🔬 What is Static Analysis?
Analyzing software without running it. Reading the code, understanding the structure, and identifying functions and variables.
Advantages:
- Safe - no risk from running malicious code
- See all the code, including parts that don't always run
- Allows understanding the overall structure
Disadvantages:
- Code can be encrypted or packed
- Can't see runtime values
- Hard to follow dynamic code
IDA Pro
The most popular tool for static analysis. Expensive (~$2000+) but very powerful. There's a free version (IDA Free) with limited capabilities.
- Excellent disassembler with automatic recognition
- Decompiler (Hex-Rays) - converts to C
- Support for many architectures
- Python scripting (IDAPython)
Ghidra
Released in 2019 by the NSA. Completely free and competes with IDA.
- Built-in decompiler (unlike IDA Free)
- Open source - can be extended
- Support for various formats and architectures
- Scripting in Java and Python
- Recommended for beginners!
🚀 Getting Started with Ghidra
Installation
- Install Java JDK 17+
- Download from ghidra-sre.org
- Extract and run ghidraRun.bat (Windows)
Importing a File
- Create a new Project: File → New Project
- Import a file: File → Import File
- Ghidra will auto-detect the format
- Click Yes for Auto Analysis
- Open in CodeBrowser (double-click)
Main Windows
| Window | Purpose |
|---|---|
| Listing | Assembly code - the main view |
| Decompiler | Reconstructed C code - more readable! |
| Symbol Tree | List of functions, imports, exports |
| Data Type Manager | Data types and structures |
| Functions | List of all functions |
Important Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| G | Go to Address - jump to address |
| L | Rename - change name |
| ; | Add comment |
| X | Cross References - where is this used |
| Ctrl+Shift+E | Search text |
| D | Convert to Data |
| C | Convert to Code |
🔷 Getting Started with IDA
IDA Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| G | Jump to address |
| N | Rename |
| ; | Add comment |
| X | Cross References |
| Space | Toggle between Graph and Text view |
| F5 | Decompile (if Hex-Rays available) |
| Esc | Go back |
| Ctrl+E | Entry Points |
🎯 Analysis Tips
- Imports - What does the program use? (CreateFile, socket, RegOpenKey...)
- Strings - Search for interesting text (URLs, errors, messages)
- Entry Point - Start from the entry point
- Cross References - Follow calls to interesting functions
- Rename - Give meaningful names to functions
- Comments - Document what you understand
Searching for Strings
Ghidra: Search → For Strings
IDA: View → Open Subviews → Strings (or Shift+F12)
Look for:
- URLs, IPs, Domain names
- File paths
- Error messages
- Registry keys
- API function names
Cross References (XRefs)
A link between locations in the code. "Where is this function called from?" or "Where is this variable used?"
```asm
; Let's say we have a function decrypt()
; XRefs will show us all places that call it:
00401100: call decrypt ; XRef #1
00401250: call decrypt ; XRef #2
00401380: call decrypt ; XRef #3
```
🔄 Decompiler
A tool that converts Assembly back to C code (approximately). Makes understanding the logic much easier!
In Ghidra, the Decompiler is built-in. In IDA, you need the Hex-Rays plugin (expensive).
```asm
; Assembly
push ebp
mov ebp, esp
sub esp, 8
mov dword [ebp-4], 0
jmp check
loop:
mov eax, [ebp-4]
add eax, 1
mov [ebp-4], eax
check:
cmp dword [ebp-4], 10
jl loop
...
```

```c
// Decompiled C
int counter = 0;
while (counter < 10) {
    counter++;
}
```
Decompiler isn't perfect! The reconstructed code:
- Isn't always 100% accurate
- Variable names are generic (var1, param_1)
- Structures and types aren't always identified correctly
- Good to verify against Assembly
📋 Chapter Summary
- Static Analysis - analysis without running
- IDA Pro - the professional tool (expensive)
- Ghidra - free and recommended for beginners!
- Decompiler - conversion to C for easy reading
- Start with Imports and Strings
- Use XRefs to follow the code
- Rename and add comments!