Helping the next batch of Cyber-Defenders

This final year project is aimed at gaining insights about Ghidra to develop materials to used in Nanyang Polytechnic's School Of Information Technology's curriculum and training for competitions such as Capture-The-Flag (CTFs) as well as WorldSkills - Cyber Security Domain


Understanding Ghidra

This project focuses on Ghidra, a software reverse engineering (SRE) suite of tools developed by the National Security Agency (NSA). The binaries were released at RSA Conference in March 2019 with the source code were published one month later on GitHub. It is seen by many security researchers as a competitor to IDA Pro and JEB Decompiler. The software is written in Java using the Swing framework for the GUI. Its decompiler is written in C++. Ghidra uses Jython so plugins can be developed in Python. Ghidra's existence was originally revealed to the public via WikiLeaks in March of 2017, but it remained unavailable until its declassification and official release two years later.

Problem Statement

With the recent release of a new software reverse engineering (SRE) suite of tools by the NSA, Ghidra is expected to be a great addition to a cyber defender's toolbox as developing competency on it will benefit one's cybersecurity skillset.

However, for a beginner, the tutorials available on the Internet assumes that they have the experience in reverse engineering and by extension, assembly language, which they clearly don't have and therefore will have difficulties understanding and using it.

This may lead to increased investigation timelines if used in real-life.

Project Deliverables

Guides - These guides allow the reader to gain a foundational theoretical knowledge such as Assembly Language and Reverse Engineering as well as set up the environment and tools required to complete the practicals

Practicals - These practicals allow the reader to demonstrate their knowledge about assembly language at the code analysis level of reverse engineering, as well as explore the features of Ghidra

Observations - These observations serve to document notes about the features of Ghidra, issues faced when using Ghidra, as well as the difference between Ghidra and other forensic tools such as IDA

Analysis Reports - These reports showcase on how Ghidra is used during the analysis of unknown malware samples using the full reverse engineering framework

Ghidra Extensions - A guide to developing extensions in Ghidra and source codes of plugins developed to extend the functionality of Ghidra

Tools Used

FireEye's Flare Forensics Virtual Machine

VMWare WorkStation

National Security Agency's Ghidra

Hex-Rays' Interactive Dissassembler (IDA)

Mircrosoft's Visual Studio 2019

Malware-DB / theZoo

FireEye's FakeNet-NG

FireEye's FLOSS

VirusTotal

Eclipse Interactive Developer Environment (IDE)