1
00:00:00,860 --> 00:00:01,610
Now.

2
00:00:01,610 --> 00:00:05,570
It's about time we got down to actually using Ghidra.

3
00:00:05,900 --> 00:00:11,630
The remainder of this course is dedicated to various features of Ghidra and how you can leverage them

4
00:00:11,630 --> 00:00:14,720
to best meet your reverse engineering needs.

5
00:00:14,750 --> 00:00:18,960
In this section, we will begin covering the options you are presented with

6
00:00:18,980 --> 00:00:20,660
when launching Ghidra.

7
00:00:20,780 --> 00:00:26,570
And then we describe what happens when you open a single binary file for analysis.

8
00:00:26,580 --> 00:00:33,170
Finally, we present a quick overview of the user interface to lay the groundwork for the remaining

9
00:00:33,170 --> 00:00:33,990
chapters.

10
00:00:34,010 --> 00:00:36,560
And here, anytime you launch Ghidra...

11
00:00:36,560 --> 00:00:39,290
So we will first run Ghidra here.

12
00:00:39,710 --> 00:00:46,790
So anytime you launch Ghidra, you will be greeted briefly by a splash screen that displays

13
00:00:46,790 --> 00:00:48,470
a little logo, build information,

14
00:00:48,710 --> 00:00:52,130
the Ghidra and Java version numbers, and the licensing information.

15
00:00:52,460 --> 00:00:59,630
If you wish to truly read the splash screen to learn more about your version, you can display it at

16
00:00:59,630 --> 00:01:06,300
any time by clicking on Help and then About Ghidra from the Ghidra project window.

17
00:01:06,420 --> 00:01:12,450
And once the splash screen clears, Ghidra displays the Ghidra project window behind the Tip of the Day

18
00:01:12,450 --> 00:01:17,940
dialog, and you can scroll through the tips by clicking the Next Tip button.

19
00:01:18,150 --> 00:01:25,740
But if you prefer not to see the tips, feel free to uncheck Show Tips on Startup, like this.
20
00:01:25,770 --> 00:01:32,310
And here, if you uncheck the box and you find yourself missing the Tip of the Day dialog,

21
00:01:32,310 --> 00:01:38,100
you can easily restore it through the Ghidra Help menu right here.

22
00:01:39,180 --> 00:01:39,890
Tip of the Day.

23
00:01:39,900 --> 00:01:41,610
Click on that, and that's it.

24
00:01:41,730 --> 00:01:45,890
Here we will select Show Tips on Startup and click on Close.

25
00:01:45,900 --> 00:01:50,940
And if you close the Tip of the Day dialog, or uncheck the box and restart Ghidra, you will be presented

26
00:01:50,940 --> 00:01:53,040
with the project window.

27
00:01:53,070 --> 00:01:59,670
Ghidra uses a project environment to allow you to manage and control the tools and data associated

28
00:01:59,670 --> 00:02:03,310
with a file or group of files as you are working with them.

29
00:02:03,330 --> 00:02:09,660
This initial interaction focuses on a single file as a component of a non-shared project, so more complex

30
00:02:09,660 --> 00:02:16,950
project capabilities will be discussed in the next sections and lectures of our course.

31
00:02:16,950 --> 00:02:22,290
So if this is your first time launching Ghidra, you will need to create a project.

32
00:02:22,290 --> 00:02:29,910
If you have launched it previously, the active project will be the one you used most recently. Choosing

33
00:02:29,910 --> 00:02:30,270
File,

34
00:02:30,270 --> 00:02:30,840
here,

35
00:02:30,840 --> 00:02:39,150
New Project lets you specify the characteristics of the new project, and here you can...

36
00:02:39,150 --> 00:02:44,310
The first step in creating a project is to choose between a non-shared project and a shared project.

37
00:02:44,310 --> 00:02:48,210
In this lecture, we will begin with a non-shared project.

38
00:02:48,240 --> 00:02:53,100
With that choice out of the way, you will be presented with this dialog here.

39
00:02:53,100 --> 00:02:53,520
Right?
40
00:02:53,520 --> 00:03:00,270
So once you have entered the project location information, and after that the project name, in this case we

41
00:03:00,270 --> 00:03:06,510
will use Typhoon 01, and click on Finish here.

42
00:03:06,510 --> 00:03:11,640
And once you have entered the project location and project name, click on Finish to complete the project

43
00:03:11,640 --> 00:03:12,750
creation process.

44
00:03:12,750 --> 00:03:18,840
And here this will return you to the project window with the newly created project selected, as you can

45
00:03:18,840 --> 00:03:19,620
see here.

46
00:03:19,830 --> 00:03:26,850
And to do any useful work, you will need to add at least one file to your project, so you can open a

47
00:03:26,850 --> 00:03:34,620
file either by choosing New File like here, or by right-clicking on it,

48
00:03:35,260 --> 00:03:35,890
or

49
00:03:36,600 --> 00:03:37,770
File here,

50
00:03:38,900 --> 00:03:40,100
Import File,

51
00:03:40,940 --> 00:03:41,840
this here,

52
00:03:43,280 --> 00:03:51,740
and browsing to the file you wish to import, or by dragging and dropping the file directly into this project

53
00:03:51,740 --> 00:03:52,280
window here.

54
00:03:52,280 --> 00:03:53,930
In this case, our file is deleted.

55
00:03:53,930 --> 00:04:03,320
So here, let's actually first create just a basic C++ file, a C++ program, and

56
00:04:03,320 --> 00:04:06,910
we will compile it so it will show "Hello world".

57
00:04:06,920 --> 00:04:10,340
Just a simple C++ program here.

58
00:04:10,340 --> 00:04:12,980
So main.cpp here.

59
00:04:13,010 --> 00:04:13,610
Yes.

60
00:04:13,610 --> 00:04:24,950
And open it with Notepad, and here we will include stdio.h, and after that we will write

61
00:04:24,950 --> 00:04:27,080
int main here.

62
00:04:27,740 --> 00:04:29,750
After that we will printf

63
00:04:30,870 --> 00:04:32,160
"Hello world".

64
00:04:32,180 --> 00:04:33,490
And that's it.
65
00:04:33,510 --> 00:04:34,980
And after that.

66
00:04:35,130 --> 00:04:35,460
Sorry.

67
00:04:36,240 --> 00:04:37,380
After that.

68
00:04:38,660 --> 00:04:44,450
Well, it will return zero, and that's it.

69
00:04:44,810 --> 00:04:49,430
And here, let's go to CMD and compile our project.

70
00:04:54,860 --> 00:04:55,820
Is the

71
00:04:55,850 --> 00:04:57,410
GCC compiler installed?

72
00:04:57,410 --> 00:04:57,800
Yes.

73
00:04:57,830 --> 00:05:09,590
So we will go to cd Desktop and gcc main.cpp -o main.exe here, and there.

74
00:05:09,590 --> 00:05:10,790
As you can see here.

75
00:05:11,000 --> 00:05:16,460
Let's run this exe, and as you can see, we printed "Hello world" on the screen.

76
00:05:16,460 --> 00:05:20,480
But this is just a basic, simple C++ program.

77
00:05:21,260 --> 00:05:24,410
And here we have this main.exe here.

78
00:05:25,000 --> 00:05:28,690
We will drag and drop this into Ghidra.

79
00:05:28,930 --> 00:05:33,970
But instead of this, we can also just press the I button.

80
00:05:34,150 --> 00:05:34,810
The I key.

81
00:05:34,840 --> 00:05:35,890
I on the keyboard.

82
00:05:35,920 --> 00:05:43,060
I on the keyboard, and we can select main.exe, and after selecting this we will select the file to import.

83
00:05:43,060 --> 00:05:45,040
And that is it.

84
00:05:45,220 --> 00:05:51,880
And here, when you import something, Ghidra generates a list of potential

85
00:05:53,280 --> 00:05:59,160
file types and provides these in the Format picklist

86
00:06:00,020 --> 00:06:05,540
at the top of the dialog here, and clicking the information button to the right of the

87
00:06:07,080 --> 00:06:16,710
dialog will provide you with a list of supported formats here, which we will describe in the next

88
00:06:16,710 --> 00:06:17,000
lecture.

89
00:06:17,010 --> 00:06:20,010
Here we have the input formats here.

90
00:06:20,010 --> 00:06:24,150
Let's actually see here: Dalvik Executable and so on.
91
00:06:24,150 --> 00:06:25,770
So here.

92
00:06:27,830 --> 00:06:33,920
And the Format picklist provides the subset of loaders that are best suited for dealing with the

93
00:06:33,920 --> 00:06:34,630
selected file.

94
00:06:34,640 --> 00:06:38,730
For this example, two options are provided in the Format picklist.

95
00:06:38,750 --> 00:06:42,680
The first is Portable Executable (PE)

96
00:06:44,740 --> 00:06:48,030
or old-style DOS executable, and Raw Binary.

97
00:06:48,040 --> 00:06:55,270
The Raw Binary option will always be present in your list, since it's the default for loading files

98
00:06:55,270 --> 00:06:57,190
that Ghidra does not recognize.

99
00:06:57,550 --> 00:07:01,210
This provides the lowest-level option for loading any file.

100
00:07:01,210 --> 00:07:07,900
So when offered the choice of several loaders, it's not a bad strategy to accept the default selection

101
00:07:07,900 --> 00:07:12,790
unless you possess specific information that contradicts Ghidra's determination.

102
00:07:12,790 --> 00:07:14,710
So, the Language field here.

103
00:07:14,710 --> 00:07:23,980
So we will just not touch the Format here, because Ghidra selected it for us, and here the Language field

104
00:07:23,980 --> 00:07:29,200
allows you to specify which processor model should be used during the disassembly process.

105
00:07:29,230 --> 00:07:39,370
A Ghidra language/compiler specification can consist of a processor type, an endianness specification

106
00:07:39,400 --> 00:07:43,930
(LE or BE) here, a bitness value here,

107
00:07:45,250 --> 00:07:52,690
like 16, 32 and 64, a processor variant, and the compiler ID here.

108
00:07:52,690 --> 00:07:54,850
So we have several options to check here.
109
00:07:54,850 --> 00:08:01,750
But as you can see, it's unchangeable, because Ghidra already checked it for us, and the Destination Folder

110
00:08:01,750 --> 00:08:08,740
field lets you select a project folder in which the newly imported file will be displayed, and

111
00:08:08,740 --> 00:08:11,680
the default is to display it in the top-level project folder.

112
00:08:11,680 --> 00:08:20,890
But subfolders can be added to organize imported programs within the project, so you can

113
00:08:20,890 --> 00:08:23,470
select the extension buttons to the right of the...

114
00:08:24,730 --> 00:08:30,220
uh, to the right of the Language and Destination Folder fields, to view other options for each.

115
00:08:30,400 --> 00:08:34,450
So you can also edit the text in the Program Name field.

116
00:08:35,610 --> 00:08:38,820
And don't be confused by the change in terminology.

117
00:08:38,860 --> 00:08:45,000
The program name is the name that Ghidra uses to refer to the imported binary within the project, including

118
00:08:45,000 --> 00:08:47,190
for display in the project window.

119
00:08:47,460 --> 00:08:52,350
So it defaults to the name of the imported file, but it could be changed to something more descriptive,

120
00:08:52,350 --> 00:08:57,730
like "simple Hello world

121
00:08:57,750 --> 00:09:06,160
print" here, and you can also do it for malware from a target computer and so on.

122
00:09:06,180 --> 00:09:13,200
In addition to the four fields shown in this dialog, you can access other options to control the loading

123
00:09:13,200 --> 00:09:16,230
process via the Options button here.

124
00:09:19,940 --> 00:09:20,390
Here.

125
00:09:20,630 --> 00:09:24,140
So these options are dependent on the selected format and processor.

126
00:09:25,310 --> 00:09:27,380
The options for, for example,
127
00:09:28,280 --> 00:09:41,210
a PE file for x86 are shown here, with the default options selected. Right? So while

128
00:09:41,210 --> 00:09:46,400
moving ahead with the default options is generally a good approach, you may choose other options as

129
00:09:46,400 --> 00:09:48,200
you gain experience here.

130
00:09:48,200 --> 00:09:53,600
For example, Apply Processor Defined Labels and Anchor Processor Defined Labels.

131
00:09:53,600 --> 00:09:55,730
We have Load System Libraries From Disk.

132
00:09:55,730 --> 00:09:57,980
We can also edit paths here,

133
00:09:59,390 --> 00:10:04,490
your project library search folder and so on, which... we will just click on Cancel here.

134
00:10:04,490 --> 00:10:11,180
We will not touch anything in it, and the import options here are used, again, to gain

135
00:10:12,490 --> 00:10:14,740
finer control over the file loading process.

136
00:10:14,740 --> 00:10:20,560
So these options are not applicable to all input file types, and in most cases you can rely on the

137
00:10:20,560 --> 00:10:28,960
default selections here, and additional information about options is available in Ghidra Help also.

138
00:10:29,050 --> 00:10:36,550
So when you're happy with your loading options, click OK to close the dialog, and you're presented

139
00:10:36,550 --> 00:10:41,200
with the Import Results Summary window here.

140
00:10:42,310 --> 00:10:44,140
We will see it right here.

141
00:10:44,560 --> 00:10:49,600
And that's... this is called the Import Results Summary.

142
00:10:50,530 --> 00:10:57,430
So this Import Results Summary provides you an opportunity to review the selected import options

143
00:10:57,430 --> 00:11:07,180
along with the basic information that the loader has extracted from your chosen file, and in this importing

144
00:11:07,180 --> 00:11:08,230
of files here...
145
00:11:09,750 --> 00:11:19,170
Or here we have additional information that isn't reflected in the import results, which you will learn

146
00:11:19,470 --> 00:11:21,000
in the next lectures.

147
00:11:22,760 --> 00:11:23,980
And after that we will...

148
00:11:24,020 --> 00:11:24,830
We can click

149
00:11:24,860 --> 00:11:25,820
OK.

150
00:11:26,330 --> 00:11:27,590
So that's it.

151
00:11:27,620 --> 00:11:31,550
We imported the exe file. At times,

152
00:11:32,180 --> 00:11:37,140
Raw Binary will be the only entry in the Format picklist.

153
00:11:37,160 --> 00:11:41,150
So for example, we can create some

154
00:11:42,020 --> 00:11:46,190
new text file and rename it to .exe here:

155
00:11:48,440 --> 00:11:51,380
weird_code.exe.

156
00:11:52,860 --> 00:11:53,370
Here

157
00:11:53,370 --> 00:11:59,520
we will edit it with Notepad and we will just write some code here, which is obviously not a program,

158
00:11:59,520 --> 00:12:03,840
but we will import it into Ghidra, and let's see what will happen. Again

159
00:12:03,840 --> 00:12:10,560
we will use the shortcut, and weird_code.exe, and here, as you can see here, at times, as I said,

160
00:12:11,280 --> 00:12:14,160
Raw Binary will be the only entry in the Format picklist.

161
00:12:14,160 --> 00:12:20,160
So this is Ghidra's way of telling you that none of its loaders recognize the chosen file.

162
00:12:21,330 --> 00:12:26,280
Examples of situations that may call for the use of the Raw Binary loader include the analysis of

163
00:12:26,280 --> 00:12:34,290
custom firmware images and exploit payloads that may have been extracted from network packet captures

164
00:12:34,290 --> 00:12:35,190
or log files.

165
00:12:35,220 --> 00:12:35,610
Or,

166
00:12:35,610 --> 00:12:39,890
this is just raw, weird code that we wrote, with some characters in it.
167
00:12:39,900 --> 00:12:46,680
It doesn't represent anything on the operating system side, and in these cases, Ghidra cannot recognize

168
00:12:46,680 --> 00:12:50,100
any file header information to guide the loading process.

169
00:12:50,190 --> 00:12:57,590
So it's up to you to step in and perform tasks that loaders often do automatically, like specifying

170
00:12:57,600 --> 00:13:02,280
a processor, the bit size and, in some cases, a particular compiler.

171
00:13:02,280 --> 00:13:10,590
For example, if you know the binary contains x86 code, many choices are available in the Language

172
00:13:10,590 --> 00:13:12,360
dialog here.

173
00:13:15,230 --> 00:13:21,710
And often some research, and occasionally some trial and error, is required to narrow your language choices

174
00:13:21,710 --> 00:13:24,410
to something that will work for your binary.

175
00:13:24,560 --> 00:13:30,770
Any information you can obtain about the device the file was designed to run on will be useful.

176
00:13:30,950 --> 00:13:38,120
If you are confident that the file is not intended for a Windows system, you should select gcc or default

177
00:13:38,120 --> 00:13:38,390
here.

178
00:13:38,390 --> 00:13:45,470
In this case, it actually is not for any system, because we just made the file from characters.

179
00:13:45,470 --> 00:13:46,010
Right.

180
00:13:46,490 --> 00:13:47,570
And,

181
00:13:48,440 --> 00:13:53,240
if the binary file contains no header information, Ghidra can't work with it.

182
00:13:53,240 --> 00:13:57,020
So Ghidra also will not recognize the memory layout of the file.

183
00:13:57,020 --> 00:14:03,230
So if you know the base address, file offset or length of the file, you can enter those values

184
00:14:06,140 --> 00:14:10,610
into the corresponding loader option fields, as shown here.

185
00:14:12,060 --> 00:14:12,780
And

186
00:14:14,610 --> 00:14:18,990
here we also have text filter options again, and so on.
187
00:14:19,770 --> 00:14:23,730
Now, in the next lecture, we will analyze filters with.