The NSA’s Research Directorate recently announced the release of Ghidra 11.3, the latest version of its open-source software reverse engineering framework. This new version offers advanced analysis tools that allow users to dissect and examine compiled code across various platforms, including Windows, macOS, and Linux.
One of the key features of Ghidra 11.3 is its backward compatibility with project data from previous versions. However, it is important to note that programs and data type archives created or modified in 11.3 will not be compatible with earlier versions of Ghidra.
In this update, Ghidra introduces a new integration with Visual Studio Code. The VSCodeProjectScript.java GhidraScript from version 11.2 has been replaced with two new actions in the CodeBrowser tool. The first action, “Create VSCode Module Project,” sets up a Visual Studio Code project folder with a skeleton module for Ghidra extension development. The second action, “Edit Script with Visual Studio Code,” allows users to open a selected script in a VS Code workspace created automatically in Ghidra’s user settings directory.
Additionally, the PyGhidra Python library has been enhanced in Ghidra 11.3. Originally developed by the Department of Defense Cyber Crime Center (DC3) as Pyhidra, this library now offers direct access to the Ghidra API within a native CPython 3 interpreter via JPype. It provides tools for setting up analysis on a given sample and executing Ghidra scripts locally, along with a Ghidra plugin that integrates CPython 3 support into the Ghidra GUI.
Another notable feature of Ghidra 11.3 is the introduction of a just-in-time (JIT) accelerated p-code emulator. This emulator is designed to enhance performance for dynamic analysis, offering a faster way to analyze and execute code. While this feature is still in its early stages, it provides advanced users with a valuable tool for efficiency in their reverse engineering processes.
The debugger infrastructure in Ghidra has also been streamlined in this release. Legacy launchers and connectors have been removed and replaced with new implementations, improving the overall debugging experience. Additionally, Ghidra now offers enhanced kernel-level debugging capabilities, including support for macOS kernel debugging and Windows kernel debugging in a virtual machine.
The Function Graph in Ghidra 11.3 has been updated to provide several enhancements for code navigation and visualization. A new “Flow Chart” layout option improves the organization of function structures, while customizable satellite view positions offer a more flexible workspace for users. A new shortcut for toggling between the Listing View and the Function Graph provides a smoother workflow for reverse engineering tasks.
Source code mapping has also been improved in this release, allowing for integration of source file and line information using a Program’s SourceFileManager. Users can now add source information programmatically and view it in the “Source Map” Listing Field or through the SourceFilesTablePlugin. The ability to open source files at the correct line in Eclipse or Visual Studio Code has been enhanced, offering a more seamless workflow for debugging and reverse engineering tasks.
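The two capabilities above (scripting Ghidra from CPython through PyGhidra, and adding source line information through a Program's SourceFileManager) can be combined in one headless script. The following is an added example written for this page, not code from the Ghidra project or the article. It assumes a Ghidra 11.3 install reachable via the GHIDRA_INSTALL_DIR environment variable, the pyghidra package (with its open_program context manager), and the 11.3 SourceFileManager methods addSourceFile() and addSourceMapEntry(sourceFile, line, baseAddress, length); the binary path, the source path and the line-table text are constructed placeholders, and the parser for that text is this example's own, not a Ghidra API.

```python
"""Added example (not Ghidra project code): open a binary with PyGhidra and attach
constructed source line information via the program's SourceFileManager.

Assumptions: Ghidra 11.3 located through GHIDRA_INSTALL_DIR, the pyghidra package,
and the SourceFileManager.addSourceFile / addSourceMapEntry methods of 11.3.
"""
import re
from dataclasses import dataclass

# Constructed sample in a made-up "address length line" text format, roughly what a
# compiler line-table dump might look like. Not the output of any real tool.
SAMPLE_LINE_TABLE = """\
# address  length  line
0x00401000 0x12 10
0x00401012 0x08 11
0x0040101a 0x20 14
bogus row that the parser must skip
0x0040103a 0x00 15
"""


@dataclass(frozen=True)
class LineEntry:
    address: int
    length: int
    line: int


_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\d+)\s*$")


def parse_line_table(text: str) -> list[LineEntry]:
    """Parse the constructed table, skipping comments, malformed rows and
    zero-length rows (design choice: only ranges that cover bytes are mapped)."""
    entries = []
    for raw in text.splitlines():
        row = raw.strip()
        if not row or row.startswith("#"):
            continue
        m = _ROW.match(row)
        if not m:
            continue
        address, length, line = int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))
        if length == 0:
            continue
        entries.append(LineEntry(address, length, line))
    return entries


def apply_source_map(binary_path: str, source_path: str, text: str) -> int:
    """Open binary_path headlessly, register source_path as a SourceFile and add one
    source map entry per parsed row. Returns the number of entries added."""
    import pyghidra  # imported lazily so parse_line_table() runs without Ghidra installed

    pyghidra.start()  # finds Ghidra via GHIDRA_INSTALL_DIR and starts the JVM (JPype)
    from ghidra.program.model.sourcemap import SourceFile  # assumed 11.3 class

    entries = parse_line_table(text)
    with pyghidra.open_program(binary_path, analyze=False) as flat_api:
        program = flat_api.getCurrentProgram()
        manager = program.getSourceFileManager()
        source_file = SourceFile(source_path)  # assumed: absolute, normalized path
        flat_api.start()  # database writes must happen inside a transaction
        try:
            manager.addSourceFile(source_file)
            for e in entries:
                manager.addSourceMapEntry(
                    source_file, e.line, flat_api.toAddr(e.address), e.length
                )
            flat_api.end(True)  # commit
        except Exception:
            flat_api.end(False)  # roll back on any failure
            raise
    return len(entries)


if __name__ == "__main__":
    # Placeholder paths; replace with a real binary and its source file.
    n = apply_source_map("/path/to/sample.bin", "/path/to/sample.c", SAMPLE_LINE_TABLE)
    print(f"added {n} source map entries")
```

After the script commits, the mapped lines appear in the CodeBrowser's "Source Map" Listing field and in the SourceFilesTablePlugin for the saved program; the parser deliberately drops malformed and zero-length rows so that a corrupt line table cannot create empty or mis-sized ranges.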
Furthermore, Ghidra 11.3 includes enhancements to processor support, string translation capabilities, and text search functionalities. The update enhances x86 AVX-512 support, corrects ARM VFPv2 instruction handling issues, and introduces a new LibreTranslate option for string translation. Full-text search across decompiled functions is now available, providing users with a more comprehensive code analysis tool.
Overall, Ghidra 11.3 offers a range of new features and improvements to enhance the reverse engineering experience for users. The release is available on GitHub for download and further exploration.