Introduction to Ghidra

STUDENT GUIDE

How to Use Slides

Installing Ghidra

Notes:

Exercise Files

Notes:

Course Objectives

Notes:

Course Topics

  • Install and Introduction
  • Creating Projects
  • Importing/Exporting programs
  • Customizing tools
  • Basic Code Analysis
  • Selections
  • Basic code Markup
  • Basic Decompiler

  • Applying Data Types
  • Navigation
  • Searching
  • ByteViewer
  • Basic Program Tree
  • Symbol Table/Tree
  • Function Graph
  • Function Call Tree


Notes:

What is Ghidra?

Notes:

Programs

Notes:

Plugins

Notes:

Tools

Notes:

Project Manager

Notes:

Ghidra Server

Notes:

Why use Ghidra?

Notes:

Starting Ghidra

Notes:


Program Manager Layout

Notes:

Program Manager
Creating a New Project

Notes:
Before you can do anything else, you must first create a project. Projects are used to store all the programs and related information together in one place. This helps Ghidra locate the files, making them easily accessible to the user. Projects are populated with data using the import process, which will be explained in the next step.

Exercise 1
Create a New Project

Notes:

Project Manager
Import Program


Notes:
Below are steps for importing a file in the Program Manager.

  1. Go to File->Import File...
  2. Browse to the program you want to import. Click on "supported formats" if you want to see a list of formats Ghidra supports. Ghidra can import (PE, ELF, raw binary, intel hex, gzf (ghidra zip file), etc.)
  3. Recognized type: If recognizable, Ghidra will fill in the correct file format otherwise it will show "raw binary" and you must choose the correct language/compiler pair.
  4. Raw Binary: You may always choose raw binary if you do not want any imported information and you must choose the correct language/compiler pair.
  5. Choose a new project folder if you want the loading programs in a subfolder.
  6. Options Button:
    • There are several import options including a few for importing and linking dynamically linked library (DLL) files along with your program.
      • You can choose to use libraries already in your project or import them from disk
      • You can edit the list of paths to search for on disk libraries
      • You can choose a subfolder in your project to save them
      • Hit F1 on the Options window to see more information about all of the import options.

Exercise 2
Import Program

Notes:

Open Program in Tool

Notes:

How to Start Auto-Analysis

Notes:

What happens during
Auto-Analysis?

Notes:

Auto-Analysis

Notes:

Exercise 3
Auto-Analysis


Notes:

CodeBrowser Layout

Notes:

Useful Info

Notes:

Selections and Highlights


Notes:

Listing

Notes:

Field Editor

Notes:
Below are directions for using the Field Editor.

  1. Use the Edit the Listing Fields icon in the top right of the Listing to toggle open or to close the field editor.
  2. Field groupings are different depending on what area of the program your cursor is on. Examples of different fields include: Code/Data, Open Array or Structure, and Function Signature.
  3. When the cursor is on the current field, the field will be highlighted in the field editor.
  4. Use the mouse to move or resize the fields. Notice their counterparts in the Listing also move and resize at the same time.
  5. Use the right click menu to choose from a variety of options including: enable, disable, add, or remove fields.
  6. Disabling a field will leave the space but remove the content from the listing view.
  7. Removing a field will remove the space and the content from the listing view.
  8. You can add new rows, spacers, and other field types.
  9. You can reset back to the default if you wish.

Docking Windows

Notes:

Edit Tool Options

Notes:

Exercise 4
Customize the CodeBrowser

Notes:

Basic CodeBrowser Navigation

Notes:

More CodeBrowser Navigation

Notes:

External Program Navigation

Notes:

Basics of a Table

Notes:

Exercise 5
Navigation and Tables

Notes:

Code Browser
Features for Understanding Code

Notes:

References

Notes:

CodeBrowser Basic Markup


Notes:

Exercise 6
Listing Understand/Markup

Notes:

Decompiler Overview

Notes:

Basic Decompiler Features

Notes:


Editing using the decompiler

Basic Decompiler Features

Notes:
Decompiler Parameter ID


Automatically Create Structures Commit Parameters and Locals
Following Variable Usage
Export current function

Recommended Decompiler Techniques

Notes:

Exercise 7
Decompiler Understand/Markup

Notes:

CodeBrowser Markup
More About Labels

Notes:

CodeBrowser Markup
More About Comments

Notes:

Applying Data Types

Notes:

Applying Data Types
Data Type Manager

Notes:

Applying Data Types
Right Mouse Menu

Notes:

Applying Data Types
Cycle Groups

Notes:

Functions

CodeBrowser Markup
Clearing

Notes:

CodeBrowser Markup
Constants

Notes:

Exercise 8
Constants

Notes:

CodeBrowser Markup
Bookmarks

Notes:

Exercise 9
Bookmarks

Notes:

Export Formats

Notes:

Program Tree Basics

Notes:

Program Tree Modularization

Notes

Exercise 10
Program Tree

Byte Viewer Basics

Notes:

Searching
Search Program Text

Notes:

Searching
Search Memory

Notes:

Searching
Search for Strings

Notes:

Searching
Search for Direct References


Notes:

Searching
Search for Address Tables

Notes:

Searching
Search for Instructions

Notes:

Searching
Search for Scalars

Notes:

Exercise 11
Search

Notes:

Symbol Table Basics

Notes:

Symbol Table
Reference Window

Notes:

Symbol Tree Basics

Notes:

Windows Menu
Previews

Notes:

Windows Menu
Defined Tables

Notes:

Windows Menu
Script Manager

Notes:

Function Graph

Notes:

Function Graph Basic Controls

Notes:

Function Graph
Basic Controls (cont.)

Notes:

Function Graph Node Buttons

Notes:

Function Graph
Window Buttons

Notes:

Function Graph Hover/Focus

Notes:

Function Graph Hover/Focus

Notes:

Function Graph Hover (Special)

Notes:

Function Graph Focus (Special)

Notes:

Function Graph
Right-Click Menu

Notes:

Function Graph Tool Buttons


Notes:

Function Graph Group Vertices


Notes:

Function Call Trees

Notes:

Course Summary

Notes:

Preview of Intermediate
Ghidra course
  • Advanced data types
  • Memory Map
  • Multi-user projects
  • Comparing programs
  • Version tracking
  • Scripting Development
  • Running Ghidra in headless mode

Notes: