Stephen Smith's Blog

Musings on Machine Learning…

Ghidra

Introduction

In my novel “Influence”, the lead character J@ck Tr@de searches for an easter egg in a server operating system. To do this he uses a disassembler, which turns machine code back into something a human can read. Normally you write a program in a programming language, and a compiler (another program) reads it and converts it into the bits and bytes the computer actually executes; a disassembler turns those bytes back into assembly language, and a decompiler goes one step further and reconstructs an approximation of the original source code. In my novel, the disassembler uses AI to do an especially good job. I don’t know of any disassembler that uses AI yet, but a really powerful new disassembler and decompiler has just been released by the NSA as open source. So I thought I’d spend a bit of time blogging on it; since it’s open source, perhaps someone will add some AI to it, so it is as powerful as the tool J@ck uses.

Most disassemblers either aren’t very good or are quite expensive. This just changed when the NSA released their internally developed tool Ghidra as open source at the RSA Conference on March 5, 2019. I don’t know where the word Ghidra comes from, but the icon for the program is a dragon. I downloaded it and gave it a run. It was easy to install, ran well and looks really powerful. Why did the NSA do this? Don’t they usually guard their internal tools with their lives? They claim it’s to help security researchers at universities and the like do a better job of discovering vulnerabilities in software, making us all safer as a result. I wonder if it’s the NSA trying to get some good publicity, since they are generally distrusted, and most Americans got upset when it was revealed that the NSA could access any photo on any cell phone, including dick-pics. This really upset a lot of people, probably the only good thing a dick-pic has ever done.

For anyone interested, my novel, Influence, is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

Installation

Ghidra is a Java program, so you need to have a 64-bit Java 11 JDK installed first. I’m doing this on Ubuntu and didn’t already have Java installed. The Java that apt-get installs by default is Java 10, so that didn’t work. Installing Java 11 took a bit of Googling, but the following commands worked:

sudo add-apt-repository ppa:linuxuprising/java
sudo apt-get update
sudo apt-get install oracle-java11-installer

This adds an additional repository and then installs Java 11 from it. Then download Ghidra, uncompress it somewhere and run the ghidraRun shell script in the top-level directory to start it.
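Two things worth checking before running that install recipe, as an added example that is not part of the original post. First, the commands above pull Oracle’s Java from a third-party PPA; Ubuntu’s own repositories carry OpenJDK 11 (the openjdk-11-jdk package), which Ghidra runs on just as well and which is signed by the distribution rather than by whoever maintains the PPA. Second, the Ghidra release archive is published with a SHA-256 hash; compare it before unzipping, since an unzipped-and-launched Ghidra is arbitrary Java code running as your user. The script below does both checks: it parses the major version out of `java -version` output (both the old “1.8.0_x” and the new “11.0.x” schemes) and verifies a downloaded archive against an expected digest. The archive file name and the `preflight` helper are my own illustration, not Ghidra’s.

```shell
#!/bin/sh
# Added example (not from the original post or from Ghidra itself):
# pre-flight checks before launching Ghidra. Checks that the JDK on PATH is
# version 11 or newer and that the downloaded release archive matches the
# SHA-256 digest published for it.
set -e

# Extract the major version from the first line of `java -version 2>&1`.
# Handles the old "1.8.0_202" scheme (major = 8) and the new "11.0.2" (major = 11).
# Prints 0 when no version string is present (e.g. "java: not found").
java_major() {
  jm_ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$jm_ver" in
    1.*) printf '%s\n' "$jm_ver" | cut -d. -f2 ;;
    '')  printf '0\n' ;;
    *)   printf '%s\n' "$jm_ver" | cut -d. -f1 ;;
  esac
}

# Return 0 when the file's SHA-256 equals the expected hex digest (case-insensitive).
# Uses sha256sum (coreutils) or falls back to shasum (macOS).
verify_sha256() {
  vs_file=$1
  vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if command -v sha256sum >/dev/null 2>&1; then
    vs_actual=$(sha256sum "$vs_file" | cut -d' ' -f1)
  else
    vs_actual=$(shasum -a 256 "$vs_file" | cut -d' ' -f1)
  fi
  [ "$vs_actual" = "$vs_expected" ]
}

# Usage (file name and digest are placeholders, not a real release):
#   preflight ghidra_release.zip <sha256 copied from the release page>
preflight() {
  pf_archive=$1; pf_hash=$2
  pf_line=$(java -version 2>&1 | head -n 1)
  pf_major=$(java_major "$pf_line")
  if [ "$pf_major" -lt 11 ]; then
    echo "need JDK 11 or newer, found: ${pf_line:-no java on PATH}" >&2
    return 1
  fi
  if ! verify_sha256 "$pf_archive" "$pf_hash"; then
    echo "checksum mismatch for $pf_archive; do not unzip it" >&2
    return 1
  fi
  echo "ok: JDK $pf_major, archive verified; unzip it and run ghidraRun"
}
```

The version check matters because Ghidra’s launcher will refuse to start on an older JDK with a fairly terse error; the hash check matters because a release archive downloaded over HTTPS from the wrong mirror, or tampered with on disk, would otherwise run unnoticed.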

Running

To play around with it, I created a new project and imported the executable file “head” from /usr/bin. This gave me some basic information on the executable: the file format, the processor it was built for and so on.

It then takes a second to analyse the file, after which I can launch the code browser and look through a split screen with the disassembly listing on the left and the decompiler’s generated C code on the right.

I can view a function call graph of the current function (the functions that call it and the functions that it calls).

I can view a function graph of the entire program that I can zoom in and out and browse around in.

I can annotate the program with any insights I have, and I can patch it. All very powerful. Ghidra has full scripting support: the built-in scripting language is Java (after all, it is a Java program), Python scripts are supported as well through Jython, and the API allows other scripting languages to be added. There is a plug-in architecture so you can write extensions. It supports many executable formats and knows about many processor instruction sets.
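The scripting support is what makes Ghidra useful beyond clicking around in the GUI, so here is an added example (mine, not from the original post or from the Ghidra project) of driving it from the shell. Ghidra ships a headless analyzer at support/analyzeHeadless inside the install directory; it imports a binary, runs the same auto-analysis the code browser does, and then runs any script you name with -postScript. The script below writes a small Java GhidraScript that walks every function the analyzer found and prints its entry point, name and size, then builds the analyzeHeadless command that imports /usr/bin/head and runs it. The install location ($GHIDRA_INSTALL_DIR, defaulting to ~/ghidra), the project name headless_demo and the script name ListFunctions are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the Ghidra project):
# automate Ghidra with its headless analyzer plus a minimal Java GhidraScript.
# Install location, project name and script name are assumptions.
set -e

# Write a GhidraScript that lists every function found by auto-analysis,
# with its entry address and body size in bytes. Prints the script path.
write_list_functions_script() {
  script_dir=$1
  mkdir -p "$script_dir"
  cat > "$script_dir/ListFunctions.java" <<'EOF'
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;

// Runs inside Ghidra: currentProgram is supplied by the script runner.
public class ListFunctions extends GhidraScript {
    @Override
    public void run() throws Exception {
        FunctionIterator it = currentProgram.getFunctionManager().getFunctions(true);
        int count = 0;
        while (it.hasNext()) {
            Function f = it.next();
            println(f.getEntryPoint() + " " + f.getName() + " "
                    + f.getBody().getNumAddresses() + " bytes");
            count++;
        }
        println("functions: " + count);
    }
}
EOF
  printf '%s\n' "$script_dir/ListFunctions.java"
}

# Build the analyzeHeadless command line. Arguments: Ghidra install dir,
# directory for the throwaway project, binary to analyse, script directory.
# -deleteProject removes the project afterwards so repeated runs stay clean.
headless_cmd() {
  ghidra_dir=$1; project_dir=$2; binary=$3; script_dir=$4
  printf '%s' "\"$ghidra_dir/support/analyzeHeadless\" \"$project_dir\" headless_demo"
  printf ' %s' "-import \"$binary\""
  printf ' %s' "-scriptPath \"$script_dir\""
  printf ' %s' "-postScript ListFunctions.java"
  printf ' %s\n' "-deleteProject"
}

# Run the analysis if a Ghidra install is present, otherwise show the command.
# Usage: RUN_GHIDRA=1 sh this_script.sh [/path/to/binary]
run_headless() {
  ghidra_dir=${GHIDRA_INSTALL_DIR:-$HOME/ghidra}   # assumed install location
  binary=${1:-/usr/bin/head}
  work=$(mktemp -d)
  mkdir -p "$work/project"
  write_list_functions_script "$work/scripts" >/dev/null
  cmd=$(headless_cmd "$ghidra_dir" "$work/project" "$binary" "$work/scripts")
  if [ -x "$ghidra_dir/support/analyzeHeadless" ]; then
    eval "$cmd"
  else
    echo "Ghidra not found at $ghidra_dir; would run:" >&2
    echo "$cmd" >&2
  fi
}

if [ "${RUN_GHIDRA:-0}" = 1 ]; then
  run_headless "$@"
fi
```

The same ListFunctions.java can be dropped into the script directory the GUI’s Script Manager already watches and run interactively; the headless form is what you want when triaging a batch of samples, since it needs no display and its output can be grepped or diffed.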

Trust the NSA?

After I downloaded Ghidra, I watched a couple of YouTube videos on it. One of the presenters ran Wireshark so he could see whether Ghidra was making any network connections back to the NSA. After all, could this be a Trojan horse that the NSA will use to find out what hackers are up to? At least this presenter didn’t see any network calls while he was running it. But to a real hacker this could be a major concern. As of this writing all the Java code has been open sourced, but some of the extra add-ons that are in other languages still need to be posted, so right now you can’t build Ghidra as it’s distributed, but the NSA say this should be remedied in a few weeks.
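A packet capture shows what left the machine while you happened to be watching; a cheaper check that you can repeat any time is to look at the sockets the Ghidra JVM actually holds. The script below is an added example (mine, not from the original post) of that check: it pipes `ss -tunap` through a filter that reports any socket owned by a java process that is listening on a non-loopback address or connected to a non-loopback peer. Ghidra normally needs neither. The sample output embedded in it is constructed, with made-up ports and the documentation address 203.0.113.5, purely so the filter can be exercised offline; the `ss` column layout it assumes is the standard Netid/State/Recv-Q/Send-Q/Local/Peer/Process one.

```shell
#!/bin/sh
# Added example (not from the original post): flag network sockets held by a
# java process that are not confined to loopback. Run Ghidra, then run this.
set -e

# Read `ss -tunap` output on stdin and print one finding per suspicious socket.
# Loopback (127.x, ::1, or IPv4-mapped ::ffff:127.x) is considered harmless;
# a listener bound to 0.0.0.0, *, or a real interface address is reported, as is
# any established connection to a non-loopback peer.
flag_java_sockets() {
  awk '
    BEGIN { loop = "^(127\\.|\\[::1\\]|\\[::ffff:127\\.)" }
    $0 ~ /"java"/ {
      if ($2 == "LISTEN" && $5 !~ loop)
        print "listener on non-loopback address: " $5
      else if ($2 == "ESTAB" && $6 !~ loop)
        print "outbound connection to: " $6
    }'
}

# Constructed sample of `ss -tunap` output for offline testing. The ports,
# addresses and pids are invented; 203.0.113.5 is a documentation address.
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port  Process
tcp   LISTEN 0      50      127.0.0.1:9000       0.0.0.0:*          users:(("java",pid=4242,fd=17))
tcp   LISTEN 0      50      0.0.0.0:41000        0.0.0.0:*          users:(("java",pid=4242,fd=19))
tcp   ESTAB  0      0       192.168.1.10:51234   203.0.113.5:443    users:(("java",pid=4242,fd=33))
tcp   ESTAB  0      0       127.0.0.1:40002      127.0.0.1:9000     users:(("java",pid=4242,fd=35))
tcp   LISTEN 0      128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))
udp   UNCONN 0      0       0.0.0.0:68           0.0.0.0:*          users:(("dhclient",pid=700,fd=6))
EOF
}

# Check the live system. Needs `ss` from iproute2; showing process names for
# other users' sockets requires root.
check_running_ghidra() {
  if command -v ss >/dev/null 2>&1; then
    ss -tunap 2>/dev/null | flag_java_sockets
  else
    echo "ss not available; pipe equivalent output through flag_java_sockets" >&2
    return 1
  fi
}

if [ "${1:-}" = "--live" ]; then
  check_running_ghidra
else
  echo "constructed sample:"
  sample_ss_output | flag_java_sockets
fi
```

On the constructed sample the filter reports exactly two lines, the 0.0.0.0:41000 listener and the connection to 203.0.113.5:443, and ignores the loopback-only sockets and the unrelated sshd and dhclient entries. Against a live Ghidra, an empty result is what you expect; anything else is worth running down (a Wireshark capture on that specific port, or `lsof -p <pid>` to see which Java thread owns it).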

Summary

Although perhaps not as powerful as what J@ck was using, this is a really powerful tool for reverse engineering programs and even operating systems. The generated source code isn’t great, but it’s a lot more helpful than raw assembler. I think the expensive commercial disassembler vendors must be pretty upset, as I really don’t see any reason for them to exist now. I think this will be a big boon to black and white hat hackers, as well as to anyone who needs to reverse engineer some code (perhaps to figure out an undocumented API). Happy Hacking.


Written by smist08

March 6, 2019 at 9:19 pm

One Response


  1. For what it’s worth, disassemblers convert machine code to assembly language, while decompilers convert machine code to a high level language.

    Ghidra looks interesting; it might be useful for reverse-engineering binaries for which the source is lost.

    R.J. Dunnill

    March 6, 2019 at 9:33 pm

