Ghidra was originally developed by the National Security Agency as a reverse engineering framework, similar to IDA Pro. It was publicly released in 2019 and is now FOSS. It already ships with many processor specifications, but the list is not exhaustive. Thus, a new processor module had to be implemented for my particular needs.
Having recently had the opportunity to guide an intern through the process of adding an ISA, as well as having done it myself, I plan on breaking down all of the steps of implementing an ISA in Ghidra. First of all, while other binary analysis tools are out there, Ghidra is free, and some of us prefer to use more accessible tools. Ghidra is available at https://github.com/NationalSecurityAgency/ghidra.
In addition to installing Ghidra, the architecture modifications will likely require the SLEIGH compiler, which is included in the base Ghidra distribution on GitHub. The package also includes documentation of Ghidra's processor-specification DSL, called SLEIGH, as well as training material on how to use Ghidra. Two plugins for the Eclipse IDE ship with the base Ghidra package; one of them, the GhidraSleighEditor, is particularly helpful. It can be found in <GhidraInstallDirectory>/Extensions/Eclipse/GhidraDev/. Note that, as mentioned in the Ghidra docs, the extensions only work with Eclipse IDE for Java and DSL Developers. The SLEIGH Editor catches many errors before compilation or runtime, which significantly reduces troubleshooting time.
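To give a feel for what the SLEIGH compiler consumes, here is a minimal specification for a made-up 16-bit architecture. This is an added illustration, not code from the post and not a real Ghidra processor module: the architecture, its register names, opcode values and field layout are all constructed for the example. A real module pairs a file like this (.slaspec) with .pspec, .cspec and .ldefs files and is compiled with the sleigh script in the support directory of the Ghidra installation.

```sleigh
# Toy 16-bit ISA, constructed for this example; not a real architecture.
define endian=little;
define alignment=2;

# Address spaces: a 16-bit RAM space for code and data, plus the register file.
define space ram      type=ram_space      size=2 default;
define space register type=register_space size=1;

# Four 8-bit general-purpose registers and a 16-bit program counter.
# (The accompanying .pspec would name pc as the program counter.)
define register offset=0x00 size=1 [ r0 r1 r2 r3 ];
define register offset=0x10 size=2 [ pc ];

# Every instruction is a single 16-bit token; bit ranges are (low,high).
define token instr (16)
    op   = (12,15)
    rd   = (8,11)
    rs   = (4,7)
    imm4 = (0,3)
;

# Map the 4-bit rd/rs fields onto registers; '_' marks unused encodings.
attach variables [ rd rs ] [ r0 r1 r2 r3 _ _ _ _ _ _ _ _ _ _ _ _ ];

# Constructors: display syntax left of 'is', the bit pattern after it,
# and the p-code semantics in braces.
:add rd, rs   is op=0x1 & rd & rs   { rd = rd + rs; }
:sub rd, rs   is op=0x2 & rd & rs   { rd = rd - rs; }
:ldi rd, imm4 is op=0x3 & rd & imm4 { rd = imm4; }
:nop          is op=0x0 & rd=0 & rs=0 & imm4=0 { }
```

The three parts of each constructor line are what you spend most of your time on when extending an ISA: the display string drives the disassembly listing, the pattern must be unambiguous against every other constructor (the compiler reports overlaps), and the p-code body is what the decompiler actually reasons about, so an instruction with an empty or wrong body silently produces wrong decompilation rather than an error.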
To extend an ISA in Ghidra one must become extremely familiar with the instruction set. For some architectures, the documentation leaves much to be desired. (ARM is still the exception with their fantastic, verifiable documentation.) Fully understanding the documentation for an architecture requires many read-throughs and often filling in gaps or correcting typos and misprints. It's an unfortunate truth. Once the particulars of the specific architecture are understood, one can move on to working with Ghidra. I often keep all ISA docs open throughout the Ghidra extending process.