ghidra.md

# Ghidra Comprehensive Cheatsheet

## Installation Instructions

### All Platforms (Java Required)

```sh
# Install a Java Development Kit (JDK) 11 or later first
# Download Ghidra from https://ghidra-sre.org/
```

### Windows

1. Download the ZIP file
2. Extract it to the desired location
3. Run `ghidraRun.bat`

### Linux

```sh
# Download the ZIP file, then:
unzip ghidra_*.zip
cd ghidra_*
./ghidraRun
```

### macOS

```sh
# Using Homebrew
brew install --cask ghidra

# Manual installation: extract the ZIP and run ghidraRun
```

## Basic Operations

### Project Management

1. Create a new project
   - File → New Project
   - Select Shared or Non-Shared
   - Choose the project directory
2. Import files
   - File → Import File
   - Drag and drop files into the project
3. Open a program
   - Double-click the program in the project window
   - File → Open from the project window

### Analysis

1. Auto analysis
   - Analysis → Auto Analyze
   - Configure the analysis options
   - Click 'Analyze'
2. Function analysis
   - Right-click in the Function window
   - Create Function
   - Edit Function
3. Data type analysis
   - Window → Data Type Manager
   - Import additional archives

### Navigation

1. Go to address
   - G or Ctrl+G
   - Enter the address
2. Find
   - Search → Program Text
   - Search → Memory
   - Search → Labels
3. Cross references
   - Right-click → References
   - Show References to Address
   - Show References from Address

### Decompilation

1. View the decompiler
   - Window → Decompiler
   - Double-click a function in the listing
2. Rename variables
   - Right-click the variable
   - Rename Variable
3. Retype variables
   - Right-click the variable
   - Retype Variable

### Code Analysis

1. Function graph
   - Window → Function Graph
   - Display → Layout Mode
2. Data flow analysis
   - Right-click → Data Flow
   - Forward Slice
   - Backward Slice
3. Control flow analysis
   - Right-click → Control Flow
   - Show Dominance Tree

## Scripting

### Python Scripting

1. Basic script structure

   ```python
   #@category Analysis
   #@keybinding
   #@menupath
   #@toolbar

   # Ghidra executes the script body top to bottom and injects currentProgram
   # and the GhidraScript methods (getCurrentProgram, println, ...) as globals,
   # so a function defined here must be called explicitly.
   def run():
       program = getCurrentProgram()
       println("Analyzing " + program.getName())

   run()
   ```

2. Memory access

   ```python
   import jarray

   memory = currentProgram.getMemory()
   buf = jarray.zeros(length, 'b')   # Memory.getBytes() fills a Java byte[] ...
   count = memory.getBytes(addr, buf)  # ... and returns the number of bytes read
   ```

3. Symbol table access

   ```python
   symbolTable = currentProgram.getSymbolTable()
   symbols = symbolTable.getSymbols("main")   # iterator over every symbol with that name
   for symbol in symbols:
       println("%s at %s" % (symbol.getName(), symbol.getAddress()))
   ```

### Java Scripting

1. Basic Java script

   ```java
   import ghidra.app.script.GhidraScript;

   // The file must be named MyScript.java and live in a script directory
   // (Window → Script Manager → Manage Script Directories).
   public class MyScript extends GhidraScript {
       @Override
       public void run() throws Exception {
           // Your code here
       }
   }
   ```

2. Program API

   ```java
   import ghidra.program.model.listing.Program;
   import ghidra.program.model.mem.Memory;

   // Inside GhidraScript.run(); currentProgram is also available as a field
   Program program = getCurrentProgram();
   Memory memory = program.getMemory();
   ```

### Advanced Features

1. Batch analysis

   ```python
   #@category Analysis
   # Walks every file under the project root. getProjectRootFolder() is a
   # GhidraScript method; opening each file needs DomainFile.getDomainObject().
   def analyzeBatch():
       folder = getProjectRootFolder()
       for domainFile in folder.getFiles():
           println(domainFile.getPathname())

   analyzeBatch()
   ```

2. Custom data types

   ```java
   import ghidra.program.model.data.*;

   // DataTypeManager has no createStructure(): build the structure, then add it
   DataTypeManager dtm = getCurrentProgram().getDataTypeManager();
   StructureDataType struct = new StructureDataType("MyStruct", 0);   // size 0 grows as fields are added
   struct.add(IntegerDataType.dataType, "id", "first field");
   DataType added = dtm.addDataType(struct, DataTypeConflictHandler.DEFAULT_HANDLER);
   ```

### Patch Instructions

1. Patch bytes

   ```python
   import jarray

   memory = currentProgram.getMemory()
   raw = [0x90, 0x90]                                                    # replacement bytes (x86 NOP, NOP)
   patch = jarray.array([b - 256 if b > 127 else b for b in raw], 'b')  # Java byte[] is signed
   memory.setBytes(addr, patch)   # run() already holds a transaction; re-disassemble afterwards
   ```

2. Add comments

   ```python
   from ghidra.program.model.listing import CodeUnit   # comment-type constants

   listing = currentProgram.getListing()
   listing.setComment(addr, CodeUnit.PLATE_COMMENT, "My comment")
   ```
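The two patch snippets above leave the old instructions in the listing and keep no record of what was there. The following Java GhidraScript is an added example, not part of the cheatsheet or of Ghidra itself; it writes a patch only on instruction boundaries, re-disassembles, and stores the original bytes in a plate comment so the change stays auditable and reversible. The target address and replacement bytes are placeholders.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Instruction;

public class RecordedPatchScript extends GhidraScript {

    @Override
    public void run() throws Exception {
        // Placeholder target and bytes; substitute the address and encoding you need.
        Address target = toAddr("0x00401000");
        byte[] replacement = new byte[] { (byte) 0x90, (byte) 0x90 };
        patchWithRecord(target, replacement);
    }

    /** Writes the bytes at start, re-disassembles, and records the original bytes in a plate comment. */
    private void patchWithRecord(Address start, byte[] replacement) throws Exception {
        Address end = start.add(replacement.length - 1);

        // Refuse to start or end inside an instruction: a patch that straddles a
        // code-unit boundary leaves a partial instruction in the listing after re-decoding.
        Instruction first = getInstructionContaining(start);
        Instruction last = getInstructionContaining(end);
        if (first == null || last == null
                || !first.getMinAddress().equals(start) || !last.getMaxAddress().equals(end)) {
            printerr("Patch " + start + "-" + end + " is not aligned to instruction boundaries; aborting");
            return;
        }

        byte[] original = getBytes(start, replacement.length); // FlatProgramAPI helper
        clearListing(start, end);                               // remove the old code units
        setBytes(start, replacement);                           // GhidraScript.run() already has a transaction open
        if (!disassemble(start)) {
            printerr("Re-disassembly failed at " + start + "; inspect the listing manually");
        }

        // Keep any existing plate comment and append the before/after record.
        String previous = getPlateComment(start);
        String record = String.format("PATCH: bytes %s -> %s", toHex(original), toHex(replacement));
        setPlateComment(start, previous == null ? record : previous + "\n" + record);
        printf("patched %d bytes at %s%n", replacement.length, start);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }
}
```

The patch changes only Ghidra's in-memory copy of the program; the file on disk is untouched until you export it (File → Export Program). The plate comment is what lets a reviewer see the original encoding later without diffing the binary.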

## Advanced Usage

### Binary Diffing

1. Version tracking
   - Tools → Version Tracking
   - Select the two programs
   - Compare the versions
2. Function matching
   - Right-click the function
   - Apply Function Hash
   - Match Functions

### Type Libraries

1. Import types
   - File → Parse C Source
   - Select the header files
   - Import into the program
2. Create structures
   - Window → Data Type Manager
   - Create Structure
   - Add fields
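Building a structure in the Data Type Manager is the GUI route; the same thing can be scripted. The script below is an added example, not from the cheatsheet or from Ghidra: it defines a hypothetical on-disk header type, registers it so it shows up under Window → Data Type Manager, applies it at a placeholder address, reads the fields back through the typed view, and checks a declared length field against the memory that is actually present. The structure name, field names and address are assumptions.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.ArrayDataType;
import ghidra.program.model.data.CharDataType;
import ghidra.program.model.data.DWordDataType;
import ghidra.program.model.data.DataType;
import ghidra.program.model.data.DataTypeConflictHandler;
import ghidra.program.model.data.StructureDataType;
import ghidra.program.model.listing.Data;
import ghidra.program.model.scalar.Scalar;

public class ApplyHeaderStruct extends GhidraScript {

    @Override
    public void run() throws Exception {
        // Hypothetical header layout (16 bytes); size 0 lets the struct grow as fields are added.
        StructureDataType header = new StructureDataType("blob_header_t", 0);
        header.add(new ArrayDataType(CharDataType.dataType, 4, 1), "magic", "4-byte signature");
        header.add(DWordDataType.dataType, "version", null);
        header.add(DWordDataType.dataType, "payload_len", "bytes that follow the header");
        header.add(DWordDataType.dataType, "flags", null);

        // Register the type with the program's Data Type Manager so it can be reused
        // from the listing; REPLACE_HANDLER overwrites an older definition of the same name.
        DataType resolved = currentProgram.getDataTypeManager()
                .addDataType(header, DataTypeConflictHandler.REPLACE_HANDLER);

        Address at = toAddr("0x00402000");                      // placeholder address
        clearListing(at, at.add(resolved.getLength() - 1));     // make room for the typed data
        Data d = createData(at, resolved);

        // Read the fields back through the typed view.
        for (int i = 0; i < d.getNumComponents(); i++) {
            Data field = d.getComponent(i);
            printf("%-12s @ %s = %s%n", field.getFieldName(), field.getAddress(),
                    field.getDefaultValueRepresentation());
        }

        // A length field that points past the end of the memory block is worth a
        // second look: the parser that consumes this header has to bound it.
        Scalar payloadLen = (Scalar) d.getComponent(2).getValue();   // component 2 is payload_len
        Address payloadStart = at.add(resolved.getLength());
        long available = getMemoryBlock(at).getEnd().subtract(payloadStart) + 1;
        if (payloadLen.getUnsignedValue() > available) {
            printf("payload_len %d exceeds the %d bytes available after the header%n",
                    payloadLen.getUnsignedValue(), available);
        }
    }
}
```

Once applied, the fields appear in the listing and the decompiler shows accesses as `header->payload_len` instead of raw offsets, which is what makes the bounds check in the consuming code easy to read.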

## Best Practices

### Project Organization

1. Folder structure

   ```text
   Project/
     ├── Sources/
     ├── Libraries/
     └── Analysis/
   ```

2. Naming conventions
   - Functions: `verb_noun`
   - Variables: `descriptive_name`
   - Structures: `Name_t`

### Analysis Workflow

1. Initial analysis
   1. Import the file
   2. Run auto-analysis
   3. Check entry points
   4. Analyze strings
   5. Check imports/exports
2. Deep analysis
   1. Identify key functions
   2. Analyze data structures
   3. Track cross-references
   4. Document findings

## Keyboard Shortcuts

Navigation:

```text
G         - Go to address
Ctrl+F    - Find
Ctrl+E    - Edit instruction
Ctrl+L    - Label
```

Views:

```text
Space     - Toggle listing/decompiler
Ctrl+T    - Text view
Ctrl+G    - Graph view
```

## Common Issues and Solutions

1. Memory issues
   - Edit → Tool Options
   - Increase the memory allocation
   - Adjust the cache settings
2. Analysis problems
   - Clear flow
   - Disassemble
   - Create function
   - Fix the stack frame

## Scripting Examples

1. Find strings

   ```python
   def findStrings():
       listing = currentProgram.getListing()
       for data in listing.getDefinedData(True):   # defined data items in address order
           if data.hasStringValue():               # keep only string-typed data
               println("%s: %r" % (data.getAddress(), data.getValue()))

   findStrings()
   ```

2. Analyze functions

   ```python
   def analyzeFunctions():
       fm = currentProgram.getFunctionManager()
       for function in fm.getFunctions(True):      # forward iteration over every function
           println("%s at %s, %d bytes" % (function.getName(), function.getEntryPoint(),
                                           function.getBody().getNumAddresses()))

   analyzeFunctions()
   ```
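The function and cross-reference items above (Navigation → Cross references, Function Analysis → Call Graph, and the "check imports/exports" step of the analysis workflow) come together in one script. The Java GhidraScript below is an added example, not part of the cheatsheet or of Ghidra: it walks every function, counts references to its entry point, follows its outgoing calls, and flags callers of a few C library routines that reviewers usually want to look at by hand. The list of routine names is an assumption chosen for illustration; adjust it to the platform of the binary.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.ReferenceManager;

public class FunctionXrefAudit extends GhidraScript {

    // Library calls whose callers deserve manual review (assumed list for the example).
    private static final Set<String> REVIEW_CALLS = new HashSet<>(
            Arrays.asList("strcpy", "strcat", "sprintf", "gets", "system", "memcpy"));

    @Override
    public void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();
        ReferenceManager rm = currentProgram.getReferenceManager();
        int flagged = 0;

        for (Function f : fm.getFunctions(true)) {          // forward address order
            monitor.checkCanceled();                        // honour the Cancel button
            if (f.isThunk() || f.isExternal()) {
                continue;                                   // report real code, not import stubs
            }
            int xrefs = rm.getReferenceCountTo(f.getEntryPoint());
            printf("%-40s %s  size=%-6d xrefs=%d%n", f.getName(), f.getEntryPoint(),
                    f.getBody().getNumAddresses(), xrefs);

            // getCalledFunctions() follows the call references out of this function;
            // a PLT/IAT thunk carries the name of the import it forwards to.
            for (Function callee : f.getCalledFunctions(monitor)) {
                if (REVIEW_CALLS.contains(callee.getName())) {
                    printf("    -> calls %s (thunk=%b, external=%b); review argument handling%n",
                            callee.getName(), callee.isThunk(), callee.isExternal());
                    flagged++;
                }
            }
        }
        printf("%d call sites flagged for review%n", flagged);
    }
}
```

Run it from the Script Manager after auto-analysis has finished, since the call and data references it relies on are created by the analyzers. The same walk is what the Function Call Graph window shows interactively; the script version gives you a text report you can attach to findings.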

## Custom Analysis

1. Data flow analysis

   ```java
   // Ghidra has no DataFlow class; data flow is read from the decompiler's P-code (SSA form).
   // Method of a GhidraScript; assumes imports of ghidra.app.decompiler.*,
   // ghidra.program.model.pcode.*, ghidra.program.model.listing.Function and java.util.*.
   public void analyzeDataFlow(Function f) throws Exception {
       DecompInterface ifc = new DecompInterface();
       ifc.openProgram(currentProgram);
       HighFunction hf = ifc.decompileFunction(f, 60, monitor).getHighFunction();
       if (hf == null) { ifc.dispose(); return; }   // decompilation failed or timed out
       for (Iterator<PcodeOpAST> it = hf.getPcodeOps(); it.hasNext();) {
           PcodeOpAST op = it.next();
           if (op.getOutput() != null) {   // each definition and the operation that produces it
               println(op.getOutput() + " <- " + op.getMnemonic() + " " + Arrays.toString(op.getInputs()));
           }
       }
       ifc.dispose();
   }
   ```

2. Control flow analysis

   ```java
   // Ghidra has no ControlFlow class; BasicBlockModel yields a function's basic blocks and edges.
   // Method of a GhidraScript; assumes imports of ghidra.program.model.block.* and
   // ghidra.program.model.listing.Function.
   public void analyzeControlFlow(Function f) throws Exception {
       CodeBlockIterator blocks = new BasicBlockModel(currentProgram).getCodeBlocksContaining(f.getBody(), monitor);
       while (blocks.hasNext()) {
           CodeBlock block = blocks.next();
           for (CodeBlockReferenceIterator dests = block.getDestinations(monitor); dests.hasNext();) {
               println(block.getFirstStartAddress() + " -> " + dests.next().getDestinationAddress());
           }
       }
   }
   ```