There are numerous free tools available to security professionals to help analyze malware. Ghidra was first released a few years ago and has proven popular, largely because it is a free tool that is well suited to malware analysis.
However, many people who are new to this kind of tool find Ghidra hard to learn. That's why I'm here to show you how to use it.
In this article we'll look at what Ghidra is, how to install it, and some helpful tips to get you started using it for malware analysis.
What is Ghidra?
Ghidra is a tool developed by the NSA and released in 2019. It is particularly popular with malware analysts because it is what is known as a static analysis tool. This lets an analyst inspect the functionality of a malware sample without running it, which is extremely useful: the analyst can examine the malware's code and map out the functions it performs.
The difference between Ghidra and a tool like x64dbg is that x64dbg is a dynamic analysis tool, meaning it actually executes the malware as you step through and analyze the code. So if you find an interesting function in x64dbg that, for example, encrypts all files, stepping through it will run that function and encrypt all files on the machine you are using to analyze the malware.
A static analysis tool such as Ghidra does not run the code; it maps the malware's code and lets the user analyze it without affecting the analyst's file system. This makes Ghidra an ideal tool for detecting and mapping features that may be of further interest to a malware analyst.
Disclaimer: Ghidra should only be used in a sandboxed environment, such as a virtual machine designed for malware analysis; do not attempt to analyze malware on your computer's own operating system.
How to install Ghidra
To install Ghidra on Windows, go to the official Ghidra website as shown below:
Select the download link; this takes you to the Ghidra GitHub page where you can download the latest version of the software.
Download the zip file and unzip the contents to a location of your choice. After unzipping you should have the following files:
To run Ghidra, double-click on the Windows batch file named 'ghidraRun'. The following error message may appear:
You can fix it by following the steps in the guide below.
Once opened, two windows appear: the main Ghidra window and a second window that is pretty self-explanatory and can be closed.
To start using Ghidra and analyzing a sample, you must first create a project, which is used to store the sample and the files that Ghidra produces.
To start, select 'File' and then 'New Project'.
Choose whether or not you want to share the project; in this example I'll choose not to share it and move on to the next step.
Next, give your project a name, which can be the name of the malware sample being analyzed, and click 'Finish'.
Now we have a project and can drop the malware samples into it for analysis.
We then see a file added to the project called 'remcos.exe', and Ghidra tells us that it has recognized the file as a 32-bit Windows PE file.
Click 'OK' and Ghidra will start importing the file.
Once the file is successfully imported into Ghidra, the following window appears with details about the imported file.
Select 'OK' and then double-click the name of the imported malware, or click the dragon logo icon, to open the code browser.
A prompt will appear informing you that Ghidra has not yet analyzed the file and asking whether you want to analyze it now; select 'Yes'.
Then the analysis options window appears. Here, select the option I have highlighted, 'WindowsPE x86 Propagate External Parameters'. This helps when examining a call to an imported function, since the parameters pushed onto the stack for that call will be listed in the tool.
Select 'Analyze' and Ghidra will start analyzing the file; the status bar in the lower right corner of Ghidra shows the progress of the analysis.
Once the process is complete, Ghidra is ready for you to start reverse engineering the malware sample.
Reverse Engineering with Ghidra
When you open a malware sample in Ghidra that has been imported and analyzed by the tool, you will see a number of windows.
Ghidra main windows
In the upper left corner there is a window containing the sections of the malware; this is the 'Program Trees' window. If you've used a tool like PeStudio before, this should be familiar to you.
The 'Symbol Tree' window is very useful as it contains the imports, exports and functions that the malware uses to perform its malicious activities.
By clicking on 'Imports' we can see which libraries the malware imports; clicking on a DLL reveals the imported functions associated with that library.
From the imports it is then possible to identify any interesting functions the malware is using. This is great for a malware analyst, as we can double-click on those imports to see where they are used by the malware and try to understand what activity it can perform on a compromised computer.
The same can be done with the 'Exports' entry to see which functions the malware exports; however, there are no exports in the sample we are analyzing here.
The 'Symbol Tree' also contains all the functions written by the malware developer. When Ghidra imports and then analyzes the malware, it attempts to assign names to some of the functions based on its automated analysis.
In the image below one of the functions is called 'CreateToolhelp32Snapshot'. This is the name of an imported function used to enumerate the processes running on a device; Ghidra saw that this import is used in the function and named it accordingly.
We can also see some functions that follow a naming convention starting with 'FUN_' followed by a series of hexadecimal digits.
These are functions that Ghidra could not name from its analysis, so they are called 'FUN_', short for function, followed by a hexadecimal value that is the address of the function within the binary.
There is also an entry called 'entry'; this is the entry point of the malware. Double-clicking on it updates Ghidra's main 'Listing' window to show the assembly code at the entry point.
In the image above we see the assembly instructions, the values pushed onto the stack and the calls made with them. This information can give us an idea of what the malware is doing, especially if we focus on any interesting API calls listed in Ghidra's 'Symbol Tree' window.
After clicking 'entry', the 'Decompile' window also updates and contains some data. This window shows Ghidra's attempt to convert the assembly code in the 'Listing' window into C code. This lets the malware analyst see what the malware developer's source code might have looked like and helps with analyzing the malware.
Function graph
Another visualization that will help with malware analysis is the use of the function graph, which can be accessed by selecting the 'Display Function Graph' icon in the Ghidra toolbar.
This will launch a graphical representation of the function currently displayed in the 'Listing' window.
Zooming in on the graph allows the analyst to see more clearly the decisions the malware makes and the flow the malware follows depending on certain conditions.
In the image above I've marked where I noticed that the function calls 'GetStartupInfoA', which tells me that this function retrieves startup information on the compromised device.
Double-clicking on the name of any function called within the graph takes you to that function and updates the view to show the newly selected function.
Search Strings
By selecting 'Windows' in the toolbar and then 'Defined Strings', Ghidra will list the strings within the executable.
This is useful because malware often contains strings that indicate what it does once it compromises a host. Once this option is selected, the following window appears:
Here we can see that the malware may set up persistence, as the 'Software\Microsoft\Windows\CurrentVersion\Run' registry location it lists is a common persistence mechanism for malware.
There is also a file listed as 'install.bat'; this is now a file I would be interested in recovering during the analysis. Double-clicking on any of these strings takes you to where they are in the binary, so the 'Listing', 'Decompile' and 'Function Graph' views can be used to explore further where these strings are used and what the malware does with this data.
In the image below I have double-clicked on 'install.bat', and the 'Listing' window has updated to show where this string is located within the binary.
In the image above we also see the annotation 'XREF[1]' followed by a function name. Ghidra is telling us that it has found a cross-reference to the string 'install.bat' and lists the name of the function in which the string is referenced.
Double-clicking on the function name displays that function in Ghidra's 'Listing' window, at the point where the 'install.bat' string is used.
For the sake of the demo, let's say I have now analyzed this function and found that install.bat is created on disk and, when executed, creates a Run key that starts the malware every time the compromised host boots.
Looking at the image above, I will never remember a function called 'FUN_00040560d', so to help my analysis I will give it another name.
This can be done by right-clicking on the function and selecting 'Edit Function'.
This will open the following window:
Using the name field, the function name can now be changed to something more memorable.
This is useful because the new name is now used throughout the Ghidra project and is visible in the 'Symbol Tree' window.
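Both the automatic naming of 'FUN_' functions after the imports they call and the XREF lookup for strings such as 'install.bat' can be scripted. The following Ghidra script, written in Java against Ghidra's scripting API, is an added example and not part of the original article: the class name TriageHelper and the INTERESTING and NEEDLES lists are example choices, and 'RegSetValueExA' and 'CreateProcessA' are real Windows APIs added alongside the two named in the text.

```java
import java.util.Arrays;
import java.util.List;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.SourceType;

// Example script (hypothetical name); run it from Ghidra's Script Manager on the analyzed program.
public class TriageHelper extends GhidraScript {
    // Imports worth a second look; two come from the article, the rest are example additions.
    private static final List<String> INTERESTING = Arrays.asList(
        "CreateToolhelp32Snapshot", "GetStartupInfoA", "RegSetValueExA", "CreateProcessA");
    // Substrings of the 'Defined Strings' hits discussed in the article.
    private static final List<String> NEEDLES = Arrays.asList("install.bat", "CurrentVersion\\Run");

    @Override
    public void run() throws Exception {
        // 1. Rename FUN_xxxxxxxx functions after the first interesting import they call,
        //    the way the analyzer named the function that used CreateToolhelp32Snapshot.
        for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
            if (f.isExternal() || !f.getName().startsWith("FUN_")) continue;
            for (Function callee : f.getCalledFunctions(monitor)) {
                // Imports are usually reached through thunks; resolve to the real external function.
                Function target = callee.isThunk() ? callee.getThunkedFunction(true) : callee;
                if (target == null || !INTERESTING.contains(target.getName())) continue;
                String newName = "uses_" + target.getName() + "_" + f.getEntryPoint();
                f.setName(newName, SourceType.USER_DEFINED); // the new name shows up in the Symbol Tree
                println(f.getEntryPoint() + " renamed to " + newName);
                break;
            }
        }
        // 2. For every defined string matching a needle, list its cross-references and the
        //    function containing each one, i.e. what the XREF[n] annotation shows in the Listing.
        for (Data d : currentProgram.getListing().getDefinedData(true)) {
            if (!d.hasStringValue()) continue;
            String s = String.valueOf(d.getValue());
            for (String needle : NEEDLES) {
                if (!s.contains(needle)) continue;
                for (Reference r : currentProgram.getReferenceManager().getReferencesTo(d.getAddress())) {
                    Address from = r.getFromAddress();
                    Function holder = currentProgram.getFunctionManager().getFunctionContaining(from);
                    println(String.format("\"%s\" at %s referenced from %s (%s)", s, d.getAddress(),
                        from, holder == null ? "no function" : holder.getName()));
                }
            }
        }
    }
}
```

Running the script a second time is harmless: renamed functions no longer start with 'FUN_' and are skipped.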
Conclusion
Ghidra is a must-have tool for malware analysis. We hope this article has given you an overview of how the tool can be used to further investigate specific functions in a malware sample. Remember that when using a tool like Ghidra it can be very time consuming to start from the entry point and analyze each line of code.
Instead, use some of the features I've mentioned in this post to examine the functionality of the malware. Many of the imports may be of interest; some are used to connect to the internet or encrypt data. Examine where these imports are used in the malware and see if you can identify why the malware uses these functions. The same can be done with any strings: see where they are in the malware and what the malware is doing with that data.
