Move over IDA Pro, there's a free alternative available. (Some assembly required.)

The National Security Agency (NSA), the same agency that brought you blockbuster malware Stuxnet, has now released Ghidra, an open-source reverse engineering framework, to grow the number of reverse engineers studying malware. The move disrupts the reverse engineering market, which top dog IDA Pro has long dominated, and enables more people to learn how to reverse engineer without having to pay for an IDA Pro license, which can be prohibitively expensive for most newcomers to the field.

Existing IDA Pro users are not rushing to make the switch, however, as the time and effort required to port their existing workflow and customizations into Ghidra are not worth it for most, at least not in the immediate future. That said, as the Ghidra ecosystem continues to develop, it is likely the open-source tool will cannibalize IDA Pro’s market share and hasten the decline of the also-rans in the market.

Released under the Apache License at RSA in March, Ghidra — pronounced “ghee-dra” with a hard ‘g’ — can also be easily modified to suit your needs, and security researchers were quick to start hacking on the Ghidra source code. No need to keep track of how many computers have a licensed copy installed; deploy Ghidra on as many workstations (or servers) as you need.

Ghidra has been available for a few short months, but in that time it has become widely viewed as a worthy alternative to IDA Pro. Here’s what you need to know to get started.

What is Ghidra?

Ghidra is a reverse engineering framework developed in-house by the U.S. government. In 2017, Wikileaks broke the news of Ghidra’s existence as part of its Vault 7 investigation, and the NSA officially released the source code at RSA in 2019 in a move seen by many as a public relations exercise.

[Screenshot: Ghidra installed. Credit: J.M. Porup]

Regardless of the NSA’s motives for releasing Ghidra, its usefulness is indisputable.
Its features include a decompiler, contextual help menus, and a user interface geared towards less-than-expert users. This reporter, who has no previous reverse engineering experience, was able to get Ghidra up and running in less than an hour, and was editing assembly and recompiling binaries with little trouble.

[Screenshot: Ghidra’s auto-analyze functionality. Credit: J.M. Porup]

While the framework is cross-platform and runs on Windows, Linux and Mac, most user reports so far suggest that the OS X version is a bit flaky and that you should use Linux or Windows if possible. (We used Linux to take Ghidra for a spin.)

[Screenshot: Side-by-side assembly and decompiled C code. Credit: J.M. Porup]

Ghidra supports headless mode, enabling researchers to spin up any number of cloud instances and reverse engineer at scale — something that would be both technically difficult and very expensive to do in IDA Pro. Ghidra can also be deployed in headless mode as a server to enable group collaboration when reverse engineering large binaries, a feature IDA Pro does not offer.

Getting started with Ghidra

We found getting started with Ghidra to be quite easy, although mastery of reverse engineering as a discipline has a steep learning curve. Beginners new to reverse engineering will find numerous “crackmes” online: binaries built as training tools for self-study by beginner reverse engineers. Plenty of crackme tutorials and walkthroughs are available for those with the Google-fu to find them.

Beginner programming experience helpful. Knowledge of C useful. Some assembly required.

One of the most useful features for newcomers to reverse engineering is Ghidra’s decompiler, Steven Patterson, a vulnerability researcher at Shogun Lab, tells CSO. “If you have a portion of assembly selected, then the decompiled code in the decompiler window is also highlighted.
That provides you with a good way of understanding how high-level code maps to the disassembled code.”

“If you’re looking to get started with reverse engineering, [Ghidra is] a very low barrier to entry,” he adds.

Experienced reverse engineers will find the exercise files included in Ghidra useful to quickly learn the Ghidra way to do things. Those who want to bend Ghidra to their will can script or otherwise customize how the open-source program works, unlike IDA Pro’s proprietary code base.

How does Ghidra compare to IDA Pro?

The verdict from experienced reverse engineers has been mixed so far. While Ghidra is a mature, well-developed software project used in production at NSA, and can in many cases replace IDA Pro, shops with existing infrastructure and workflows may find the time required to retool more expensive than keeping their existing IDA Pro licenses.

“The tools, helpers and scripts you are using in your current solution won’t be available for Ghidra. If you or your organization relies on them and you don’t have time to port everything over to Ghidra, I can fully understand,” Michael Gruhn (@0x6d696368) wrote in a blog post last week.

“It’s all these small simple things missing that add up to making Ghidra unusable for many entities,” Gruhn writes. “Those entities often also have put a large amount of engineering work into their existing tool chains. Imagine countless plugins, extensions, workflows, past analysis, trained personnel, … All this is missing from Ghidra and would require starting from zero again.”

For some reverse engineers, though, Ghidra’s collaboration tool is irresistible. “Collaboration is the killer feature for us,” Ralf-Philipp Weinmann, managing director of Comsecuris, tells CSO. “We’re a distributed shop, and we all live in different cities.
It’s essential to us to have software that allows us to collaborate efficiently, and IDA is not that software, sorry.”

While in the near term Ghidra is unlikely to disrupt how many existing shops work, it does lower the barrier to entry and will help train a new generation of reverse engineers. In the medium-to-long term, it seems almost inevitable that this free, open-source tool will cannibalize IDA Pro’s market share. It may well be a Ghidra user who identifies and reverse engineers NSA malware one day.
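The headless, at-scale analysis and the scripting mentioned above, as an added example that is not part of the original article or of the Ghidra project: a hypothetical post-analysis script (the script name, the watchlist of libc routines and the paths in the comment are assumptions) that, run under Ghidra's analyzeHeadless over a directory of samples, reports where each binary calls a few risky C library functions and prints one summary line per binary for triage.

```java
// DangerousCallTriage.java: hypothetical script name, added example, not Ghidra's own code.
// Run it over a directory of samples with Ghidra's headless analyzer, e.g. (paths assumed):
//   support/analyzeHeadless /tmp/proj TriageProj -import ./samples \
//       -postScript DangerousCallTriage.java -scriptPath ./scripts
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DangerousCallTriage extends GhidraScript {
    // libc routines whose call sites are worth a closer look during triage (assumed list)
    private static final Set<String> WATCHLIST = new HashSet<>(
        Arrays.asList("strcpy", "strcat", "sprintf", "gets", "system"));

    @Override
    public void run() throws Exception {
        // In headless mode currentProgram is each imported binary in turn
        FunctionManager fm = currentProgram.getFunctionManager();
        int total = 0, flaggedCalls = 0;
        for (Function f : fm.getFunctions(true)) {
            total++;
            // Imports show up as PLT thunks named after the routine; strip the
            // leading underscore some toolchains prepend to symbol names.
            String name = f.getName().replaceFirst("^_+", "");
            if (!WATCHLIST.contains(name)) continue;
            // Every call-type reference to the thunk's entry point is a call site
            ReferenceIterator refs = currentProgram.getReferenceManager()
                    .getReferencesTo(f.getEntryPoint());
            while (refs.hasNext()) {
                Reference r = refs.next();
                if (!r.getReferenceType().isCall()) continue;
                Address from = r.getFromAddress();
                Function caller = fm.getFunctionContaining(from);
                println(String.format("%s: %s calls %s at %s", currentProgram.getName(),
                        caller == null ? "<no function>" : caller.getName(), name, from));
                flaggedCalls++;
            }
        }
        // One greppable summary line per binary for the whole batch run
        println(String.format("SUMMARY %s functions=%d watchlist_calls=%d",
                currentProgram.getName(), total, flaggedCalls));
    }
}
```

The same script runs unchanged from the Script Manager in the GUI against the open program, which is a convenient way to check its output on a single crackme before launching a batch.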