WEBVTT

00:00.860 --> 00:01.610
Now.

00:01.610 --> 00:05.570
It's about time we got down to actually using Ghidra.

00:05.900 --> 00:11.630
The remainder of this course is dedicated to various features of Ghidra and how you can leverage them

00:11.630 --> 00:14.720
to best meet your reverse engineering needs.

00:14.750 --> 00:18.960
In this section, we will begin covering the options you are presented with.

00:18.980 --> 00:20.660
So when launching Ghidra.

00:20.780 --> 00:26.570
And then we describe what happens when you open a single binary file for analysis.

00:26.580 --> 00:33.170
Finally, we present a quick overview of the user interface to lay the groundwork for the remaining

00:33.170 --> 00:33.990
chapters.

00:34.010 --> 00:36.560
And here, anytime you launch Ghidra here.

00:36.560 --> 00:39.290
So we will first run the Ghidra here.

00:39.710 --> 00:46.790
So anytime you launch Ghidra, you will be briefly greeted by a splash screen that displays

00:46.790 --> 00:48.470
a little logo, build information,

00:48.710 --> 00:52.130
the Ghidra and Java version numbers and the licensing information.

00:52.460 --> 00:59.630
If you wish to truly read the splash screen to learn more about your version, you can display it at

00:59.630 --> 01:06.300
any time by clicking on Help and About Ghidra from the Ghidra project window.

01:06.420 --> 01:12.450
And once the splash screen clears, Ghidra displays the Ghidra project window behind the Tip of the Day

01:12.450 --> 01:17.940
dialog, and you can scroll through the tips by clicking the Next Tip button.

01:18.150 --> 01:25.740
But if you prefer not to see the tips, feel free to uncheck Show Tips on Startup, like this.

01:25.770 --> 01:32.310
And here, if you uncheck the box and you find yourself missing the Tip of the Day dialog,

01:32.310 --> 01:38.100
you can easily restore it through the Ghidra help menu right here.

01:39.180 --> 01:39.890
Tip of the day.

01:39.900 --> 01:41.610
Click on that and that's it.

01:41.730 --> 01:45.890
Here we will select Show Tips on Startup and click on Close.

01:45.900 --> 01:50.940
And if you close the Tip of the Day dialog or uncheck the box and restart Ghidra, you will be presented

01:50.940 --> 01:53.040
with a project window.

01:53.070 --> 01:59.670
Ghidra uses a project environment to allow you to manage and control the tools and data associated

01:59.670 --> 02:03.310
with a file or group of files as you are working with them.

02:03.330 --> 02:09.660
This initial interaction focuses on a single file as a component of a non-shared project, so more complex

02:09.660 --> 02:16.950
project capabilities will be discussed in the next sections and lectures of our course.

02:16.950 --> 02:22.290
So if this is your first time launching Ghidra, you will need to create a project.

02:22.290 --> 02:29.910
If you have launched it previously, the active project will be the one you used most recently. Choosing

02:29.910 --> 02:30.270
File.

02:30.270 --> 02:39.150
Here, this allows you to specify the characteristics of the new project, and here you can.

02:39.150 --> 02:44.310
The first step in creating a project is to choose between a non-shared project and a shared project.

02:44.310 --> 02:48.210
In this lecture, we will begin with a non-shared project.

02:48.240 --> 02:53.100
With that choice out of the way, you will be presented with this dialog here.

02:53.100 --> 02:53.520
Right?

02:53.520 --> 03:00.270
So once you have entered the project location information and then the project name, in this case we

03:00.270 --> 03:06.510
will use Typhoon zero one and click on Finish here.

03:06.510 --> 03:11.640
And once you have entered the project location and project name, click on Finish to complete the project

03:11.640 --> 03:12.750
creation process.

03:12.750 --> 03:18.840
And here this will return you to the project window with the newly created project selected here, as you can

03:18.840 --> 03:19.620
see here.

03:19.830 --> 03:26.850
And to do any useful work, you will need to add at least one file to your project, so you can open a

03:26.850 --> 03:34.620
file either by choosing New File like here, or by right-clicking on it.

03:35.260 --> 03:35.890
Or.

03:36.600 --> 03:37.770
File here.

03:38.900 --> 03:40.100
Import File.

03:40.940 --> 03:41.840
This here.

03:43.280 --> 03:51.740
and browsing to the file you wish to import, or by dragging and dropping the file directly into this project

03:51.740 --> 03:52.280
window here.

03:52.280 --> 03:53.930
In this case, our file is deleted.

03:53.930 --> 04:03.320
So here, let's actually first create just a basic C++ program, and

04:03.320 --> 04:06.910
we will compile it so it will show Hello World.

04:06.920 --> 04:10.340
We will just write a simple C++ program here.

04:10.340 --> 04:12.980
So main.cpp here.

04:13.010 --> 04:13.610
Yes.

04:13.610 --> 04:24.950
And open it with Notepad, and here we will include stdio.h here, and after that we will

04:24.950 --> 04:27.080
int main here.

04:27.740 --> 04:29.750
After that we will printf.

04:30.870 --> 04:32.160
Hello world.

04:32.180 --> 04:33.490
And that's it.

04:33.510 --> 04:34.980
And after that.

04:35.130 --> 04:35.460
Sorry.

04:36.240 --> 04:37.380
After that.

04:38.660 --> 04:44.450
Well, it will return zero and that's it.

04:44.810 --> 04:49.430
And here, let's go to CMD and compile our project.

04:54.860 --> 04:55.820
Is the

04:55.850 --> 04:57.410
GCC compiler installed?

04:57.410 --> 04:57.800
Yes.

04:57.830 --> 05:09.590
So we will go to cd Desktop and gcc main.cpp -o here main.exe here and there.

05:09.590 --> 05:10.790
As you can see here.

05:11.000 --> 05:16.460
Let's run this exe and, as you can see, we printed Hello World on the screen.

05:16.460 --> 05:20.480
But this is just a basic, simple C++ program.

05:21.260 --> 05:24.410
And here we have this main.exe here.

05:25.000 --> 05:28.690
We will drag and drop this to Ghidra, into Ghidra.

05:28.930 --> 05:33.970
But instead of this, we can also just press the I button.

05:34.140 --> 05:34.810
I, keyboard.

05:34.840 --> 05:35.890
I on the keyboard.

05:35.920 --> 05:43.060
I on the keyboard, and we can select main.exe, and after selecting this we will select the file to import.

05:43.060 --> 05:45.040
And that is it.

05:45.220 --> 05:51.880
And here, when you import something, Ghidra generates a list of potential

05:53.280 --> 05:59.160
file types and provides these in the Format picklist.

06:00.020 --> 06:05.540
Or at the top of the dialog here, and clicking the information button to the right of the

06:07.080 --> 06:16.710
dialog will provide you with a list of supported formats here, which we will describe in the next

06:16.710 --> 06:17.000
lecture.

06:17.010 --> 06:20.010
Here we have input format here.

06:20.010 --> 06:24.150
Let's actually see here, Dalvik executable and so on.

06:24.150 --> 06:25.770
So here.

06:27.830 --> 06:33.920
And the Format picklist provides the subset of data loaders that are best suited for dealing with the

06:33.920 --> 06:34.630
selected file.

06:34.640 --> 06:38.730
For this example, two options are provided in the Format picklist.

06:38.750 --> 06:42.670
The first is Portable Executable (PE),

06:44.740 --> 06:48.030
or old-style DOS executable, and Raw Binary.

06:48.040 --> 06:55.270
The Raw Binary option will always be present, since it's just the default for loading files

06:55.270 --> 06:57.190
that it does not recognize.

06:57.550 --> 07:01.210
This provides the lowest level option for loading any file.

07:01.210 --> 07:07.900
So when offered the choice of several loaders, it's not a bad strategy to accept the default selections

07:07.900 --> 07:12.790
unless you possess specific information that contradicts Ghidra's determination.

07:12.790 --> 07:14.710
So the Language field here.

07:14.710 --> 07:23.980
So we will just not touch the format here, because it was selected for us, and here this Language field

07:23.980 --> 07:29.200
allows you to specify which processor model should be used during the disassembly process.

07:29.230 --> 07:39.370
A Ghidra language/compiler specification can consist of a processor type, an endian specification,

07:39.400 --> 07:43.930
LE or BE here, a bitness value here,

07:45.250 --> 07:52.690
like 16, 32 and 64, a processor variant and the compiler ID here.

07:52.690 --> 07:54.850
So we have several options to check here.

07:54.850 --> 08:01.750
But as you can see, it's uncheckable because Ghidra already checked it for us, and the Destination

08:01.750 --> 08:08.740
Folder field lets you select the project folder in which the newly imported file will be displayed, and

08:08.740 --> 08:11.680
the default is to display it in the top-level project folder.

08:11.680 --> 08:20.890
But subfolders can be added to organize imported programs within the project, so you can

08:20.890 --> 08:23.470
select the extension buttons to the right of the

08:24.730 --> 08:30.220
Uh, so to the right of the Language and Destination Folder fields, to view other options for each.

08:30.400 --> 08:34.450
So you can also edit the text in the program name field.

08:35.610 --> 08:38.820
And don't be confused by the change in terminology.

08:38.860 --> 08:45.000
The program name is a name that Ghidra uses to refer to the imported binary within the project, including

08:45.000 --> 08:47.190
for display in the project window.

08:47.460 --> 08:52.350
So it defaults to the name of the imported file, but it could be changed to something more descriptive

08:52.350 --> 08:57.730
like simple Hello World

08:57.750 --> 09:06.160
print here, and you can also do it for malware from a target computer and so on.

09:06.180 --> 09:13.200
In addition to the four fields shown in this dialog, you can access other options to control the loading

09:13.200 --> 09:16.230
process via the Options button here.

09:19.940 --> 09:20.390
Here.

09:20.630 --> 09:24.140
So these options are dependent on the selected format and processor.

09:25.310 --> 09:27.380
The options, for example,

09:28.280 --> 09:41.210
meaning for a PE file, x86, are shown here, with the default options selected. Right, so while

09:41.210 --> 09:46.400
moving ahead with the default options is generally a good approach, you may choose other options as

09:46.400 --> 09:48.200
you gain experience here.

09:48.200 --> 09:53.600
For example, Apply Processor Defined Labels and Anchor Processor Defined Labels.

09:53.600 --> 09:55.730
We have Load System Libraries From Disk.

09:55.730 --> 09:57.980
We can also edit paths here.

09:59.390 --> 10:04.490
Your project library search folder and so on, and we will just click on Cancel here.

10:04.490 --> 10:11.180
We will not touch anything on it, and the import options here are used to gain

10:12.490 --> 10:14.740
finer control over the file loading process.

10:14.740 --> 10:20.560
So these options are not applicable to all input file types, and in most cases you can rely on the

10:20.560 --> 10:28.960
default selections here, and additional information about options is available in Ghidra Help also.

10:29.050 --> 10:36.550
So when you're happy with your loading options, click OK to close the dialogs, and you're presented

10:36.550 --> 10:41.200
with the Import Results Summary window here.

10:42.310 --> 10:44.140
We will see right here.

10:44.560 --> 10:49.600
And this is called Import Results Summary.

10:50.530 --> 10:57.430
So this Import Results Summary provides you an opportunity to review the selected import options

10:57.430 --> 11:07.180
along with the basic information that the loader has extracted from your chosen file, and in this importing

11:07.180 --> 11:08.230
files here.

11:09.750 --> 11:19.170
Or here we have additional information that isn't reflected in the import results, which you will learn

11:19.470 --> 11:21.000
in the next lectures.

11:22.760 --> 11:23.990
And after that we will.

11:24.020 --> 11:24.830
We can click.

11:24.860 --> 11:25.820
Okay.

11:26.330 --> 11:27.590
So that's it.

11:27.620 --> 11:31.550
We imported the exe file. At times,

11:32.180 --> 11:37.140
here, Raw Binary will be the only entry in the Format picklist.

11:37.160 --> 11:41.150
So for example, we can create some

11:42.020 --> 11:46.190
new text file, and that exe here.

11:48.440 --> 11:51.380
weird code.exe, and.

11:52.860 --> 11:53.370
Here.

11:53.370 --> 11:59.520
We will edit it with Notepad and we will just write some code here, which is obviously not a program,

11:59.520 --> 12:03.840
but we will import it into Ghidra and let's see what will happen. Again,

12:03.840 --> 12:10.560
we will use the shortcut and weird code.exe, and here, as you can see here, at times, as I said,

12:11.280 --> 12:14.160
Raw Binary will be the only entry in the Format picklist.

12:14.160 --> 12:20.160
So this is Ghidra's way of telling you that none of its loaders recognize the chosen file.

12:21.330 --> 12:26.280
Examples of situations that may call for the use of the Raw Binary loader include the analysis of

12:26.280 --> 12:34.290
custom firmware images and exploit payloads that may have been extracted from network packet captures

12:34.290 --> 12:35.190
or log files.

12:35.220 --> 12:35.610
Or.

12:35.610 --> 12:39.890
This is just a raw, weird code that we wrote with some characters in it.

12:39.900 --> 12:46.680
It doesn't represent anything on the operating system side, and in these cases, Ghidra cannot recognize

12:46.680 --> 12:50.100
any file header information to guide the loading process.

12:50.190 --> 12:57.590
So it's up to you to step in and perform tasks that loaders often do automatically, like specifying

12:57.600 --> 13:02.280
a processor, the bit size and in some cases a particular compiler.

13:02.280 --> 13:10.590
For example, if you know the binary contains x86 code, many choices are available in the language

13:10.590 --> 13:12.360
dialog here.

13:15.230 --> 13:21.710
And often some research and occasionally some trial and error is required to narrow your language choices

13:21.710 --> 13:24.410
to something that will work for your binary.

13:24.560 --> 13:30.770
Any information you can obtain about the device the file was designed to run on will be useful.

13:30.950 --> 13:38.120
If you are confident that the file is not intended for a Windows system, you should select GCC or default

13:38.120 --> 13:38.390
here.

13:38.390 --> 13:45.470
In this case, it actually is not for any system, because we just made the file from the characters.

13:45.470 --> 13:46.010
Right.

13:46.490 --> 13:47.570
And.

13:48.440 --> 13:53.240
If the binary file contains no header information, Ghidra can work with it.

13:53.240 --> 13:57.020
So Ghidra also will recognize the memory layout of the file.

13:57.020 --> 14:03.230
So if you know the base address, file offset, or length of the file, you can enter those values

14:06.140 --> 14:10.610
into the corresponding loader option fields as shown here.

14:12.060 --> 14:12.780
And.

14:14.610 --> 14:18.990
Here we also have text filter options again and so on.

14:19.770 --> 14:23.730
Now in the next lecture we will analyze filters with.
