
Ghidra Book: A Definitive Guide [Paperback]

  • Format: Paperback / softback, 608 pages, height x width: 235x178 mm
  • Publication date: 01-Sep-2020
  • Publisher: No Starch Press,US
  • ISBN-10: 1718501021
  • ISBN-13: 9781718501027
A guide to using the Ghidra software reverse engineering tool suite.

The ability to analyze software with a disassembler is a crucial reverse engineering skill and one of the core competencies expected of malware analysts and software security researchers. Ghidra is one of the world's most capable disassemblers, and it's the only one that includes an environment for collaborative reverse engineering. Ghidra is also a comprehensive open source tool suite and a powerful alternative to the commercial competitors that come with a hefty price tag and steep learning curve.

The Ghidra Book teaches you how to use Ghidra to answer the hardest problems about software behavior. It is a tutorial about Ghidra's features that includes instructions on how to use and modify the open source software to make it meet the needs of any individual or organization.

The book begins with some background on the reverse engineering process. You are then introduced to important Ghidra features together with examples showing how to customize and augment the suite. You'll learn how to:

  • Navigate a disassembly
  • Use Ghidra's built-in decompiler to expedite analysis
  • Analyze obfuscated binaries
  • Extend Ghidra to recognize new data types
  • Build new Ghidra analyzers
  • Build new Ghidra loaders
  • Add support for new processors and instruction sets
  • Script Ghidra tasks to automate workflows
  • Set up and use a collaborative reverse engineering environment

By the end of the book, readers will have learned how to use Ghidra efficiently and maximize its effectiveness.

Reviews

"The Ghidra Book provides a thorough introduction for new users, using clear examples with plenty of background information . . . a valuable addition to the skill set of a malware analyst." Max Kersten

"The book takes you from the beginning of your Ghidra journey to the end. From an introduction to disassembly and working with the basics of Ghidra to scripting in Ghidra to extend its capabilities, this book covers it all. . . . a perfect 5/5 for me." Tyler Reguly, Tripwire Book Club

"I would highly recommend this book. Rather than simply being a Ghidra user guide, the authors did an exceptional job of laying out many of the fundamental concepts involved in software reverse engineering." Craig Young, Principal Security Researcher, Tripwire

"I enjoyed The Ghidra Book, and it was a good starting point for me in entering the world of reverse engineering and the many different tools that are accessible due to being open-sourced. I encourage anyone that has an interest in reverse engineering or who just wants to investigate cool open-sourced tools to give The Ghidra Book a read." Matthew Jerzewski, Security Researcher, Tripwire

Acknowledgments xix
Introduction xxi
About This Book xxii
Who Should Read This Book? xxii
What's in This Book? xxii
Part I Introduction xxiii
Part II Basic Ghidra Usage xxiii
Part III Making Ghidra Work for You xxiii
Part IV A Deeper Dive xxiv
Part V Real-World Application xxiv
PART I INTRODUCTION 1(38)
1 Introduction to Disassembly 3(12)
Disassembly Theory 4(1)
The What of Disassembly 5(1)
The Why of Disassembly 6(1)
Malware Analysis 6(1)
Vulnerability Analysis 6(1)
Software Interoperability 7(1)
Compiler Validation 7(1)
Debugging Displays 7(1)
The How of Disassembly 7(7)
A Basic Disassembly Algorithm 8(1)
Linear Sweep Disassembly 9(2)
Recursive Descent Disassembly 11(3)
Summary 14(1)
2 Reversing and Disassembly Tools 15(18)
Classification Tools 15(5)
File 16(2)
PE Tools 18(1)
PEiD 19(1)
Summary Tools 20(7)
Nm 20(2)
Ldd 22(2)
Objdump 24(1)
Otool 25(1)
Dumpbin 25(1)
C++filt 26(1)
Deep Inspection Tools 27(4)
Strings 28(1)
Disassemblers 29(2)
Summary 31(2)
3 Meet Ghidra 33(6)
Ghidra Licenses 34(1)
Ghidra Versions 34(1)
Ghidra Support Resources 34(1)
Downloading Ghidra 35(1)
Installing Ghidra 35(3)
The Ghidra Directory Layout 36(1)
Starting Ghidra 37(1)
Summary 38(1)
PART II BASIC GHIDRA USAGE 39(176)
4 Getting Started with Ghidra 41(14)
Launching Ghidra 41(2)
Creating a New Project 43(5)
Ghidra File Loading 44(2)
Using the Raw Binary Loader 46(2)
Analyzing Files with Ghidra 48(4)
Auto Analysis Results 51(1)
Desktop Behavior During Initial Analysis 52(2)
Saving Your Work and Exiting 53(1)
Ghidra Desktop Tips and Tricks 54(1)
Summary 54(1)
5 Ghidra Data Displays 55(34)
CodeBrowser 56(2)
CodeBrowser Windows 58(20)
The Listing Window 61(3)
Creating Additional Disassembly Windows 64(2)
Ghidra Function Graph View 66(5)
The Program Trees Window 71(1)
The Symbol Tree Window 72(3)
The Data Type Manager Window 75(1)
The Console Window 75(1)
The Decompiler Window 75(3)
Other Ghidra Windows 78(9)
The Bytes Window 78(2)
The Defined Data Window 80(1)
The Defined Strings Window 81(1)
The Symbol Table and Symbol References Windows 82(3)
The Memory Map Window 85(1)
The Function Call Graph Window 86(1)
Summary 87(2)
6 Making Sense of a Ghidra Disassembly 89(30)
Disassembly Navigation 90(3)
Names and Labels 90(1)
Navigation in Ghidra 91(1)
Go To 92(1)
Navigation History 92(1)
Stack Frames 93(12)
Function Call Mechanics 94(2)
Calling Conventions 96(4)
Additional Stack Frame Considerations 100(1)
Local Variable Layout 101(1)
Stack Frame Examples 101(4)
Ghidra Stack Views 105(9)
Ghidra Stack Frame Analysis 106(1)
Stack Frames in Listing View 106(3)
Decompiler-Assisted Stack Frame Analysis 109(1)
Local Variables as Operands 110(1)
The Ghidra Stack Frame Editor 111(3)
Searching 114(3)
Search Program Text 115(1)
Search Memory 116(1)
Summary 117(2)
7 Disassembly Manipulation 119(1)
Manipulating Names and Labels 120(1)
Renaming Parameters and Local Variables 121(3)
Renaming Labels 124(1)
Adding a New Label 125(1)
Editing Labels 126(1)
Removing a Label 127(1)
Navigating Labels 128(1)
Comments 128(5)
End-of-Line Comments 129(1)
Pre and Post Comments 130(1)
Plate Comments 130(1)
Repeatable Comments 131(1)
Parameter and Local Variable Comments 132(1)
Annotations 132(1)
Basic Code Transformations 133(7)
Changing Code Display Options 133(2)
Formatting Instruction Operands 135(2)
Manipulating Functions 137(2)
Converting Data to Code (and Vice Versa) 139(1)
Basic Data Transformations 140(5)
Specifying Data Types 141(1)
Working with Strings 142(2)
Defining Arrays 144(1)
Summary 145(2)
8 Data Types and Data Structures 147(36)
Making Sense of Data 148(2)
Recognizing Data Structure Use 150(16)
Array Member Access 150(9)
Structure Member Access 159(7)
Creating Structures with Ghidra 166(6)
Creating a New Structure 166(3)
Editing Structure Members 169(2)
Applying Structure Layouts 171(1)
C++ Reversing Primer 172(10)
The this Pointer 173(1)
Virtual Functions and Vftables 173(4)
The Object Life Cycle 177(2)
Name Mangling 179(1)
Runtime Type Identification 180(1)
Inheritance Relationships 181(1)
C++ Reverse Engineering References 182(1)
Summary 182(1)
9 Cross-References 183(14)
Referencing Basics 184(9)
Cross-References (Back References) 185(3)
References Example 188(5)
Reference Management Windows 193(3)
XRefs Window 193(1)
References To 194(1)
Symbol References 194(1)
Advanced Reference Manipulation 195(1)
Summary 196(1)
10 Graphs 197(18)
Basic Blocks 198(1)
Function Graphs 198(10)
Function Call Graphs 208(6)
Trees 214(1)
Summary 214(1)
PART III MAKING GHIDRA WORK FOR YOU 215(146)
11 Collaborative SRE 217(24)
Teamwork 218(1)
Ghidra Server Setup 218(3)
Shared Projects 221(3)
Creating a Shared Project 222(1)
Project Management 223(1)
Project Window Menus 224(8)
File 224(3)
Edit 227(2)
Project 229(3)
Project Repository 232(8)
Version Control 233(2)
Example Scenario 235(5)
Summary 240(1)
12 Customizing Ghidra 241(20)
CodeBrowser 242(7)
Rearranging Windows 242(1)
Editing Tool Options 243(3)
Editing the Tool 246(1)
Special Tool Editing Features 247(1)
Saving the CodeBrowser Layout 248(1)
Ghidra Project Window 249(4)
Tools 253(5)
Workspaces 258(1)
Summary 259(2)
13 Extending Ghidra's Worldview 261(24)
Importing Files 262(3)
Analyzers 265(1)
Word Models 265(2)
Data Types 267(5)
Creating New Data Type Archives 269(3)
Function IDs 272(1)
Function ID Plugin 273(11)
Function ID Plugin Example: UPX 275(4)
Function ID Plugin Example: Profiling a Static Library 279(5)
Summary 284(1)
14 Basic Ghidra Scripting 285(30)
Script Manager 286(3)
Script Manager Window 286(1)
Script Manager Toolbar 287(2)
Script Development 289(8)
Writing Java Scripts (Not JavaScript!) 289(1)
Edit Script Example: Regex Search 290(5)
Python Scripts 295(2)
Support for Other Languages 297(1)
Introduction to the Ghidra API 297(10)
The Address Interface 298(1)
The Symbol Interface 298(1)
The Reference Interface 299(1)
The GhidraScript Class 299(6)
The Program Class 305(1)
The Function Interface 306(1)
The Instruction Interface 306(1)
Ghidra Scripting Examples 307(6)
Example 1 Enumerating Functions 307(1)
Example 2 Enumerating Instructions 308(1)
Example 3 Enumerating Cross-References 308(2)
Example 4 Finding Function Calls 310(1)
Example 5 Emulating Assembly Language Behavior 311(2)
Summary 313(2)
15 Eclipse and GhidraDev 315(26)
Eclipse 316(2)
Eclipse Integration 316(1)
Starting Eclipse 316(1)
Editing Scripts with Eclipse 317(1)
GhidraDev Menu 318(11)
GhidraDev New 319(5)
Navigating the Package Explorer 324(5)
Example: Ghidra Analyzer Module Project 329(11)
Step 1 Define the Problem 330(1)
Step 2 Create the Eclipse Module 331(1)
Step 3 Build the Analyzer 331(6)
Step 4 Test the Analyzer Within Eclipse 337(1)
Step 5 Add the Analyzer to Our Ghidra Installation 337(1)
Step 6 Test the Analyzer Within Ghidra 338(2)
Summary 340(1)
16 Ghidra in Headless Mode 341(20)
Getting Started 342(13)
Step 1 Launch Ghidra 343(1)
Steps 2 and 3: Create a New Ghidra Project in a Specified Location 343(1)
Step 4 Import a File to the Project 344(1)
Steps 5 and 6: Auto Analyze the File, Save, and Exit 344(3)
Options and Parameters 347(8)
Writing Scripts 355(5)
HeadlessSimpleROP 355(4)
Automated FidDb Creation 359(1)
Summary 360(1)
PART IV A DEEPER DIVE 361(106)
17 Ghidra Loaders 363(38)
Unknown File Analysis 365(1)
Manually Loading a Windows PE File 366(9)
Example 1 SimpleShellcode Loader Module 375(12)
Step 0 Take a Step Back 377(2)
Step 1 Define the Problem 379(1)
Step 2 Create the Eclipse Module 379(1)
Step 3 Build the Loader 380(5)
Step 4 Add the Loader to Our Ghidra Installation 385(1)
Step 5 Test the Loader Within Ghidra 385(2)
Example 2 Simple Shellcode Source Loader 387(4)
Update 1 Modify the Response to the Importer Poll 388(1)
Update 2 Find the Shellcode in the Source Code 388(1)
Update 3 Convert Shellcode to Byte Values 389(1)
Update 4 Load Converted Byte Array 389(1)
Results 389(2)
Example 3 Simple ELF Shellcode Loader 391(9)
Housekeeping 392(1)
ELF Header Format 392(1)
Find Supported Load Specifications 393(1)
Load File Content into Ghidra 394(1)
Format Data Bytes and Add an Entry Point 395(1)
Language Definition Files 396(1)
Opinion Files 397(1)
Results 398(2)
Summary 400(1)
18 Ghidra Processors 401(26)
Understanding Ghidra Processor Modules 403(4)
Eclipse Processor Modules 403(1)
SLEIGH 404(2)
Processor Manuals 406(1)
Modifying a Ghidra Processor Module 407(19)
Problem Statement 408(1)
Example 1 Adding an Instruction to a Processor Module 409(6)
Example 2 Modifying an Instruction in a Processor Module 415(9)
Example 3 Adding a Register to a Processor Module 424(2)
Summary 426(1)
19 The Ghidra Decompiler 427(16)
Decompiler Analysis 428(2)
Analysis Options 428(2)
The Decompiler Window 430(12)
Example 1 Editing in the Decompiler Window 431(5)
Example 2 Non-Returning Functions 436(1)
Example 3 Automated Structure Creation 437(5)
Summary 442(1)
20 Compiler Variations 443(24)
High-Level Constructs 444(7)
Switch Statements 444(5)
Example: Comparing gcc with Microsoft C/C++ Compiler 449(2)
Compiler Build Options 451(7)
Example 1 Modulo Operator 452(3)
Example 2 The Ternary Operator 455(2)
Example 3 Function Inlining 457(1)
Compiler-Specific C++ Implementation 458(5)
Function Overloading 458(1)
RTTI Implementations 459(4)
Locating the main Function 463(3)
Example 1 _start to main with gcc on Linux x86-64 464(1)
Example 2 _start to main with clang on FreeBSD x86-64 464(1)
Example 3 _start to main with Microsoft's C/C++ compiler 465(1)
Summary 466(1)
PART V REAL-WORLD APPLICATIONS 467(84)
21 Obfuscated Code Analysis 469(36)
Anti-Reverse Engineering 470(21)
Obfuscation 470(1)
Anti-Static Analysis Techniques 470(12)
Imported Function Obfuscation 482(5)
Anti-Dynamic Analysis Techniques 487(4)
Static Deobfuscation of Binaries Using Ghidra 491(13)
Script-Oriented Deobfuscation 491(5)
Emulation-Oriented Deobfuscation 496(2)
Step 1 Define the Problem 498(1)
Step 2 Create the Eclipse Script Project 498(1)
Step 3 Build the Emulator 499(3)
Step 4 Add the Script to Our Ghidra Installation 502(1)
Step 5 Test the Script Within Ghidra 502(2)
Summary 504(1)
22 Patching Binaries 505(24)
Planning Your Patch 506(1)
Finding Things to Change 506(7)
Searching Memory 507(1)
Searching for Direct References 508(1)
Searching for Instruction Patterns 508(4)
Finding Specific Behaviors 512(1)
Applying Your Patch 513(9)
Making Basic Changes 513(6)
Making Nontrivial Changes 519(3)
Exporting Files 522(3)
Ghidra Export Formats 522(1)
The Binary Export Format 523(1)
Script-Assisted Export 523(2)
Example: Patching a Binary 525(3)
Summary 528(1)
23 Binary Differencing and Version Tracking 529(22)
Binary Differencing 529(9)
Program Diff Tool 531(3)
Example: Merging Two Analyzed Files 534(4)
Comparing Functions 538(8)
Function Comparison Window 538(3)
Example: Comparing Crypto Routines 541(5)
Version Tracking 546(3)
Version Tracking Concepts 547(2)
Summary 549(2)
GHIDRA FOR IDA USERS 551(6)
The Basics 552(4)
Database Creation 552(2)
Basic Windows and Navigation 554(2)
Scripting 556(1)
Summary 556(1)
Index 557

Chris Eagle has been reverse engineering software for 40 years. He is the author of The IDA Pro Book (No Starch Press) and is a highly sought-after provider of reverse engineering training. He has published numerous reverse engineering tools and given numerous talks at conferences such as Black Hat, DEF CON, and ShmooCon.

Dr. Kara Nance is a private security consultant. She has been a professor of computer science for many years. She has served on the Honeynet Project Board of Directors and has given numerous talks at conferences around the world. She enjoys building Ghidra extensions and regularly provides Ghidra training.