Disassembling an Object File: A Beginner’s Guide with Ghidra

Introduction

Disassembling a binary file allows analysts to translate machine-readable ones and zeros into a more human-readable format, such as assembly code, making it possible to extract meaningful information about the file’s behavior. This process is especially valuable for malware analysis, reverse engineering, and debugging.

In this guide, we will explore how to use Ghidra, an open-source reverse engineering toolkit developed by the NSA, to analyze a Windows Portable Executable (PE) malware sample. From hex editing to creating projects in Ghidra, this tutorial provides a practical introduction to disassembling and analyzing object files.


What is Disassembly?

Disassembly is the process of translating machine code (binary instructions) into assembly language, a human-readable representation of low-level code. It provides insights into a file’s structure, behavior, and functionality without requiring access to the source code.

Why Use Disassembly?

  • Analyze Malware: Understand malicious intent and behavior.
  • Debug Applications: Identify vulnerabilities and bugs.
  • Reverse Engineer Software: Learn how a program operates, even without source code.

Tools for Disassembly

1. Hex Editor

A hex editor allows you to view the raw binary content of a file. On REMnux, wxHexEditor is pre-installed and useful for:

  • Inspecting the file’s structure in hexadecimal format.
  • Viewing ASCII translations of the hex values.
  • Modifying specific bytes for analysis or testing purposes.

2. Ghidra

Ghidra is an open-source reverse engineering tool that provides:

  • Disassembly: Converts binary into assembly code.
  • Decompilation: Converts assembly into high-level pseudocode.
  • Visualization: Offers features like control flow graphs and function call graphs.

Other notable tools include IDA Pro (paid and free versions) and Radare2, but Ghidra has gained significant popularity due to its robust features and open-source nature.


Steps to Disassemble a Binary File Using Ghidra

1. Set Up a New Project

  1. Open Ghidra and create a new project (e.g., “walk1”).
  2. Import the binary file:
    • Click on File > Import File and select the malware sample.
    • Ghidra will automatically detect file attributes (e.g., file type, architecture, etc.).
  3. Review the import summary and confirm the details.

2. Analyze the File in the Code Browser

  1. Double-click the imported file to open it in Ghidra’s Code Browser.
  2. When prompted, select Analyze to start automated reverse engineering.
  3. Enable options to extract as much information as possible (e.g., add comments from external parameters).

Exploring the Code Browser

Program Tree View

  • Displays the file’s structure and its sections (e.g., .text, .rdata, .data).
  • Common sections in a Portable Executable (PE) file include:
    • Header: Contains metadata about the file.
    • Text Section: Contains executable machine code.
    • Rdata Section: Stores read-only data like constants.
    • Data Section: Holds initialized global variables.

Symbol Tree

  • Lists the libraries (DLLs) and functions the file imports.
  • Example: Under a DLL, you can see Windows APIs the file calls, such as RegOpenKeyExA.

Functions

  • Displays all functions in the code, often assigned generic names like FUN_00401....
  • Names are lost during compilation but can be renamed for clarity (e.g., rename FUN_00401... to main).

Making the Code More Readable

  1. Renaming Functions:
    • Right-click a function and select Edit Function Name to rename it (e.g., “Main Function” or “Registry Updater”).
  2. Editing Constants:
    • Replace hardcoded values (e.g., 8002) with meaningful names.
    • Example: 8002 corresponds to HKEY_LOCAL_MACHINE in Windows.
      • Right-click the value, select Set Equate, and assign the correct constant.
  3. Updating Labels:
    • Labels are used for jumps or branches in the code.
    • Rename them to reflect their purpose (e.g., “Loop Start” or “Error Handler”).

Advanced Features in Ghidra

1. Function Graphs

  • Function Graph:
    • Visualizes the flow within a function.
    • Highlights branches and labels to show where the function jumps or continues.
  • Function Call Graph:
    • Displays relationships between functions, including which APIs are called.
    • Example: A function might call APIs like RegOpenKeyExA, RegSetValueExA, and RegCloseKey to update Windows registry keys.

2. Decompiled View

  • Ghidra attempts to decompile assembly into pseudocode, resembling high-level languages like C.
  • Example: A function using push 8002 and call RegOpenKeyExA can be decompiled to: RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion", ...);

Practical Analysis Example

Scenario: Registry Modification

  1. Search for APIs related to registry changes, such as RegOpenKeyExA.
  2. Filter symbol references for registry-related APIs.
  3. Navigate to the relevant function in the Code Browser.
  4. Identify the parameters passed to the API (e.g., HKEY_LOCAL_MACHINE, Software\\Microsoft\\Windows\\CurrentVersion).
  5. Rename constants and labels to reflect their purpose, improving readability.
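The five steps above, together with the renaming and Set Equate steps from the "Making the Code More Readable" section, can be scripted. The following Ghidra script is an added example written for this guide, not code from the original post; it assumes the three registry API names already mentioned, the script name TagRegistryCallers is mine, and it uses the full 32-bit value of HKEY_LOCAL_MACHINE, 0x80000002.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.*;
import ghidra.program.model.scalar.Scalar;
import ghidra.program.model.symbol.*;

// Hypothetical helper script: finds every reference to the registry APIs below,
// renames the auto-named FUN_... function that makes the call, and attaches the
// HKEY_LOCAL_MACHINE equate wherever that function uses the raw constant 0x80000002.
public class TagRegistryCallers extends GhidraScript {
    private static final String[] REGISTRY_APIS = { "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey" };
    private static final long HKLM = 0x80000002L;  // full 32-bit value of HKEY_LOCAL_MACHINE

    @Override
    public void run() throws Exception {
        EquateTable table = currentProgram.getEquateTable();
        Equate hklm = table.getEquate("HKEY_LOCAL_MACHINE");
        if (hklm == null) {
            hklm = table.createEquate("HKEY_LOCAL_MACHINE", HKLM);
        }
        for (String api : REGISTRY_APIS) {
            SymbolIterator syms = currentProgram.getSymbolTable().getSymbols(api);
            while (syms.hasNext()) {
                Symbol sym = syms.next();
                for (Reference ref : sym.getReferences()) {
                    // References from the import table have no containing function; skip them.
                    Function caller = getFunctionContaining(ref.getFromAddress());
                    if (caller == null) continue;
                    if (caller.getName().startsWith("FUN_")) {  // keep names the analyst already chose
                        caller.setName("registry_updater_" + caller.getEntryPoint(), SourceType.USER_DEFINED);
                    }
                    tagHklm(caller, hklm);
                    println(api + " referenced from " + caller.getName() + " at " + ref.getFromAddress());
                }
            }
        }
    }

    // Equivalent of right-click > Set Equate on each 0x80000002 operand inside the function.
    private void tagHklm(Function f, Equate hklm) {
        for (Instruction ins : currentProgram.getListing().getInstructions(f.getBody(), true)) {
            for (int op = 0; op < ins.getNumOperands(); op++) {
                for (Object obj : ins.getOpObjects(op)) {
                    if (obj instanceof Scalar && ((Scalar) obj).getUnsignedValue() == HKLM) {
                        hklm.addReference(ins.getAddress(), op);
                    }
                }
            }
        }
    }
}
```

Save it in one of Ghidra's script directories and run it from the Script Manager; the renamed callers then appear in the Functions window and the equate shows in the listing in place of the raw constant.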

Outcome:

You discover the malware modifies a critical registry key to persist across reboots or alter system settings.


Tips for Effective Disassembly

  1. Familiarize Yourself with File Formats:
    • Understand the structure of PE and ELF files to interpret sections effectively.
  2. Use Documentation:
    • Refer to Microsoft’s API documentation (e.g., RegOpenKeyExA) for function details.
  3. Iterative Analysis:
    • Analyze one function or segment at a time, renaming and documenting as you go.
  4. Leverage Ghidra’s Features:
    • Use comments, labels, and graphs to organize your findings.

Conclusion

Disassembling object files with tools like Ghidra enables cybersecurity professionals to uncover hidden behaviors, analyze malware, and reverse engineer software. By leveraging Ghidra’s powerful features, you can transform complex binaries into human-readable insights, making it easier to understand and mitigate potential threats.
