Ghidra cheat sheet

These are a few notes to remind myself about some features of the Ghidra SRE framework, which I keep forgetting!

The default assignment for label highlighting in IDA is a left-click on the name of the label. Ghidra also has this feature, but the default binding is the middle mouse button. To change this:

  • In the CodeBrowser, select: Edit → Tool Options
  • In the option tree, select: Options → Listing Fields → Cursor Text Highlight
  • Enable Cursor Text Highlight, and set the “Mouse button to activate” field to “Left”.

If a computed jump instruction (e.g. JMP (jumptableAddr, X)) isn't preceded by a range check on the index register, Ghidra may assume that the valid range is the full range of the index register. It then treats bytes well past the end of the real table as jump targets, which completely screws up both the disassembly and the decompiler output. To fix it by hand:

  1. Navigate to the jump table (find the computed JMP instruction and follow the reference).
  2. Set the first element to be a pointer (keyboard: P).
  3. Press [ to define the number of elements in the jump table.
    • This triggers disassembly at each jump table target, but that code is not yet part of the enclosing function.
  4. Navigate to the JMP instruction which performs the jump, e.g. JMP (jumpTable, X).
  5. Press R to bring up the References Editor and click on the mnemonic. Either:
    1. Use the green plus to add COMPUTED_JUMP references to each address stored, one at a time, or
    2. Use the CodeBrowser's forward-references feature:
      1. Select the JMP instruction in the CodeBrowser.
      2. Select → Forward Refs (may have to do this twice)
      3. Drag the selection into the References Editor.
  6. Right-click on the function which contains the jump table, and select Function → Recreate Function
  7. Finally, navigate back to the JMP instruction, and use the Script Manager to run SwitchOverride.java.
    • This fixes the JumpTable references used by the decompiler

If Ghidra has gone the other way and created too many jump table references (for example because it assumed the full index range), follow the instructions above but don't try to add references. Instead, remove the extraneous ones:

  1. Navigate to the JMP instruction which performs the jump, e.g. JMP (jumpTable, X).
  2. Press R to bring up the References Editor and click on the mnemonic.
    • Edit the reference list to remove any incorrect table references.
  3. Right-click on the function which contains the jump table, and select Function → Recreate Function
  4. Finally, navigate back to the JMP instruction, and use the Script Manager to run SwitchOverride.java.
    • This fixes the JumpTable references used by the decompiler
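Both procedures above (adding missing jump table references, and removing extraneous ones) can be scripted. The following is an added example written for this page, not one of Ghidra's bundled scripts; the script name AddJumpTableRefs.java and the dialog prompts are choices made here. It uses the standard GhidraScript API (the FlatProgramAPI helpers and ReferenceManager) to type each table slot as a pointer, disassemble its target, and make the JMP's set of COMPUTED_JUMP references equal to the table contents. Steps 6 and 7 (Recreate Function, then SwitchOverride.java) are still done by hand afterwards.

```java
// AddJumpTableRefs.java - hypothetical name for this added example script.
// Run it from the Script Manager with the cursor on the computed JMP instruction.
import java.util.HashSet;
import java.util.Set;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.PointerDataType;
import ghidra.program.model.listing.CodeUnit;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.symbol.RefType;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceManager;
import ghidra.program.model.symbol.SourceType;

public class AddJumpTableRefs extends GhidraScript {

    @Override
    public void run() throws Exception {
        // Step 4 of the manual procedure: the cursor must sit on JMP (jumpTable, X).
        Instruction jmp = getInstructionAt(currentAddress);
        if (jmp == null) {
            printerr("Place the cursor on the computed JMP instruction first");
            return;
        }

        // Steps 1-3: ask where the table lives and how many entries it has, then
        // define each slot as a pointer (the scripted equivalent of P and [).
        Address tableAddr = askAddress("Jump table", "Start address of the jump table");
        int count = askInt("Jump table", "Number of entries in the table");
        int ptrSize = currentProgram.getDefaultPointerSize();

        Set<Address> targets = new HashSet<>();
        Address entry = tableAddr;
        for (int i = 0; i < count; i++) {
            // Clear whatever is there (undefined bytes or a bad disassembly) and
            // re-type the slot as a pointer of the program's default pointer size.
            clearListing(entry, entry.add(ptrSize - 1));
            Data slot = createData(entry, PointerDataType.dataType);
            Address target = (Address) slot.getValue();
            if (target == null || !currentProgram.getMemory().contains(target)) {
                // A slot that does not point into memory usually means the entry
                // count is too large; stop rather than create bogus references.
                printerr("Entry " + i + " at " + entry + " does not point into memory; check the count");
                break;
            }
            targets.add(target);
            disassemble(target); // same side effect as defining the pointer in the GUI
            entry = entry.add(slot.getLength());
        }

        // Step 5: make the JMP's COMPUTED_JUMP references match the table exactly.
        // Extraneous ones (the "remove" procedure) are deleted, missing ones
        // (the "add" procedure) are created on the mnemonic.
        ReferenceManager rm = currentProgram.getReferenceManager();
        Set<Address> existing = new HashSet<>();
        int added = 0, removed = 0;
        for (Reference ref : rm.getReferencesFrom(jmp.getAddress())) {
            if (!ref.isMemoryReference() || !ref.getReferenceType().equals(RefType.COMPUTED_JUMP)) {
                continue;
            }
            if (targets.contains(ref.getToAddress())) {
                existing.add(ref.getToAddress());
            } else {
                rm.delete(ref);
                removed++;
            }
        }
        for (Address target : targets) {
            if (!existing.contains(target)) {
                rm.addMemoryReference(jmp.getAddress(), target,
                        RefType.COMPUTED_JUMP, SourceType.USER_DEFINED, CodeUnit.MNEMONIC);
                added++;
            }
        }
        println("Jump table at " + tableAddr + ": " + targets.size() + " targets, "
                + added + " references added, " + removed + " removed.");
        println("Now use Function -> Recreate Function, then run SwitchOverride.java at " + jmp.getAddress());
    }
}
```

Because the script compares the table contents with the references already on the instruction, it is safe to re-run after adjusting the entry count: references that are no longer backed by a table slot are removed and nothing is duplicated.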

Plugins and extensions that integrate into Ghidra:

  • Replica – Ghidra auto-analysis enhancer
    • Detect crypto algorithm constants
    • Fix undefined ASCII strings and data
  • SVD Loader – Loads ARM CMSIS SVD (System View Description) files into Ghidra to describe and annotate ARM processor SFRs. See also the project homepage
  • GhidraEmu – Native Pcode emulation. Uses SLEIGH descriptions to emulate a processor.
  • AngryGhidra – Use angr for binary analysis and symbolic execution.
  • GhidraBoy – Sharp SM83 and Game Boy support
    • Call chain between two functions
    • Highlight function calls
    • ROP gadget finders for MIPS and ARM

These tools don't integrate into Ghidra, but may be useful to supplement it.

  • ImHex – ludicrously powerful hex editor
    • File hashing, disassembler, data analyser (file magic based identification, entropy graph, …)
    • C++-like pattern description language (like Synalyze It!) for parsing binary data
    • Built-in disassembler
  • Kaitai Struct – file format description language
  • Radare2
    • r2ghidra – Integrate the Ghidra decompiler and disassembler into Radare2
    • Cutter GUI (uses the Rizin fork of Radare2)
Last modified: 2023/02/20 00:42 by philpem