Cipher Book Review, Issue E157

The Ghidra Book - The Definitive Guide
by Chris Eagle and Kara Nance

No Starch Press 2020.
ISBN-13: 978-1-71850-102-7 (print), ISBN-13: 978-1-71850-103-4 (ebook). xxv + 580 pages

Reviewed by Sven Dietrich, 9/20/2020

When the National Security Agency's Research Directorate released the Ghidra reverse engineering tool, at version 9.0 in its initial public release, it was immediately apparent that this was a mature tool. It is also free. The existence of Ghidra, represented by its red dragon logo, had been revealed by WikiLeaks in 2017, but the tool itself was not declassified and published until two years later, in March 2019. It also became clear that Ghidra would compete with the big kid on the block, IDA Pro, the subject of "The IDA Pro Book, 2nd Edition: The Unofficial Guide to the World's Most Popular Disassembler".

So it is not surprising that Chris Eagle, the author of the seminal IDA Pro book (which has been my author-signed reverse engineering bible to date), would co-author "The Ghidra Book" with the well-known computer security expert Kara Nance, published this month by No Starch Press in a roughly 600-page volume. The book is aimed at aspiring and experienced reverse engineers alike, and it will please practitioners as well as students of the trade, whether in a software security course at a university or in a professional seminar.

The reverse engineering world is a fascinating one: an analyst undoes the work of compilers and assemblers, transforming the binary program under scrutiny into a disassembled, intermediate, or even decompiled form that describes what it does. In the early days that meant a lonely task: a former colleague, whose main job was to reverse engineer malware manually while sitting with three large monitors in a mostly dark office, kept the Windows Internals book series handy as bedtime reading. Back then it was acceptable to take a few weeks to reverse engineer a piece of malware. Nowadays we need better and faster situational awareness, and we need much better tools.

This book will help the reader understand and navigate the set of Ghidra tools that make reverse engineering possible not just for a lone hunter, but also for a structured team collaborating with specific roles divided among its members. The book is divided into five parts, for a total of 23 chapters, followed by an appendix. It is illustrated with helpful Ghidra screenshots and code samples. The latter are available from a companion website for those readers whose curiosity has been piqued and who can't wait to try it out.

The five parts are, in order, 'Introduction', 'Basic Ghidra Usage', 'Making Ghidra Work for You', 'A Deeper Dive', and 'Real-World Applications', followed by an appendix called 'Ghidra for IDA Pro Users'.

In the first part, 'Introduction', the reader learns the basics of the field. For the first chapter, 'Introduction to Disassembly', this means understanding where programming languages sit relative to one another, from machine language up to higher-level languages such as FORTRAN, C/C++ or Java, and understanding that compilation is lossy, which is what makes reversing that process challenging. In the second chapter, 'Reversing and Disassembly Tools', the reader learns that there are two classical disassembly algorithms, linear sweep and recursive descent, and a few conventions for writing out the disassembled code, such as AT&T and Intel syntax. Linear sweep decodes bytes one instruction after another from the start of a code region and is easily desynchronized by data embedded in the instruction stream; recursive descent follows control flow from known entry points, which keeps it from decoding data as code but also means it cannot follow jump targets that are computed at run time. The first part wraps up with a quick introduction to Ghidra.
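To make the difference between the two algorithms concrete, here is an added toy example (not code from the book, and not Ghidra's own disassembler): a constructed instruction set with a linear-sweep and a recursive-descent disassembler run over the same constructed byte string. The sample embeds one junk byte right after an unconditional jump, which throws the linear sweep out of sync, and ends with a register-indirect jump, whose target the recursive descent cannot resolve statically. The ISA, the opcode table and the sample bytes are all invented for illustration.

```python
"""Linear sweep vs. recursive descent on a constructed toy instruction set.

Added example: the ISA below is invented for illustration; it is not x86
and not one of Ghidra's SLEIGH processor specifications.
"""

# opcode -> (mnemonic, encoded length in bytes, control-flow kind)
ISA = {
    0x00: ("nop", 1, "seq"),
    0x01: ("mov", 3, "seq"),    # mov rN, imm8
    0x02: ("add", 3, "seq"),    # add rN, rM
    0x10: ("jmp", 2, "jump"),   # jmp rel8, unconditional
    0x11: ("jz", 2, "cjump"),   # jz rel8, conditional
    0x12: ("call", 2, "call"),  # call rel8
    0x13: ("jmp", 2, "ijump"),  # jmp rN, target computed at run time
    0x20: ("ret", 1, "stop"),
    0x21: ("hlt", 1, "stop"),
}


def _rel8(b):
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def decode(code, addr):
    """Decode the instruction at addr -> (length, text, successors).

    successors are the addresses a recursive-descent disassembler keeps
    following from here. An undefined opcode is reported as a data byte
    with no successors, and a computed jump has none either.
    """
    op = code[addr]
    if op not in ISA or addr + ISA[op][1] > len(code):
        return 1, "db 0x%02x" % op, []
    mnem, length, kind = ISA[op]
    ops = code[addr + 1:addr + length]
    nxt = addr + length
    if kind == "seq":
        if mnem == "mov":
            return length, "mov r%d, %d" % (ops[0], ops[1]), [nxt]
        if mnem == "add":
            return length, "add r%d, r%d" % (ops[0], ops[1]), [nxt]
        return length, mnem, [nxt]
    if kind in ("jump", "cjump", "call"):
        target = nxt + _rel8(ops[0])
        succ = [target] if kind == "jump" else [nxt, target]
        return length, "%s 0x%02x" % (mnem, target), succ
    if kind == "ijump":
        return length, "jmp r%d" % ops[0], []   # target unknown statically
    return length, mnem, []                      # ret / hlt: path ends here


def linear_sweep(code, start=0):
    """Decode every byte in order, one instruction after the other."""
    listing = {}
    addr = start
    while addr < len(code):
        length, text, _ = decode(code, addr)
        listing[addr] = text
        addr += length
    return listing


def recursive_descent(code, entry=0):
    """Decode only what is reachable by following control flow from entry."""
    listing = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        if addr in listing or not (0 <= addr < len(code)):
            continue
        length, text, succs = decode(code, addr)
        listing[addr] = text
        worklist.extend(succs)
    return listing


# Constructed sample program in the toy ISA, laid out by address:
#   00: jmp 0x03       unconditional jump over...
#   02: 01             ...one junk byte that looks like a mov opcode
#   03: mov r0, 5
#   06: jz 0x0a
#   08: nop
#   09: ret
#   0a: jmp r0         computed jump; static analysis cannot follow it
#   0c: hlt            only reachable through the computed jump
SAMPLE = bytes.fromhex("1001 01 010005 1102 00 20 1300 21".replace(" ", ""))


def render(listing):
    return "\n".join("%02x: %s" % (a, listing[a]) for a in sorted(listing))


if __name__ == "__main__":
    print("linear sweep:\n" + render(linear_sweep(SAMPLE)))
    print("\nrecursive descent:\n" + render(recursive_descent(SAMPLE)))
```

Running it shows the two failure modes side by side: the linear sweep swallows the junk byte at 0x02 as "mov r1, 0", loses the real "mov r0, 5" and resynchronizes only at 0x06, yet it does reach the "hlt" at 0x0c; the recursive descent never touches 0x02 and decodes every instruction correctly, but stops at the computed jump and never sees 0x0c. Real disassemblers (Ghidra included) use recursive descent plus heuristics and analyst input to fill exactly that gap.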

The second part, 'Basic Ghidra Usage', contains seven chapters that explain the basics of Ghidra, such as data displays (i.e., how you view the disassembly), untangling a Ghidra disassembly and manipulating it to your liking. Further chapters discuss the data types that come with each programming language, as well as data structures, capturing cross-references in a program, and graphs as a visual way of displaying the structure and flow of a program. In the end, the reader will realize that Ghidra is a database that allows you to label the code incrementally, sometimes automagically, as you move along. The basics explained here include initial guidance on accepting or overriding Ghidra's guesses about the binary, such as processor type, bitness (16/32/64), or even the compiler that may have generated it.

In the third part, 'Making Ghidra Work for You', the authors explore the collaborative reverse engineering mentioned above, with multiple analysts working on a shared project from their own machines, and customization (Ghidra is available in source form and can be adjusted to taste). Customization can include extending Ghidra's view of the world, for example improving the automatic labeling and function identification in the binary, as well as basic scripting for repeated or repetitive tasks. One chapter discusses the GhidraDev plugin, which integrates Ghidra script development with the Eclipse IDE of Java fame. Last but not least in this part, the authors guide the reader through headless (dragon?) mode, used when a GUI is not needed, as when running analysis scripts in batch.

In the fourth part, 'A Deeper Dive', the book goes even further into the nitty-gritty of Ghidra, looking at Ghidra loaders for when the built-in loaders are at their wit's end, say in the case of shellcode without proper program headers. Another chapter looks at Ghidra processors, for the (unlikely) event that the reader has to write their own processor definition for a firmware image running on an embedded processor that is not included in the Ghidra library. That chapter also introduces p-code, Ghidra's intermediate representation (IR) or intermediate language (IL), an important concept found throughout the reverse engineering and security literature. The authors also cover the Ghidra decompiler, which is built on p-code among other things, and the compiler variations (different compilers, versions and optimization settings producing different code for the same source) that can throw an analyst off.

In the last part, 'Real-World Applications', the real fun stuff (well, ok, slightly biased, so for me it's fun) awaits: a discussion of Ghidra use in the context of obfuscated code analysis, covering anti-static-analysis techniques (e.g., opcode obfuscation, dynamic target computation, control flow obfuscation) and anti-dynamic-analysis techniques (virtualization detection, debugger detection). They also cover patching binaries, for when the reader wants to modify a program for a variety of reasons (removing debugging code, bypassing checks, stopping it from phoning home), and binary differencing and version tracking, for understanding the lineage of a malware family. The latter is an especially welcome feature for readers who are fans of the BinDiff plugin for IDA Pro.
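As an added illustration of what patching a binary involves under the hood (this is not the book's code, and Ghidra does the same bookkeeping for you in its GUI), the following maps a virtual address to a file offset through the ELF64 program headers, checks that the bytes found there are the ones expected, and only then flips a conditional jump (je, 0x74) into an unconditional one (jmp, 0xEB) so a failure path is never taken. The ELF image is constructed inline and is not a real program; the address 0x400082 and the stub bytes are assumptions for the example.

```python
"""Patch a byte at a virtual address inside an ELF64 image.

Added example, not the book's code: the virtual address is translated to
a file offset through the PT_LOAD program headers, the bytes found there
are checked against what we expect, and only then rewritten. The ELF
image is constructed inline and is not a real program.
"""
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")              # Elf64_Phdr (56 bytes)
PT_LOAD = 1


def load_segments(data):
    """Yield (p_offset, p_vaddr, p_filesz) for each PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:    # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    hdr = ELF_HDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            yield p_offset, p_vaddr, p_filesz


def va_to_offset(data, va):
    """File offset backing virtual address va, or None (e.g. .bss, unmapped)."""
    for p_offset, p_vaddr, p_filesz in load_segments(data):
        if p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    return None


def patch(data, va, new_bytes, expect=None):
    """Return a patched copy of data; refuse if the bytes at va are not expect.

    A patch that lands on the wrong instruction (wrong build, wrong
    address) is worse than no patch, so callers should pass expect.
    """
    off = va_to_offset(data, va)
    if off is None:
        raise ValueError("0x%x is not backed by the file" % va)
    out = bytearray(data)
    if expect is not None and bytes(out[off:off + len(expect)]) != expect:
        raise ValueError("unexpected bytes at 0x%x, refusing to patch" % va)
    out[off:off + len(new_bytes)] = new_bytes
    return bytes(out)


def build_sample_elf():
    """Constructed 0x100-byte ELF64: one R+X PT_LOAD mapping the file at
    0x400000, with this x86-64 stub at 0x400080 (assumed for the example):
        85 c0            test eax, eax
        74 05            je   0x400089   ; skip the failure path when eax == 0
        b8 01 00 00 00   mov  eax, 1     ; failure path
        c3               ret
    """
    base, size, code_off = 0x400000, 0x100, 0x80
    stub = bytes.fromhex("85c0 7405 b801000000 c3".replace(" ", ""))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LSB, v1
    ehdr = ELF_HDR.pack(e_ident, 2, 0x3E, 1, base + code_off,   # ET_EXEC, x86-64
                        64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_LOAD, 5, 0, base, base, size, size, 0x1000)  # flags R|X
    img = bytearray(size)
    img[:64] = ehdr
    img[64:64 + 56] = phdr
    img[code_off:code_off + len(stub)] = stub
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_elf()
    # Turn the je at 0x400082 into jmp so the failure path is never taken.
    patched = patch(img, 0x400082, b"\xeb", expect=b"\x74")
    print("je at file offset 0x%x -> jmp" % va_to_offset(img, 0x400082))
    print(patched[0x80:0x8c].hex())
```

The address-to-offset step is the part that is easy to get wrong by hand: the offset of a byte in the file is not its virtual address minus the image base unless the segment happens to start at file offset 0, as it does in this constructed sample. The expect check guards against applying a patch meant for one build of a program to another.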

The book wraps up with an appendix, 'Ghidra for IDA Pro Users', for those die-hards who got used to another framework for thinking about reverse engineering and want to explore a new world; it maps the concepts from the other (IDA Pro) world to the Ghidra world discussed in the book.

Chris Eagle and Kara Nance have delivered a very readable and hands-on book on reverse engineering using a publicly available tool. As Chris Eagle's book on IDA Pro has had a steady spot on my bookshelf, this well-written book will also find its spot on the same bookshelf in my new office. I enjoyed reading this book by the Eagle-Nance team that is bound to make the black art of reverse engineering more accessible.


Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org.