My next class:
Reverse-Engineering Malware: Malware Analysis Tools and TechniquesOnline | Australia Eastern Standard TimeSep 16th - Sep 21st 2024

A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters

Published: 2019-04-03. Last Updated: 2019-04-03 13:39:59 UTC
by Jim Clausing (Version: 1)
0 comment(s)

If you haven't been living under a rock, you probably heard that the NSA released its reverse-engineering tool, Ghidra, at RSA last month. I've been an IDA user for years (it's the primary disassembler we use when I teach FOR610), but I've been trying out Ghidra over the last few days since it is free and other malware analysts have been talking about it. This is the first of several diaries I plan to write with suggestions on how to get Ghidra to do things I've come to rely on in IDA. And, being a good computer scientist, I start counting a 0, hence part 0.

Let me state, right up front, I have only spent a couple of hours using Ghidra, so this is very preliminary. On first glance, one feature I missed from IDA was the comments where IDA gave me the names of parameters for Windows API calls (e.g., the first parameter to RegOpenKeyExA in MSDN is listed as hKey with a type HKEY). It turns out Ghidra can do this to. It requires changing one of the defaults in the AutoAnalysis settings (you see this when you first open a file for analysis or when you choose AutoAnalysis from the Analysis menu). The option WindowsPE x86 Propagate External Parameters is disabled by default, if you enable this option then you get the comments you expect.

If you forget to do it in the opening dialog or don't change the default, you can apply the analysis later from the Analysis menu, using the One Shot option (or rerunning AutoAnalysis, which will give you the same dialog above).

The last thing that I wanted to change about Ghidra's defaults is probably just a personal thing that I could get over, but it annoyed me at first and I found it was easy to fix. I was used to writing comments in assembly by prefacing them with a semicolon (;) and I was used to IDA (and x64dbg) showing comments with a semicolon in front of them, but Ghidra by default wasn't. It turns out that behavior is simple to change, too.  In this case, you can choose Tool Options from the Edit menu.

And then turn on 'Show Semicolon at Start of Each Line' in Listing Fields>EOL Comments.

And with that, I can now see the comments showing parameter names and types for Windows API calls.

That's enough for one diary. I'll post a few more of these tips as I figure Ghidra out. If you have other thoughts or useful tips, e-mail me or leave your comments below.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

0 comment(s)
My next class:
Reverse-Engineering Malware: Malware Analysis Tools and TechniquesOnline | Australia Eastern Standard TimeSep 16th - Sep 21st 2024

Comments


Diary Archives