Using Old Windows Symbols with Ghidra in Linux

Recently, while developing material for a reverse engineering course I was making, I needed to get the symbols for the venerable sol.exe. Unfortunately, the world’s greatest solitaire program is no longer shipped with Windows, and consequently Microsoft’s symbol servers have stopped providing debug information for it. The last complication was that Ghidra’s PDB support is limited to Windows-only systems. This guide walks through how I got the symbols for an unsupported OS (XP) working inside the Ghidra Linux client.


Reverse Engineering Gootkit with Ghidra Part I

Ghidra is pretty handy for looking at malware. This series of posts is an informal overview of what I do. Gootkit is a great implant for learning the functionality of Ghidra. Gootkit is a NodeJS server with packaged JavaScript implementing the implant functionality. There are lots of libraries linked into the main executable, including Node, OpenSSL, and many more. As a reverse engineer, it is difficult to identify these open libraries. In this post, I will go through my analysis process to use and understand Ghidra’s functionality.


Ghidra Nation State Level Reverse Engineering Tools

Ghidra is the newly released tool from the United States National Security Agency for reverse engineering software. It has been under active development for years. There is a lot to love about it. From my initial exploration, the string deobfuscation, including inline context, is phenomenal.
