NSA Releases Ghidra, a Free Software Reverse Engineering Toolkit (zdnet.com) 64
An anonymous reader writes: At the RSA security conference this week, the National Security Agency released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade. The tool is ideal for software engineers, but will be especially useful for malware analysts first and foremost, being similar to other reverse engineering tools like IDA Pro, Hopper, HexRays, and others.
The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private. Ghidra is currently available for download only through its official website, but the NSA also plans to release its source code under an open source license in the coming future.
Translate machine code into language (Score:2)
Hide in plain sight (Score:1)
Then let's get everybody we can to click the link, in order to destroy the value of the information that someone happens to have clicked the link.
Re: Hide in plain sight (Score:2)
Re: (Score:2)
Re: (Score:3)
Makes you stupid, but be my guest. You are hardly alone.
Try Reko. (Score:2)
Reko is already open source. It has a disassembler and a GUI.
https://uxmal.github.io/reko/ [github.io]
https://github.com/uxmal/reko [github.com]
Is it Open Source? (Score:3)
Wait till it is, otherwise no telling what it contains unless you use it to reverse engineer itself.
Re: (Score:1)
https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip
direct download link, fwiw...
it's only 272MB.
what could possibly go wrong.
captcha : intercom
Re: (Score:2)
Is that source or a binary? Does it run on Linux?
Uh uh. I ain't clickin' that sh*.
Re: (Score:3)
You seriously think the NSA would do an untargeted attack on the whole world with this? Maybe you should have your paranoia looked at professionally.
Re: Is it Open Source? (Score:1)
cough EternalBlue cough
It's not as if they are lacking a past of untargeted worldwide attacks. They invented the concept of untargeted worldwide attacks.
Re: (Score:2)
Bullshit. If this is back-doored, it will have networking code that has no place in there. And that code will be found. Also, what purpose would an _untargeted_ attack against the whole world have? Right, none at all.
Re: (Score:2)
So corrupting other services with exploit code that is worth quite a bit? Not really harder to spot. You really have no clue what you are talking about.
Re: (Score:2)
Paranoia and insight do not mix. Your statement is a nice example of that.
Re: (Score:2)
It is FOSS. The NSA will not place any exploits in there. First, they would be found and second, they would be all over the world pretty fast, making this an utter PR disaster.
Re: (Score:1)
Well, I'll certainly use a tool like this to aim it at a piece of software I have to use with a CZURtek book scanner I purchased from a Kickstarter campaign years ago that appears to be scanning across my hard drive in unrelated areas and opening a port to China while in the middle of scanning.
A Quick Example (Score:5, Informative)
http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html [peppermalware.com]
That's a quick review of using Ghidra to analyze Trickbot. It shows the interface and many of the features, with a brief comparison to IDA.
Re: (Score:3)
Re: A Quick Example (Score:2)
Thanks for posting link. Nice overview.
Better Ghidra than King Ghidorah (Score:2)
With a Three Letter Agency you are never quite sure what they are plotting.
Re: (Score:2)
That's the first thing that came to mind. I still think that's how they got the name.
Re: (Score:2)
What happens if you run it on Slashcode? (Score:1)
Will the world implode if this were run on Slashcode?
Re: (Score:3)
Bad Guys Too! (Score:2)
The tool is ideal for software engineers...
Yes, there will be good guys who will use this to reverse-engineer malware to design patches. There will also be bad guys who will use it to reverse-engineer patches to design malware.
Here's a scenario: A security researcher discovers a critical vulnerability in Microsoft Windows. Remotely executable. Root-level access. Being a responsible researcher, the information is provided quietly to Microsoft before being announced publicly, so they are given a chance to develop a patch. Somewhere down the road, Micr
does anyone know list of platforms. G85ware only? (Score:1)
Run at your own risk (Score:1)
unless you want a TCP port opened that is reachable via internet with remote code execution source [twitter.com]
I feel like someone in the Strugatskys' Roadside Picnic (Score:1)
With the NSA in the role of the super-advanced aliens and the rest of humanity as the strugglers in the zone who feast on their junk.
This is just a recruiting tool (Score:2)
You can be sure, this is not considered an advanced tool, worthy of protection. If you are able to use this tool to do something interesting, you might find yourself being contacted by a recruiter from a contractor with a strange name. If government salaries were not borderline poverty level, it might be fun.