There are numerous tools that are free and available to security professionals to help analyze malware. The Ghidra was first released a few years ago and has proven relatively popular due to being a free tool that can be used for malware analysis.
However, many people who are new to these types of tools often find it difficult to learn how to use Ghidra. That's why I'm here to show you how to use it.
In this article we'll look at what Ghidra is, how to install it, and some helpful tips to help you get started with this tool for malware analysis.
What is Ghidra?
Ghidra is onetool developed by the NSA and released in 2019. It is particularly popular with malware analysts as it is what is known as the . This allows a malware analyst to inspect the functionality of a malware sample without running it, and this is extremely useful as the analyst is able to examine the malware's code and map out the function it performs.
The difference between Ghidra and a tool like x64dbg is that x64dbg is one, meaning it will actually execute the malware as you go along and analyze the code. So if you find an interesting function in x64dbg, for example, that encrypts all files, it will run that function and encrypt all files on the machine you are using to analyze the malware.
Atool, such as Ghidra, does not run the code, but maps the code of the malware and allows the user to analyze the code without affecting the file system of the analyzer. This makes Ghidra an ideal tool for detecting and mapping features that may be of further interest to a malware analyst.
Disclaimer: Ghidra should only be used in a sandboxed environment, such as a virtual machine designed for malware analysis, do not attempt to analyze malware on your computer's operating system.
How to install Ghidra
To install Ghidra on Windows, go to the official Ghidra website as shown below:
Select '', this will take you to the Ghidra Github page where you can download the latest version of the software.
Download the zip file and unzip the contents to a location of your choice, after unzipping you should have the following files:
To run Ghidra, double-click on the Windows batch file named 'ghidraRun', the following error message may appear:
You can fix it by following the steps in guide below.
Once opened, the following windows will appear, the “” and the window “ ". The window " ” is pretty self-explanatory and can be closed.
To start using Ghidra and analyzing a sample, you must first create a project that is used to store the sample and the files that Ghidra produces.
To start, select 'File' and then 'New Project'.
Choose whether you want to share the project or not, in this example, I'll choose '' and I'll click ' '.
Next, give your project a name, which can be the name of the malware sample being analyzed, and click 'Finish'.
Now we have oneand we can drop the malware samples into the project for analysis.
We then see a file added to the project called 'remcos.exe', and Ghidra tells us that it has recognized the file as a Windows PE 32bit file.
Click ok and Ghidra will start importing the file.
Once the file is successfully imported into Ghidra, the following window will appear providing details about the imported file.
Select “OK” and then double-click the name of the imported malware or tap the dragon logo icon to open the code browser.
The following prompt will appear informing that Ghidra has not yet analyzed the file and asking if you want to analyze it now, select 'Yes'.
Then the following window will appear regarding the analysis options, from here select the option I have highlighted and it is called 'WindowsPE x86 Propagate External Parameters'. This helps when parsing an imported function, as the function parameters that will be pushed on the stack will be listed inside the tool.
Select 'Analyze', and Ghidra will start analyzing the file, the status bar in the lower right corner of Ghidra will display a status bar showing the progress of the analysis.
Once the process is complete, Ghidra is ready for you to startof the malware sample.
Reverse Engineering with Ghidra
When you open a malware in Ghidra that has been imported and analyzed by the tool, you will see a number of windows.
Ghidra main windows
In the upper left corner, there is a window containing the sections of the malware, this is the 'Program Trees' section. If you've used a tool like PeStudio before, then this should be familiar to you.
The unity "” is very useful as it contains the imports, exports and functions that the malware uses to perform its malicious activities.
By clicking on 'Imports' we can see which libraries have been imported by the malware, clicking on a DLL reveals the imported functions associated with that library.
From looking at the imports it is then possible to identify any interesting functions that the malware is using. This is great for a malware analyst as it means we can double click on those imports to see if they are being used by the malware and try to understand what activity it can perform on an exposed computer.
The same can be done with the tabto see which functions have been extracted by the malware, however, there are no exports in the malware sample in this file we are analyzing.
The 'Symbol Tree' contains all functions written by the malware developer. When Ghidra imports and then analyzes the malware, it will attempt to assign names to some of the functions based on the automated analysis it has performed.
In the image below one of the functions is called 'CreateToolhelp32Snapshot', this is the name of an imported function used to enumerate the processes running on a device, so Ghidra saw that this import is used in this function and named it accordingly.
We can also see some functions that have a conventionstarting with 'FUN_' followed by a series of numbers.
These are functions that are not defined by Ghidra and are therefore named 'FUN_', which is short for function, and then given a hexadecimal numeric value that represents the position of the function in the binary system.
There is also an entry for 'entry', this is the entry point of the malware, and by double-clicking on it, Ghidra's main 'Listing' window will update to show the assembly code to the entry point of the malware.
In the image above we see the assembly instructions and information pushed onto the stack and the various calls made to them. This information can give us an idea of what the malware is doing by focusing on any interesting API calls listed in Ghidra's 'Symbol Tree' window.
By clicking 'entry', the 'Decompile' window will now update and contain some data. This window shows where Ghidra tried to convert the assembly code in the 'Listing' window to C programming code. This allows the malware analyst to see what the malware developer's code might have looked like and help analyze the malware .
Another visualization that will help with malware analysis is the use of the function graph, which can be accessed by selecting the 'Display Function Graph' icon in the Ghidra toolbar.
This will launch a graphical representation of the function currently displayed in the 'Listing' window.
Zooming in on the graph allows the analyst to see more clearly the decisions the malware makes and the flow the malware follows depending on certain conditions.
In the image above I've marked where I've detected that the function calls 'GetStartupInfoA', so this tells me that this function retrieves the boot information of the compromised device.
Double-clicking on the name of any function called within the chart will take the user to that function and update the screen to show the newly selected function.
By clicking the 'Windows' option on the toolbar tab and selecting 'Defined Strings', Ghidra will list the strings within the executable.
This is useful as themalware often contains strings that may indicate what the malware does once it compromises a host. Once this option is selected, the following window will appear:
Here we can see that malware can create some, as the 'Software\\Microsoft\\Windows\CurrentVersion\Run' registry location where it is listed is a common mechanism for malware.
There is also a file listed as 'install.bat', this would now be a file I would be interested in recovering from the malware analysis. Double-clicking on any of these strings will take you to where they are in the binary, so the 'Listing', 'Decompile' and 'Function Graph' views can be used to further explore where these strings are and what does the malware with this data.
In the image below I have double clicked on 'install.bat', the 'Listing' window has been updated to show where this string is located within the binary.
In the image above we also see the string 'XREF' and then the function name. Ghidra tells the user that it has crossed the string 'install.bat' and lists the name of the function where the string is found.
Double-clicking on the function name will display that function in Ghidra's 'Listing' window and where the 'install.bat' string is located.
For the sake of the demo let's say that I have now analyzed this function and found that install.bat is created on disk and when executed creates an execution key that starts the malware every time the exposed host is booted.
Looking at the image above I will never remember the function called 'FUN_00040560d' so to help my analysis I will give it another name.
This can be done by right clicking on the function and selecting 'Edit Function'.
This will open the following window:
Using the field “', the function name can now be changed to something more memorable.
This is useful because the name of this function will now change throughout the project in Ghidra and is now visible in the “" in unit " "
Ghidra is a useful must-have tool for malware analysis. We hope this article has given you an overview of how the tool can be used to further investigate specific functions in a malware sample. Remember that when using a tool like Ghidra it can be very time consuming to start from the entry point and start analyzing each line of code.
Instead, use some of the features I've mentioned in this post, and examine the functionality of the malware. Many of the entries may be of interest, there are some that are used to connect to the internet or encrypt data. Examine where these imports are used in the malware and see if you can identify why the malware uses these functions. The same can be done with any strings. See where they are in the malware and see what the malware is doing with that data.