVA-based GUI, backend written in C. • Capable of decompiling native PEs • (und many other formats)
What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017. • At the RSA security conference 2019, the NSA announced to release it as open source software. • Really did so in the following months.
17 • Capable of decompiling native PEs • (und many other formats)
What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017. • At the RSA security conference 2019, the NSA announced to release it as open source software. • Really did so in the following months. • JAVA-based GUI, backend written in C.
17 decompiling native PEs • (und many other formats)
What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017. • At the RSA security conference 2019, the NSA announced to release it as open source software. • Really did so in the following months. • JAVA-based GUI, backend written in C. • Capable of
17 • (und many other formats)
What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017. • At the RSA security conference 2019, the NSA announced to release it as open source software. • Really did so in the following months. • JAVA-based GUI, backend written in C. • Capable of decompiling native PEs
17 What is Ghidra?
• Existence is publicly known since the Vault7 leaks in 2017. • At the RSA security conference 2019, the NSA announced to release it as open source software. • Really did so in the following months. • JAVA-based GUI, backend written in C. • Capable of decompiling native PEs • (und many other formats)
17 • Import executables and disassemble them • Decompile the assembly and display pseudo code (C-like) • Guess variable and function names when possible • Allow some basic refactoring similar to an integrated development environment (IDE)
What can Ghidra do?
18 • Decompile the assembly and display pseudo code (C-like) • Guess variable and function names when possible • Allow some basic refactoring similar to an integrated development environment (IDE)
What can Ghidra do?
• Import executables and disassemble them
18 • Guess variable and function names when possible • Allow some basic refactoring similar to an integrated development environment (IDE)
What can Ghidra do?
• Import executables and disassemble them • Decompile the assembly and display pseudo code (C-like)
18 • Allow some basic refactoring similar to an integrated development environment (IDE)
What can Ghidra do?
• Import executables and disassemble them • Decompile the assembly and display pseudo code (C-like) • Guess variable and function names when possible
18 What can Ghidra do?
• Import executables and disassemble them • Decompile the assembly and display pseudo code (C-like) • Guess variable and function names when possible • Allow some basic refactoring similar to an integrated development environment (IDE)
18 How do I use it?
Demo
19 Questions?
Thank You
Lars A. Wallenborn [email protected] @larsborn
Some advertisement: I will give Reverse Engineering classes soon. If you are interested, talk to me or sent me an email!
20 Thank You
Lars A. Wallenborn [email protected] @larsborn
Some advertisement: I will give Reverse Engineering classes soon. If you are interested, talk to me or sent me an email!
Questions?
20 Appendix: Static vs. Dynamic RE Comparison timeconsuming evasion techniques (arms race) resource intensive (humans) resource intensive (computers) not fool-prove not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static Analyis Dynamic Analyis
Static vs. Dynamic Comparison Comparison
21 timeconsuming evasion techniques (arms race) resource intensive (humans) resource intensive (computers) not fool-prove not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis
21 evasion techniques (arms race) resource intensive (humans) resource intensive (computers) not fool-prove not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming
21 evasion techniques (arms race) resource intensive (computers) not fool-prove not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming resource intensive (humans)
21 evasion techniques (arms race) resource intensive (computers) not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming resource intensive (humans) not fool-prove
21 resource intensive (computers) not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming evasion techniques (arms race) resource intensive (humans) not fool-prove
21 not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming evasion techniques (arms race) resource intensive (humans) resource intensive (computers) not fool-prove
21 Conclusion A combined approach is the best of course. We will focus on static analysis here.
Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming evasion techniques (arms race) resource intensive (humans) resource intensive (computers) not fool-prove not fool-prove
21 Static vs. Dynamic Comparison Comparison
Static Analyis Dynamic Analyis timeconsuming evasion techniques (arms race) resource intensive (humans) resource intensive (computers) not fool-prove not fool-prove
Conclusion A combined approach is the best of course. We will focus on static analysis here.
21 Appendix: Assembly • There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
22 • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU.
22 • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8.
22 • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data.
22 • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM).
22 MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example:
22 • Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
22 • Depending on how you count there are between 1000 and 4000 assembly instructions.
Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments.
22 Assembly: Registers
• There are around 16 registers in a 64-bit CPU. • Named like RAX, RBP or R8. • Each register can store 64 bit of data. • They are extremly fast (even compared to RAM). • Example: MOV RAX, 0x12 SUB RAX, 0x8 ADD RAX, 0x4
• Each instructions is made up of a mnemonic and (optionally) arguments. • Depending on how you count there are between 1000 and 4000 assembly instructions.
22 • There is a very special register: RIP. • It stores the address of the next assembly command that should be executed by the CPU. • Yes, the program lives in the same space as the data. • This is the cause of many problems we have with computers nowadays.
Assembly: Instruction Pointer
23 • It stores the address of the next assembly command that should be executed by the CPU. • Yes, the program lives in the same space as the data. • This is the cause of many problems we have with computers nowadays.
Assembly: Instruction Pointer
• There is a very special register: RIP.
23 • Yes, the program lives in the same space as the data. • This is the cause of many problems we have with computers nowadays.
Assembly: Instruction Pointer
• There is a very special register: RIP. • It stores the address of the next assembly command that should be executed by the CPU.
23 • This is the cause of many problems we have with computers nowadays.
Assembly: Instruction Pointer
• There is a very special register: RIP. • It stores the address of the next assembly command that should be executed by the CPU. • Yes, the program lives in the same space as the data.
23 Assembly: Instruction Pointer
• There is a very special register: RIP. • It stores the address of the next assembly command that should be executed by the CPU. • Yes, the program lives in the same space as the data. • This is the cause of many problems we have with computers nowadays.
23 Assembly: Instruction Pointer
• There is a very special register: RIP. • It stores the address of the next assembly command that should be executed by the CPU. • Yes, the program lives in the same space as the data. • This is the cause of many problems we have with computers nowadays.
23 • Central datastructure. • Resides in RAM. • Literally a stack. • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location. • Example:
PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
24 • Resides in RAM. • Literally a stack. • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location. • Example:
PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
• Central datastructure.
24 • Literally a stack. • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location. • Example:
PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
• Central datastructure. • Resides in RAM.
24 • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location. • Example:
PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
• Central datastructure. • Resides in RAM. • Literally a stack.
24 • Registers RSP and RBP store its location. • Example:
PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
• Central datastructure. • Resides in RAM. • Literally a stack. • PUSH and POP can be used to manipulate it.
24 • Example:
PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
• Central datastructure. • Resides in RAM. • Literally a stack. • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location.
24 PUSH RBX PUSH 0x98 POP RBX
Assembly: Stack
• Central datastructure. • Resides in RAM. • Literally a stack. • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location. • Example:
24 Assembly: Stack
• Central datastructure. • Resides in RAM. • Literally a stack. • PUSH and POP can be used to manipulate it. • Registers RSP and RBP store its location. • Example:
PUSH RBX PUSH 0x98 POP RBX
24 • Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
25 • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly.
25 • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics.
25 CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
25 • CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
25 • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack
25 • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument
25 • RET does the inverse. • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function
25 • This allow arbitrarily deeply nested calls.
Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse.
25 Assembly: Functions
• Often functions in C are compiled to functions in assembly. • CALL and RET are the responsible mnemonics. • Example:
CALL f5 15 00 00 CALL printf RET
• CALL pushes EIP to the stack • And then sets its value to the given argument • Effectively continuing execution in the function • RET does the inverse. • This allow arbitrarily deeply nested calls.
25