Skip to content ↓ | Skip to navigation ↓

It’s been a little while since we last reviewed a book, but a lot of my team has been spending time with Ghidra this year. Craig Young taught a course on the subject, and I’ve used it with my students at Fanshawe College in their Malware Analysis course. Given our fascination with Ghidra, reviewing The Ghidra Book: The Definitive Guide by Chris Eagle and Kara Nance from No Starch Press made sense. I have a few of Chris’s books on my shelf, and I’ve always enjoyed them, so I was looking forward to digging into this one.

The book takes you from the beginning of your Ghidra journey to the end. From an introduction to disassembly and working with the basics of Ghidra to scripting in Ghidra to extend its capabilities, this book covers it all. One of my favorite aspects of the book is that it doesn’t read like a technical manual. When books are focused on a specific product, they can become very focused on a bland approach that can turn off readers. It feels more like reading the owner’s manual for your car than a book. Thankfully, that didn’t happen with this book, and it was enjoyable. I will admit that I did not read this book sequentially, instead jumping to topics that were relevant to my current work or that interested me. I think that’s the sign of a good technical book when you can move around freely and use it as reference material.

Here’s what others had to say about the book.

The Ghidra Book: The Definitive Guide by Chris Eagle and Kara Nance is an excellent choice for a reference book. This book provides explanations on how to modify the UI and other features that Ghidra provides. This allows any user to customize their layout to suit their specific needs. The authors provide a description of the reverse engineering process and the aspects of Ghidra that can be used. The authors explain the process of obfuscation and the techniques that might be used to prevent the reverse engineering process. They continue on to explain how Ghidra can be used in these situations. This allows readers to understand that if any of these methods are implemented, there are ways that Ghidra can be used to continue the reverse engineering process. Overall, it can be tedious to read through the chapters that explain how to customize the UI.

Rating: 3.9/5

Andrew Swoboda
Senior Security Researcher
Tripwire

I would highly recommend this book. Rather than simply being a Ghidra user guide, the authors did an exceptional job of laying out many of the fundamental concepts involved in software reverse engineering. As they walk through various aspects of Ghidra functionality, they take the opportunity to explain not only what Ghidra is showing with its data displays but also providing insight into how Ghidra extracts the information from a program. For example, great attention is paid to making sure the reader will understand, at least at a high-level, how compilers arrange stack frames and how they can be reconstructed through static analysis. This is critical knowledge not only for Ghidra users but more generally for anyone involved in software reversing.

The sections in Chapter 8 pertaining to identifying data structures was immensely helpful for me in one of my personal research projects. Specifically, this chapter spells out various patterns of how programmers make use of structured data types as well as how the compiler reflects this in the machine code. In my case, this helped me correct an incorrect function prototype which had impeded my understanding of the program I was analyzing. Another section of particular interest to me is the Ghidra basic scripting guide in Chapter 14. From what I was able to find, this seems to be one of the more comprehensive and well-documented introductions to the Ghidra scripting API.

The later chapters also offer a lot of great material including advanced topics like creating loaders, diffing/patching binaries and working with obfuscated programs. Although Ghidra is not necessarily the best suited for these tasks, the book does a good job of presenting what is possible and what limitations exist. For example, I had previously attempted to modify and patch an ELF binary within Ghidra only to find that this generally didn’t work the way I expected. Although this was not clear to me from the Ghidra documentation, The Ghidra Book does greatly clarify how binary loading and export works in Ghidra, which in turn explains why you cannot export a functional binary after using the ELF loader. The Ghidra Book has answers to this and countless other questions.

Rating: 5/5

Craig Young
Principal Security Researcher
Tripwire

Having no prior experience with reverse engineering, I was excited to get the opportunity to dive into The Ghidra Book. The book made clear from the very beginning that it was not a user manual for Ghidra. Instead, it was to be used as an enabling tool giving practical examples on how to properly use Ghidra. Being new to reverse engineering and thus software reverse engineering suites (SRE’s) the book did well on laying out the what, why, and how of disassembly and the challenges that arise around them in the first section of the book. Later, common tools that are available to the public give an insight on what motived the creation of Ghidra as well as give the reader a taste of what to expect from Ghidra’s UI and the different data displays. I found this section to be essential in order to understand what you’re looking at as you move further into the book.

The second part of the book is all about basic usage in Ghidra. In this section, the reader is introduced to many screen shots of the GUI and how to navigate the various displays to render data. I found Chapter 6 was very helpful for understanding the basic navigational techniques and getting used to the disassembly constructs. As you read further, the book discusses how to customize Ghidra to work for you. This section talks about collaboration with others on shared projects and introducing basic scripting in Ghidra with both Java and Python languages. This section of the book was the most interesting to me for reasons of automating repetitive tasks such as enumerating functions, function calls, instructions and cross-references.

Overall, I enjoyed The Ghidra Book, and it was a good starting point for me in entering the world of reverse engineering and the many different tools that are accessible due to being open-sourced. I encourage anyone that has an interest in reverse engineering or who just wants to investigate cool open-sourced tools to give The Ghidra Book a read.

Rating: 4.5/5

Matthew Jerzewski
Security Researcher
Tripwire

Personally, I’m with Craig on this one. The book is a perfect 5/5 for me.

Overall Rating: 4.6/5

We don’t have any plans for another book at the moment, so if you have any suggestions, let us know on Twitter!

Mastering Configuration Management Across the Modern Enterprise