As the threats from malware persist, reverse engineering is remains an important discipline. Looking back at the many years that reverse engineering tools have been in use, whether in the back rooms of some agencies, the commercial labs at corporations large or small, or in research labs in general, there tend to be two main contenders over time: the greybeard that is the commercial software IDA Pro and the much younger open-source Ghidra that emerged unexpectedly from the US-based National Security Agency Research Directorate about 6 years ago or so.

Here we are in anticipation of the early 2026 release of the second edition of "The Ghidra Book - The Definitive Guide," again authored by the successful team Chris Eagle and Kara Nance, to be published by No Starch Press in February. The early review copy is of similar size to the previous edition at around 600 pages. When I reviewed the first edition of this book back in 2020, Ghidra had been released the year before and was the new kid on the block. Much excitement surrounded the idea of an open-source project that would allow reverse engineering across multiple architectures. The expected audience for the book remains unchanged: reverse engineers at various skill levels, professionals, and students alike. This review will be strongly based on the original review, with an emphasis on the changes for the second edition.

The reverse engineering world is a fascinating one: an analyst is undoing the work of compilers and assemblers, creating something that describes the functionality of the binary program that is being scrutinized by transforming it into a disassembled, intermediate, or even decompiled form. Many tools now exist that replace the manual and repetitive tasks that reverse engineers used to do by hand. The need for faster turnaround times have created an ecosystem of plugins or scripts that extend the capabilities of the basic reverse engineering framework. If one can call such a framework "basic," that is.

The second edition book is divided into five parts, for a total of 23 chapters, followed by an appendix. While the structure resembles the first edition of the book, the reader should understand that the book has undergone a serious general "overhaul" for content in connection to the evolution and expansion that happened for Ghidra over the last few years. The book is illustrated with helpful, updated Ghidra screenshots and even more expanded code samples than before. The latter are available from a book companion website for those readers whose curiosity has been piqued and can't wait to just try it out.

The five parts are, in order, 'Introduction', 'Basic Ghidra Usage,' 'Customizing and Extending Ghidra,' 'A Deeper Dive,' and 'Real-world Applications,' followed by an appendix called 'Ghidra for IDA Pro Users.'

In the first part 'Introduction', the reader learns the basics of the field. For the first chapter 'Introduction to Disassembly,' this means grasping the proper context of programming languages from machine languages to higher forms such as C/C++ or Java, and understanding that the compilation process is lossy, making the job of the reverse engineer having to reverse that process a challenging task. For the second chapter, 'Reversing and Disassembly Tools,' the reader recognizes that there are two classical disassembly techniques, namely Linear Sweep and Recursive Descent, plus a few ways of expressing the disassembled code, such as the AT&T and Intel notation variants. The first part wraps up with a quick introduction to Ghidra.

The second part 'Basic Ghidra Usage' contains seven chapters that explain the basics of Ghidra, such as data displays (i.e. how you view the disassembly in multiple functional windows), untangling a Ghidra disassembly and how to manipulate it to your liking. Further chapters discuss data types that come with each programming language, as well as data structures, and capturing cross-references in a program, as well as graphs as a more or less simple way of displaying what a program does. In the end, the reader will realize that Ghidra is really a database that allows you to label or annotate the code incrementally, sometimes automagically, as you move along. The basics explained here include initial guidance on accepting recommendations for code identification, such as processor type, bitness (16/32/64), or even suggested compiler types that may have generated the binary program.

In the third part, 'Customizing and Extending Ghidra,' the authors explore the above-mentioned collaborative software reverse engineering across multiple analysts' devices, customization (for one Ghidra is available in source, for two, Ghidra can be adjusted to taste), extending the worldview such as improving the automagic labeling and function identification in the binary, and basic scripting for repeated or repetitive tasks. Moreover, one chapter discusses the integration of the Eclipse IDE of Java fame using the GhidraDev plugin. Last but not least in this part, the authors guide the reader on the headless (dragon?) mode, when a GUI is not needed, say in scripting mode or for batches of binaries. Here the python-based pyGhidra extension stands out as a new addition to the second edition, as it lets python users tap into the capabilities of Ghidra.

For the fourth part 'A Deeper Dive,' the book goes even further into the nitty gritty of Ghidra, looking at Ghidra loaders for when Ghidra is at wit's end, say in the case of shellcode without proper program headers. Another chapter looks at Ghidra processors, for the (unlikely?) event the reader may have to write - using the SLEIGH language - their own processor definition for a firmware image for a particular embedded processor they may have discovered. That chapter also mentions p-code or intermediate representation (IR), with an intermediate language (IL), an important concept found in the common reverse engineering and security literature. The authors also mention the Ghidra Decompiler, which builds on p-code among other things, and the challenges that may occur when dealing with Compiler Variations that can throw the analyst off.

In the last part 'Real-world Applications,' the real fun stuff awaits: a discussion of Ghidra use in the context of Obfuscated Code Analysis such as anti-static analysis techniques (e.g. opcode obfuscation, dynamic target computation, control flow obfuscation) and anti-dynamic-analysis techniques (virtualization detection, debugging detection), and the new(er) emulator capabilities. They also mention Patching Binaries, for when the reader may want to modify a program for a variety of reasons (remove debugging, bypass system checks, phoning home), and Binary Differencing and Version Tracking for understanding the lineage of a malware family, for example, especially for those readers that are familiar the IDA Pro bindiff tool. The discussion of the Ghidra Bsim comparison tool stands out here in the new edition, with an example of using this tool for ransomware code evolution.

The book wraps up with an Appendix on 'Ghidra for IDA Pro Users,' for those die-hards who got used to another framework of thinking about reverse engineering and want to explore a new world, even if it is 6-7 years in the "public life" of Ghidra, as this maps the concepts from the other (IDA Pro) world to the Ghidra world discussed in the book.

Chris Eagle and Kara Nance have - once more - delivered a very readable and hands-on book on reverse engineering using a publicly available tool. This second edition will join the first edition on my bookshelf. I enjoyed reading this book by the Eagle-Nance team that will continue to make the black art of reverse engineering more accessible.

Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org.