Does GHIDRA have a debugger attached for dynamic analysis of application?
Take a look at GDB integration: https://github.com/Comsecuris/gdbghidra – mluis Nov 21 '19 at 00:25
[ret-sync](https://github.com/bootleg/ret-sync) lets you use any debugger you're comfortable with and send the debugger information (like $sp, registers, etc) over to ghidra so you can look at the decompiled code – brother-bilo Feb 25 '21 at 18:21
5 Answers
Edit: As the question is a little unclear there might be a misunderstanding. From my point of view there are 2 possible answers:
GHIDRA does not offer a debugger for other binaries currently. (It is a planned feature)
GHIDRA has a debug mode to debug GHIDRA itself. This debugger is even accessible from the network, as the exposed port is not only locally bound.
Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely.. to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://static.hacker.house/releasez/expl0itz/jdwp-exploit.txt
This is not the kind of debugger the question is referring to. The debugger in your answer is to debug Ghidra itself. The question wants to execute and instrument a target application. – David Mar 07 '19 at 21:28
Thanks for your feedback. I might have gotten the question wrong and updated my response. – Euphrasius von der Hummelwiese Mar 08 '19 at 06:21
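A defender-side check for the launch.sh issue discussed in this answer, added here as an example (it is not Ghidra's own code nor the answer author's): it scans a launcher script for JDWP agent options, reports whether each listener would bind all interfaces, and rewrites such addresses to 127.0.0.1. The sample launcher text and its line layout are constructed assumptions, not the real file.

```python
import re

# Constructed sample in the shape of a JDWP agent line in Ghidra's
# support/launch.sh (an assumed shape, not copied from the real file).
SAMPLE_LAUNCH_SH = """\
#!/usr/bin/env bash
if [ "${MODE}" = "debug" ]; then
    VMARGS="${VMARGS} -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:18001"
fi
"""

# Matches both the legacy -Xrunjdwp: form and the -agentlib:jdwp= form.
JDWP_RE = re.compile(r'(-Xrunjdwp:|-agentlib:jdwp=)([^\s"]+)')
ADDR_RE = re.compile(r'address=([^,\s"]+)')

# Hosts that accept connections from any interface. A bare port (host '')
# binds all interfaces on JDK 8 and loopback only on JDK 9+; it is treated
# as exposed here to stay on the conservative side.
EXPOSED_HOSTS = {"", "*", "0.0.0.0", "::", "[::]"}

def split_addr(addr):
    """'*:18001' -> ('*', '18001'); '18001' -> ('', '18001')."""
    host, _, port = addr.rpartition(":")
    return host, port

def audit(text):
    """Return (line_no, host, port, exposed) for each JDWP listener found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in JDWP_RE.finditer(line):
            for a in ADDR_RE.finditer(m.group(2)):
                host, port = split_addr(a.group(1))
                findings.append((n, host, port, host in EXPOSED_HOSTS))
    return findings

def harden(text):
    """Rewrite every exposed JDWP address so it binds 127.0.0.1 only."""
    def fix_addr(a):
        host, port = split_addr(a.group(1))
        return a.group(0) if host not in EXPOSED_HOSTS else f"address=127.0.0.1:{port}"
    return JDWP_RE.sub(lambda m: m.group(1) + ADDR_RE.sub(fix_addr, m.group(2)), text)

if __name__ == "__main__":
    for n, host, port, exposed in audit(SAMPLE_LAUNCH_SH):
        print(f"line {n}: host={host!r} port={port} {'EXPOSED' if exposed else 'local only'}")
    print(harden(SAMPLE_LAUNCH_SH))
```

Run it against a real launcher script by reading the file into `audit()`; a `netstat`/`ss` check for a listener on 18001 bound to 0.0.0.0 or :: confirms the finding on a running instance.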
From Ghidra 10.0, Ghidra debugger is included in the official release: https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_10.0_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html
From WikiLeaks' "Vault 7: CIA Hacking Tools Revealed", I see Ghidra has a plugin for interaction with OllyDbg ("the Ghidra Debugger") but this OllyDbg plugin has not been released in the Ghidra public release yet. https://wikileaks.org/ciav7p1/cms/page_51183656.html
As of December 17th (2020), it has. See the announcement on Twitter https://twitter.com/NSACyber/status/1339652646513291264 and the debugger branch of Ghidra on GitHub https://github.com/NationalSecurityAgency/ghidra/tree/debugger
Now yes!
From Ghidra 10.0 change history
New Features
- Debugger. Introduced the Debugger, along with GDB and dbgeng.dll connectors for debugging user-mode applications on Linux and Windows, respectively. The UI includes threads, timeline, modules, memory, registers, watches, etc., for examining and controlling debug targets. See Help -> Contents -> What's New for more details. (GP-986)
Ghidra does not have a debugger to date, but can be synchronized with a debugger (e.g., x64dbg) with [ret-sync](https://github.com/bootleg/ret-sync):
ret-sync stands for Reverse-Engineering Tools SYNChronization. It is a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg/OllyDbg2/x64dbg) with a disassembler (IDA/Ghidra/Binary Ninja). The underlying idea is simple: take the best from both worlds (static and dynamic analysis).
In particular:
Debuggers and dynamic analysis provide us with:
- local view, with live dynamic context (registers, memory, etc.)
- built-in specialized features/API (ex: WinDbg's !peb, !drvobj, !address, etc.)
Disassemblers and static analysis provide us with:
- macro view over modules
- code analysis, signatures, types, etc.
- fancy graph view
- decompilation
- persistent storage of knowledge within IDBs/GPRs
Key features:
- synchronize graph and decompilation views with debugger's state
- no need to deal with ASLR, addresses are rebased on-the-fly
- pass data (comment, command output) from debugger to disassembler
- multiple IDBs/GPRs can be synced at the same time allowing to easily trace through multiple modules
- disassembler and debugger can be on different hosts / VMs