Ghidra is a powerful, open-source software reverse engineering (SRE) framework developed by the NSA and released to the public. This cheat sheet covers essential commands, shortcuts, and workflows that security researchers, malware analysts, and cybersecurity professionals need to know for effective binary analysis.
Getting Started
Project Setup
- Create Project: File → New Project → Non-Shared Project
- Import Binary: File → Import File (or drag and drop)
- Auto-Analysis: Analyze → Auto Analyze (recommended for first-time analysis)
Key Windows
- CodeBrowser: Main analysis interface
- Listing: Assembly code and decompiled view
- Decompiler: C-like pseudocode representation
- Symbol Tree: Functions, labels, and data structures
- Data Type Manager: Built-in and custom data types
Essential Keyboard Shortcuts
Navigation
| Shortcut | Action |
|---|---|
| G | Go to address/symbol |
| Ctrl + E | Go to entry point |
| Alt + Left/Right | Navigate back/forward in history |
| Ctrl + Shift + E | Go to external location |
| L | Add label at cursor |
| Ctrl + L | Show location references |
Analysis
| Shortcut | Action |
|---|---|
| F | Create function at cursor |
| U | Clear code units (undo disassembly) |
| D | Disassemble at cursor |
| C | Clear and create code |
| Ctrl + Shift + G | Create structure |
| P | Create pointer |
Viewing and Display
| Shortcut | Action |
|---|---|
| Ctrl + F | Find/Search |
| Ctrl + Shift + F | Find strings |
| Ctrl + H | Find/Replace |
| Ctrl + D | Toggle decompiler view |
| T | Show data type chooser |
| Ctrl + T | Toggle listing format |
Code Manipulation
| Shortcut | Action |
|---|---|
| Enter | Follow reference/jump |
| Esc | Return from reference |
| R | Add reference |
| Ctrl + R | Remove reference |
| N | Rename symbol |
| Semicolon (;) | Add comment |
Core Analysis Workflows
1. Initial Binary Assessment
Quick Overview:
1. Import binary and run auto-analysis
2. Check entry point (Ctrl + E)
3. Review symbol tree for imported functions
4. Look for strings (Search → For Strings)
5. Identify main function and key routines
String Analysis:
- Search → For Strings → Filter by length/encoding
- Right-click string → References → Show references to
- Use string context to understand program behavior
2. Function Analysis
Function Creation:
- Position cursor at function start
- Press F to create a function; Ghidra auto-detects the function boundaries
Function Signatures:
- Right-click function → Edit Function Signature
- Set parameter types and return values
- Use standard calling conventions (cdecl, stdcall, etc.)
Decompiler Usage:
- Press Ctrl + D to open the decompiler
- Variables can be renamed (right-click → Rename Variable)
- Right-click → Retype Variable to change data types
3. Data Structure Analysis
Creating Structures:
- Data Type Manager → Right-click → New → Structure
- Define member types and offsets
- Apply to memory locations using the T key
Array Analysis:
- Select data range
- Right-click → Data → Choose Array type
- Specify element count and type
Advanced Techniques
Cross-References (XREFs)
- Find References: Right-click → References → Show References to
- Reference Types:
- Read references (data access)
- Write references (data modification)
- Call references (function calls)
- Jump references (control flow)
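The string-analysis workflow above (Search → For Strings, then Show References to) and the reference-type breakdown in this section can be combined into one script. The following Java GhidraScript is an added example written for this cheat sheet; it is not code from the original post or from the Ghidra project. It assumes it is run from Window → Script Manager against the currently open program, and the minimum string length of 4 is an assumed default that mirrors the length filter in the string search dialog.

```java
// StringXrefReport.java - added example, not part of the original cheat sheet.
// For every defined string in the program, print the functions that reference
// it and the kind of reference (read/write/call/jump), i.e. the manual
// "Search -> For Strings" then "Show References to" workflow, automated.
// Assumption: runs inside Ghidra's Script Manager as a GhidraScript.
//@category Examples

import java.util.ArrayList;
import java.util.List;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.DataIterator;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.RefType;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;

public class StringXrefReport extends GhidraScript {

    // Minimum string length worth reporting (assumed default; the string search
    // dialog offers the same kind of filter).
    private static final int MIN_LENGTH = 4;

    @Override
    protected void run() throws Exception {
        DataIterator data = currentProgram.getListing().getDefinedData(true);
        int reported = 0;

        while (data.hasNext() && !monitor.isCancelled()) {
            Data d = data.next();
            if (!d.hasStringValue()) {
                continue; // skip non-string data: integers, pointers, structures
            }
            Object value = d.getValue();
            String text = (value == null) ? "" : value.toString();
            if (text.length() < MIN_LENGTH) {
                continue;
            }

            // Collect "function@address [kind]" for every reference to this string.
            List<String> users = new ArrayList<>();
            ReferenceIterator refs =
                currentProgram.getReferenceManager().getReferencesTo(d.getAddress());
            while (refs.hasNext()) {
                Reference r = refs.next();
                Function f = getFunctionContaining(r.getFromAddress());
                String from = (f != null) ? f.getName() : "<no function>";
                users.add(from + "@" + r.getFromAddress()
                    + " [" + describe(r.getReferenceType()) + "]");
            }

            // Strings with no direct reference are still reported: they may be
            // reached through computed addresses or tables the analysis missed.
            println(String.format("%s  %s  <- %s",
                d.getAddress(), d.getDefaultValueRepresentation(),
                users.isEmpty() ? "(no direct references)" : String.join(", ", users)));
            reported++;
        }
        println("Strings reported: " + reported);
    }

    // Map Ghidra's RefType flags onto the four reference kinds listed above.
    private static String describe(RefType t) {
        if (t.isCall()) {
            return "call";
        }
        if (t.isJump()) {
            return "jump";
        }
        if (t.isWrite()) {
            return "write";
        }
        if (t.isRead()) {
            return "read";
        }
        return t.getName();
    }
}
```

Drop the file into a script directory registered in the Script Manager and run it once auto-analysis has finished; the output goes to the console window, one line per string, and the unreferenced strings at the end of the list are usually the first place to look for missed string tables or decryption routines.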
Script Management
- Script Manager: Window → Script Manager
- Built-in Scripts: Numerous analysis and utility scripts
- Custom Scripts: Write Python or Java scripts for automation
- Popular Scripts:
  - FindCrypt.py – Identify cryptographic constants
  - StringsScript.py – Enhanced string analysis
  - XrefAnalyzer.py – Cross-reference analysis
Memory Map Analysis
- Memory Map: Window → Memory Map
- Key Sections:
  - .text – Executable code
  - .data – Initialized data
  - .bss – Uninitialized data
  - .rodata – Read-only data
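The Memory Map window shows block permissions, but two triage signals that matter for the packing check in the malware workflow below are easier to read from a script: blocks that are both writable and executable, or executable but not initialized in the file, and how much of each code block auto-analysis left undefined. The following Java GhidraScript is an added example written for this cheat sheet, not code from the original post or from the Ghidra project; it assumes it is run from the Script Manager against the open program.

```java
// MemoryMapReport.java - added example, not part of the original cheat sheet.
// Walk the memory map (Window -> Memory Map) and print, per block, its
// permissions plus two triage signals: W+X or uninitialised executable blocks
// (typical of packers and code written at runtime), and the share of each
// executable block that auto-analysis left undefined.
// Assumption: runs inside Ghidra's Script Manager as a GhidraScript.
//@category Examples

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.AddressSet;
import ghidra.program.model.address.AddressSetView;
import ghidra.program.model.mem.MemoryBlock;

public class MemoryMapReport extends GhidraScript {

    @Override
    protected void run() throws Exception {
        println(String.format("%-16s %-10s %-10s %10s  %-5s %-9s  %s",
            "block", "start", "end", "size", "perms", "undefined", "notes"));

        for (MemoryBlock b : currentProgram.getMemory().getBlocks()) {
            if (monitor.isCancelled()) {
                return;
            }
            String perms = (b.isRead() ? "r" : "-")
                + (b.isWrite() ? "w" : "-")
                + (b.isExecute() ? "x" : "-");

            // Coverage only makes sense for code that is actually present in the file.
            String undefined = (b.isExecute() && b.isInitialized())
                ? String.format("%5.1f%%", undefinedPercent(b))
                : "n/a";

            println(String.format("%-16s %-10s %-10s %10d  %-5s %-9s  %s",
                b.getName(), b.getStart(), b.getEnd(), b.getSize(),
                perms, undefined, notes(b)));
        }
    }

    // Share of the block covered by neither instructions nor defined data.
    // A high value in a code section usually means auto-analysis stopped short
    // (encrypted or packed code, unresolved indirect jumps) and the D / F keys
    // are needed there.
    private double undefinedPercent(MemoryBlock b) throws Exception {
        if (b.getSize() == 0) {
            return 0.0;
        }
        AddressSetView whole = new AddressSet(b.getStart(), b.getEnd());
        AddressSetView undef =
            currentProgram.getListing().getUndefinedRanges(whole, true, monitor);
        return 100.0 * undef.getNumAddresses() / (double) b.getSize();
    }

    // Observations a reviewer wants called out next to the raw permissions.
    static String notes(MemoryBlock b) {
        StringBuilder sb = new StringBuilder();
        if (b.isWrite() && b.isExecute()) {
            sb.append("W+X; ");
        }
        if (b.isExecute() && !b.isInitialized()) {
            sb.append("executable but not initialised in file; ");
        }
        if (b.isOverlay()) {
            sb.append("overlay; ");
        }
        if (b.isExternalBlock()) {
            sb.append("EXTERNAL (imports); ");
        }
        return sb.toString().trim();
    }
}
```

A `.text` block that reports a large undefined share, or a writable block that is also executable, is the point at which to suspect a packer and to look for the unpacking stub rather than trusting the static listing.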
Function Graph View
- Access: Window → Function Graph
- Navigation: Right-click nodes for options
- Layout: Various graph layout algorithms available
- Export: File → Export → Function Graph
Search and Analysis Features
Instruction Search
- Search → For Instruction Patterns
- Use wildcards for flexible matching
- Example: MOV ??, 0x401000 (find moves to a specific address)
Byte Pattern Search
- Search → For Byte Patterns
- Hexadecimal pattern matching
- Useful for finding shellcode, signatures, or specific data
Regular Expression Search
- Search → For Regular Expressions
- Powerful text pattern matching
- Works across comments, labels, and operands
Data Type Management
Built-in Types
- Primitive types (int, char, float, etc.)
- Windows API types (DWORD, HANDLE, etc.)
- C standard library types
Custom Data Types
- Create custom structures and unions
- Import header files for API definitions
- Export/import data type archives (.gdt files)
Type Propagation
- Ghidra automatically propagates type information
- Manual type annotation improves analysis quality
- Use function signatures to improve decompilation
Debugging and Analysis Tips
Common Workflows
Malware Analysis:
- Check for packing/obfuscation
- Identify anti-analysis techniques
- Find decryption routines
- Analyze network communication
- Document IOCs (Indicators of Compromise)
Vulnerability Research:
- Identify input validation routines
- Track user input flow
- Look for buffer operations
- Analyze error handling
- Check boundary conditions
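The "look for buffer operations" and "track user input flow" steps start with finding every place the binary calls unbounded copy and format routines. The following Java GhidraScript is an added example written for this cheat sheet, not code from the original post or from the Ghidra project. It assumes it runs from the Script Manager against the open program; the watch list of routine names is a constructed starting point, not something Ghidra ships, and the name normalization is an assumption about how PE and ELF imports are decorated.

```java
// RiskyCallAudit.java - added example, not part of the original cheat sheet.
// Report every call site (and address-taking reference) of a constructed list
// of unbounded C string/buffer routines together with the containing function,
// so the "look for buffer operations" step becomes a report, not a manual hunt.
// Assumption: runs inside Ghidra's Script Manager as a GhidraScript.
//@category Examples

import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;

public class RiskyCallAudit extends GhidraScript {

    // Watch list (constructed assumption, not provided by Ghidra): routines with
    // no destination-length parameter, or whose length argument is easy to get wrong.
    private static final Set<String> RISKY = new HashSet<>(Arrays.asList(
        "strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf", "sscanf",
        "memcpy", "strncpy", "strncat", "alloca"));

    @Override
    protected void run() throws Exception {
        Set<Address> reported = new LinkedHashSet<>();
        // Imports show up both as external functions and, on ELF, as PLT thunks,
        // so both function lists are scanned by name.
        audit(currentProgram.getFunctionManager().getFunctions(true), reported);
        audit(currentProgram.getFunctionManager().getExternalFunctions(), reported);
        println("Sites found: " + reported.size());
    }

    private void audit(FunctionIterator funcs, Set<Address> reported) {
        while (funcs.hasNext() && !monitor.isCancelled()) {
            Function callee = funcs.next();
            String key = normalize(callee.getName());
            if (!RISKY.contains(key)) {
                continue;
            }
            Set<Address> sites = new LinkedHashSet<>();
            collectSites(callee.getEntryPoint(), sites, 2);
            for (Address site : sites) {
                Function caller = getFunctionContaining(site);
                // A thunk named like the callee (e.g. a PLT stub) is plumbing, not a use.
                if (caller != null && RISKY.contains(normalize(caller.getName()))) {
                    continue;
                }
                if (!reported.add(site)) {
                    continue; // already printed via another alias of the same routine
                }
                Instruction ins = getInstructionAt(site);
                println(String.format("%-10s %-6s at %s in %s", key,
                    ins.getMnemonicString(), site,
                    (caller != null) ? caller.getName() : "<no function>"));
            }
        }
    }

    // References to an import often arrive through a pointer (GOT/IAT entry)
    // rather than directly, so references that originate at data are followed
    // a limited number of extra hops until an instruction is reached.
    private void collectSites(Address target, Set<Address> out, int hops) {
        ReferenceIterator refs = currentProgram.getReferenceManager().getReferencesTo(target);
        while (refs.hasNext()) {
            Reference r = refs.next();
            Address from = r.getFromAddress();
            if (getInstructionAt(from) != null) {
                out.add(from);
            } else if (hops > 0 && getDataAt(from) != null) {
                collectSites(from, out, hops - 1);
            }
        }
    }

    // Strip leading underscores and a trailing "@N" stdcall decoration so PE and
    // ELF import names compare equal to the watch list (assumed naming conventions).
    static String normalize(String name) {
        int i = 0;
        while (i < name.length() && name.charAt(i) == '_') {
            i++;
        }
        String n = name.substring(i);
        int at = n.indexOf('@');
        return (at > 0) ? n.substring(0, at) : n;
    }
}
```

Each reported line is a starting point for the manual steps that follow: open the containing function in the decompiler, retype the buffer arguments, and check where their lengths come from and whether they are bounded before the call.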
Patch Analysis:
- Compare before/after binaries
- Use version tracking tools
- Focus on modified functions
- Document security implications
Performance Optimization
- Disable unnecessary analysis options for large binaries
- Use selective analysis for specific regions
- Save analysis results regularly
- Consider analysis depth vs. speed tradeoffs
Collaboration Features
Project Sharing
- Export projects for sharing
- Version control integration (Git support)
- Merge analysis from multiple analysts
Documentation
- Add comprehensive comments
- Create bookmarks for important locations
- Use symbols and labels consistently
- Export analysis reports
Useful Plugins and Extensions
Popular Plugins
- BinExport: Export to other tools (IDA Pro, etc.)
- Ghidrathon: Python 3 scripting support
- GhidraEmu: Emulation capabilities
- FindCrypt: Cryptographic constant identification
Development
- Plugin development in Java
- Headless analysis capabilities
- API documentation available
- Community plugin repositories
Pro Tips
- Start with Auto-Analysis: Let Ghidra do initial heavy lifting
- Use Bookmarks: Mark important locations for quick navigation
- Leverage Scripts: Automate repetitive analysis tasks
- Cross-Reference Everything: Understanding data flow is crucial
- Document Your Work: Add comments and labels liberally
- Learn the Decompiler: It’s one of Ghidra’s strongest features
- Practice with CTFs: Capture The Flag challenges improve skills
- Join the Community: Active forums and Discord channels available
Common Issues and Solutions
Decompiler Not Working:
- Check function boundaries
- Verify calling convention
- Clear and recreate problematic functions
Missing Symbols:
- Import debugging symbols if available
- Create manual symbols for important functions
- Use signature matching for known libraries
Performance Issues:
- Reduce analysis scope
- Disable unused analyzers
- Increase JVM memory allocation
Conclusion
Ghidra is an incredibly powerful tool for reverse engineering and binary analysis. This cheat sheet covers the essentials, but mastery comes with practice. Start with simple binaries, gradually work up to more complex samples, and don’t hesitate to explore Ghidra’s extensive documentation and community resources.
Remember that reverse engineering should only be performed on software you own or have explicit permission to analyze. Always follow responsible disclosure practices when discovering vulnerabilities, and respect intellectual property rights.
Additional Resources:
- Official Ghidra Documentation
- Ghidra Courses and Training Materials
- Community Forums and Discord Channels
- Practice CTF Challenges
- Malware Analysis Sandboxes
Happy reversing!