Ghidra tips
GUI tips
Cursor Text Highlight
By default, you need to use the middle mouse button on a variable to highlight all its other occurrences in the code browser. You can change it to the left mouse button for a more natural feel.
Go to Edit -> Tool Options and then in the new window: Options -> Listing Fields -> Cursor Text Highlight and change the Mouse Button To Activate from MIDDLE to LEFT:
Add entropy margin
You can add an entropy margin in the Listing view which may be useful to identify encrypted/compressed data:
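To show what the entropy margin is plotting, here is an added example (not part of the original post or of Ghidra) that computes sliding-window Shannon entropy over a constructed byte image and merges the high-entropy windows into byte ranges; the 256-byte window, 64-byte step and 6.5 bits/byte threshold are assumptions, not Ghidra's settings.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or constant data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 256, step: int = 64):
    """Sliding-window entropy: a list of (offset, bits_per_byte), one per window start."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, step)]


def high_entropy_regions(data: bytes, window: int = 256, step: int = 64,
                         threshold: float = 6.5):
    """Merge overlapping windows scoring above `threshold` into (start, end) byte ranges.

    A 256-byte window of truly random bytes scores only about 7.2 bits/byte (the
    empirical estimate is biased low when the window is not much larger than the
    256 possible byte values), so the threshold is deliberately set below 8.0.
    """
    regions = []
    for off, bits in entropy_profile(data, window, step):
        if bits < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # extend the current region
        else:
            regions.append((off, end))
    return regions


# Constructed sample image (not a real binary): 1 KiB of repetitive text,
# 1 KiB of seeded pseudo-random bytes standing in for encrypted/compressed
# content, then 1 KiB of zero padding.
_rng = random.Random(1234)
SAMPLE = ((b"push ebp; mov ebp, esp; " * 43)[:1024]
          + bytes(_rng.getrandbits(8) for _ in range(1024))
          + b"\x00" * 1024)

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region: 0x{start:04x}-0x{end:04x}")
```

Only the middle kilobyte is reported; the text and the zero padding score far below the threshold, which is exactly the contrast the margin makes visible in the Listing.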
Better route edges in graph view
If the edges in the graph view are hard to follow, you can enable the graph option to route edges around vertices (disabled by default): Edit -> Tool Options -> Options -> Graph -> Nested Code Layout -> Route Edges Around Vertices:
Increase fields size in graph view
If addresses or some operands are cut off in the graph view, you can increase the size of the display fields by selecting Edit Code Block Fields in the Function Graph toolbar.
This opens a new window; go to the Instruction/Data tab. You can then resize each field and increase its length as needed:
Those changes will then be applied to the Function Graph view:
Analyzers
Decompiler Parameter ID Analyzer
You may notice differences in a function's parameters between the disassembly and decompiler views, because the Ghidra decompiler keeps only the parameters it finds useful. The Decompiler Parameter ID analyzer applies the decompiler-derived parameter information to the function's parameters in the disassembly view.
If the analyzer was not enabled during the first analysis, it can be run later with Analysis -> One Shot -> Decompiler Parameter ID.
Disable PDB Analyzer
Unless you are analyzing executables that you compiled yourself, you may not want to load the related PDB files, since it is very rare to have them when analysing malware samples. PDB loading is enabled by default during the analysis step and you can disable it at that point:
Cross-references (XREFS)
Unwanted XREFS
If the address of a function happens to be at the very beginning of the .text section, some PE fields in the Headers section (BaseOfCode, for example) indirectly reference the start of the .text section, which may create additional XREFS.
Types of references
Data references:
- (R): Read
- (W): Write
- (*): Pointer
Code references:
- (c): call
- (j): jump
Namespaces
To better organize functions during your analysis, you can create namespaces and drag and drop functions into them. Once a function is added to a namespace, it is no longer listed in the Functions directory. You can also create sub-namespaces:
If a function is part of a namespace, the namespace is prepended to its name, along with every sub-namespace it belongs to:
Useful shortcuts
Convert to hexadecimal in Decompile view
Go to Edit > Tool Options and then Key bindings > "Convert To Hexadecimal":
As indicated in the Plugin Name column, this shortcut can only be used in the Decompile window.