Ghidra

NSA

NSA-released reverse-engineering suite with decompiler — free IDA Pro alternative.

Tags: Malware Analysis & Sandboxing, Free & Open Source, GUI, Learning, Cross-platform


Description

Ghidra is the reverse engineering suite released publicly by the NSA in 2019. It is now the leading free alternative to IDA Pro for static analysis of malware binaries and supports a very wide range of processor architectures (x86/x64, ARM, MIPS, PowerPC, AVR, and many more).

Headline features:

  • Decompiler producing readable C-like pseudocode.
  • Project-based workflow with multi-user collaboration.
  • Scripting in Java and Python (Jython).
  • Headless analyzer for batch processing in CI pipelines.
  • Cross-platform (runs on Windows, Linux, macOS).

Use cases

  • Static analysis of unpacked malware samples
  • Patch diffing to understand a CVE
  • Recovering algorithms from firmware