NSA Releases Ghidra 11.3 - Software Reverse Engineering Tool

The U.S. National Security Agency (NSA) Research Directorate has released version 11.3 of Ghidra, an open-source software reverse engineering (SRE) framework. This version introduces several enhancements and new features, providing advanced analysis tools for dissecting compiled code across Windows, macOS, and Linux.

Ghidra is a free and open-source reverse engineering tool developed by the NSA. Its binaries were released at the RSA Conference in March 2019, followed by the source code publication on GitHub a month later. Many security researchers consider Ghidra a competitor to IDA Pro.

The software is primarily written in Java, utilizing the Swing framework for its graphical user interface (GUI). Its decompiler, written in C++, can also function independently. Ghidra supports scripting for automated analysis in Java and Python (via Jython), with extensibility for additional programming languages through community-developed plugins. Developers can further enhance Ghidra by creating plugins using a Java-based extension framework.

Brief History

Ghidra's existence was first revealed in March 2017 through the Vault 7 leaks. However, the software itself remained classified until its official release two years later. Comments within its source code suggest that Ghidra has been in development since at least 1999.

High-level changelog

Ghidra 11.3 - What's New?

11.3 Compatibility

Ghidra 11.3 remains fully backward compatible with project data from previous versions. However, programs and data type archives created or modified in this version will not be compatible with earlier versions of Ghidra.

Visual Studio Code Integration

Ghidra 11.3 enhances support for Visual Studio Code by replacing the VSCodeProjectScript.java GhidraScript (introduced in version 11.2) with two new actions in the CodeBrowser tool:

  • Create VSCode Module Project - Sets up a VS Code project folder with a skeleton module for Ghidra extension development, including launchers for debugging and a Gradle task for exporting as a Ghidra extension.
  • Edit Script with Visual Studio Code - Opens a selected script in a VS Code workspace automatically created in Ghidra’s user settings directory. This provides a modern alternative to Eclipse, featuring autocomplete and navigation.

Ghidra attempts to locate your VS Code installation automatically. If needed, you can configure it via: Edit → Tool Options → Visual Studio Code Integration.

PyGhidra: Python Integration

The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center (DC3) as Pyhidra, enables direct access to the Ghidra API within a native CPython 3 interpreter via JPype. It allows users to:

  • Set up analysis on a given sample
  • Execute Ghidra scripts locally
  • Integrate CPython 3 support directly into the Ghidra GUI via a built-in Ghidra plugin
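The workflow just listed, opening a sample, letting Ghidra auto-analyze it and then scripting over the result from CPython, looks like the following. This is an added example, not code from the Ghidra or PyGhidra projects; it assumes PyGhidra is installed and that the GHIDRA_INSTALL_DIR environment variable points at a Ghidra 11.3 install. The `pyghidra.open_program` call and the `FunctionManager`/`Function` API calls are the real ones; the watch list of risky C routines and the sample call graph in the comments are constructed for the example.

```python
"""Triage a sample with PyGhidra: open it, let Ghidra analyze it, and report
which functions call a watch-list of risky C library routines.

Added example, not Ghidra's or PyGhidra's own code. Assumes PyGhidra is
installed (pip install pyghidra) and GHIDRA_INSTALL_DIR is set.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed watch list: routines worth a second look during triage.
RISKY_CALLEES = frozenset({"strcpy", "strcat", "sprintf", "gets", "system", "popen"})


def risky_callers(edges: Iterable[Tuple[str, str]],
                  watch: frozenset = RISKY_CALLEES) -> Dict[str, List[str]]:
    """Given (caller, callee) call-graph edges, map each caller that reaches a
    watched routine to the sorted list of watched routines it calls.
    Pure function, so it can be exercised without a Ghidra install."""
    hits: Dict[str, set] = defaultdict(set)
    for caller, callee in edges:
        # Imports often show up with a leading underscore (e.g. "_strcpy"); normalise.
        name = callee.lstrip("_")
        if name in watch:
            hits[caller].add(name)
    return {caller: sorted(names) for caller, names in sorted(hits.items())}


def call_graph_edges(program, monitor) -> List[Tuple[str, str]]:
    """Walk every function in an analyzed Ghidra Program and collect
    (caller, callee) name pairs via FunctionManager.getFunctions(True)
    and Function.getCalledFunctions(TaskMonitor)."""
    edges = []
    for func in program.getFunctionManager().getFunctions(True):
        for callee in func.getCalledFunctions(monitor):
            edges.append((func.getName(), callee.getName()))
    return edges


def triage(sample_path: str) -> Dict[str, List[str]]:
    """Open and analyze a sample with PyGhidra, then run the risky-caller check."""
    import pyghidra  # imported lazily so the pure helper runs without Ghidra present
    pyghidra.start()  # launches the JVM via JPype using GHIDRA_INSTALL_DIR
    # open_program(analyze=True) creates a project for the sample and runs auto-analysis;
    # the context manager yields a FlatProgramAPI bound to that program.
    with pyghidra.open_program(sample_path, analyze=True) as flat_api:
        program = flat_api.getCurrentProgram()
        return risky_callers(call_graph_edges(program, flat_api.getMonitor()))


if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/sample  (run inside your analysis VM)
    for caller, callees in triage(sys.argv[1]).items():
        print(f"{caller}: {', '.join(callees)}")
```

The call-graph walk and the filtering are kept separate on purpose: `risky_callers` is plain Python over `(caller, callee)` tuples, so the triage rule can be tested and tuned on its own, while `triage` is the only part that needs a live Ghidra instance.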

JIT-Accelerated Emulator

Ghidra 11.3 introduces a just-in-time (JIT) accelerated p-code emulator, improving performance for dynamic analysis. While not yet integrated into the UI, the JitPcodeEmulator is available for scripting and plugin development, acting as a near drop-in replacement for the PcodeEmulator.

This update improves emulation speed, but the JIT emulator is still at an early stage, so developers should expect bugs. The Javadoc documents its usage and integration.

Debugger Enhancements

The debugging infrastructure in Ghidra 11.3 has been streamlined, with the removal of legacy IN-VM and GADP launchers and connectors. These have been replaced with TraceRmi-based implementations, leading to a cleaner and more efficient API.

Additionally, the update enhances kernel-level debugging:

  • macOS kernel debugging is now supported via Ghidra’s lldb connector.
  • Windows kernel debugging is enabled through the dbgeng connector, which supports VM debugging via eXDI.

Function Graph Improvements

New updates enhance Function Graph navigation and visualization:

  • Flow Chart Layout – Provides an alternative method for analyzing function control flow.
  • Customizable Satellite View Position – Allows users to adjust the mini-map for better usability.
  • Quick View Toggle – A new shortcut (Ctrl + Space) lets users switch between the Listing View and Function Graph, with options to start fully zoomed in or out.

Source File Information

Ghidra 11.3 improves source code mapping by allowing integration of source file and line information using a Program’s SourceFileManager.

Enhancements include:

  • Automatic source data recording in DWARF, PDB, and Go analyzers
  • Manual source file addition via scripts in the SourceMapping script category
  • Source Map Listing Field – Displays integrated source file information
  • SourceFilesTablePlugin – Lets users modify stored source file paths before launching them in Eclipse or VS Code

A new “View Source…” action enables users to open source files at the correct line in Eclipse or VS Code.

Processor Enhancements

Ghidra 11.3 includes improvements to processor support:

  • x86 AVX-512 Support – Implements EVEX instruction write and read masking for better accuracy.
  • TI_MSP430 Decompilation – Enhances processor compiler specifications for improved analysis.
  • ARM VFPv2 Fixes – Resolves prior disassembly issues in ARM processors.

String Translation & Text Search

New features enhance text analysis and search capabilities:

  • LibreTranslate Support – A new self-hosted translation option for increased privacy. (Disabled by default; enable via File → Configure)
  • Full-Text Search – Users can now search across all decompiled functions, dynamically incorporating the latest decompilation results (Search → Decompiled Text…).

Disclaimer:

Ghidra should only be used in a sandboxed environment, such as a virtual machine designed for analyzing malware; do not attempt to analyze malware on your host operating system.

Download Ghidra 11.3 on GitHub Here




Niklas Birkved
| IT-Administrator |
2 weeks

Interesting.

OK Boštjan Dolinšek

I would still prefer IDA Pro. Ghidra chokes on larger binaries, and IDA has more plugins to work with.

Janie Schropfer
Hacker intelligence system
3 weeks

I haven't got a chance to use it yet; kinda sounds fishy to me.

Timo Meng
Software Developer / Electrical Technician
3 weeks
