Installing NSA’s Ghidra reverse engineering tool on CentOS 7 in 10 minutes.

Today’s topic is how to install NSA’s Ghidra reverse engineering tool on CentOS 7 in 10 minutes. Reverse engineering of malware normally requires software that is priced out of the reach of folks who are trying to get into forensics or incident response; not anymore! NSA released the Ghidra reverse engineering tool at no cost to the end user. This is great news for people wanting to join the ranks of security analysts.

Installation prerequisites

Installing Ghidra is pretty easy; it relies on Java 11.0.2 as its only real dependency. The first order of business is to make sure your machine is updated. You will need root privileges for this:

yum -y update

Then check the current Java version:

java -version

If the installed version is not 11.0.2, or it is only a runtime that does not include the development kit (JDK), it will need to be updated. Visit the following link and grab the rpm for the Java development kit: https://www.oracle.com/technetwork/java/javase/downloads/jdk11-downloads-5066655.html

Perform a local install with the downloaded JDK rpm file by executing the following command as root:

yum localinstall jdk-11.0.2_linux-x64_bin.rpm

Select the new Java with the alternatives command, then run java -version again to confirm that the 11.0.2 build is the one in use:

alternatives --config java

Installing Ghidra

Ghidra is a self-contained installation that you just need to unpack. It does not need to be compiled and will run from any location as long as java is on your PATH. Installing Ghidra is as easy as downloading it and unzipping it in your home directory. Download it from https://ghidra-sre.org/

To unpack it just unzip it like so:

unzip ghidra_9.0_PUBLIC_20190228.zip

Running Ghidra

Running Ghidra is simple: cd into the unpacked directory and execute the ghidraRun script.

./ghidraRun

This will start Ghidra. You will initially be presented with a dialog box and will need to accept the user agreement. Next you will need to create a new project and import some malware for analysis.
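The steps above (check the Java version, make sure the JDK rather than only the JRE is present, download the archive, unpack it) are easy to get wrong in a hurry, and an analysis tool that will open hostile binaries deserves a check that the archive you unpack is the one the project published. The following POSIX shell script is an added example, not part of the original post and not Ghidra's own tooling: it parses the output of java -version, checks for javac, verifies the archive's SHA-256 against a digest you copy by hand from the download page, and only then unzips. The archive name and the digest are placeholders for whatever version you downloaded.

```shell
#!/bin/sh
# Added pre-flight script (example, not from the original post or the Ghidra project).
# Assumptions: the expected SHA-256 is copied by hand from the Ghidra download page,
# and the zip file name is whatever version you actually downloaded.

# Print the major Java version found in `java -version` output read from stdin.
# Handles both the old "1.8.0_xx" scheme (major is the second field) and the
# new "11.0.2" scheme (major is the first field).
java_major_version() {
    # First line looks like:  java version "11.0.2" 2019-01-15 LTS
    #                    or:  openjdk version "1.8.0_201"
    ver=$(sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) echo "$ver" | cut -d. -f2 ;;
        *)   echo "$ver" | cut -d. -f1 ;;
    esac
}

# Return 0 when the file's SHA-256 matches the expected digest, 1 otherwise.
# Uses sha256sum (coreutils) and falls back to shasum on systems without it.
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Return 0 when the JDK (not only the JRE) is installed: javac must be on PATH.
jdk_present() {
    command -v javac >/dev/null 2>&1
}

# Run every check and unpack into $HOME only if all of them pass.
# Usage: ghidra_preflight ghidra_9.0_PUBLIC_20190228.zip <sha256-from-download-page>
ghidra_preflight() {
    zip=$1; expected=$2
    major=$(java -version 2>&1 | java_major_version)
    if [ -z "$major" ] || [ "$major" -lt 11 ]; then
        echo "need Java 11, found major version '${major:-none}'" >&2
        return 1
    fi
    jdk_present || { echo "javac not found: install the JDK, not only the JRE" >&2; return 1; }
    verify_sha256 "$zip" "$expected" || { echo "SHA-256 mismatch for $zip, refusing to unpack" >&2; return 1; }
    unzip -q "$zip" -d "$HOME"
}

# Stand-alone entry point: ./ghidra_preflight.sh <zip> <expected-sha256>
if [ "$#" -eq 2 ]; then
    ghidra_preflight "$1" "$2"
fi
```

The version parser is deliberately tolerant of both numbering schemes because a CentOS 7 box that has never had Oracle Java installed usually reports an OpenJDK 1.8.0 build, which is exactly the case where the install must stop. Keep the digest comparison: a mismatch almost always means a truncated download, but it is also the only signal you get if the archive was swapped in transit.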

Screenshot of NSA’s Ghidra code browser and function graph during the analysis of sample malware.
