Intro to GHIDRA internals - Use Eclipse to Debug real-world Ghidra issue - Build Ghidra

Welcome everyone!

Highlights...
• Setup Ghidra dev environment.
• Build/Debug Ghidra, gather real-world Ghidra bug details.
• Debugging techniques for backtracking causal steps to problem origin.
• Gather clues, build repro "fingerprint" for conditional breakpoints.
• Ghidra internals around its PE loader (portable executable loader), abstraction of memory blocks, more!
• Ghidra, Eclipse, Java, Visual Studio, VS tools such as dumpbin, ml64 (MASM).
• MASM assembly, learn about DUP, STRUCT, .data, .bss, link map files, more!
• Portable Executable Format (PE Format, PE executable), PE sections, Ghidra import.
• Of course, implicitly the tutorial covers topics possibly helpful to those contributing to Ghidra.

00:00:00 Start
00:01:28 Install VS Code
00:01:50 Install VS
00:02:45 Ghidra setup start
00:02:56 Install JDK
00:05:47 Ghidra 11.0.1
00:09:18 Start Ghidra
00:10:38 Create console exe
00:12:32 Repro issue
00:18:34 Ghidra dev env
00:19:04 Setup Gradle
00:21:57 Setup Git
00:23:40 Clone Ghidra
00:24:33 Create Ghidra 11.0.1 branch
00:26:48 Additional deps
00:26:59 Build Ghidra from terminal
00:27:23 Run built Ghidra
00:28:42 Install Eclipse for Java devs
00:31:29 Prep Ghidra for Eclipse
00:37:42 Build Ghidra in Eclipse
00:38:18 Debug config, start debugger
00:39:07 Begin debugging issue
00:44:13 Debug Perspective
00:44:43 Breakpoint (BP) at error
00:46:43 Repro issue, trigger breakpoint
00:51:11 Examine the stack, frames
00:55:43 Examine DataDB
00:57:59 Breadth-first recon
00:59:16 Open Implementation
01:01:46 View hex
01:02:33 DataDB.dataType, StructureDB
01:04:25 Going deeper
01:06:42 Rinse/repeat
01:07:37 BP before issue
01:07:48 Begin building "fingerprint"
01:09:29 Conditional BP, expression
01:14:39 Conditional BP pt2
01:18:46 Stepping deeper
01:28:12 MemoryMapDB.getBytes
01:32:18 MemoryMapDB.getBytes, success
01:35:29 Problematic block
01:40:59 UninitializedSubMemoryBlock
01:42:24 Open Declared Type
01:49:46 FileBytesSubMemoryBlock.getBytes success, UninitializedSubMemoryBlock.getBytes failure
01:53:07 Constructor BP
01:53:39 Build fingerprint pt2
01:54:19 DBRecord/Schema
01:58:09 UninitializedSubMemoryBlock construction
02:02:11 Glean design
02:02:55 Table subBlockTable
02:06:06 createSubBlockRecord BP
02:10:27 DBRecord born elsewhere
02:12:20 ProgramDB/DBHandle
02:13:44 File-based DB
02:20:55 Strategy to find "1856" block
02:22:01 Re-import bins
02:22:52 createSubBlockRecord BP hit!
02:25:31 PeLoader
02:26:53 Glean design pt2
02:30:51 processMemoryBlocks, PE format
02:32:47 PE section processing
02:35:49 DBRecord creation
02:36:32 dumpbin
02:38:20 Familiar .data attrs
02:40:39 Binary, sect name cond BP
02:45:47 PeLoader, rawDataSize, virtualSize
02:49:37 Familiar face, 940 hex minus 200 hex
02:52:57 uninit block created
02:55:02 uninit DBRecord created
02:59:23 orig failure
03:02:08 issue data type
03:04:30 8 byte alignment
03:07:00 Map files
03:08:05 The .bss uninit data section
03:14:43 EXCEPTION_RECORD in map file
03:16:34 Finding CRT vars
03:20:15 GS_ExceptionRecord spanning init/uninit
03:21:51 Simplify repro w/MASM asm
03:22:58 VS Tools Prompt
03:23:35 Assemble, ml64
03:24:50 .data vs .data?
03:25:31 DUP operator
03:26:15 STRUCT directive
03:27:11 DUP(?) operator
03:29:48 Repro w/MASM prog
03:31:32 STRUCT init/uninit spanning
03:34:23 Updating cond BP
03:36:30 Debug asm repro, recap, map file.
03:43:40 Ghidra's assumption
03:45:02 Minimal repro example
03:48:57 Updating PeLoader cond BP
03:50:35 dumpbin pt2
03:51:50 asm prog raw, virt sizes
03:53:42 PeLoader recap
03:54:14 Enough to report issue
03:55:07 Build Ghidra fix
03:59:02 Debug fix
04:02:16 The fix
04:05:40 Outro

• Tutorial source: git clone https://github.com/AshleyT3/tutorial-sample-code.git

Other vids:
• Ghidra Intro https://www.youtube.com/watch?v=OWEZQMVLMPs
• dumpbin.exe, link, and the PE Format: https://www.youtube.com/watch?v=ZF9QTM87H4Q
• Microsoft MASM assembly, link, WinDbg: https://www.youtube.com/watch?v=I8TL2BbKnbQ

Buy Me a Coffee https://www.buymeacoffee.com/ricochettech
Subscribe to the RicochetTech email list: https://ricochettech.net/subscribe

The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement.