malwology.com - malwology | Adventures in double-clicking malware / by Anuj Soni


I’m excited to announce that the SANS FOR610 Reverse-Engineering Malware course I co-author with Lenny Zeltser now uses Ghidra for static code analysis. Ghidra is a free and open-source software (FOSS) reverse engineering platform developed by the National Security Agency (NSA). It has an active community of users and contributors, and we are optimistic about the future of this analysis tool. I found it an invaluable addition to my toolkit, as have many other malware analysts.

Ghidra includes a full-featured, visual disassembler. Moreover, it comes with a built-in decompiler, which provides a C representation of the disassembly. Decompiled output complements disassembly nicely, and this additional perspective can accelerate the malware analysis process. For example, let’s compare some disassembly (Figure 1) with the decompiled code (Figure 2):

Figure 1: Disassembly Example