THE GHIDRA BOOK
The Definitive Guide

by Chris Eagle and Kara Nance

San Francisco

THE GHIDRA BOOK. Copyright © 2020 Chris Eagle and Kara Nance.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-13: 978-1-71850-102-7 (print)
ISBN-13: 978-1-71850-103-4 (ebook)

Publisher: William Pollock
Executive Editor: Barbara Yien
Production Editors: Laurel Chun and Katrina Taylor
Cover Illustration: Gina Redman
Interior Design: Octopod Studios
Project Editor: Dapinder Dosanjh
Developmental Editor: Athabasca Witschi
Technical Reviewer: Brian Hay
Copyeditor: Barton D. Reed
Compositor: Danielle Foster
Proofreader: Sharon Wilkey

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; [email protected]
www.nostarch.com

Library of Congress Control Number: 2020938508

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To all those who believe in science and fact-based decision making as well as all of the COVID-19 first responders around the world whose hard work and sacrifice provided a ray of hope in a time of global crisis.

To all girls who are passionate about investigating and understanding technology and the men and women who support and encourage them. Dream big and keep exploring!

About the Authors

Chris Eagle has been reverse engineering software for 40 years. He is the author of The IDA Pro Book (No Starch Press) and is a highly sought-after provider of reverse engineering training. He has published numerous reverse engineering tools and given talks at conferences such as Blackhat, Defcon, and Shmoocon.

Kara Nance is a private security consultant. She has been a professor of computer science for many years. She has served on the Honeynet Project Board of Directors and given numerous talks at conferences around the world. She enjoys building Ghidra extensions and regularly provides Ghidra training.

About the Tech Reviewer

Brian Hay has been a reverse engineer, professor, and software developer for many years. He has spoken and taught at many conferences and is currently a senior researcher for a boutique security research company. He specializes in designing and developing virtualized environments for training and testing exciting new tools like Ghidra.

BRIEF CONTENTS

Acknowledgments  xix
Introduction  xxi

PART I: INTRODUCTION  1
Chapter 1: Introduction to Disassembly  3
Chapter 2: Reversing and Disassembly Tools  15
Chapter 3: Meet Ghidra  33

PART II: BASIC GHIDRA USAGE  39
Chapter 4: Getting Started with Ghidra  41
Chapter 5: Ghidra Data Displays  55
Chapter 6: Making Sense of a Ghidra Disassembly  89
Chapter 7: Disassembly Manipulation  119
Chapter 8: Data Types and Data Structures  147
Chapter 9: Cross-References  183
Chapter 10: Graphs  197

PART III: MAKING GHIDRA WORK FOR YOU  215
Chapter 11: Collaborative SRE  217
Chapter 12: Customizing Ghidra  241
Chapter 13: Extending Ghidra’s Worldview  261
Chapter 14: Basic Ghidra Scripting  285
Chapter 15: Eclipse and GhidraDev  315
Chapter 16: Ghidra in Headless Mode  341

PART IV: A DEEPER DIVE  361
Chapter 17: Ghidra Loaders  363
Chapter 18: Ghidra Processors  401
Chapter 19: The Ghidra Decompiler  427
Chapter 20: Compiler Variations  443

PART V: REAL-WORLD APPLICATIONS  467
Chapter 21: Obfuscated Code Analysis  469
Chapter 22: Patching Binaries  505
Chapter 23: Binary Differencing and Version Tracking  529

Ghidra for IDA Users  551
Index  557