GHIDRA is the name of a free reverse engineering tool that will be released by the NSA during the upcoming RSA security conference in March in San Francisco. The software is a disassembler that is designed to break down executable files into assembly code.
This code can then be analyzed by security researchers. It is interesting to note that the NSA developed the tool in the early 2000s, and the agency later started sharing it with other government entities tasked with examining malware.
GHIDRA Became Known to the Public with the Vault7 Documentation
Even though GHIDRA is not a state secret, many were unaware of its existence until WikiLeaks published the infamous Vault7 documentation. The documents revealed that the CIA had access to the GHIDRA tool. As revealed by WikiLeaks, “Ghidra is a GOTS reverse engineering tool developed @NSA”. The tool is coded in Java, has a graphical user interface, and runs on Windows, Mac, and Linux.
In terms of installing and using the tool, the following should be noted:
Regardless of what platform you use to run Ghidra or what types of binaries you are going to analyze in Ghidra, you will need the common package. Other packages provide the ability to analyze different platforms (windows, osx, linux, mobiledevices, etc.) or include plugins that allow for additional functionality (Cryptanalysis, interaction with OllyDbg, the Ghidra Debugger).
The GHIDRA tool is capable of analyzing binaries for Windows, Mac, Linux, as well as Android and iOS. Users can add packages to the tool if they need more features, and this is possible thanks to its modular architecture.
Apparently, the tool is quite handy for operators who analyze malware on government networks. In comparison with another well-known reverse engineering tool, IDA, GHIDRA appears to be slower and buggier. However, the NSA’s plan to make it open source should improve it.
That’s not the first internal tool that the NSA has made open source. The agency has done this with several other tools in the past several years. Its most successful experiment in that direction is Apache NiFi.
The GHIDRA disassembler will be presented during the RSA conference in March, and should be released soon after that.