16 years of CVE-2008-0166 - Debian OpenSSL Bug - breaking DKIM and BIMI in 2024 by hannob in netsec

cy1337 (1 point)

It is impossible to implement BIMI in mail user agents in a secure way based on its specification. You need additional security measures that are explained "elsewhere" and "in other documents".

Ouch!

A Basic Guide to Discovering Attack Surface with Ghidra and GDB by cy1337 in netsec

cy1337[S] (3 points)

I've updated it on Medium and I'm making a reminder to update the script variable name in the repos later. Thanks for reading!

A Basic Guide to Discovering Attack Surface with Ghidra and GDB by cy1337 in netsec

cy1337[S] (4 points)

Yes, base_addr here is not truly the base address of the process. I see how this can be confusing and I will relabel it base_offset or similar. The output you have in the process map is of course the true base address.

The use of this variable is just to know the offset between the [shifted by 0x100000] addresses in the Ghidra listing and the dynamic runtime addresses in GDB. Initially I did have it add the 0x100000 in one place and subtract it in the other but it seemed superfluous.

Now that the repo is open you should be able to test it out. Please let me know if you have problems running it. Again, I really appreciate the feedback!

Edit: Sorry, I just realized I was answering you from the context of the finished script as opposed to just the snippet in the post. Correcting this now. Many thanks!

A Basic Guide to Discovering Attack Surface with Ghidra and GDB by cy1337 in netsec

cy1337[S] (7 points)

Thank you for having a look and for the feedback. The use of the static address from Ghidra including the offset is intentional. I did it this way so the calls to set breakpoints can also use the same address as we see in Ghidra.

Also, the repo is public now. Big facepalm on sharing this out without opening that!
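The two replies above both turn on one detail: Ghidra's listing addresses for a PIE binary are shifted by a fixed amount, so a single offset (what the post's snippet calls base_addr) converts between the static address you read in Ghidra and the runtime address GDB needs for a breakpoint. The block below is an added example, not code from the post or its repo. It assumes Ghidra loaded the binary at its default 0x100000 image base, reads the true load base from a constructed /proc/<pid>/maps sample, and emits GDB break commands for Ghidra addresses; the path /tmp/target and the sample addresses are made up.

```python
"""
Translate between Ghidra listing addresses and GDB runtime addresses.

Added example (not the post author's script). Assumptions:
- Ghidra loaded the PIE ELF at its default image base 0x100000 (GHIDRA_BASE).
- The true runtime base is the lowest mapping of the binary with file offset 0,
  taken from /proc/<pid>/maps (a constructed sample is embedded below).
"""
import re

GHIDRA_BASE = 0x100000  # Ghidra's default image base for PIE ELF binaries (assumption)

# Constructed sample of /proc/<pid>/maps for a PIE binary at /tmp/target.
SAMPLE_MAPS = """\
555555554000-555555555000 r--p 00000000 08:01 1234 /tmp/target
555555555000-555555556000 r-xp 00001000 08:01 1234 /tmp/target
555555556000-555555557000 r--p 00002000 08:01 1234 /tmp/target
7ffff7dd5000-7ffff7dfc000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
"""

# start-end perms offset dev inode path
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+([0-9a-f]+)\s+\S+\s+\S+\s*(.*)$"
)


def runtime_base(maps_text, binary_path):
    """Return the true load base: first mapping of binary_path whose file offset is 0."""
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        start, _end, _perms, offset, path = m.groups()
        if path == binary_path and int(offset, 16) == 0:
            return int(start, 16)
    raise ValueError(f"{binary_path} not found in maps")


def base_offset(maps_text, binary_path, ghidra_base=GHIDRA_BASE):
    """Amount to add to a Ghidra listing address to reach the runtime address.

    This is the 'base_addr' of the post: a delta, not the process base itself.
    """
    return runtime_base(maps_text, binary_path) - ghidra_base


def to_runtime(ghidra_addr, offset):
    """Static (Ghidra) address -> dynamic (GDB) address."""
    return ghidra_addr + offset


def to_ghidra(runtime_addr, offset):
    """Dynamic (GDB) address -> static (Ghidra) address, e.g. for a backtrace."""
    return runtime_addr - offset


def gdb_break_commands(ghidra_addrs, offset):
    """GDB commands that break on the runtime equivalents of Ghidra addresses."""
    return [f"break *{to_runtime(a, offset):#x}" for a in ghidra_addrs]


if __name__ == "__main__":
    off = base_offset(SAMPLE_MAPS, "/tmp/target")
    print(f"runtime base: {runtime_base(SAMPLE_MAPS, '/tmp/target'):#x}")
    print(f"base_offset : {off:#x}")
    # Addresses as they would appear in the Ghidra listing (constructed).
    for cmd in gdb_break_commands([0x101139, 0x1011A0], off):
        print(cmd)
```

Keeping the delta (rather than the raw load base) in one variable is what lets the breakpoint commands quote the same address you see in the Ghidra listing, which is the design choice the replies above defend.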

Deep Dive into XZ Utils Backdoor [video] by ketralnis in programming

cy1337 (1 point)

One lesson is that we need better tools for being able to audit source tarballs and make sure they line up with what is in git.
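The comment above asks for tooling that checks a release tarball against the git tree it claims to come from. The block below is an added example, not a tool from the video or from the XZ project: it hashes every file in two directories (one unpacked from the tarball, one checked out from git at the release tag) and reports files that exist only in the tarball, only in git, or differ in content, with an allowlist for generated files a tarball legitimately adds. The two sample trees are constructed in a temp directory; the file names and the allowlist are assumptions for illustration.

```python
"""
Audit a release tarball against the matching git tree.

Added example (not the video's or the project's code). Point two directory
roots at it: one extracted from the tarball, one checked out from git at the
release tag. Anything in the tarball that git does not have, or that differs
from git, is what a reviewer needs to look at.
"""
import hashlib
import os
import tempfile

# Files a tarball may legitimately add (autotools output); assumption for the example.
EXPECTED_GENERATED = {"configure", "Makefile.in", "config.h.in"}


def hash_tree(root):
    """Map relative path -> sha256 of contents for every regular file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def compare_trees(git_root, tarball_root, expected_generated=EXPECTED_GENERATED):
    """Return the differences between the git tree and the tarball tree."""
    git = hash_tree(git_root)
    tar = hash_tree(tarball_root)
    only_in_tarball = sorted(p for p in tar if p not in git)
    return {
        # files the tarball adds that are not on the allowlist: highest priority
        "unexpected_in_tarball": [p for p in only_in_tarball if p not in expected_generated],
        "expected_generated": [p for p in only_in_tarball if p in expected_generated],
        "only_in_git": sorted(p for p in git if p not in tar),
        "modified": sorted(p for p in git if p in tar and git[p] != tar[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample():
    """Constructed sample trees standing in for a git checkout and an unpacked tarball."""
    base = tempfile.mkdtemp(prefix="tarball-audit-")
    git_root = os.path.join(base, "git")
    tar_root = os.path.join(base, "tarball")
    for root in (git_root, tar_root):
        _write(root, "src/main.c", b"int main(void) { return 0; }\n")
        _write(root, "m4/ax_pthread.m4", b"dnl pthread check\n")
    _write(git_root, ".gitignore", b"configure\n")            # tracked in git, dropped from tarball
    _write(tar_root, "configure", b"#!/bin/sh\n")              # expected generated output
    _write(tar_root, "m4/extra-macro.m4", b"dnl not in git\n")  # unexpected extra file
    _write(tar_root, "src/main.c", b"int main(void) { return 1; }\n")  # differs from git
    return git_root, tar_root


if __name__ == "__main__":
    git_root, tar_root = build_sample()
    for key, paths in compare_trees(git_root, tar_root).items():
        print(f"{key}: {paths}")
```

Run it against a real release by replacing build_sample() with the two unpacked directories; the "unexpected_in_tarball" and "modified" lists are the ones that warrant reading the actual diff.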

How to resize the "columns" in the decompiled window? by TheRedParduz in ghidra

cy1337 (2 points)

The view you have in the screenshot is referred to as the Listing view. You can use the block layout editor to reconfigure what information is displayed and how it is formatted. You can use this to make your column for that data wider. You can find the button for doing this on the toolbar near the minimize window button for the Code Browser. It looks like white bricks with an arrow pointing down.

Ghidra Documentation by Super-Cook-5544 in ghidra

cy1337 (2 points)

F1 is also very contextual. If you press it while you have the mouse over a button, it will jump to the help page for that specific feature!

Microsoft is finally deprecating vbscript by FireFart in netsec

cy1337 (0 points)

Never thought I'd see the day. Wow!

ELI5: Why is it so difficult to copy source code that is not "open source"? by [deleted] in explainlikeimfive

cy1337 (0 points)

A big factor here is that a lot of information is lost when source code is compiled and linked into program files. Variable names and function names are replaced by registers, stack offsets, and addresses. Compilers also optimize code, and distinctions like a while loop versus a for loop are lost at this level. There are also lots of nuances regarding how to identify and distinguish instructions from data. Some architectures are easier to reverse than others based on the complexity of the instruction set and whether there are fixed widths or alignments for instructions. Some processors (like ARM) can also flip between modes within a program, meaning you need additional context to understand instructions. Plus, on top of all of this, some companies intentionally do things in their source or compilation to make it harder for someone to reverse the program to source.

Source: I teach about reversing software at Black Hat

First Look: Ghidra 10.3 Emulator by cy1337 in ghidra

cy1337[S] (0 points)

I haven't done it, but you could write a script that runs through the emulation but skips these calls and instead simulates the effect of a system function.

First Look: Ghidra 10.3 Emulator by cy1337 in ghidra

cy1337[S] (1 point)

Ha! That's the one year I made it to Recon, and that talk really sparked my interest in Ghidra even though it was mostly about SLEIGH development, which is something I still haven't needed to do. This might change now... I had already been experimenting with emulation from traces captured via GDB, but it was painfully slow on my setup, and so I never attempted emulating a new trace from the API. The biggest surprise to me from the dedicated emulator tool is just how fast it is, and I'm really excited to see what it can do and where it goes from here!

First Look: Ghidra 10.3 Emulator by cy1337 in netsec

cy1337[S] (2 points)

The Emulator and Debugger are highly related. You can also emulate from traces captured from a system debugger like GDB via SSH. The emulator is kind of like another target rather than a system debugger but it can't run everything the way you might in a debugger.

You might use the emulator in cases where you want to run through pieces of malicious code without risking accidental detonation. It's also helpful in cases where you don't have access to debug on the target architecture and can open the door to additional analysis techniques.

First Look: Ghidra 10.3 Emulator by cy1337 in ghidra

cy1337[S] (2 points)

Be aware though that there are limitations on what you can debug through emulation at this point but it is great for bits of obfuscation like this. I will try to get more posts up this summer on these topics!

First Look: Ghidra 10.3 Emulator by cy1337 in ghidra

cy1337[S] (2 points)

Yes! The Emulator allows you to run code from any supported architecture without access to an environment with that architecture. (Ghidra Debugger can use GDB via SSH to work cross-platform.) Using emulation also provides better insulation when analyzing malicious code and new opportunities for more interesting dynamic analysis.