Slashdot Mirror


NSA Releases Ghidra, a Free Software Reverse Engineering Toolkit (zdnet.com)

An anonymous reader writes: At the RSA security conference this week, the National Security Agency released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade. The tool is ideal for software engineers, but will be especially useful for malware analysts first and foremost, being similar to other reverse engineering tools like IDA Pro, Hopper, HexRays, and others.

The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private. Ghidra is currently available for download only through its official website, but the NSA also plans to release its source code under an open source license in the coming future.


64 comments

  1. Translate machine code into language by XXongo · · Score: 1

    So, basically, this is google translate, but for software!

    1. Re: Translate machine code into language by Anonymous Coward · · Score: 0

      Shut up

    2. Re: Translate machine code into language by Anonymous Coward · · Score: 0

      Kek

    3. Re:Translate machine code into language by Anonymous Coward · · Score: 0

      In other words a reverse compiler like we've had available for decades?

  2. No thank you by Anonymous Coward · · Score: 0

    I don't want any software from the NSA. I'll run that North Korean Linux before I run anything from the NSA.

    1. Re:No thank you by Anonymous Coward · · Score: 0

      Even if the software was 100% clean and trustworthy, just clicking on that link would probably put you on some kind of list.

    2. Re:No thank you by Anonymous Coward · · Score: 0

      You are already running things from the NSA...

    3. Re:No thank you by Anonymous Coward · · Score: 0

      Seriously, where do people think SELinux came from?

    4. Re:No thank you by Anonymous Coward · · Score: 0

      I run a custom kernel with SE Linux disabled.

    5. Re: No thank you by Anonymous Coward · · Score: 0

      Yet, you willingly use a phone you know was made in China with special hacks n add ons they didn't advertise on the box.

      *eye roll*

    6. Re:No thank you by gweihir · · Score: 2

      Makes you stupid, but be my guest. You are hardly alone.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:No thank you by Anonymous Coward · · Score: 0

      An Anonymous Coward cautioned:

      Even if the software was 100% clean and trustworthy, just clicking on that link would probably put you on some kind of list.

      A list of people who use VPNs ... ?

      (Posting as AC only so as not to undo prior upmods in this thread.)

      --

      Check out my novel ...

    8. Re:No thank you by AHuxley · · Score: 1

      Recall "NSA likely targets anybody who's 'Tor-curious'" https://www.cnet.com/news/nsa-... (July 3, 2014)

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re: No thank you by Anonymous Coward · · Score: 0

      Makes him "stupid" in your opinion only. And nobody cares about your opinion, it's worth the price you charge for it.

    10. Re:No thank you by Anonymous Coward · · Score: 0

      like SE linuX

    11. Re:No thank you by Anonymous Coward · · Score: 0

      Then you're not running ANY Linux, or any Windows for that matter.

      CAPTCHA: reality

  3. Q!!!!! by Anonymous Coward · · Score: 0

    Q sent me!!!!!!!

  4. Is it Open Source? by 3seas · · Score: 2

    Wait till it is, otherwise no telling what it contains unless you use it to reverse engineer itself.

    1. Re:Is it Open Source? by Anonymous Coward · · Score: 1

      https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

      direct download link, fwiw...

      it's only 272MB.

      what could possibly go wrong.

      captcha : intercom

    2. Re:Is it Open Source? by PPH · · Score: 1

      Is that source or a binary? Does it run on Linux?

      Uh uh. I ain't clickin' that sh*.

      --
      Have gnu, will travel.
    3. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      Is that source or a binary? Does it run on Linux?

      Uh uh. I ain't clickin' that sh*.

      just pretend it is from the Chinese government. then you'd have no problem with it you hypocrite

    4. Re:Is it Open Source? by gweihir · · Score: 1

      It is FOSS. The NSA will not place any exploits in there. First, they would be found and second, they would be all over the world pretty fast, making this an utter PR disaster.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Is it Open Source? by gweihir · · Score: 2

      You seriously think the NSA would do an untargeted attack on the whole world with this? Maybe you should have your paranoia looked at professionally.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Is it Open Source? by gweihir · · Score: 1

      Bullshit. If this is back-doored, it will have networking code that has no place in there. And that code will be found. Also, what purpose would an _untargeted_ attack against the whole world have? Right, none at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      It is FOSS.

      Is it, though? If the software was written by the NSA, doesn't that constitute a work of the United States government and thus make it public domain by default?

    8. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      They posted a Free software license, but no code so far. I smell trap.

    9. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      Why not? They did it with all electronic communications: text messages, chat rooms, you name it. And no, I'm not obligated to do your research for you. You must have been living under a rock for the past several years.

    10. Re:Is it Open Source? by ZoomieDood · · Score: 1

      Well, I'll certainly use a tool like this to aim it at a piece of software I have to use with a CZURtek book scanner I purchased from a Kickstarter campaign years ago that appears to be scanning across my hard drive in unrelated areas and opening a port to China while in the middle of scanning.

    11. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      Who ever said anything about it phoning home? All that code would have to do is make it easier for an external entry which could be done by corrupting running services.

    12. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      Is that source or a binary?

      Both source and binary. Source is under the Apache 2.0 licence, at least the non-third-party parts.

      Does it run on Linux?

      It seems to be Java, so perhaps. It comes with a Bash launch script at least.

      ~350 MB of the archive seems to be processor support. It supports around 20 different CPU architectures, I think. All the major ones (68k, ARM, MIPS, PA-RISC, PowerPC, SPARC, x86) are there.

    13. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      I have downloaded the archive and in the archive there are many archives containing the sources of the modules forming the application, it is not a convenient way to distribute the sources but it is compliant with the GPL...

    14. Re: Is it Open Source? by Anonymous Coward · · Score: 1

      cough EternalBlue cough

      It's not as if they are lacking a past of untargeted worldwide attacks. They invented the concept of untargeted worldwide attacks.

    15. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      I thought that whole attack of dissent by psychiatry went out with the fall of the Soviet Union.

      You Stalinist boot-licker.

    16. Re:Is it Open Source? by gweihir · · Score: 1

      So corrupting other services with exploit code that is worth quite a bit? Not really harder to spot. You really have no clue what you are talking about.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      I pity you. You think you are smarter than all the professional spooks who do this 24x7.

      If I was the NSA, here's what I'd do. Have this software use the network in an identifiable way, a traffic fingerprint. Drop some vulnerabilities in there 'by accident'. When the users run the application they can be found on the 'net and there are Zero Day exploits to allow access to their systems.

      Why go to all this trouble? Well it seems to me that a self-selected group of hackers and reverse engineers are pretty interesting on just those merits. Maybe the NSA doesn't even go after all of them. Maybe they wait for a name to come up in connection with something else; if the NSA can make the connection, suddenly they have a channel directly to their target of interest.

    18. Re:Is it Open Source? by gweihir · · Score: 1

      Paranoia and insight do not mix. Your statement is a nice example of that.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:Is it Open Source? by Anonymous Coward · · Score: 0

      Just because you're not paranoid, doesn't mean they aren't out to get you.

  5. A Quick Example by chill · · Score: 4, Informative

    http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html

    That's a quick review of using Ghidra to analyze Trickbot. It shows the interface and many of the features, with a brief comparison to IDA.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:A Quick Example by phantomfive · · Score: 2

      Looks like it is really similar to IDA, but open source (eventually) and free.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: A Quick Example by eatvegetables · · Score: 1

      Thanks for posting link. Nice overview.

  6. Here, eat this root! by Anonymous Coward · · Score: 0

    We'll release the source code Real Soon Now (tm), but for now, here, run this NSA black box on your computer.

    Do they really think we're that grotesquely fucking stupid?

    Or is that actually the first test to get one of those jobs they spoke of?

  7. Zero flies again! by Anonymous Coward · · Score: 0

    Ghidra is released just in time for the Godzilla movie!

  8. Better Ghidra than King Ghidorah by Mspangler · · Score: 1

    With a Three Letter Agency you are never quite sure what they are plotting.

    1. Re:Better Ghidra than King Ghidorah by omfglearntoplay · · Score: 1

      That's the first thing that came to mind. I still think that's how they got the name.

    2. Re:Better Ghidra than King Ghidorah by K.+S.+Kyosuke · · Score: 1

      Isn't it "Hydra" in Russian?

      --
      Ezekiel 23:20
  9. DRM by Anonymous Coward · · Score: 0

    Will this help people remove DRM from software as well? Inquiring minds want to know.

  10. What happens if you run in on Slashcode? by Anonymous Coward · · Score: 1

    Will the world implode if this were run on Slashcode?

  11. Hide in plain sight by tepples · · Score: 0

    Then let's get everybody we can to click the link, in order to destroy the value of the information that someone happens to have clicked the link.

    1. Re: Hide in plain sight by LifesABeach · · Score: 1

      / . The NSA? Cool, of course it's my tax dollars that will be used to fix it, but cool.

  12. More details by Anonymous Coward · · Score: 0

    Reverse engineers in what form? And is it limited to specific languages?

    1. Re:More details by fibonacci8 · · Score: 2

      It takes any compiled binary and reverse engineers it into Brainfuck.

      --
      Inheritance is the sincerest form of nepotism.
  13. Work on Intel ME? by Anonymous Coward · · Score: 0

    I *really* need the NSA's toolkit to fix all my backdoored Intel processors!!

  14. Bad Guys Too! by nuckfuts · · Score: 1

    The tool is ideal for software engineers...

    Yes, there will be good guys who will use this to reverse-engineer malware to design patches. There will also be bad guys who will use it to reverse-engineer patches to design malware.

    Here's a scenario: A security researcher discovers a critical vulnerability in Microsoft Windows. Remotely executable. Root-level access. Being a responsible researcher, the information is provided quietly to Microsoft before being announced publicly, so they are given a chance to develop a patch. Somewhere down the road, Microsoft releases a patch.

    What happens immediately is that people start reverse-engineering the patch. What modules is it touching? Let's look very closely at those modules, maybe do some fuzzing, see if we can figure out what's exploitable. I once saw Halvar Flake give a talk on this that was both impressive and frightening. A person with his level of skill could potentially develop an exploit by reverse-engineering a patch in a matter of hours. Much faster than many people would be deploying the patch.

  15. does anyone know list of platforms. G85ware only? by yfeefy · · Score: 1

    I guess we'll find out soon enough. People afraid of it could always run it in a sandboxed area. I wouldn't worry too much about being on a list, you are probably already on it. If the download consists of a stub that downloads a "downloader" like so much crapware today, maybe start to worry :-)

  16. Run at your own risk by hermi · · Score: 1

    unless you want a TCP port opened that is reachable via internet with remote code execution source

  17. I feel like someone in Strugatskys Roadside Picnic by Dirk+Becher · · Score: 1

    With the NSA in the role of the super-advanced aliens and the rest of humanity as the strugglers in the zone who feast on their junk.

  18. Fuck you by Anonymous Coward · · Score: 0

    And your three-headed kaiju.

  19. Reverse engineer it by Anonymous Coward · · Score: 0

    Has anybody reverse engineered it yet, using Ghidra?

  20. This is just a recruiting tool by Nocturrne · · Score: 1

    You can be sure, this is not considered an advanced tool, worthy of protection. If you are able to use this tool to do something interesting, you might find yourself being contacted by a recruiter from a contractor with a strange name. If government salaries were not borderline poverty level, it might be fun.

  21. "They would never do that" by Anonymous Coward · · Score: 0
  22. Try Reko. by cheesybagel · · Score: 1

    Reko is already open source. It has a disassembler and a GUI.
    https://uxmal.github.io/reko/
    https://github.com/uxmal/reko