Ghidra is a free, open source disassembler that lets you inspect a binary at the assembly level to determine what it does. A disassembler is an essential tool in any malware reverse engineer's toolbox. IDA Pro is the industry standard disassembler, but it is very expensive, which makes it infeasible for most analysts trying to break into the field. Ghidra is a powerful tool and a great place to start before you decide to invest in IDA Pro. The main downside is that many of Ghidra's default user interface options are less than optimal. This post walks through a handful of tool settings that make the interface significantly better.
Ghidra has three primary views we are concerned with:
- Listing View
- Decompiler View
- Graph View
The listing view is a flat view of the assembly: each instruction is listed in address order, and the code is not organized into related blocks.
The decompiler view shows pseudo-C for the currently selected function. It is very helpful for determining what a function does, but it hides the instruction-level detail (the exact opcode and operand bytes) you need to identify unique code constructs for strong YARA rules. Signaturing malware is an important part of a malware analyst's job, which makes this view less than ideal on its own.
The graph view is the best of both worlds for a malware analyst. You still see the raw assembly, which helps you identify key instruction sequences for powerful YARA rules, but unlike the listing view, the code is organized into basic blocks connected by control-flow edges, so related blocks are read in a natural order. It is not quite as easy to determine a function's capability here as in the decompiler, but it is much easier than in the flat listing. With a decent amount of practice you can identify a function's capability in the graph view nearly as quickly as in the decompiler, and you find YARA signature candidates as a by-product of doing so. That tends to make this view the best choice for a malware analyst.
Each of these views is helpful in different situations, and each has many configurable options. Most of the options we want to change are under Ghidra's Edit / Tool Options menu.
Ghidra makes it easy to share your configuration, whether with another analyst or between VMs. Configurations in Ghidra are stored as "tools". The primary tool we use, the one that contains the three views described above, is the "Code Browser" tool. You can have multiple tools installed at the same time, including multiple Code Browser tools; each tool can have different options, and you choose which tool to open a file with in order to load a specific set of settings.
From the main Ghidra view prior to opening a file to analyze, select the Tools / Export Tool menu option. From there, pick the tool you want to export. The exported file contains all of your customizations.
Once you have an exported tool, you can use the Tools / Import Tool option to import the saved tool into Ghidra.
Exported Code Browser Tool
All of the changes to the Code Browser tool listed in this post have been exported and saved in our GitHub repository at https://github.com/AGDCservices/Ghidra-Configurations
The modified Code Browser tool can be downloaded and imported directly into Ghidra without making the changes by hand.
Code Browser User Settings
All of the following settings are made from inside the "Code Browser" tool, i.e. after you open a file for analysis.
The settings are specific to viewing a file; if you try to set them before opening a file, the options will not be available.
Edit / Tool Options
The suggested user settings to change from the Edit / Tool Options menu are below.
- Scroll Wheel Pans: checked
- Use animation: unchecked
- Use Condensed Layout: unchecked
  - The condensed layout is generally better, but there is currently a bug in the graph edge routing algorithm that draws edges behind code blocks in the condensed layout. In the expanded layout the routing works correctly. Keep the expanded layout until the routing algorithm is fixed for the condensed layout.
- View settings: start fully zoomed in
- Copy Special: set to Shift-E
  - This is useful for copying byte strings out of the disassembler for use in YARA signatures, for copying cryptographic keys out of the binary, etc.
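As an added example (not code from the original post or from the Ghidra project), here is a small Python helper that turns a byte string copied with Copy Special into a YARA hex string, wildcarding the operand bytes that change between builds (embedded addresses, call displacements), and wraps it in a minimal rule. The copied-bytes format is assumed to be space-separated hex pairs, the sample instruction bytes are constructed for the example, and the matcher is a plain regex stand-in so the script runs without yara-python installed.

```python
import re

# Byte string as copied from Ghidra with Copy Special -> "Byte String"
# (assumed format: space-separated hex, one pair per byte).
# Constructed x86 sample:  push ebp; mov ebp,esp; push 0x11223344;
#                          call <rel32>; add esp,4; pop ebp; ret
COPIED = "55 8b ec 68 44 33 22 11 e8 f3 ff ff ff 83 c4 04 5d c3"

# Offsets (read from the listing) of bytes that differ between builds:
# the pushed imm32 (an address) and the call's rel32 displacement.
VOLATILE_OFFSETS = [4, 5, 6, 7, 9, 10, 11, 12]


def parse_copied_bytes(copied: str) -> bytes:
    """Turn the Copy Special byte string into raw bytes."""
    return bytes(int(tok, 16) for tok in copied.split())


def yara_hex_string(copied: str, wildcard_offsets) -> str:
    """Build a YARA hex string, masking address-dependent bytes with '??'."""
    mask = set(wildcard_offsets)
    toks = copied.split()
    if max(mask, default=-1) >= len(toks):
        raise ValueError("wildcard offset outside copied bytes")
    out = ["??" if i in mask else tok.lower() for i, tok in enumerate(toks)]
    return "{ " + " ".join(out) + " }"


def yara_rule(name: str, hex_string: str) -> str:
    """Wrap one hex string in a minimal YARA rule."""
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        $code = {hex_string}\n"
        "    condition:\n"
        "        $code\n"
        "}\n"
    )


def hex_string_matches(hex_string: str, data: bytes) -> bool:
    """Check a YARA-style hex string against raw bytes with a byte regex.

    Only literal bytes and '??' are supported (the two forms emitted above);
    this stand-in lets the example run without yara-python installed.
    """
    body = hex_string.strip().strip("{}").split()
    pattern = b"".join(
        b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in body
    )
    return re.search(pattern, data, re.DOTALL) is not None


if __name__ == "__main__":
    hs = yara_hex_string(COPIED, VOLATILE_OFFSETS)
    print(yara_rule("sample_prologue", hs))
    # The same instructions linked at a different address still match.
    relocated = bytes.fromhex("558bec6800504000e81200000083c4045dc3")
    print("matches relocated build:", hex_string_matches(hs, relocated))
```

The offsets to wildcard come from reading the instructions in the graph view: immediate operands that hold addresses and relative call/jump displacements are the usual candidates, while opcode bytes and register encodings stay literal so the rule remains specific.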
Listing Display (Colors)
Note: All values shown are RGB hex values
- Font: Monospaced 14 Bold
- Address: 0x000000 (uncheck Custom / Bold option)
- Comment (all types): 0x000000
- Constant: 0x006400
- Function name: 0xFF00FF
- Function auto-parameter: 0x000000
- Labels, Primary (data section): 0x660066
- Mnemonic: 0x000000
- Register: 0x0000ff
- Variable (local): 0xff3000
- Xref: 0x006400
- Bytes Field
  - "Maximum Lines to Display": 1
- Cursor Text Highlight
  - Mouse Button To Activate: Left
- Operand Fields
  - Add Space After Separator: checked
  - Display library in namespace: unchecked
  - Markup Register Variable References: unchecked
    - This stops Ghidra from relabeling registers as parameters. It is particularly annoying in fastcall functions: the argument is usually moved out of its register early on, but the original register stays labeled as the argument for the entire function.
- Address Display: unchecked
  - This enables a hover popup showing the offset from the address under the mouse to various locations (the PE image base, the function start, etc.). It adds no significant value and easily covers up important information.
- Reference Code Viewer: unchecked
  - This enables a hover popup that previews the function or data referenced by the instruction under the mouse. Good in theory, but the hover area is very large, so you constantly get popups covering the current instructions as you scroll through a function. Because there is no way to reduce the sensitivity, it is easier to turn the option off and simply navigate to the target function or data to view it.
- Scalar Operand Display: unchecked
  - This enables a hover popup showing the number under the mouse in different bases. Like the Reference Code Viewer, it is too sensitive and more distracting than helpful. The same information is available by right-clicking the value and choosing Convert from the context menu.
The following changes are made from the toolbar in the graph view itself and are not stored under the Edit / Tool Options menu.
Main graph view, toolbar menu on the top right side of graph
- Block Hover Mode: off
  - Turns off highlighting of code block edges when the mouse hovers over a block
- Block Focus Mode: off
  - Turns off highlighting of code block edges when a block is selected
The following settings are made from the "Edit Code Block Fields" button on the graph toolbar. In the "Edit Code Block Fields" pop-up, navigate to the "Instruction/Data" tab.
- Resize the address field so the whole address is visible
- Expand the operand field so the whole operand is visible, particularly for calls to library functions
- Right click / Add Field / EOL Comment, then move the new field above the Operands field
Cross References View
To make the following changes, select any function in an open file and press Ctrl + Shift + F to open the cross references pop-up. All changes are made from this pop-up.
- Right click a column header and select "Add/Remove Columns"
- Add "Function Name"