Matthew Profile picture
Security Research and Educational Content

Oct 18, 2022, 9 tweets

🐲 Ghidra Tips🐲For Beginner/Intermediate analysts interested in RE.

These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄

[1/9] 🧵

#Malware #RE #Ghidra

2/ The sample I'm using can be found here if you'd like to follow along. It is a cobalt strike DLL often found in Gootloader campaigns.

bazaar.abuse.ch/sample/a2513cc…

3/ Enable "Cursor Text Highlighting". 🖱️

This will automatically highlight areas of interest when using the Ghidra decompiler.

This is useful for quickly identifying where a value has or will be used.

4/ Disable print type casting. 🖨️

This removes the (VOID *) (Byte *) etc from the decompiler.

I think this results in a much more readable and python-like experience for new analysts.

(These should eventually be re-enabled when you're more comfortable with Ghidra/C)

5/ Enable the entropy view 🟥

Ghidra has a not-so-obvious feature to display high entropy areas within code.

This can be used to identify sections of data that are encrypted, compressed, or otherwise obfuscated.

6/ Utilise Labels and X-refs. 🏷️

Once you've identified a suspicious area, make sure to check where that area starts, and where it is used.

Using the example above, you can use the entropy view (combined with labels and x-refs) to identify the associated decryption code.

7/ Ignore the data type manager. 🤛

This is a complex feature that is largely irrelevant for those new to Ghidra/RE.

If you're a beginner, I think you can safely ignore it until you're at least comfortable with the Decompiler and other features.

8/ Utilise X-refs from imported Functions/API's. 🕵️‍♂️

Check where suspicious API's are being used!

Once you've identified suspicious imports.
Make sure you utilise the x-refs (show references to) feature to see where that API is used within the code.

9/ Read the Docs! 📖

When you encounter a windows API, it's useful to read the MSDN docs.
You can then use this information to rename variables and significantly clean up the Ghidra code.

This is a short example to explain the concept.

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling