How to become a reverse engineer

To install Ghidra, simply extract the Ghidra distribution file to the desired filesystem destination using any unzip program (built-in OS utilities, 7-Zip, WinZip, WinRAR, etc)

Installation Notes

Ghidra does not use a traditional installer program. Instead, the Ghidra distribution file is simply extracted in-place on the filesystem. This approach has advantages and disadvantages. On the up side, administrative privilege is not required to install Ghidra for personal use. Also, because installing Ghidra does not update any OS configurations such as the registry on Windows, removing Ghidra is as simple as deleting the Ghidra installation directory. On the down side, Ghidra will not automatically create a shortcut on the desktop or appear in application start menus.
Administrative privilege may be required to extract Ghidra to certain filesystem destinations (such as C:\), as well as install the Ghidra Server as a service.
Ghidra relies on using directories outside of its installation directory to manage both temporary and longer-living cache files. Ghidra attempts to use standard OS directories that are designed for these purposes in order to avoid several issues, such as storing large amounts of data to a roaming profile. If it is suspected that the default location of these directories is causing a problem, they can be changed by modifying the relevant properties in the support/launch.properties file.

Java Notes

Ghidra requires a supported version of a Java Runtime and Development Kit on the PATH to run. However, if there is a version of Java on the PATH that Ghidra does not support, it will use that version of Java (if 1.7 or later) to assist in locating a supported version on your system. If one cannot be automatically located, the user will be prompted to enter a path to the Java home directory to use (the Java home directory is the parent directory of Java's bin directory). This minimizes the impact Ghidra has on pre-existing configurations of Java that other software may rely on.
Ghidra is developed and tested against OpenJDK distributed from jdk.java.net. Consider using this OpenJDK distribution for the most stable experience.
If Ghidra failed to run because no versions of Java were on the PATH, a supported JDK should be manually installed and added to the PATH. The following steps outline how to add an OpenJDK distribution to the operating system's PATH.
- Windows: Extract the JDK distribution (.zip file) to your desired location and add the JDK's bin directory to your PATH:
  1. Extract the JDK:
    1. Right-click on the zip file and click Extract All...
    2. Click Extract
  2. Open Environment Variables window:
    1. Windows 10: Right-click on Windows start button, and click System
      
      Windows 7: Click Windows start button, right-click on Computer, and click Properties
    2. Click Advanced system settings
    3. Click Environment variables...
  3. Add the JDK bin directory to the PATH variable:
    1. Under System variables, highlight Path and click Edit...
    2. At the end of the the Variable value field, add a semicolon followed by <path of extracted JDK dir>\bin
    3. Click OK
    4. Click OK
    5. Click OK
  4. Restart any open Command Prompt windows for changes to take effect
- Linux and macOS (OS X): Extract the JDK distribution (.tar.gz file) to your desired location, and add the JDK's bin directory to your PATH:
  1. Extract the JDK:
    tar xvf <JDK distribution .tar.gz>
  2. Open ~/.bashrc with an editor of your choice. For example:
    vi ~/.bashrc
  3. At the very end of the file, add the JDK bin directory to the PATH variable:
    export PATH=<path of extracted JDK dir>/bin:$PATH
  4. Save file
  5. Restart any open terminal windows for changes to take effect
In some cases, you may want Ghidra to launch with a specific version of Java instead of the version that Ghidra automatically locates. To force Ghidra to launch with a specific version of Java, set the JAVA_HOME_OVERRIDE property in the support/launch.properties file. If this property is set to an incompatible version of Java, Ghidra will revert to automatically locating a compatible version. Note that some Java must still be on the PATH in order for Ghidra to use the JAVA_HOME_OVERRIDE property. This limitation will be addressed in a future version of Ghidra.

(Back to Top)

Ghidra Installation Directory Layout

When Ghidra is installed, the runnable software gets extracted to a new directory we will refer to as <GhidraInstallDir>. Below is a description of the top-level directories and files that can be found in <GhidraInstallDir> once extraction of the distribution file is complete.

Ghidra	Base directory for Ghidra distribution. Contains files needed to run Ghidra.
Extensions	Optional components that can extend Ghidra's functionality and integrate Ghidra with other tools. See the Extensions section for more information.
GPL	Standalone GPL support programs.
server	Contains files related to Ghidra Server installation and administration.
support	Contains files useful for debugging Ghidra, running Ghidra in advanced modes, and controlling how Ghidra launches.
docs	Contains documentation for Ghidra, such as release notes, API files, tutorials, etc.
ghidraRun(.bat)	Script used to launch Ghidra.
LICENSE.txt	Ghidra license information.
licenses	Contains licenses used by Ghidra.

(Back to Top)

Running Ghidra

GUI Mode

Navigate to <GhidraInstallDir>
Run ghidraRun.bat (Windows) or ghidraRun (Linux or macOS)

If Ghidra failed to launch, see the Troubleshooting section.

Ghidra Server

Ghidra can support multiple users working together on a single project. Individual Ghidra users launch and work on their own local copies of a particular Ghidra project but check changes into a common repository containing all commits to that repository. For detailed information on installing/configuring the Ghidra Server see the<GhidraInstallDir>/server/svrREADME.html file.

Headless (Batch) Mode

Ghidra is traditionally run in GUI mode. However, it is also capable of running in headless batch mode using the command line. For more information, see the<GhidraInstallDir>/support/analyzeHeadlessREADME.html file.

Single Jar Mode

Normally, Ghidra is installed as an entire directory structure that allows modular inclusion or removal of feature sets and also provides many files that can be extended or configured. However, there are times when it would be useful to have all or some subset of Ghidra compressed into a single jar file at the expense of configuration options. This makes Ghidra easier to run from the command line for headless operation or to use as a library of reverse engineering capabilities for another Java application.

A single ghidra.jar file can be created using the <GhidraInstallDir>/support/buildGhidraJar script.

(Back to Top)

Extensions

Extensions are optional components that can:

Extend Ghidra's functionality with experimental or user-contributed Ghidra plugins or analyzers.
Integrate other tools with Ghidra, such as Eclipse or IDAPro.

Ghidra comes with the following extensions available for use (and by default uninstalled), which can be found in the <GhidraInstallDir>/Extensions directory.

Eclipse: The GhidraDev Eclipse plugin for a pre-existing Eclipse installation. For information on installing and using the GhidraDev Eclipse plugin, see<GhidraInstallDir>/Extensions/Eclipse/GhidraDev/GhidraDev_README.html.
Ghidra: Ghidra extensions (formerly known as contribs). See Ghidra Extension Notes for more information.
IDAPro: IDAPro plugins/loaders for transferring items with Ghidra.

Ghidra Extension Notes

Ghidra extensions are designed to be installed and uninstalled from the Ghidra front-end GUI:
1. Click File → Install Extensions...
2. Check boxes to install extensions; uncheck boxes to uninstall extensions
3. Restart Ghidra for the changes to take effect
Installing or uninstalling Ghidra extensions may fail if the user does not have write permissions to <GhidraInstallDir>. This may occur if the user is running Ghidra from a shared installation location. In this situation, the owner of the Ghidra installation directory will be responsible for managing what Ghidra extensions are available for that particular installation of Ghidra.
It is possible to install and uninstall Ghidra extensions manually when the Ghidra front-end GUI is not available. This may be required if a system administrator is managing the Ghidra extensions of a shared Ghidra installation on behalf of a user, or if a user wishes to install an extension into a Ghidra installation that is only ever used headlessly.

To install an extension in these cases, simply extract the desired Ghidra extension archive file(s) to the <GhidraInstallDir>/Ghidra/Extensions directory. For example, on Linux or macOS:
cd <GhidraInstallDir>/Ghidra/Extensions
unzip ../../Extensions/Ghidra/<extension>.zip
1. The extension(s) will be installed the next time Ghidra is started.
To uninstall extensions, simply delete the extracted extension directories from <GhidraInstallDir>/Ghidra/Extensions. The extension(s) will be uninstalled the next time Ghidra is started.

NOTE: It may not be possible to uninstall an extension in this manner if there is an instance of Ghidra running that holds a file lock on the extension directory that is trying to be deleted.

(Back to Top)

Ghidra Development

Users can extend the functionality of Ghidra through the development of custom Ghidra scripts, plugins, analyzers, etc.

Ghidra supports development in Eclipse by providing a custom Eclipse plugin called GhidraDev, which can be found in the <GhidraInstallDir>/Extensions/Eclipse directory. For more information on installing and using the GhidraDev Eclipse plugin, see <GhidraInstallDir>/Extensions/Eclipse/GhidraDev/GhidraDev_README.html.

NOTE: Eclipse is not provided with Ghidra. The GhidraDev Eclipse plugin is designed to be installed in a pre-existing Eclipse installation.

(Back to Top)

Upgrade Instructions

General Upgrade Instructions

!!!Important!!! BACKUP YOUR OLD PROJECTS FIRST!! !!!Important!!!

Backup by manually copying the .rep directory and .gpr file from any Ghidra project directories to a safe location on your file system.

New installations of Ghidra will, by default, use the saved profile from a user's most recent version of Ghidra. This allows any saved tool configurations to be automatically ported to new projects. However, this may also prevent new tool options and features from automatically being configured in some cases. To open new tools containing the latest configurations, users should, from the Project Manager Window, choose Tools → Default Tools...
When you open a program that was created using a previous version of Ghidra, you will be prompted to upgrade the program before it can be opened. The upgrade will not overwrite your old file until you save it. If you save it (to its original file), you will no longer be able to open it using an older version of Ghidra. You could, however, choose to perform a “Save As” instead, creating a new file and leaving the old version unchanged. Be very careful about upgrading shared program files since everyone accessing the file must also upgrade their Ghidra installation.

Server Upgrade Instructions

Please refer to the<GhidraInstallDir>/server/svrREADME.html file for details on upgrading your Ghidra Server.

(Back to Top)

Troubleshooting & Help

Launching Ghidra

When launching Ghidra with the provided scripts in <GhidraInstallDir> and <GhidraInstallDir>/support, you may encounter the following error messages:

Problem: Java runtime not found.
- Solution: A Java runtime (java/java.exe) is required to be on the system PATH. Please see the Requirements section for what version of Java must be pre-installed for Ghidra to launch.
Problem: Failed to find a supported JDK.
- Solution: The Ghidra launch script uses the Java runtime on the system PATH to find a supported version of a Java Development Kit (JDK) that Ghidra needs to complete its launch. Please see the Requirements section for what version of JDK must be pre-installed for Ghidra to launch.
Problem: Exited with error. Run in debug mode for more details.
- Solution: Ghidra failed to launch in the background and the error message describing the cause of the failure is being suppressed. Rerun Ghidra using the <GhidraInstallDir>/support/ghidraDebug script to see the error message.

Using Ghidra

There are several ways you can get help with using Ghidra:

Tutorials and other documentation can be found in <GhidraInstallDir>/docs.
When Ghidra is running, extensive context sensitive help is available on many topics. To access Help on a topic, place your mouse on a window, menu or component and press <F1>. Help for that window/menu/component will be displayed.
When Ghidra is running, indexed help can be found under Help → Topics...

(Back to Top)

Known Issues for current release

All Platforms

Displaying the correct processor manual page for an instruction requires the installation of Adobe Reader 8.0.x or later. Adobe broke the goto page in Reader version 7.x. If a newer version of Reader is not installed, then the manual for the processor will display at the top of the manual. Using an Adobe Reader version later than 8.0.x works for most platforms, but some platforms and version of the reader still have issues.
Some actions may block the GUI update thread if they are long running.
Project archives only store private and checked out files within the archive. Project archives do not support server-based repositories.
When using a Ghidra server, all clients and the server must have a valid Domain Name Server (DNS) defined which has been properly configured on the network for both forward and reverse lookups.
Image base can not be changed if overlays have been defined.
Language versioning and migration does not handle complex changes in the use of the context register.
Ghidra uses Java reflection in a manner that has been deprecated in newer versions of Java. It is expected to see Java warnings the about illegal reflective access, especially when importing new files. Future versions of Ghidra will address this in order to ensure compatibility with the newest versions of Java.

Windows

Older versions of 7-Zip may not be able to unpack the Ghidra distribution file if it contains any files with a 0-byte length. Upgrade to a newer version of 7-Zip to fix this problem.

Linux

Ghidra Server does not support PAM-based user authentication (-a1 authentication mode).
Some users have reported Ghidra GUI rendering issues on 4k displays and multi-monitor thin client setups. These problems are attributed to reported bugs in Java. Upgrading to a newer version of Java may fix the issue.
At the time of writing, installing the openjdk-11 package in Ubuntu 18.04 results in openjdk-10 being installed which is incompatible with Ghidra.

macOS (OS X)

Building new Ghidra module extensions on macOS (OS X) using a network drive (including a network-mapped home directory) throws a Java exception. This issue is known to the Java/macOS community but a fix has not yet been released. See <GhidraInstallDir>/Extensions/Eclipse/GhidraDev/GhidraDev_README.html for more information on building Ghidra module extensions from Eclipse.

(Back to Top)

Key
ActionContext	Mods+Key	Menu → Path
The action may only be available in the given context. ❖ indicates the context menu, i.e., right-click. The Ctrl key is replaced by the command ⌘ key on Macintosh.

Key

ActionContext

Mods+Key

Menu → Path

The action may only be available in the given context.

❖ indicates the context menu, i.e., right-click.

The Ctrl key is replaced by the command ⌘ key on Macintosh.

Load Project/Program
New Project	Ctrl+N	File → New Project
Open Project	Ctrl+O	File → Open Project
Close Project1	Ctrl+W	File → Close Project
Save Project1	Ctrl+S	File → Save Project
Import File1	I	File → Import File
Export Program	O	File → Export Program
Open File System1	Ctrl+I	File → Open File System
1 These actions are only available if there is an active project. Create or open a project first.

Help/Customize/Info
Ghidra HelpHover on action	F1	Help → Contents
About Ghidra		Help → About Ghidra
About Program		Help → About program name
Preferences		Edit → Tool Options
Set Key BindingHover on action	F4
Key Bindings		Edit → Tool Options →
Processor Manual		❖ → Processor Manual

Markup
Undo	Ctrl+Z	Edit → Undo
Redo	Ctrl+Shift+Z	Edit → Redo
Save Program	Ctrl+S	File → Save program name
Disassemble	D	❖ → Disassemble
Clear Code/Data	C	❖ → Clear Code Bytes
Add LabelAddress field	L	❖ → Add Label
Edit LabelLabel field	L	❖ → Edit Label
Rename FunctionFunction name field	L	❖ → Function → Rename Function
Remove LabelLabel field	Del	❖ → Remove Label
Remove FunctionFunction name field	Del	❖ → Function → Delete Function
Define Data	T	❖ → Data → Choose Data Type
		❖ → Data → type
		Repeat Define Data	Y	❖ → Data → Last Used: type
Rename VariableVariable in decompiler	L	❖ → Rename Variable
Retype VariableVariable in decompiler	Ctrl+L	❖ → Retype Variable

Cycle Integer Types	B	❖ → Data → Cycle → byte,word, dword, qword
Cycle String Types	'	❖ → Data → Cycle → char,string, unicode
Cycle Float Types	F	❖ → Data → Cycle → float,double
Create Array2	[	❖ → Data → Create Array
Create Pointer2	P	❖ → Data → pointer
Create StructureSelection of data	Shift+[	❖ → Data → Create Structure
New StructureData type container		❖ → New → Structure
Import C Header		File → Parse C Source
Cross References		❖ → References → Show References to context
2 When possible, arrays and pointers are created of the data type currently applied.

Miscellaneous
Select		Select → what
Program Differences	2	Tools → Program Differences
Rerun Script	Ctrl+Shift+R
Assemble	Ctrl+Shift+G	❖ → Patch Instruction

Navigation
Go To	G	Navigation → Go To
Back	Alt+←
Forward	Alt+→
Toggle Direction	Ctrl+Alt+T	Navigation → Toggle Code Unit Search Direction
Next Instruction	Ctrl+Alt+I	Navigation → Next Instruction
Next Data	Ctrl+Alt+D	Navigation → Next Data
Next Undefined	Ctrl+Alt+U	Navigation → Next Undefined
Next Label	Ctrl+Alt+L	Navigation → Next Label
Next Function	Ctrl+Alt+F	Navigation → Next Function
	Ctrl+↓	Navigation → Go To Next Function
	Previous Function	Ctrl+↑	Navigation → Go To Previous Function
Next Non-function Instruction	Ctrl+Alt+N	Navigation → Next Instruction Not In a Function
Next Different Byte Value	Ctrl+Alt+V	Navigation → Next Different Byte Value
Next Bookmark	Ctrl+Alt+B	Navigation → Next Bookmark

Windows
Bookmarks	Ctrl+B	Window → Bookmarks
Byte Viewer		Window → Bytes: program name
Function Call Trees
Data Types		Window → Data Type Manager
Decompiler	Ctrl+E	Window → Decompile: function name
Function Graph		Window → Function Graph
Script Manager		Window → Script Manager
Memory Map		Window → Memory Map
Register Values	V	Window → Register Manager
Symbol Table		Window → Symbol Table
Symbol References		Window → Symbol References
Symbol Tree		Window → Symbol Tree

Search
Search Memory	S	Search → Memory
Search Program Text	Ctrl+Shift+E	Search → Program Text
Search For ... Matching Instructions Address Tables Direct References Instruction Patterns Scalars Strings		Search → For what

Ghidra Cheat Sheet

Ghidra is licensed under the Apache License, Version 2.0 (the "License"); Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

posted @ 2019-05-15 17:16 heycomputer 阅读(589) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

HeyComputer

吾生也有涯，而知也无涯。以有涯随无涯，殆已！已而为知者，殆而已矣！为善无近名，为恶无近刑。

How to become a reverse engineer

Ghidra Installation Guide

Platforms Supported