For decades, IDA Pro and its associated "Hex-Rays Decompiler" were the undisputed industry standard for reverse engineering. They commanded a price tag of over $3,000 per year. In March 2019, the National Security Agency (NSA) released Ghidra, their internal reverse engineering framework, for free as open-source software. This rocked the cybersecurity world. This guide takes you from opening your first binary to writing Python scripts for automated de-obfuscation.

The Killer Feature: The Decompiler

Most free tools (like `objdump` or `Radare2`) provide Disassembly (ASM). ASM is hard to read.
Ghidra provides Decompilation (Pseudo-C).
It analyzes control flow graphs and translates assembly instructions back into high-level logic (loops, if-statements, function calls). This lowers the barrier to entry significantly.

1. Setting Up Your Environment

Ghidra requires the Java Development Kit (JDK 17+).
Once installed, the workflow is project-based:

2. Navigating the Interface

The layout can be overwhelming. Focus on these three sync-locked windows:

```c
// BEFORE RENAMING (the Ghidra default)
void FUN_00401000(int param_1)
{
  int iVar1;

  iVar1 = *(int *)(param_1 + 4);
  if (iVar1 == 0x539) {
    FUN_00401050("Success");
  }
}

// ACTION:
// 1. Right-click 'param_1' -> Rename to 'user_struct'
// 2. Right-click '0x539' -> Convert -> Decimal (1337)

// AFTER RENAMING
void check_admin_code(int user_struct)
{
  int admin_id;

  admin_id = *(int *)(user_struct + 4);
  if (admin_id == 1337) {
    log_message("Success");
  }
}
```

3. Handling Malware & Obfuscation

Malware authors hate you. They use tricks to break tools like Ghidra.
XOR Encoding: Strings are rarely stored as plain text. They sit in the binary encoded (often with a single-byte XOR key) and are decoded only at runtime, so a plain string search finds nothing.
Stack Strings: Instead of `char *s = "hello"`, they build the string one byte at a time on the stack:
`mov [esp], 'h'; mov [esp+1], 'e'; ...`
Ghidra scripts can undo both tricks and write the recovered strings back into the listing.

4. Scripting with Python (Jython)

This is where you become a pro. You don't click 100 times; you write a script.
Ghidra exposes a flat API. Here is a script to automatically decode XOR strings:

```python
# Simple XOR decoder script (Ghidra Jython): decode `length` bytes at the
# cursor with a single-byte key and record the result as a plate comment.
from ghidra.program.model.listing import CodeUnit
from ghidra.program.model.mem import MemoryAccessException

start_addr = currentAddress   # address under the cursor in the Listing window
length = 16
key = 0xAA
mem = currentProgram.getMemory()

try:
    # Read the raw bytes (Java bytes are signed, hence the & 0xFF below)
    raw = mem.getBytes(start_addr, length)
    # Decode
    decoded = []
    for b in raw:
        decoded.append(chr((b & 0xFF) ^ key))
    result = "".join(decoded)
    print("Decoded String: " + result)
    # Add the plate comment to the code unit at the start address
    code_unit = currentProgram.getListing().getCodeUnitAt(start_addr)
    if code_unit is not None:
        code_unit.setComment(CodeUnit.PLATE_COMMENT, "Decoded: " + result)
    else:
        print("No code unit at " + str(start_addr))
except MemoryAccessException:
    print("Error reading memory at " + str(start_addr))
```
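The decoder above only works when the key is already known. As an added example (not code from the original guide), the following recovers the single-byte key itself by trying all 256 candidates and keeping the one that decodes to a plausible NUL-terminated C string; the Ghidra API calls are left out so it runs offline on a constructed sample, and the XOR-encoded sample blob and its key 0x5C are made up for this example.

```python
"""Single-byte XOR key recovery for strings pulled out of a binary.
Added example, not the guide's code: generalizes the known-key decoder by
scoring every key against what a C string looks like. Uses only bytearray,
so it runs under Python 3 here and under Ghidra's Jython 2.7 when fed the
array from currentProgram.getMemory().getBytes(addr, length).
"""

# Printable ASCII plus newline; tabs and other control bytes are rare in
# real string constants and mostly help wrong keys score.
PRINTABLE = set(range(0x20, 0x7F)) | {0x0A}


def xor_decode(data, key):
    """XOR every byte with one key byte; '& 0xFF' tolerates Jython's signed bytes."""
    return bytearray((b & 0xFF) ^ key for b in data)


def score_c_string(candidate):
    """0 unless the candidate is all-printable up to a NUL that lies inside
    the buffer; otherwise its length plus a bonus per letter, digit or space."""
    end = candidate.find(b"\x00")
    if end <= 0:
        return 0
    text = candidate[:end]
    if any(b not in PRINTABLE for b in text):
        return 0
    return len(text) + sum(1 for b in text if chr(b).isalnum() or b == 0x20)


def recover_xor_key(data):
    """Return (key, decoded_str) for the best-scoring single-byte key, or
    (None, None) if no key yields a plausible string. Key 0 means 'not encoded'."""
    best_key, best_text, best_score = None, None, 0
    for key in range(256):
        candidate = xor_decode(data, key)
        score = score_c_string(candidate)
        if score > best_score:
            best_text = candidate[:candidate.find(b"\x00")].decode("ascii")
            best_key, best_score = key, score
    return best_key, best_text


# Constructed sample: a NUL-terminated string XOR-encoded with 0x5C and padded
# with encoded NULs, as a fixed-size buffer in .rdata would be.
SAMPLE_KEY = 0x5C
SAMPLE_BLOB = xor_decode(bytearray(b"Success: admin 1337\x00\x00\x00\x00\x00"), SAMPLE_KEY)

if __name__ == "__main__":
    print("key=0x%02X decoded=%s" % recover_xor_key(SAMPLE_BLOB))
```

Inside Ghidra you would replace `SAMPLE_BLOB` with the bytes read at `currentAddress` and write the returned string into a plate comment, as the script above does.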

5. Headless Analysis (Automation)

Imagine you have 10,000 malware samples. Opening them one by one is impossible.
Ghidra has a "Headless Mode": the same analysis engine run from the terminal, with no GUI. One command imports a binary, runs auto-analysis, executes a script against the result, and lets that script export what it finds (to JSON, for example).

```shell
# <project_location> <project_name> are separate arguments
./analyzeHeadless projects MalwareDB -import ransomware.exe -postScript MyScanner.py
```

This is standard practice in SOCs and antivirus companies.