The National Security Agency (NSA) has released Ghidra, a free software reverse engineering (SRE) tool aimed at malware analysts and software engineers. The agency had used it internally for more than a decade before making it public.
At present Ghidra is available only as a download from its official website; the NSA plans to publish the source code on GitHub under an open source license in the near future.
Ghidra is positioned as a free alternative to IDA Pro, the established commercial reverse engineering suite, whose licenses cost thousands of US dollars per year.
Because it costs nothing and early user reviews have been positive, some commentators expect it to win a significant share of the reverse engineering tools market quickly.
Ghidra is written mainly in Java (its decompiler is native C++ code), has a graphical user interface (GUI), and runs on Windows, macOS, and Linux.
Rob Joyce, Senior Advisor at the NSA, stated that Ghidra can analyze binaries built for a wide variety of processor architectures and can easily be extended with more when needed.
Installation is also straightforward: the Ghidra distribution archive is simply extracted in place on the filesystem. The only prerequisite is a Java Development Kit, version 11 or later; a full JDK rather than a bare runtime is needed because Ghidra compiles user scripts and extensions while it runs.
Ghidra's documentation includes an installation guide plus classes and exercises at beginner, intermediate, and advanced levels that help users become familiar with the tool's GUI.
IDA Pro also ships with a debugger, a component this initial Ghidra release does not include.
First Bug Reported in Ghidra Reverse Engineering Tool
Within minutes of the release, Matthew Hickey, co-founder and director of the UK-based cyber-security firm Hacker House, reported the first security issue. He noticed that when Ghidra is launched in debug mode, the suite opens a Java Debug Wire Protocol (JDWP) listener on port 18001 bound to all network interfaces. JDWP lets a connected debugger load and invoke arbitrary Java code inside the process, so anyone who can reach that port over the network could execute code on the analyst's machine.
Debug mode is not enabled by default, so an ordinary installation is not affected, and the mode otherwise works as intended. Still, the listener should accept debug connections only from localhost, never from other machines on the network. The fix is a one-line change: bind the JDWP listener to 127.0.0.1 instead of the wildcard address.
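The following shell snippet is an added example and is not Ghidra's launch script. It assumes the debug listener is enabled through the standard JDK `-agentlib:jdwp=...` JVM option, with the exposed setting being `address=*:18001` (wildcard bind) and the hardened setting `address=127.0.0.1:18001` (loopback only); the option strings, the function names `jdwp_bind_is_local` and `harden_jdwp_opts`, and the variable names are constructed for illustration. It classifies a set of JVM options as loopback-bound or network-exposed and rewrites the weak form to the safe one.

```shell
#!/bin/sh
# Added example, not Ghidra's own launcher. Assumes JDWP is enabled with the
# standard JDK -agentlib:jdwp option; sample option strings are constructed.

# Constructed: a debug option that listens on every interface.
WEAK_JDWP='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001'
# Constructed: the same option restricted to the loopback interface.
SAFE_JDWP='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001'

# jdwp_bind_is_local JVM_OPTS
# Returns 0 when every JDWP address= in JVM_OPTS is loopback-bound (or when no
# JDWP agent is configured at all), 1 when any of them would accept remote
# connections. Wildcard binds (*, 0.0.0.0, [::]) and explicit non-loopback
# hosts count as exposed. A bare port (address=18001) is treated as loopback-only
# because JDK 9 and later bind a bare port to localhost, and Ghidra needs JDK 11.
jdwp_bind_is_local() {
  exposed=$(printf '%s\n' "$1" | tr ', ' '\n\n' | sed -n 's/^address=//p' |
    while IFS= read -r addr; do
      case $addr in
        '*:'*|0.0.0.0:*|'[::]:'*)       echo "$addr" ;;  # wildcard bind
        127.*:*|localhost:*|'[::1]:'*)  ;;               # loopback
        *:*)                            echo "$addr" ;;  # some other host/interface
        *)                              ;;               # bare port: localhost on JDK 9+
      esac
    done)
  [ -z "$exposed" ]
}

# harden_jdwp_opts JVM_OPTS
# Prints JVM_OPTS with wildcard JDWP binds rewritten to 127.0.0.1; the port is kept.
harden_jdwp_opts() {
  printf '%s\n' "$1" | sed -e 's/address=[*]:/address=127.0.0.1:/g' \
                           -e 's/address=0\.0\.0\.0:/address=127.0.0.1:/g' \
                           -e 's/address=\[::\]:/address=127.0.0.1:/g'
}

# Demonstration: classify both settings, then show the rewritten weak one.
for opts in "$WEAK_JDWP" "$SAFE_JDWP"; do
  if jdwp_bind_is_local "$opts"; then
    echo "loopback-only: $opts"
  else
    echo "EXPOSED:       $opts"
  fi
done
echo "hardened:      $(harden_jdwp_opts "$WEAK_JDWP")"

# Runtime check on a Linux box where Ghidra is running in debug mode:
#   ss -ltn | grep ':18001'
# A listener shown as *:18001 or 0.0.0.0:18001 is reachable from the network;
# 127.0.0.1:18001 is not.
```

The classification deliberately treats any host other than a loopback address as exposed, so a launcher that binds the debugger to the machine's own hostname is flagged as well; a debug port should only ever be reachable from the analyst's own machine, and remote debugging, if it is really needed, belongs behind an SSH tunnel rather than on an open interface.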