If you haven’t been living under a rock, you probably heard that the NSA released its reverse-engineering tool, Ghidra, at RSA last month. I’ve been an IDA user for years (it’s the primary disassembler we use when I teach FOR610), but I’ve been trying out Ghidra over the last few days since it is free and other malware analysts have been talking about it. This is the first of several diaries I plan to write with suggestions on how to get Ghidra to do things I’ve come to rely on in IDA. And, being a good computer scientist, I start counting a 0, hence part 0.
Let me state, right up front, I have only spent a couple of hours using Ghidra, so this is very preliminary. On first glance, one feature I missed from IDA was the comments where IDA gave me the names of parameters for Windows API calls (e.g., the first parameter to RegOpenKeyExA in MSDN is listed as hKey with a type HKEY). It turns out Ghidra can do this to. It requires changing one of the defaults in the AutoAnalysis settings (you see this when you first open a file for analysis or when you choose AutoAnalysis from the Analysis menu). The option WindowsPE x86 Propagate External Parameters is disabled by default, if you enable this option then you get the comments you expect.
If you forget to do it in the opening dialog or don’t change the default, you can apply the analysis later from the Analysis menu, using the One Shot option (or rerunning AutoAnalysis, which will give you the same dialog above).
The last thing that I wanted to change about Ghidra’s defaults is probably just a personal thing that I could get over, but it annoyed me at first and I found it was easy to fix. I was used to writing comments in assembly by prefacing them with a semicolon (;) and I was used to IDA (and x64dbg) showing comments with a semicolon in front of them, but Ghidra by default wasn’t. It turns out that behavior is simple to change, too. In this case, you can choose Tool Options from the Edit menu.
And then turn on ‘Show Semicolon at Start of Each Line’ in Listing Fields>EOL Comments.
And with that, I can now see the comments showing parameter names and types for Windows API calls.
That’s enough for one diary. I’ll post a few more of these tips as I figure Ghidra out. If you have other thoughts or useful tips, e-mail me or leave your comments below.
Jim Clausing, GIAC GSE #26
jclausing -at- isc [dot] sans (dot) edu
I will be teaching next: Malware Reverse-Engineering Challenge – SANS New York City 2019
*** This is a Security Bloggers Network syndicated blog from SANS Digital Forensics and Incident Response Blog authored by sansdfir. Read the original post at: http://feedproxy.google.com/~r/SANSForensics/~3/ATx1Gbd5Dh4/a-few-ghidra-tips-for-ida-users-part-0-automatic-comments-for-api-call-parameters