In this blog series, I will be putting the spotlight on useful Ghidra features you may have missed. Each post will look at a different feature and show how it helps you save time and be more effective in your reverse engineering workflows. Ghidra is an incredibly powerful tool, but much of this power comes from knowing how to use it effectively.

Programmers commonly define composite data types to group related data for access through a single pointer. In C (and its various derivatives), this is done with the struct data type. The programmer then accesses member elements by name, where each name corresponds to a fixed offset from the struct pointer. The reverse engineer sees only those offsets and must identify the structure and correlate each offset with a specific data type and member variable. Fortunately, Ghidra makes this relatively painless with automatic struct creation and a visual editor for creating or modifying layouts. In this blog post, I will briefly show what a struct looks like in disassembly and decompilation before going over how to represent these data structures in your Ghidra project.

Disassembled Struct Access

When looking in disassembly, struct references can be spotted where a pointer (e.g. a register) is being dereferenced at various offsets. In the following example, from a Linux ls binary, RDI is a register-based function parameter containing the address of a FILE struct:

FILE struct

Explanation: At 0x413470, the data at offset 0x8 from the pointed-to struct is moved into RAX for comparison against the value at offset 0x10 from the base of the struct. If the values are equal, the jump is taken to LAB_00413480, where the value at offset 0x20 is compared against the value at offset 0x28 before a final NULL check of the value at
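To make the correlation between named members and raw offsets concrete, here is an added C example (not code from the post): a constructed stand-in for the FILE struct whose member names are assumptions, laid out so that on x86-64 its pointer members sit at the offsets 0x8, 0x10, 0x20 and 0x28 seen above, with the comparison written once by member name and once by raw offset, the way the disassembly shows it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the FILE struct (member names are assumptions).
 * On x86-64 pointers are 8 bytes and the int at offset 0 is padded to 8,
 * so the pointer members land at the offsets the post walks through. */
struct demo_file {
    int   flags;       /* 0x00 */
    char *read_ptr;    /* 0x08 */
    char *read_end;    /* 0x10 */
    char *read_base;   /* 0x18 */
    char *write_base;  /* 0x20 */
    char *write_ptr;   /* 0x28 */
};

/* Source-level form of the check: members at 0x8 vs 0x10, then 0x20 vs 0x28. */
int members_match(const struct demo_file *f)
{
    return f->read_ptr == f->read_end && f->write_base == f->write_ptr;
}

/* Loads a pointer-sized word at a raw byte offset; memcpy keeps it well-defined. */
static uintptr_t load_word(const void *base, size_t off)
{
    uintptr_t v;
    memcpy(&v, (const unsigned char *)base + off, sizeof v);
    return v;
}

/* The same check as the disassembly shows it: raw offsets from a base pointer,
 * no member names. Mapping these constants back to members is the job of a
 * struct definition in Ghidra. */
int members_match_by_offset(const void *base)
{
    return load_word(base, 0x08) == load_word(base, 0x10) &&
           load_word(base, 0x20) == load_word(base, 0x28);
}

/* Two constructed instances; returns 1 only if both forms agree on each. */
int demo_agrees(void)
{
    char buf[16];
    struct demo_file same   = { 0, buf, buf, buf, buf + 4, buf + 4 };
    struct demo_file differ = { 0, buf, buf + 8, buf, buf, buf + 4 };
    return members_match(&same) && members_match_by_offset(&same) &&
           !members_match(&differ) && !members_match_by_offset(&differ);
}
```

Once the struct is defined in Ghidra's data type manager and applied to the parameter, the decompiler shows the named-member form instead of the raw offsets.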