Why this module exists. When static and dynamic analysis are not enough — the sample is too novel, the obfuscation is too thick, or you need to understand exactly what an algorithm does — disassembly is the answer. Ghidra is free, capable, and the industry default now that IDA Pro’s pricing has shifted to subscription-only. This module is the structured workflow for productive use, not a button tour.
The workflow — six steps from binary to understanding
- Import. Ghidra auto-detects PE/ELF/Mach-O format and architecture. Accept defaults; analyse fully.
- Triage the function list. Symbol Tree → Functions. Sort by size. The largest functions are usually the interesting business logic; the smallest are CRT scaffolding.
- Identify the entry point and main. For C/C++ binaries, the real entry point is wrapped by CRT init; main, WinMain, or DllMain is where user logic starts.
- Read the decompilation. Right-click any function → Decompile. Ghidra’s decompiler produces readable pseudo-C. Rename variables and functions as you understand them.
- Cross-reference (XREF). Right-click any symbol → References → Show References. Critical for following control flow and data flow.
- Annotate. As you understand things, rename functions to meaningful names. The next analyst (often future-you) inherits whatever you leave behind.
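The six steps above, scripted in Ghidra's own Java API as an added example (not code from the original module or from the Ghidra project): it sorts functions by size, finds main/WinMain/DllMain, walks the references to that entry, and renames an auto-named (FUN_...) caller. It assumes the binary still carries those symbol names; the rename pattern crt_init_calls_<entry> is a constructed convention for this example.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.SourceType;
import java.util.ArrayList;
import java.util.List;

// Drop into your ghidra_scripts directory and run from the Script Manager, or headless:
//   analyzeHeadless <project_dir> <project_name> -import <binary> -postScript TriageFunctions.java
public class TriageFunctions extends GhidraScript {
    // Names where user logic starts once CRT init has run (step 3 of the workflow).
    private static final String[] USER_ENTRY = {"main", "_main", "WinMain", "DllMain"};

    @Override
    public void run() throws Exception {
        // Step 2: collect every function and sort by body size, largest first.
        List<Function> funcs = new ArrayList<>();
        FunctionIterator it = currentProgram.getFunctionManager().getFunctions(true);
        while (it.hasNext()) {
            funcs.add(it.next());
        }
        funcs.sort((a, b) -> Long.compare(b.getBody().getNumAddresses(),
                                          a.getBody().getNumAddresses()));
        println("Largest functions (candidate business logic):");
        for (int i = 0; i < Math.min(10, funcs.size()); i++) {
            Function f = funcs.get(i);
            println(String.format("  %-32s %7d bytes  @ %s",
                    f.getName(), f.getBody().getNumAddresses(), f.getEntryPoint()));
        }

        // Step 3: locate the user entry point; step 5: list every reference to it (XREFs).
        for (String name : USER_ENTRY) {
            for (Function entry : getGlobalFunctions(name)) {
                println("User entry: " + entry.getName() + " @ " + entry.getEntryPoint());
                for (Reference ref : getReferencesTo(entry.getEntryPoint())) {
                    Function caller = getFunctionContaining(ref.getFromAddress());
                    String callerName = (caller == null) ? "<no function>" : caller.getName();
                    println("  XREF from " + ref.getFromAddress() + " in " + callerName);
                    // Step 6: annotate. The function calling main is CRT start-up code; if Ghidra
                    // left it auto-named (FUN_...), give it a meaningful, user-sourced name.
                    if (caller != null && caller.getName().startsWith("FUN_")) {
                        caller.setName("crt_init_calls_" + name, SourceType.USER_DEFINED);
                        println("  renamed caller to " + caller.getName());
                    }
                }
            }
        }
    }
}
```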