Malware Handbook

Reverse Engineering re_lotsastuff.exe Using Ghidra

1. Setting Up Ghidra:

  • Create a New Project:

    • Open Ghidra and create a new project.

    • Import the Sample:

      • Drag and drop the re_lotsastuff.exe sample into the project or press I on the keyboard to import it.

2. Analyzing the File:

  • Open in Default Tool:

    • After importing, right-click the sample and select Open in Default Tool to begin the analysis.

    • Follow the dialogs and accept Ghidra's offer to auto-analyze the file, keeping the default analyzer options.

3. Navigating the Disassembly and Decompiled Code:

  • Symbol Tree Navigation:

    • In the left pane, expand the Symbol Tree under the Functions folder.

    • Look for the entry function to begin your analysis.

  • Viewing Decompiled Code:

    • Clicking on the entry function will bring up both the disassembled code and the decompiled version of the code in the right pane.

  • Finding the Main Function:

    • To locate the main function:

      • Use the address identified in IDA Pro (in this case, 0x401480).

      • Search within the Symbol Tree for the function whose default name is FUN_ followed by that address, zero-padded to eight hex digits (FUN_00401480 for this sample).

      • This brings up the main function in a more readable, decompiled view.
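The three steps above (import, auto-analyze, locate the function at the IDA-identified address) can be scripted so the same result is reproducible from the command line. The following GhidraScript is an added example written for this page, not code from the Malware Handbook or from the Ghidra project; the script name DumpMainDecompiled is hypothetical, and the only page-specific value it relies on is the address 0x401480 taken from the IDA Pro session above. It looks up the function at that address, creates one if auto-analysis missed it, renames the default FUN_ symbol, lists the functions it calls, and prints the same decompiled C that the Decompiler window shows.

```java
// DumpMainDecompiled.java (hypothetical name; added example, not the handbook's own code).
// Place it in a Ghidra script directory and run it from the Script Manager, or headless:
//   support/analyzeHeadless <project_dir> <project_name> -import re_lotsastuff.exe \
//       -scriptPath <script_dir> -postScript DumpMainDecompiled.java
import ghidra.app.script.GhidraScript;
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.SourceType;

public class DumpMainDecompiled extends GhidraScript {

    // Address of main as identified in IDA Pro for this sample (value from the handbook page).
    private static final long MAIN_ADDR = 0x401480L;

    @Override
    public void run() throws Exception {
        Address addr = toAddr(MAIN_ADDR);

        // Auto-analysis normally creates FUN_00401480 here. If it did not (for example
        // because the only reference is an indirect call), define the function ourselves.
        Function main = getFunctionAt(addr);
        if (main == null) {
            main = createFunction(addr, "main");
            if (main == null) {
                printerr("No function could be created at " + addr
                        + "; check that the image base matches the IDA session.");
                return;
            }
        }

        // Rename the default FUN_ symbol so the Symbol Tree shows "main" from now on.
        if (main.getName().startsWith("FUN_")) {
            main.setName("main", SourceType.USER_DEFINED);
        }

        // The callees of main are the triage list for the rest of the analysis.
        println("main at " + main.getEntryPoint() + " calls:");
        for (Function callee : main.getCalledFunctions(monitor)) {
            println("  " + callee.getName() + " @ " + callee.getEntryPoint());
        }

        // Decompile main exactly as the Decompiler window would.
        DecompInterface decomp = new DecompInterface();
        try {
            if (!decomp.openProgram(currentProgram)) {
                printerr("Decompiler failed to initialise: " + decomp.getLastMessage());
                return;
            }
            DecompileResults res = decomp.decompileFunction(main, 60, monitor);
            if (!res.decompileCompleted()) {
                printerr("Decompilation failed: " + res.getErrorMessage());
                return;
            }
            println(res.getDecompiledFunction().getC());
        } finally {
            decomp.dispose();
        }
    }
}
```

The null check after createFunction matters when the sample is not loaded at the same base as in IDA: a wrong address silently produces no function rather than an error, so the script reports it instead of decompiling the wrong bytes. The 60-second timeout passed to decompileFunction is the same default the GUI uses.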

4. Ghidra Plugins:

  • Exploration of Plugins:

    • Ghidra has a variety of plugins that can aid in analyzing files more efficiently.

    • It's recommended to explore and utilize these plugins to enhance the speed and accuracy of your analysis.

5. Key Takeaways:

  • Ghidra’s Strengths:

    • Provides both disassembly and a high-level decompiled view, making it easier to understand the code.

    • The Symbol Tree lets you navigate quickly to critical functions such as main.

  • Plugin Support:

    • Leverage the available plugins in Ghidra to improve your analysis workflow.

  • Learning Resources:

    • The course series includes sessions on assembly language, which can be beneficial if you're new to low-level programming.

These notes cover the fundamental steps for using Ghidra to analyze and decompile a 32-bit executable compiled from C++. Ghidra’s combination of disassembly and decompiled views, along with its plugins, makes it a powerful tool for reverse engineering.

Last updated 9 months ago