Security through explanation
This article is based on the public release of Ghidra 11.2. Documentation in code is great to have, although it is not as great a task to write it. When reverse engineering a binary with Ghidra, comments are your documentation. You might write down some notes for your future self, or for your colleagues or … Read more
This article is based on the public release of Ghidra 11.2. While scripts are generally used to automatically (and/or automagically) perform repeatable and mundane actions, that is not to say that their runtime cannot take a while. If the wrong script is started by accident, or if the chosen approach is too time consuming, the … Read more
This article is based on the public release of Ghidra 11.2. While Ghidra is an extensive framework and allows the inclusion of arbitrary logic to perform a given task, some tasks are better performed elsewhere. There can be a variety of reasons to outsource the execution of the code somewhere else: a proprietary service offers … Read more
This article is based on the public release of Ghidra 11.2. Ghidra provides an overview of strings within the graphical user interface, but there is no directly accessible API call within the FlatAPI to access it. However, it is possible to obtain them programmatically. The code in this blog comes from a script I wrote … Read more
This article is based on the public release of Ghidra 11.2. Ghidra’s project based nature allows one to include multiple files into a project. These files can be split into different folders within the project. When running Ghidra headless, one can ingest files (recursively) from a given folder. The ingested files and related folder structure … Read more
This article is based on the public release of Ghidra 11.0.1. Ghidra’s graphical user interface is intuitive to use, customisable, and allows one to easily analyse, compare, and contrast code. There is one thing its not made for: bulk actions. While bulk import of files is possible via drag-and-drop into an open Ghidra project, it … Read more
This article is based on the public release of Ghidra 11.0.1. Customising Ghidra to make it fit your workflow is a lot easier than one might assume! Ghidra scripts extend the framework to perform specific actions. The automation can be done for a variety of reasons: to avoid repetitive (manual) actions, to search for a … Read more
This article is based on the public release of Ghidra 11.0.1. The demand for a dark theme in tooling is overwhelming, and the National Security Agency has heard the community’s requests. Since Ghidra 10.3, released on the 11th of May 2023, themes are supported within the framework. This tip focuses on how to enable the … Read more
This article is based on the public release of Ghidra 11.0.1. In 2023, just before Christmas, the NSA released a new feature for Ghidra called BSim. This feature is best explained by stating the feature’s name in full: Behavior Similarity. The comparison of functions is useful for a variety of purposes, such as but not … Read more
This article is based on the public release of Ghidra 11.0.1. Described as the best thing since sliced bread by numerous people, this tip is worth its weight in gold, especially if you are using Ghidra on a laptop. When left-clicking on a register, value, or variable in the disassembly listing or decompiler, the background … Read more