Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments

In this entry in my series, I'll look at a few more of the features I regularly use in IDA and how to accomplish the same in Ghidra.

The first one is simple conversion. In this case, hex to ASCII characters (classic stack strings stuff that we cover in Day 5 of FOR610). I miss IDA's 'R' key mapping, but that is currently taken by View/Edit References From. You can change that or create your own key mapping, Ctrl-Alt-R isn't currently taken, so that's what I use. Just like in IDA, you can right-click on the value, but then you have to choose Convert and then Char from the submenu.

Another of the features I use regularly, is renaming arguments, variables, and functions as I begin to figure out their purposes. In IDA, this is the 'N' key, in Ghidra, it is the 'L' key for Label. It works exactly like in IDA. In the screenshot below, you'll see it in the right-click menu.

And below is the actual dialog to do the renaming.

And, the last functionality I want to cover in this post is comments. There are 4 (well, 5) types of comments that you can create with Ghidra. Pre-comments which will appear above the instruction where you place it, post-comments which appear below, EOL (and repeatable) comments at the end of the line, and Plate comments, which change the generic "Function" comment at the top of the function. I actually like some of the additions, especially the plate comment which can be used to fill in info on what I've discovered about the functionality of the function in question.

And here are examples of each

I've got at least one more post in this series, probably next week. As with the others, if you have any tips, comments, corrections, etc. let me know via our contact page, e-mail, or via the comments below. Until next time,...

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Live Online Europe February 2022 Volume 1


423 Posts
ISC Handler
May 3rd 2019

Sign Up for Free or Log In to start participating in the conversation!