I’m excited to announce that the SANS FOR610: Reverse-Engineering Malware course I co-author with Lenny Zeltser now uses Ghidra for static code analysis. Ghidra is a free and open-source software (FOSS) reverse engineering platform developed by the National Security Agency (NSA). It has an active community of users and contributors, and we are optimistic about the future of this analysis tool. I found it an invaluable addition to my toolkit, as have many other malware analysts.
Ghidra includes a full-featured, visual disassembler. Moreover, it comes with a built-in decompiler, which provides a C representation of the disassembly. Decompiled output complements disassembly nicely, and this additional perspective can accelerate the malware analysis process. For example, let’s compare some disassembly (Figure 1) with the decompiled code (Figure 2):
Some aspects of the analysis benefit from the low-level insights that the disassembler providers. Other tasks are faster when looking at the decompiler’s output, which is easier to review and assess. When reverse-engineering malware, I found it helpful to switch between Ghidra’s disassembler and decompiler output.
Ghidra also supports scripts and plugins for extensibility, providing ample opportunity for analysts to automate their work as their reverse engineering skills grow with experience. In addition, Ghidra has multiple collaborative work features to support teamwork for complex analysis tasks. The built-in help menu is an excellent resource to learn more about these features and many more.
If you’re wondering how you might incorporate Ghidra into your toolkit, take a look at the walkthrough I published earlier as an Introduction to Code Analysis With Ghidra. For additional insights, view the 20-minute video I recorded to explain a typical analysis workflow with Ghidra:
I hope you’ll join me and other FOR610 instructors at an upcoming course to explore this impressive analysis framework and strengthen your reverse engineering skills.
About the Author:
Anuj Soni is a Senior Threat Researcher at Cylance, where he performs malware research and reverse engineering. He is also a SANS Certified Instructor and co-author of the course FOR610: Reverse-Engineering Malware. If you would like to learn more about malware analysis strategies, join him at an upcoming SANS FOR610 course.