
Reverse Engineering Embedded ARM with Ghidra


  • Reverse Engineering Embedded ARM with Ghidra

    Friday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
    Audience: Offense, Defense, AppSec, Mobile, Hardware
    Speaker: Max Compston

    The ARM processor is the most prevalent processor in the world. ARM devices encompass mobile phones, network devices and appliances, and devices comprising what is now called the Internet of Things. Before April 2019, the only professional tool available for Reverse Engineering ARM processors was IDA Pro. With the release of Ghidra by the National Security Agency (NSA) to the Open Source Community this April, a professional grade Reverse Engineering tool is now available for ARM. This Demo Lab setup will include a Linux Host Laptop running Ubuntu Linux. The target system is an embedded Raspberry Pi ARM v8a running Ubuntu Linux Core. This demonstration will consist of static Reverse Engineering of a demonstration Banking Application daemon using Ghidra. Static analysis of the fictitious application with this tool should reveal areas prone to PLT/GOT infection. This analysis will focus on shared libraries prone to infection. Next, an Injection / Hook program will perform Linux PTRACE Injection / Function Hooking on the Banking Application. The function hooking is based upon the results from the Ghidra analysis performed earlier. The hook function will send the user data back to our host using a method unknown to the developer of the Banking Application.

    Max Compston
    Max Compston is the Principal Software Engineer with Embedded Software Solutions. He has 30+ years of embedded software development experience. He has worked for 20+ years as a government defense contractor developing embedded systems. He has worked 10+ years in the commercial sector on mobile devices, network devices, network access points and IPTV set-tops. Max has a love of the outdoors. He plays tennis, hikes, bikes and is always training for his next triathlon. He has an undergraduate education in Computer Science with graduate work in Computer Security and Info Assurance.
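The abstract above says the static analysis identifies shared-library imports that are prone to PLT/GOT infection. From the defender's side, the runtime symptom of a hooked import is a GOT slot that no longer points into a file-backed executable mapping (the library's text, or the binary's own PLT stub while lazy binding is still pending) but into anonymous or non-executable memory. The following Python is an added illustration of that integrity check; it is not code from the lab or its author. It parses text in the format of `/proc/<pid>/maps` and classifies each GOT entry by the mapping it lands in. The maps text, library paths, symbol names and addresses below are constructed sample data, not taken from the lab, and the `bankd` binary path is a placeholder.

```python
"""GOT integrity check against a process memory map (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of /proc/<pid>/maps for an AArch64 process.
# The last mapping is an anonymous rwx region, the kind of place injected code ends up.
MAPS_SAMPLE = """\
aaaad2e50000-aaaad2e51000 r-xp 00000000 b3:02 1234 /opt/bank/bankd
aaaad2e60000-aaaad2e61000 r--p 00000000 b3:02 1234 /opt/bank/bankd
aaaad2e61000-aaaad2e62000 rw-p 00001000 b3:02 1234 /opt/bank/bankd
aaaae1f00000-aaaae1f21000 rw-p 00000000 00:00 0 [heap]
ffff8a000000-ffff8a160000 r-xp 00000000 b3:02 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a160000-ffff8a170000 r--p 00150000 b3:02 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a170000-ffff8a175000 rw-p 00160000 b3:02 5678 /lib/aarch64-linux-gnu/libc.so.6
ffff8a200000-ffff8a201000 rwxp 00000000 00:00 0
ffffd0000000-ffffd0021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed GOT contents: import name -> address currently stored in its slot.
GOT_SAMPLE: Dict[str, int] = {
    "read": 0xFFFF8A0C0000,    # inside libc text: expected
    "printf": 0xAAAAD2E50600,  # inside bankd text (lazy-binding PLT stub): expected
    "write": 0xFFFF8A200040,   # inside the anonymous rwx region: suspicious
    "strcpy": 0xAAAAE1F00100,  # inside [heap], not even executable: suspicious
}


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "r-xp"
    path: str   # "" for anonymous memory, "[heap]"/"[stack]" for kernel pseudo-paths


# start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps-style text into Mapping records."""
    mappings: List[Mapping] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4).strip()))
    return mappings


def find_mapping(addr: int, mappings: List[Mapping]) -> Optional[Mapping]:
    """Return the mapping containing addr, or None if addr is unmapped."""
    for mp in mappings:
        if mp.start <= addr < mp.end:
            return mp
    return None


def classify_got_entry(addr: int, mappings: List[Mapping]) -> str:
    """Classify where a GOT slot points: 'ok' only for file-backed executable memory."""
    mp = find_mapping(addr, mappings)
    if mp is None:
        return "unmapped"
    if "x" not in mp.perms:
        return "non-executable"
    if not mp.path or mp.path.startswith("["):
        return "anonymous-executable"
    return "ok"


def check_got(got: Dict[str, int], mappings: List[Mapping]) -> List[Tuple[str, int, str]]:
    """Return (symbol, address, verdict) for every GOT entry that is not 'ok'."""
    findings = []
    for sym, addr in got.items():
        verdict = classify_got_entry(addr, mappings)
        if verdict != "ok":
            findings.append((sym, addr, verdict))
    return findings


if __name__ == "__main__":
    for sym, addr, verdict in check_got(GOT_SAMPLE, parse_maps(MAPS_SAMPLE)):
        print(f"{sym:8s} -> {addr:#014x}  {verdict}")
```

On a live system the same check would read `/proc/<pid>/maps` and the GOT from the process's writable data segment (via `/proc/<pid>/mem` or a ptrace-based reader); the classification logic is unchanged. A slot pointing into the binary's own text is accepted because lazy binding leaves unresolved slots pointing at PLT stubs, so a stricter version would also compare resolved slots against the addresses the dynamic linker would compute from the library's symbol table.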

  • #2
    This Demo Lab will illustrate how to use Ghidra to Reverse Engineer a fictitious Banking Application daemon. Next, the demonstration will show how to use the results from this Ghidra analysis to run an application on the target that will use Linux Process Tracing (PTRACE) to inject into the Banking Application and hijack the fictitious user data as he enters his banking information in real-time. His data will be forwarded to our remote laptop for our pretend malicious intent.

    Below, please find links to all the resources used in this Demo Lab.

    # Hardware

    Target ARM v8a Raspberry Pi, URL below:

    # Software

    Link to Ghidra Reverse Engineering Tool, URL below:

    Ubuntu Linux Core for Raspberry Pi 3

    # Source Code

    Fictitious Banking Application Source Code, URL below:

    Injection and Hook Sources for Ubuntu Linux 18.04 x86-64 and ARM64


    • #3
      Hi! It's been a great lab. Where can I find the lab's slides? Thanks in advance.


      • #4
        Below, please find a link to my slides from the Demo Lab.

        # Presentation Slides

        Def Con Demo Lab Slides, URL below: