Ghidra – ZIRCONIC

I’m still digging into Ghidra, building off of my last post which was meant to be a kind of “IDA to Ghidra Crossover” guide. For more Ghidra practice, I took a piece of ransomware that I analyzed before (using IDA) and worked on it with Ghidra. Whenever it makes sense I’ll do a side-by-side comparison. I’m using Ghidra 9.0 Public and Ida Free 7.0 (both running in a 64-bit VM).

Once I loaded the ransomware, one thing I noticed immediately is that Ghidra didn’t catch that there was a new function right after the entry/start function, but IDA did:

I’m not sure why this is. One thing I suppose you could do is look for function entry sequences (PUSH EBP; MOV EBP, ESP) and then manually create a function when you find one. In Ghidra, you’d just put the cursor in the spot where you want to create the function, and then hit F:

Press F to ~~Pay Respect~~ Create a Function

On the other hand, I remember there was a part of the code that IDA wasn’t as successful with. Ghidra did better on this part, at least recognizing that there’s a function there while IDA got a bit more confused:

As I was looking at the function at 4017B8, besides noticing that this was another function that IDA didn’t recognize, I noticed that Ghidra labels strings in a nice way where the label contains both a reference to the string itself and also the address. IDA will sometimes just give you a very generic name without including the address in the label. You can change the IDA options around strings so that it will not automatically generate a name (and set options like string prefix, etc.) but then you just get something like “asc_401414” which isn’t that meaningful either. I’m not sure how IDA generates the names, and the documentation is a bit vague: “If this option is set, IDA will give meaningful names to newly created string literals.”

Changing not very descriptive parameters like 0x40000000 to something like GENERIC_WRITE is easy in both programs. In IDA, it’s M to bring up the enumerations, and then you pick one from the list. In Ghidra, it’s E to “Set Equate” and then pretty much the same process — look up the value you want to apply there.

I decided to make a copy of the sample and changed one of the lines in the ransom note to be “TEST RANSOMWARE PLEASE IGNORE” so I could try out the “Determine Program Differences” window. Seems that you need to import the other file into the current project so you can compare differences between the two programs. There’s a lot of options here that you can use with this tool:

Since I just quickly edited it in a text editor it screwed something up because it inserted 0x0D0A in certain places, but even so I can still see how the differences get highlighted, as well as how you can quickly navigate between differences by right-clicking and selecting options from the pop-up menu:

Like in IDA, you can right click on a value in the program listing and change how it’s displayed:

Also, it’s nice to see that Unicode strings are picked up automatically in Ghidra, not just ASCII strings. It’s not that big of a deal to tell IDA to treat something as a Unicode string, but having Ghidra automatically do this is one of those little things that I appreciate because it’s something that I find tedious (maybe there’s a way to make this happen automatically in IDA that I just never learned).

A Mix of ASCII and Unicode Strings in Ghidra’s Program Listing

Finally, I like how Ghidra identifies thunk functions:

Going through a sample that I previously analyzed with IDA helped me get more accustomed to Ghidra because I have some idea of how it the final product should look already. The more I use Ghidra the more I like it. I’m still going to keep IDA around — for instance, I tried loading up a really old DOS game executable, and while Ghidra didn’t come up with anything meaningful in the program listing using automated analysis, IDA Free 7.0 at least came up with some results. Time permitting, I’ll try to look at samples in both programs for a while just to see how things differ.

BLUF: Ghidra is awesome and I’m looking forward to switching over entirely from other tools, and not having to sell my car (and the neighbor’s) to afford a license is quite convenient.

I finally got a chance to sit down and take a look at Ghidra. I’ll admit that my first couple of minutes with it wasn’t great, but I think that was because the software does so much that it can seem overwhelming. I thought about how I currently use IDA, and made some quick notes about how to do those things in Ghidra. After figuring out how to do the things I need to do, I started to REALLY like Ghidra. Here are my notes in no particular order. Next post I plan to write about reversing something with Ghidra, and maybe even do a side-by-side reversing comparison with IDA if I have the time.

UNDO!

Everything should have this.
CTRL-Z to undo and CTRL-Shift-Z to redo.
Be aware that this will undo more things than you might anticipate — for example, one time I did an automatic analysis of a full file, and undo actually undid all of the analysis done by the program and I was back to just a raw listing. This isn’t what I would expect to happen — I figured that it would only undo simple things like undo a label I just created. Not a problem, just interesting to see how it works.

Moving Back and Forward

Just Alt and the left or right arrows. Still getting used to not hitting Escape all the time.

Viewing Strings and other Subviews

In IDA, I’m used to pulling up stuff like the Strings subview with Shift-F12. Once you’re in the CodeBrowser, then place you’re going to want to look is in the Windows section of the menu bar. Besides the Strings window, you’ll also find stuff like Bytes (like the hexview in IDA) and the function graph, which is similar to the graph view in IDA.

Bookmarks

To add a bookmark, CTRL-D, and to view the list of bookmarks, CTRL-B. Sound familiar?

Comments

Add a comment with ; and from that dialog box, you can select the type of comment (e.g., repeatable).
Other comment types specify if you want the comment to come before the line, after the line, or even do a “plate comment”.

Labels (Naming a Location or a function)

Hit L to add a label to a location, say if you want to provide a name for a section of code within a function that represents different paths from a branching instruction.
This would also be how you rename functions. Put the cursor on the function name in the main window and hit L, then you can change the function name using the dialog box.

Function Editing

If you want to change more than just the name, put the cursor on the function name and hit F, which will let you modify the function name but also things like the calling convention, parameters, etc.

Searching for Specific Instructions

For instance, maybe you want to search for all instances of XOR so you can pick out where there might be some XOR encoding. I highlight the instruction, then from the menu bar select Search | For Matching Instructions | Exclude Operands (to find just XOR, not XOR EAX, EAX for instance).

Then from there you can select where you want to search (the entire program, or just a selection) and other options, and then you get a similar listing to what you might see in IDA.

Enumerations

Pretty easy — cursor on the value you want to look up, press E to bring up the enumerations dialog box. Haven’t done too much with this in Ghidra yet, but looks pretty similar to IDA in the sense that you need to have some idea of where to find what you’re looking for (for instance, I’ll probably still have to look up functions in MSDN to figure out what the possible enumerations are). Not sure how to add my own enumerations, though it looks like Ghidra has so much (and it’s so well organized) that perhaps this won’t be necessary.

Instruction Highlighting

Middle mouse button, and this seems to work like a toggle. You don’t seem to be able to select multiple instructions, but clicking with the middle button / mousewheel will highlight all the the instructions and will keep them highlighted even if you move the cursor elsewhere in the disassembly. I actually like this better than IDA, because in IDA when you would move the cursor somewhere else, you would either lose the highlighting entirely or you would have something else highlighted (like another instruction or location). This also seems to work on everything — opcodes, locations, operands, etc. I got this info from someone names Saruman9 on the repository. I had posted this as an enhancement and they had this to say:

“Clicking the middle mouse button will highlight all the other occurrences of instruction/operand/other. For changing the setting see Edit -> Tool options… -> Listing Fields -> Cursor Text Highlight -> Mouse Button To Activate.”

To wrap it up, these notes represent just a tiny amount of Ghidra’s full functionality (and, in fairness, a tiny slice of what IDA can do also). Let’s also not forget that I didn’t even get into the decompiler functionality of Ghidra in this post. I’m not trying to dump on IDA and I hope it’s not coming across that way, but I’m just really excited to have this great tool available to use without paying a ton of money, especially for architectures other than the usual x86/64.

I expect this is unnecessary if you are already reading this post, but you can find Ghidra here if you don’t have it already. You’ll also need OpenJDK 11.0 (though it might work with other versions, I have not tested it out).

Tag: Ghidra

BI_D Ransomware Redux (Now With 100% More Ghidra)

Ghidra, Fuck Yeah!