Malware Analysis - Ghidra vs Cutter vs Binary Ninja vs IDA Free

  • Published 7 Feb 2025
  • This video has a newer, updated version here: • IDA vs Binary Ninja vs...
    I tried three free disassemblers and decompilers and a paid one, namely IDA Free, Ghidra, Cutter and Binary Ninja. Which one is the best? Which one should I use for future videos?
    My malware analysis course for beginners: www.udemy.com/...
    Buy me a coffee: ko-fi.com/stru...
    Follow me on Twitter: / struppigel
    Sample: bazaar.abuse.c...

COMMENTS •

  • @RingZeroLabs
    @RingZeroLabs 2 years ago +19

    In interviews I offer people their choice of Binary Ninja, Ghidra, IDA Free, and Cutter. For the past couple of years the vast majority of people have picked Ghidra as their disassembler/decompiler of choice during the interview. If you want to reach the majority of users I would recommend going with Ghidra, even though I personally do not like Ghidra and I prefer IDA for my daily reversing activities.

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago +6

      Thank you for this insight. It reflects also in the poll results from Twitter and Mastodon. Ghidra was on top.

    • @ardwetha
      @ardwetha 1 year ago +3

      But IDA costs. Ghidra doesn't.

  • @OALABS
    @OALABS 2 years ago +8

    This is an awesome breakdown! Would love to see an advanced breakdown that is specific to different languages and challenges, C++ with STL, GoLang, obfuscation, etc.

  • @d3f4rm
    @d3f4rm 2 years ago +14

    Great video! I've had a lot of thoughts on these:
    Binary Ninja is sometimes really good and the flow of the cross references is really nice, but it fails often to recognize referenced strings and struggles with readability because it's always showing data types by variables.
    Cutter is consistently getting better and honestly has impressed me lately. One nice feature is the ESIL emulation. You can emulate small functions when you're unsure how data is manipulated and set the registers how you want. However you can't re-type functions and rename variables in the decompiler (seems like the fix should not be far off but who knows).
    Ghidra is as we all know a pain and a shit UI. Graph mode also basically doesn't exist which is sad. But the scripting engine is really powerful and once you get a handle on it, the decompiler engine responds really well to your edits, and you end up with very intuitive output. Unfortunately it's missing a ton of Windows types and structs, but you can pull these from headers and import them into the data type manager. Well worth the time if you use Ghidra for work.
    IDA Free is alright for triage, and it's nice they let you decompile x64 with the cloud decompiler, but you'll quickly hit a wall given that you can't script on encrypted strings.
    Personally, although I've had IDA Pro paid for by work, I hate being dependent on it. Working on converting fully to Ghidra while I wait for Cutter to catch up.

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago +1

      Thank you for sharing your insights on the decompilers/disassemblers. It is certainly a good idea to check in on Cutter and also on Binary Ninja from time to time as I assume they will improve a great deal in the future.

    • @deckard5pegasus673
      @deckard5pegasus673 1 year ago

      Agreed, use Ghidra, while waiting for Cutter to get better.

  • @c3rb3ru5d3d53c
    @c3rb3ru5d3d53c 2 years ago +4

    To answer a use case for the IL levels in Binary Ninja, you can use different ILs to help you deobfuscate code. I did see lifting IL there, which could be like LLVM lifting. I'd have to play around with it, but that's what I think the use case might be. Aside from the user use case, their decompiler probably exposes this as part of the process they use to decompile.

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago +2

      Thank you for the explanation!

    • @ryansmith2747
      @ryansmith2747 1 year ago

      You can do more than just deobfuscation with the ILs. Personally I've done config extractions + stack string recovery. You can even use the ILs to write an emulator similar to the Unicorn framework.

  • @MalwareAnalysisForHedgehogs
    @MalwareAnalysisForHedgehogs 2 years ago +4

    This video has a newer, updated version here: ua-cam.com/video/k2gzFV2-czc/v-deo.html
    I tried three free disassemblers and decompilers and a paid one, namely IDA Free, Ghidra, Cutter and Binary Ninja. Which one is the best? Which one should I use for future videos?
    Buy me a coffee: ko-fi.com/struppigel
    Follow me on Twitter: twitter.com/struppigel
    Or Mastodon: struppigel@infosec.exchange
    Sample: bazaar.abuse.ch/sample/baa1df04894900ceb57857eaf5d906384d7c4fe8bf0e67db152cc19fd710c70d/

  • @kigf4785
    @kigf4785 2 years ago +2

    I use Binary Ninja and IDA Free, kind of want to try Ghidra, but I did not like the interface that much, might need some configuration.
    Binary Ninja is indeed not free, but for the 299 or so it is cheaper than IDA home and renewal is a lot cheaper compared to that.

  • @XJacksonvilleX
    @XJacksonvilleX 1 year ago +1

    Why do you go from the bottom to the top in the entry point to find the main function? How and where did you learn this?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 1 year ago

      Because the return value or in this case the value pushed to the exit call is at the bottom. That value is set by main, so by following where it is set, I know where main is. I don't know anymore where I learnt this.
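
As an added illustration of the heuristic described in the reply above (example code written for this page, not from the video or from any commenter): a small Python walk over a hand-constructed, MSVC-style CRT entry-point listing. It locates the final call to exit, takes the value pushed as its argument and follows that value's definitions upward through registers and stack slots until it reaches a call that produced the value in eax; that callee is the main candidate. The listing, its labels (sub_401000 and friends) and the comments in it are invented for the example.

```python
import re

# Constructed, MSVC-flavoured CRT entry-point listing (hand-written for this
# example; every label and comment is invented). The CRT initialises, calls
# the user's main, parks the return value in a stack slot, and finally pushes
# it as the argument to exit().
CRT_ENTRY = """
push    ebp
mov     ebp, esp
sub     esp, 0x1c
call    sub_4011A0          ; __security_init_cookie (constructed label)
call    sub_401230          ; _initterm (constructed label)
push    dword [ebp-0x8]     ; envp
push    dword [ebp-0xc]     ; argv
push    dword [ebp-0x10]    ; argc
call    sub_401000          ; the unknown callee we want to identify
add     esp, 0xc
mov     [ebp-0x4], eax      ; return value of sub_401000 saved to a stack slot
call    sub_401300          ; _cexit (constructed label): clobbers eax, not the slot
mov     ecx, [ebp-0x4]
push    ecx                 ; exit status = what sub_401000 returned
call    exit
"""

INSN_RE = re.compile(r"^\s*(\w+)\s*(.*?)\s*(?:;.*)?$")


def parse_listing(text):
    """Split listing lines into (mnemonic, [operands]); comments are dropped."""
    insns = []
    for line in text.strip().splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        mnem, ops = m.group(1), m.group(2)
        operands = [o.strip() for o in ops.split(",")] if ops else []
        insns.append((mnem, operands))
    return insns


def normalize(operand):
    """Drop size prefixes and spaces so 'dword [ebp-0x8]' equals '[ebp-0x8]'."""
    for prefix in ("dword ptr ", "dword "):
        if operand.startswith(prefix):
            operand = operand[len(prefix):]
    return operand.replace(" ", "")


def find_main_from_exit(insns):
    """
    Bottom-up walk: find the last `call exit`, take the operand of the push
    that feeds it, then move upward following `mov dst, src` definitions of
    the tracked location until a `call` defines it in eax. That callee is
    the function whose return value became the exit status, i.e. main.
    Returns the callee name or None when the chain cannot be followed.
    """
    exit_calls = [i for i, (m, ops) in enumerate(insns)
                  if m == "call" and ops and ops[0] == "exit"]
    if not exit_calls:
        return None
    i = exit_calls[-1] - 1
    while i >= 0 and insns[i][0] != "push":   # the argument to exit()
        i -= 1
    if i < 0:
        return None
    tracked = normalize(insns[i][1][0])
    for j in range(i - 1, -1, -1):
        mnem, ops = insns[j]
        if mnem == "mov" and len(ops) == 2 and normalize(ops[0]) == tracked:
            tracked = normalize(ops[1])          # follow the definition upward
        elif mnem == "call" and tracked == "eax":
            return ops[0]                        # this call produced the value
    return None


if __name__ == "__main__":
    print(find_main_from_exit(parse_listing(CRT_ENTRY)))   # sub_401000
```

The walk is a triage heuristic, not a general data-flow analysis: it follows only straight-line mov definitions and stops at the nearest call that writes eax, so a listing with branches or arithmetic on the return value needs the analyst's eye. In newer MSVC CRTs the pattern lives inside a helper such as __scrt_common_main_seh rather than directly in the entry point, so the same bottom-up reading is applied there.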

  • @deckard5pegasus673
    @deckard5pegasus673 1 year ago +1

    Truthfully... the only choice for the majority of people is Ghidra. It's worth learning Ghidra, and it can do almost everything that IDA Pro (paid version) can. Cutter has potential maybe in the future, but is still beta. IDA Free is useless.

  • @c3rb3ru5d3d53c
    @c3rb3ru5d3d53c 2 years ago

    Amazing video!

  • @coolguy8709
    @coolguy8709 1 year ago

    Hello. Can you put official website links for download?

  • @XJacksonvilleX
    @XJacksonvilleX 1 year ago +1

    So IDA Pro is the clear winner after all.

  • @fobef
    @fobef 11 months ago

    I used to pay for a disassembler, not gonna say which one because it doesn't matter. When the time came to install on my new computer the license had expired, and I'm just gonna suck it up and get used to Ghidra. It's probably the one on the best trajectory feature-wise.

  • @chlorhexidine2506
    @chlorhexidine2506 1 year ago +5

    Bros really selling binary disassemblers expecting it not to get cracked 💀

  • @yup8388
    @yup8388 2 years ago

    Have you tried x64dbg? Which tool do you think has the best features/plugins?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago +2

      Yes, I use it regularly for debugging. I did not look into it here because I was checking disassemblers that are suitable for static analysis, and x64dbg is not the tool for this use case.
      IDA Pro has the best features. For the free ones I believe it is Ghidra which has the most features.

  • @MuscleTeamOfficial
    @MuscleTeamOfficial 1 year ago

    There's just something about radare2 and rizin that every little CTF challenge I manage to complete in Cutter, I end up re-doing in rizin because I just want to be a terminal god and not use a mouse. P.S. I'm the type that uses vim bindings to surf the web in the browser. lol

  • @_zproxy
    @_zproxy 2 years ago

    Hey, which tool can update the export directory of an exe?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago

      CFF Explorer should work.

    • @_zproxy
      @_zproxy 2 years ago

      @MalwareAnalysisForHedgehogs I tried to add a brand new ED manually but failed. Consider making a vid of doing it? Later, when debugging that exe at a breakpoint, that method name should show up in the devenv stack trace then?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago

      Only if I have a proper use case and sample to show in a video.
      Maybe you have seen this already, but the answer here looks pretty good: reverseengineering.stackexchange.com/questions/25292/pe-32-add-export-function-segment-by-extending-with-dll-or-patching-pe

    • @_zproxy
      @_zproxy 2 years ago

      @MalwareAnalysisForHedgehogs thx

  • @vaibhavpandey7765
    @vaibhavpandey7765 2 years ago

    angr?

  • @Il_panda
    @Il_panda 2 days ago

    I still, to this day, thank the Russian guy who reversed IDA for me.

  • @djpuxo
    @djpuxo 1 year ago

    It is an unfair comparison, since if you used one way, everything would be more even. In addition, binary is paid and you are mixing free and paid products.

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 1 year ago +1

      Yes. It is not meant to be a fair or comprehensive comparison. Those are really the tools I considered using for the future (hence paid and free mixed) and my thoughts while trying them initially.

  • @StefanSchlott
    @StefanSchlott 2 years ago

    Have you compared iaito VS cutter? Radare was forked to Rizin, and so did the GUIs...

  • @peterlafosse7294
    @peterlafosse7294 2 years ago

    Any chance you can share that sample binary?

    • @MalwareAnalysisForHedgehogs
      @MalwareAnalysisForHedgehogs 2 years ago

      Sure, here you go: bazaar.abuse.ch/sample/baa1df04894900ceb57857eaf5d906384d7c4fe8bf0e67db152cc19fd710c70d
      Seems to be very old malware though.