# AllsafeCyberSecurity/ghidra_scripts

Ghidra scripts for malware analysis.

- Repository: https://github.com/AllsafeCyberSecurity/ghidra_scripts (GitHub, default branch `master`, language: Python, no license file)
- Topics: ghidra, python, reverse-engineering
- Listed under: Ghidra Plugins; Ghidra Scripts/Plugins/Extension
- Created 2019-09-09, last push 2024-01-11; 91 stars, 4 forks, 0 open issues
- Download: https://codeload.github.com/AllsafeCyberSecurity/ghidra_scripts/tar.gz/refs/heads/master
- Project record: https://awesome.ecosyste.ms/projects/github.com%2FAllsafeCyberSecurity%2Fghidra_scripts (last synced 2025-03-15)

## README

# shellcode_hashes

shellcode_hashes was inspired by the [script of the same name in flare-ida](https://github.com/fireeye/flare-ida/tree/master/shellcode_hashes).  
It finds the API name that matches a [precalculated hash](https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html) used in the shellcode, so the hash constants in the shellcode resolve to the Windows API names they stand for.  
It uses the hash database created by the flare-ida script.

## sqlite2json.py

Ghidra's Jython scripting environment has no `sqlite3` module, so it cannot open the flare-ida database directly. This script converts the SQLite database to JSON, which the Ghidra script can load.

Convert with the following command:
```
python sqlite2json.py
```

## shellcode_hash_search.py

Open the target shellcode in Ghidra and run the script. Resolved hashes are annotated in the listing and carried into the decompiler view, as in the screenshots below.

![ch03_shellcodehash](https://user-images.githubusercontent.com/18203311/64575824-a5bf6700-d3b0-11e9-8294-c6b045c127a5.png)


![ch03_shellcodehash_decompile](https://user-images.githubusercontent.com/18203311/64575814-9c35ff00-d3b0-11e9-8cb8-3b686ae553a9.png)

# non-zero_xor_search.py

Finds XOR instructions whose source and destination operands differ. `xor reg, reg` is the compiler's zeroing idiom and is skipped; a XOR against a different register, a memory operand or an immediate is a common sign of an encoding/decoding loop or string obfuscation and is worth a closer look.  
Each hit is registered as a bookmark.

![ch03_non-zero_xor](https://user-images.githubusercontent.com/18203311/64575818-9fc98600-d3b0-11e9-8732-bccf8d0e3c1f.png)

# coloring_call_jmp.py

Colors CALL and conditional jump instructions so control flow stands out in the listing.  
The following mnemonics are colored:
 * CALL
 * JE
 * JZ
 * JNE
 * JNZ
 * JA
 * JAE
 * JBE
 * JB
 * JL
 * JLE
 * JG
 * JGE

![ch03_coloring_call_jmp](https://user-images.githubusercontent.com/18203311/64575795-87596b80-d3b0-11e9-847b-f46ab6aefa4b.png)

# stackstrings.py

Deobfuscates the stack strings used by Godzilla Loader: the characters are written to the stack one immediate at a time, and the script stitches them back into readable strings.

### before
![stackstrings_execute_before](https://user-images.githubusercontent.com/18203311/65371013-13fe0680-dc9a-11e9-910a-37329767a26a.png)

### after
![stackstrings_execute_after](https://user-images.githubusercontent.com/18203311/65371015-15c7ca00-dc9a-11e9-80c2-5028a8c3d03f.png)

### console output
![stackstrings_console_result](https://user-images.githubusercontent.com/18203311/65371016-16f8f700-dc9a-11e9-981c-552a7e9152a4.png)
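The hash-resolution pipeline behind shellcode_hashes (database, sqlite2json conversion, lookup of immediates), as an added example in plain CPython that runs outside Ghidra; it is not code from the repository or from flare-ida. The SQLite table layout (`symbol_hashes` / `source_libs` / `hash_types`) is assumed from the flare-ida database and should be checked against your copy, the export names are a constructed sample, and the hash is the classic additive ROR-13 over the ASCII function name without the terminating NUL.

```python
"""Pre-calculated API hash lookup in the style of FLARE's shellcode_hashes.

Added example, not code from AllsafeCyberSecurity/ghidra_scripts or flare-ida.
Table layout is assumed from the flare-ida database; export names are constructed.
"""
import json
import sqlite3

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_add_hash32(name):
    """Classic additive ROR-13 hash of an ASCII export name (no trailing NUL)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


# Constructed sample export list; a real database is built from DLLs on disk.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect"],
}


def build_hash_db(exports=SAMPLE_EXPORTS):
    """Create an in-memory SQLite database with the assumed flare-ida layout."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table hash_types (hash_type integer primary key, hash_size integer,
                                 hash_name text, hash_code text);
        create table source_libs (lib_key integer primary key, lib_name text);
        create table symbol_hashes (hash_key integer primary key, hash_val integer,
                                    hash_type integer, lib_key integer, symbol_name text);
    """)
    db.execute("insert into hash_types values (1, 32, 'ror13AddHash32', '')")
    for lib_key, (lib, names) in enumerate(exports.items(), start=1):
        db.execute("insert into source_libs values (?, ?)", (lib_key, lib))
        for name in names:
            db.execute("insert into symbol_hashes (hash_val, hash_type, lib_key, symbol_name)"
                       " values (?, 1, ?, ?)", (ror13_add_hash32(name), lib_key, name))
    db.commit()
    return db


def sqlite_to_json(db):
    """Flatten the database to {hash_name: {'0x%08x': 'lib!symbol'}}.

    This is the sqlite2json step: Jython has no sqlite3, but json.load() works.
    """
    rows = db.execute("""
        select t.hash_name, s.hash_val, l.lib_name, s.symbol_name
        from symbol_hashes s
        join hash_types t on s.hash_type = t.hash_type
        join source_libs l on s.lib_key = l.lib_key
    """)
    out = {}
    for hash_name, hash_val, lib, sym in rows:
        out.setdefault(hash_name, {})["0x%08x" % hash_val] = "%s!%s" % (lib, sym)
    return json.dumps(out, indent=2, sort_keys=True)


def resolve_hashes(json_text, candidates):
    """Look up each 32-bit immediate against every hash type in the JSON table.

    Returns {immediate: [(hash_name, 'lib!symbol'), ...]} for the ones that hit;
    a Ghidra script would then add the names as comments at the operand.
    """
    table = json.loads(json_text)
    hits = {}
    for imm in candidates:
        key = "0x%08x" % (imm & MASK32)
        for hash_name, mapping in table.items():
            if key in mapping:
                hits.setdefault(imm, []).append((hash_name, mapping[key]))
    return hits


if __name__ == "__main__":
    js = sqlite_to_json(build_hash_db())
    # Constructed immediates, as a script would collect them from scalar operands
    # (push imm32 / mov reg, imm32 / cmp reg, imm32) in the shellcode.
    immediates = [ror13_add_hash32("LoadLibraryA"), 0x12345678, ror13_add_hash32("WSASocketA")]
    for imm, names in sorted(resolve_hashes(js, immediates).items()):
        print("0x%08x -> %s" % (imm, ", ".join("%s:%s" % n for n in names)))
```

Real shellcode often hashes the module name and the function name together, includes the NUL terminator, or uses a different rotation count; the flare-ida database stores many such variants under separate `hash_types` rows, which is why the lookup tries every hash type rather than one.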
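The two listing heuristics described above, the non-zero XOR search and the stack-string recovery of stackstrings.py, as one added example written in plain Python over a constructed instruction list so it runs and can be tested outside Ghidra; it is not code from the repository. The `Insn` model and the sample x86 listing are invented here. In a Ghidra script the same loops would walk `currentProgram.getListing().getInstructions(True)`, compare `getOpObjects(0)` with `getOpObjects(1)` and call `createBookmark()` for each XOR hit.

```python
"""Non-zero XOR search and stack-string recovery over a constructed listing.

Added example, not code from AllsafeCyberSecurity/ghidra_scripts. The Insn
model (address, mnemonic, Intel-syntax operand strings) and LISTING are
constructed here to stand in for Ghidra's Listing/Instruction objects.
"""
import re
import string
from collections import namedtuple

Insn = namedtuple("Insn", "addr mnemonic ops")

# Constructed x86 listing: zeroing XOR idioms, a real decode XOR, and a stack
# string written with dword and byte moves (Godzilla Loader style).
LISTING = [
    Insn(0x401000, "XOR", ("eax", "eax")),                          # zeroing idiom, ignore
    Insn(0x401002, "MOV", ("dword ptr [ebp-0x10]", "0x2e646d63")),  # "cmd."
    Insn(0x401009, "MOV", ("dword ptr [ebp-0xc]", "0x00657865")),   # "exe\0"
    Insn(0x401010, "XOR", ("byte ptr [esi+ecx]", "0x5a")),          # decode loop key
    Insn(0x401013, "MOV", ("byte ptr [ebp-0x20]", "0x48")),         # 'H'
    Insn(0x401017, "MOV", ("byte ptr [ebp-0x1f]", "0x69")),         # 'i'
    Insn(0x40101b, "MOV", ("byte ptr [ebp-0x1e]", "0x0")),          # NUL
    Insn(0x40101e, "XOR", ("edx", "edx")),                          # zeroing idiom, ignore
    Insn(0x401020, "XOR", ("eax", "0x1f")),                         # non-zero xor
]


def find_nonzero_xor(listing):
    """non-zero_xor_search.py logic: XOR whose two operands are not the same."""
    return [i.addr for i in listing
            if i.mnemonic.upper() == "XOR" and len(i.ops) == 2 and i.ops[0] != i.ops[1]]


STACK_DST = re.compile(
    r"^(byte|word|dword|qword) ptr \[(?:ebp|esp|rbp|rsp)\s*([+-])\s*0x([0-9a-f]+)\]$", re.I)
SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}


def _immediate(text):
    """Parse an immediate operand; None for registers and memory operands."""
    try:
        return int(text, 0)
    except ValueError:
        return None


def recover_stackstrings(listing, min_len=2):
    """stackstrings.py logic: gather MOV imm -> [frame +/- off] writes, stitch
    the bytes by frame offset and return (address of first write, text) pairs."""
    frame = {}  # frame offset -> (byte value, address that wrote it)
    for i in listing:
        if i.mnemonic.upper() != "MOV" or len(i.ops) != 2:
            continue
        m = STACK_DST.match(i.ops[0])
        imm = _immediate(i.ops[1])
        if not m or imm is None:
            continue
        size = SIZES[m.group(1).lower()]
        off = int(m.group(3), 16) * (-1 if m.group(2) == "-" else 1)
        raw = (imm & ((1 << (8 * size)) - 1)).to_bytes(size, "little")
        for k, b in enumerate(raw):
            frame.setdefault(off + k, (b, i.addr))  # first writer wins

    found = []
    offsets = sorted(frame)
    start = 0
    while start < len(offsets):
        # Extend over a run of contiguous frame offsets.
        end = start
        while end + 1 < len(offsets) and offsets[end + 1] == offsets[end] + 1:
            end += 1
        chunk = bytes(frame[o][0] for o in offsets[start:end + 1])
        pos = 0
        for piece in chunk.split(b"\x00"):
            text = piece.decode("ascii", "replace")
            if len(piece) >= min_len and all(c in string.printable for c in text):
                found.append((frame[offsets[start + pos]][1], text))
            pos += len(piece) + 1
        start = end + 1
    return found


if __name__ == "__main__":
    for addr in find_nonzero_xor(LISTING):
        print("non-zero XOR at 0x%x" % addr)
    for addr, text in recover_stackstrings(LISTING):
        print("stack string at 0x%x: %r" % (addr, text))
```

The string comparison of operands is the stand-in for comparing Ghidra's operand objects; it treats `xor eax, eax` and `xor edx, edx` as zeroing and flags `xor byte ptr [esi+ecx], 0x5a` and `xor eax, 0x1f`. The stack-string pass keys on frame offsets rather than instruction order, so a string assembled out of order, or split between dword and byte moves as in the sample, still comes back whole.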