HTDark | Underground Hacking Forum and Cybersecurity Community
  • Earn real money by being active: Hello Guest, earn real money by simply being active on the forum — post quality content, get reactions, and help the community. Once you reach the minimum credit amount, you’ll be able to withdraw your balance directly. Learn how it works.

Guide Reverse Engineering with Ghidra

  • Views: 95
Reverse-Engineering-with-Ghidra.webp

Reverse Engineering with Ghidra: A Practical Malware Analysis











Part 1: Introduction and Environment Setup​


Introduction to Malware Reverse Engineering​


Malware reverse engineering is a fundamental discipline in cybersecurity, allowing analysts to understand the behavior of malicious software, identify indicators of compromise (IoCs), and develop detection and mitigation mechanisms.


One of the most powerful tools for this purpose is Ghidra, an open-source reverse engineering suite developed by the NSA. Ghidra offers advanced capabilities for disassembly, decompilation, and binary analysis in a modular and extensible environment.


Installing and Configuring Ghidra​


System Requirements​


Before getting started, ensure you meet the following requirements:


  • Operating System: Windows, Linux, or macOS.
  • Java Development Kit (JDK) 17 or higher (required to run Ghidra).
  • Recommended RAM: 8 GB or more for better performance.

Download and Installation​


  1. Download the latest version of Ghidra from the official site:
  2. Extract the archive to a folder of your choice.
  3. Ensure Java is installed and configured on your system:
    java -version<br>
  4. Run Ghidra from the terminal or file explorer:
    • Linux/macOS:
      ./ghidraRun<br>
    • Windows:Double-click ghidraRun.bat.

Setting Up a Secure Environment​


Malware analysis should be conducted in an isolated environment to avoid compromising the host system. It is recommended to use:


1. Virtual Machine (VM) with​


Configure a VM with:


  • Guest OS: Windows 10/11 or Linux (Kali, Ubuntu, REMnux).
  • Snapshots: Allow quick restoration of the system if something goes wrong.
  • Network isolation: Set the network mode to NAT or host-only to prevent data leaks.

2. Sandboxing with​


To execute malware safely in an automated environment:

3. Complementary Static Analysis​



4. Complementary Dynamic Analysis​



With this setup, your environment will be ready for safe and efficient malware analysis using Ghidra. In the next part, we will cover loading and exploring malicious binaries in Ghidra, including identifying key functions and relevant data structures.

Part 2: Loading and Exploring Malicious Binaries in Ghidra​

Once the environment is set up, the next step is to load a malicious binary into Ghidra for analysis. Follow these steps:

  1. Launch Ghidra and create a new project.
  2. Import the malicious binary into the project by selecting File > Import File....
  3. Ghidra will prompt for the binary format. Ensure the correct format is selected (e.g., PE for Windows executables, ELF for Linux binaries).
  4. Click OK to begin the analysis.
  5. Ghidra will suggest running Auto-Analysis. Select Yes to let Ghidra identify functions, symbols, and references automatically.
The Ghidra interface consists of multiple components that help in analyzing binaries:

  • Code Browser: Displays the disassembled code and decompiled functions.
  • Symbol Tree: Lists functions, variables, and labels detected within the binary.
  • Function Graph: Provides a visual representation of the binary's function calls.
  • Data Type Manager: Helps in identifying and structuring data within the binary.
When analyzing malware, some crucial aspects to look for include:

  • Entry Point: The initial execution point of the binary. This can be found in the Symbol Tree under _start or main.
  • Imports and API Calls: Malware often uses Windows API calls for persistence, network communication, or process injection. Check the Importstab for suspicious calls like:
    • CreateRemoteThread (process injection)
    • WriteProcessMemory (code injection)
    • InternetOpenUrlA (network communication)
  • Strings: Strings can reveal useful information about malware behavior. Navigate to Window > Defined Strings to extract readable text data.
To understand how a function is used:

  1. Right-click on a function name and select References > Show References to Function.
  2. This helps trace how the function is called within the binary.
  3. Use the Graph View (Window > Function Graph) to visualize relationships between functions.
Since malware authors obfuscate function names, renaming them for clarity can help in analysis:

  • Right-click a function and select Rename.
  • Add comments using ; to document findings.
At this point, we have successfully loaded and explored a malware binary in Ghidra. In the next part, we will dive into disassembly and decompilation, focusing on understanding assembly code and reconstructing high-level logic from machine instructions.

Part 3: Disassembly and Decompilation​

Disassembly is a critical step in reverse engineering, as it converts machine code into human-readable assembly instructions. Ghidra provides a powerful disassembler that allows analysts to:

  • Identify executable code sections.
  • Map functions and their interactions.
  • Analyze control flow and data structures.
  1. Open the Code Browser in Ghidra.
  2. Navigate through the disassembled instructions using the Listing window.
  3. Use cross-references (Xrefs) to track function calls and variable usages.
  4. Highlight conditional jumps (JMP, CALL, JE, JNE) to understand execution logic.
Ghidra’s Decompiler translates assembly into a more readable C-like syntax. To use it:

  1. Select a function in the Code Browser.
  2. Open the Decompiler window (Window > Decompiler).
  3. Analyze the generated C-like code for key logic.
Malware often employs obfuscation methods to evade detection. Common techniques include:

  • Junk code insertion to mislead analysts.
  • String encryption to hide commands.
  • Control flow flattening to obscure logical structure.
With disassembly and decompilation, we gain deeper insight into malware behavior. Next, we will explore bypassing obfuscation techniques and automating analysis with scripting in Ghidra.

Part 4: Identifying Malicious Indicators​

Detecting Suspicious Strings​

  • Using Ghidra’s String Analysis Tool: Navigate to Window > Defined Strings to reveal encoded or obfuscated data.
  • Manually Searching for IoCs: Look for common malware-related terms such as:
    • cmd.exe
    • C:\Windows\System32\ (Persistence mechanisms)
    • http:// or https:// (C2 communication)
Now that we can identify malicious indicators, the next part will focus on bypassing obfuscation techniques and automating analysis with Ghidra scripting


Part 5: Bypassing Obfuscation and Automating Analysis with Ghidra Scripting​

Common Obfuscation Techniques and How to Counter Them​

  • Packing and Encryption: Malware often uses custom packers to hide real functionality. Tools like
    This link is hidden for visitors. Please Log in or register now.
    help identify packers.
  • String Encoding: Base64 or XOR encryption hides important strings. Use Python scripts within Ghidra to automate decryption.
  • API Obfuscation: Malware may use function hashing or indirect API calls. Reverse resolve them using cross-references in Ghidra.

Automating Analysis with Ghidra Scripting​

  • Writing Python Scripts in Ghidra:
    • Open Window > Script Manager.
    • Create a new Python script and automate function renaming or data extraction.
  • Example: Extracting Suspicious API Calls Automatically

  • C++: 
    from ghidra.program.model.symbol import SymbolUtilities
from ghidra.util.task import ConsoleTaskMonitor

def find_suspicious_calls():
    symbols = currentProgram.getSymbolTable().getAllSymbols(False)
    for symbol in symbols:
        name = symbol.getName()
        if any(api in name for api in ['VirtualAlloc', 'WriteProcessMemory', 'CreateRemoteThread']):
            print(f'Suspicious API found: {name}')

find_suspicious_calls()
By leveraging scripting, we can automate tedious tasks and quickly identify key malware functions. The next section will present a case study on analyzing a real-world malware sample using Ghidra.

Part 6: Advanced Case Study – Reverse Engineering a Real Malware Sample​

Selecting a Malware Sample​

To demonstrate real-world malware analysis, we will use a publicly available sample from:

  • This link is hidden for visitors. Please Log in or register now.
    – A repository of known malware samples for research.
  • This link is hidden for visitors. Please Log in or register now.
    – A collection of recent malware samples.
⚠️ Warning: Always handle malware samples in an isolated, controlled environment.

Importing the Malware into Ghidra​

  1. Create a new Ghidra project.
  2. Import the malware binary (e.g., a PE or ELF file).
  3. Run Auto-Analysis to detect functions and symbols.

Extracting and Analyzing Strings​

  • Navigate to Window > Defined Strings.
  • Look for network indicators (URLs, IPs, API keys).
  • Identify encoded strings and use Python scripts to decode them.

API Call and Function Analysis​

  • Review Import Table for suspicious API calls.
  • Check cross-references (Xrefs) to track function execution.
  • Analyze suspicious functions such as VirtualAlloc, CreateRemoteThread, LoadLibrary.

Debugging and Dynamic Analysis​



This case study demonstrated how to reverse engineer a real malware sample using Ghidra. In the next part, we will discuss how to integrate Ghidra with other reverse engineering tools to enhance analysis capabilities.

Part 7: Integrating Ghidra with Other Reverse Engineering Tools​

Combining Ghidra with IDA Pro​

  • Why use both? IDA Pro excels in interactive disassembly and debugging, while Ghidra provides powerful scripting capabilities.
  • Exporting data: Use File > Export in Ghidra to save decompiled output for comparison in IDA.
  • Cross-referencing symbols: Import Ghidra-generated symbols into IDA using Python scripts.

Using Ghidra with Radare2​

  • This link is hidden for visitors. Please Log in or register now.
    features: Strong command-line interface and advanced analysis features.
  • Bridging the gap: Export function lists from Ghidra and match them with Radare2’s disassembler for deeper insights.
  • Example: Running r2 -A malware.bin and comparing function outputs with Ghidra.

Debugging with x64dbg and WinDbg​

  • Why debug outside Ghidra? Ghidra does not include built-in debugging.
  • Process:
    • Identify malware’s entry point in Ghidra.
    • Set breakpoints in x64dbg or WinDbg for dynamic analysis.
    • Monitor execution and analyze decrypted payloads.

Network Traffic Analysis with Wireshark​

  • Extracting network indicators: Use Defined Strings in Ghidra to find hardcoded IPs and domains.
  • Correlating data: Capture runtime traffic in Wireshark and compare it with Ghidra findings.
  • Example: Looking for unusual DNS requests linked to C2 servers.

Automating Workflows with CyberChef and YARA​

  • CyberChef: Useful for decoding obfuscated strings detected in Ghidra.
  • YARA rules: Generate custom rules based on Ghidra findings to detect similar malware.

By integrating Ghidra with other powerful tools, we enhance malware analysis capabilities and gain deeper insights. In the final part, we will summarize the methodologies covered and provide key takeaways for improving future malware reverse engineering workflows.


Part 8: Final Thoughts and Key Takeaways​

Summary of Key Techniques​

Throughout this guide, we have explored:

  • Setting up a secure environment for malware analysis.
  • Loading, disassembling, and decompiling malware binaries using Ghidra.
  • Identifying malicious indicators, such as suspicious API calls and obfuscation patterns.
  • Bypassing obfuscation techniques and automating analysis with scripting.
  • Performing a practical malware analysis case study using real-world samples.
  • Integrating Ghidra with other reverse engineering tools to enhance analysis workflows.

Best Practices for Malware Analysis​

  • Always use a sandboxed environment (VMs, isolated networks) when handling malware.
  • Regularly update your toolset (Ghidra, IDA, Radare2, Wireshark, x64dbg, etc.).
  • Develop custom scripts to automate tedious analysis tasks.
  • Use YARA rules and threat intelligence to detect similar malware variants.
  • Continuously document findings and share knowledge within the security community.

Future Trends in Malware Analysis​

  • AI-assisted reverse engineering: Machine learning models to detect malicious patterns.
  • Automated malware classification: Using behavioral analysis and clustering techniques.
  • Enhanced obfuscation techniques: Malware developers are adopting more complex anti-analysis methods, requiring advanced countermeasures.
  • Collaboration between tools: Deeper integration between reverse engineering platforms and dynamic analysis frameworks.

Final Words​

Reverse engineering malware is a continuously evolving field that requires constant learning and adaptation. By leveraging tools like Ghidra and combining them with other powerful analysis techniques, cybersecurity professionals can stay ahead of threats and develop more robust defense strategies.

Whether you are a beginner or an advanced analyst, mastering Ghidra and its integration with complementary tools will greatly enhance your malware analysis capabilities.

Stay safe, keep learning, and keep reversing!​


References and Download Links

Below is a list of all the references mentioned in the document, including links to tools used:

⚠️ Final Notes

This PoC is for educational and research purposes only. Performing these attacks without explicit permission is illegal and violates cybersecurity ethics.

Latest comments

dEEpEst
‎7 Years of Service‎
dEEpEst made a new blog post:

Guide Reverse Engineering with Ghidra

Reverse-Engineering-with-Ghidra.webp

Reverse Engineering with Ghidra: A Practical Malware Analysis



Part 1: Introduction and Environment Setup​


Introduction to Malware Reverse Engineering​


Malware reverse engineering is a fundamental discipline in cybersecurity, allowing analysts to understand the behavior of malicious software, identify indicators of compromise...
Click to expand...

Read the full blog post here...

Other posts from this author

HTDark - Hack Tools Dark dEEpEst
Cybersecurity Career Roadmap
Views
86
Blog
HTDark - Hack Tools Dark
HTDark - Hack Tools Dark dEEpEst
VPN vs. Tor vs. Proxy
Views
32
Blog
HTDark - Hack Tools Dark
HTDark - Hack Tools Dark dEEpEst
How to Perform a Web Application Pentest
Views
69
Blog
HTDark - Hack Tools Dark
HTDark - Hack Tools Dark dEEpEst
Red Team Techniques: Server and Network
Views
85
Blog
HTDark - Hack Tools Dark
Back
Top