Ghidra Stuff

I don't really use much Ghidra in my day job; I tend to use a combination of IDA and Binary Ninja. My experience with Ghidra has been limited to CTFs.

I did pick up some tips and tricks when using Ghidra, and I feel like I should document that somewhere.

Custom Highlight

When you select a value in the decompiler, Ghidra does not make it overly clear whether that value is used elsewhere. To enable this highlighting, we have to change the setting to LEFT.

/images/2024-01-19_21-41-57_screenshot.png

IDA Feels

Using this I can make Ghidra feel and behave more like IDA, mainly by replacing the keybindings with the ones I'm used to from IDA.

Ghidra Cheat Sheet

Stolen from https://ghidra-sre.org/CheatSheet.html.

Load Project/Program

| Action | Shortcut | Menu -> Path |
|---|---|---|
| New Project | Ctrl+N | File → New Project |
| Open Project | Ctrl+O | File → Open Project |
| Close Project | Ctrl+W | File → Close Project |
| Save Project | Ctrl+S | File → Save Project |
| Import File | I | File → Import File |
| Export Program | O | File → Export Program |
| Open File System | Ctrl+I | File → Open File System |

Mark up

| Action | Shortcut | Menu -> Path |
|---|---|---|
| Undo | Ctrl+Z | Edit → Undo |
| Redo | Ctrl+Shift+Z | Edit → Redo |
| Save Program | Ctrl+S | File → Save program name |
| Disassemble | D | ❖ → Disassemble |
| Clear Code/Data | C | ❖ → Clear Code Bytes |
| Add Label | L | ❖ → Add Label |
| Edit Label | L | ❖ → Edit Label |
| Rename Function | L | ❖ → Function → Rename Function |
| Remove Label | Del | ❖ → Remove Label |
| Remove Function | Del | ❖ → Function → Delete Function |
| Define Data | T | ❖ → Data → Choose Data Type OR ❖ → Data → type |
| Repeat Define Data | Y | ❖ → Data → Last Used: type |
| Rename Variable | L | ❖ → Rename Variable |
| Retype Variable | Ctrl+L | ❖ → Retype Variable |
| Cycle Integer Types | B | ❖ → Data → Cycle → byte, word, dword, qword |
| Cycle String Types | ' | ❖ → Data → Cycle → char, string, unicode |
| Cycle Float Types | F | ❖ → Data → Cycle → float, double |
| Create Array | `[` | ❖ → Data → Create Array |
| Create Pointer | P | ❖ → Data → pointer |
| Create Structure | Shift+`[` | ❖ → Data → Create Structure |
| New Structure | | ❖ → New → Structure |
| Import C Header | | File → Parse C Source |
| Cross References | | ❖ → References → Show References to context |

Navigation

| Action | Shortcut | Menu -> Path |
|---|---|---|
| Go To | G | Navigation → Go To |
| Back | Alt+← | |
| Forward | Alt+→ | |
| Toggle Direction | Ctrl+Alt+T | Navigation → Toggle Code Unit Search Direction |
| Next Instruction | Ctrl+Alt+I | Navigation → Next Instruction |
| Next Data | Ctrl+Alt+D | Navigation → Next Data |
| Next Undefined | Ctrl+Alt+U | Navigation → Next Undefined |
| Next Label | Ctrl+Alt+L | Navigation → Next Label |
| Next Function | Ctrl+Alt+F OR Ctrl+↓ | Navigation → Next Function |
| Previous Function | Ctrl+↑ | Navigation → Go To Previous Function |
| Next Non-function Instruction | Ctrl+Alt+N | Navigation → Next Instruction Not In a Function |
| Next Different Byte Value | Ctrl+Alt+V | Navigation → Next Different Byte Value |
| Next Bookmark | Ctrl+Alt+B | Navigation → Next Bookmark |

Windows

| Action | Shortcut | Menu -> Path |
|---|---|---|
| Bookmarks | Ctrl+B | Window → Bookmarks |
| Byte Viewer | | Window → Bytes: program name |
| Function Call Trees | | |
| Data Types | | Window → Data Type Manager |
| Decompiler | Ctrl+E | Window → Decompile: function name |
| Function Graph | | Window → Function Graph |
| Script Manager | | Window → Script Manager |
| Memory Map | | Window → Memory Map |
| Register Values | V | Window → Register Manager |
| Symbol Table | | Window → Symbol Table |
| Symbol References | | Window → Symbol References |
| Symbol Tree | | Window → Symbol Tree |

Search

| Action | Shortcut | Menu -> Path |
|---|---|---|
| Search Memory | S | Search → Memory |
| Search Program Text | Ctrl+Shift+E | Search → Program Text |
| Search For … Matching Instructions, Address Tables, Direct References, Instruction Patterns, Scalars, Strings | | Search → For what |

Miscellaneous

| Action | Shortcut | Menu -> Path |
|---|---|---|
| Select | | Select → what |
| Program Differences | 2 | Tools → Program Differences |
| Rerun Script | Ctrl+Shift+R | |
| Assemble | Ctrl+Shift+G | ❖ → Patch Instruction |

Help/Customize/Info

| Action | Shortcut | Menu -> Path |
|---|---|---|
| Ghidra Help | F1 | Help → Contents |
| About Ghidra | | Help → About Ghidra |
| About Program | | Help → About program name |
| Preferences | | Edit → Tool Options |
| Set Key Binding | F4 | |
| Key Bindings | | Edit → Tool Options → |
| Processor Manual | | ❖ → Processor Manual |